The European Commission has responded to the regional scramble for apps and data to help tackle the coronavirus crisis by calling for a common EU approach to boost the effectiveness of digital interventions and ensure key rights and freedoms are respected.
The European Union’s executive body wants to ensure Member States’ individual efforts to use data and tech tools to combat COVID-19 are aligned and can interoperate across borders — and therefore be more effective, given the virus does not respect national borders. Current efforts by governments across the EU to combat the virus are being hampered by the fragmentation of approaches, it warns. At the same time its recommendation puts a strong focus on the need to ensure that fundamental EU rights do not get overridden in the rush to mitigate the spread of the virus — with the Commission urging public health authorities and research institutions to observe a key EU legal principle of data minimization when processing personal data for a coronavirus purpose. Specifically it writes that these bodies should apply what it calls “appropriate safeguards” — listing pseudonymization, aggregation, encryption and decentralization as examples of best practice. The Commission’s thinking is that getting EU citizens to trust digital efforts — such as the myriad of COVID-19 contacts tracing apps now in development — will be key to their success by helping to drive uptake and usage, which means core rights like privacy take on additional significance at a moment of public health crisis. Commenting in a statement, commissioner for the EU’s internal market, Thierry Breton said: “Digital technologies, mobile applications and mobility data have enormous potential to help understand how the virus spreads and to respond effectively. With this Recommendation, we put in motion a European coordinated approach for the use of such apps and data, without compromising on our EU privacy and data protection rules, and avoiding the fragmentation of the internal market. Europe is stronger when it acts united.” “Europe’s data protection rules are the strongest in the world and they are fit also for this crisis, providing for exceptions and flexibility. We work closely with data protection authorities and will come forward with guidance on the privacy implications soon,” added Didier Reynders, the commissioner for justice, in another supporting statement. “We all must work together now to get through this unprecedented crisis. The Commission is supporting the Member States in their efforts to fight the virus and we will continue to do so when it comes to an exit strategy and to recovery. In all this, we will continue to ensure full respect of Europeans’ fundamental rights.” Since Europe has fast-followed China to become a secondary epicenter for the SARS-CoV-2 virus there has been a rush by governments, institutions and the private sector to grab data and technologies to try to map the spread of the virus and inform policy responses. The Commission itself has leant on telcos to provide anonymized and aggregated user location data for COVID-19 tracking purposes. Some individual Member States have gone further — calling in tech companies to ask directly for resources and/or data, with little public clarity on what exactly is being provided. Some governments have even rushed out apps that apply individual-level location tracking to enforce quarantine measures. Multiple EU countries also have contacts tracing apps in the works — taking inspiration from Singapore’s TraceTogether app which users Bluetooth proximity as a proxy for infection risk. With so much digital activity going on — and huge economic and social pressure for a ‘coronavirus fix’ — there are clear risks to privacy and civil liberties. Governments, research institutions and the private sector are all mobilizing to capture health-related data and track people’s location like never before, all set against the pressing backdrop of a public health emergency. The Commission warned today that some of the measures being taken by certain (unnamed) countries — such as location-tracking of individuals; the use of technology to rate an individual’s level of health risk; and the centralization of sensitive data — risk putting pressure on fundamental EU rights and freedoms. Its recommendation emphasizes that any restrictions on rights must be justified, proportionate and temporary. Any such restrictions should remain “strictly limited” to what is necessary to combat the crisis and should not continue to exist “without an adequate justification” after the COVID-19 emergency has passed, it adds. It’s not alone in expressing such concerns. In recent days bottom-up efforts have emerged out of EU research institutions with the aim of standardizing a ‘privacy-preserving’ approach to coronavirus contacts tracing. One coalition of EU technologists and scientists led by institutions in Germany, Switzerland and France, is pushing a common approach that they’re hoping will get baked into such apps to limit risks. They’ve called the effort: PEPP-PT (Pan-European Privacy-Preserving Proximity Tracing). However a different group of privacy experts is simultaneously pushing for a decentralized method for doing the same thing (DP-3T) — arguing it’s a better fit with the EU’s data protection model as it doesn’t require pseudonymized IDs to be centralized on a server. Instead storage of contacts and individual infection risk processing would be decentralized — performed locally, on the user’s device — thereby shrinking the risk of such a system being repurposed to carry out state-level surveillance of citizens. Although the backers of this protocol accept it does not erase all risk; with the potential for tech savvy hackers to intercept the pseudonymized IDs of infected people at the point they’re being broadcast to devices for local processing, for instance. (While health authorities may be more accustomed to the concept of centralizing data to secure it, rather than radically distributing it.) Earlier this week, one of the technologists involved in the PEPP-PT project told us it intends to support both approaches — centralized and decentralized — in order to try to maximize international uptake, allowing developers to make their own choice of preferred infrastructure. Though questions remain over achieving interoperability between different models. Per its recommendation, the Commission looks to be favoring a decentralized model — as the closest fit with the EU’s rights framework. In a section of its recommendation paper on privacy and data protection for “COVID-19 mobile warning and prevention applications” it also states a preference for preference for “safeguards ensuring respect for fundamental rights and prevention of stigmatization”; and for “the least intrusive yet effective measures”. The Commission’s recommendation also stresses the importance of keeping the public informed. “Transparency and clear and regular communication, and allowing for the input of persons and communities most affected, will be paramount to ensuring public trust when combating the COVID-19 crisis,” it warns. The Commission is proposing a joint toolbox for EU Member States to encourage the development of a rights-respecting, coordinated and common approach to smartphone apps for tracing COVID-19 infections — which will consist of [emphasis its]:- specifications to ensure the effectiveness of mobile information, warning and tracing applications from a medical and technical point of view;
- measures to avoid proliferation of incompatible applications, support requirements for interoperability and promotion of common solutions;
- governance mechanisms to be applied by public health authorities and in cooperation with the European Centre for Disease Control;
- the identification of good practices and mechanisms for exchange of information on the functioning of the applications; and
- sharing data with relevant epidemiological public bodies, including aggregated data to ECDC.