News from Cullen International's COVID-19 Update no. 5 (25 June 2020)

This update provides insights on the national contact tracing apps focusing on their architecture (decentralised vs. centralised) as well as the integration of the Google and Apple technology. The report also summarises the main developments on data processing and data sharing by providers of electronic communication services (ECS) since the beginning of the pandemic. The research covers 14 European countries.  

Background

Governments across the world are looking into different technological data-driven solutions to contain and manage the spread of coronavirus (COVID-19).

Some countries have already imposed data sharing obligations on private actors and are introducing surveillance measures relying on data collection and processing. In some instances, providers of electronic communication services have voluntarily shared anonymised location data with public authorities.

European governments are increasingly exploring – with some already launched - contact tracing and symptom-checking mobile apps in an attempt to control the spread of the virus as they prepare to start to phase out their lockdown restrictions.

In reaction, data protection authorities are issuing statements and guidance on data processing in the context of the pandemic and the conformity of such initiatives with existing data protection rules.

These new findings by Cullen International reflect the data sharing and data processing practices and requirements imposed by European governments on providers of electronic communication services (ECS) as well as the use of mobile applications by public authorities to collect and process data in 14 European countries in an attempt to control the spread of COVID-19.

The update shows that:

• Voluntary mobile apps remain relevant in most exit strategies from the COVID-19 lockdown. Slovakia has launched a new quarantine enforcement app for people entering the country and opting to spend the mandatory quarantine at home instead of a state quarantine facility.
• Health authorities are the data controllers for the mobile apps in almost all surveyed countries where apps are being deployed. In Poland, however, the Ministry of Digitisation is the data controller for the mandatory quarantine enforcement app.
• Almost all countries developing contact tracing apps have indicated that the apps will be Bluetooth-based. The contact tracing apps in Italy, Ireland and Poland are based on the Google and Apple exposure notification technology, which ensures interoperability between the two operating systems (Android and iOS).
• Germany, Ireland, Italy, Poland and Slovakia have opted for a decentralised approach for their contact tracing apps while France and the UK currently plan to collect data on a central server. Data from contact tracing apps in Austria and the Czech Republic is stored partially on the user device and partially on a central server.
• Bulgaria, the Czech Republic, Poland, Slovakia and Spain have adopted specific legislation obliging ECS providers to share data with public authorities for different purposes. In Slovakia, following a decision by the constitutional court, ECS providers are now required to share personal data upon written request by health authorities and with the user’s consent.
• In most surveyed countries ECS providers have been sharing voluntarily aggregated and anonymised location data with public authorities.
• Data protection authorities (DPAs) in most countries have issued statements or guidance on data processing and sharing in the context of the pandemic. The Austrian, Czech, Italian and Spanish DPAs have in general recommended the processing of anonymised location data. By contrast, according to the Dutch DPA anonymising location data is not really possible as it is highly likely individuals can be reidentified and the Spanish DPA warned that issues such as an incomplete anonymisation can put privacy at risk.

To access the full benchmark, please click on “Access the full content” - or on “Request Access”, in case you are not subscribed to our European Digital Economy service.