European Data Protection Board Adopts New Guidelines on COVID-19 Contact Tracing Apps

May 06, 2020

The potential tension between the protection of public health and the fundamental right to personal privacy is being tested on an unprecedented scale in the global coronavirus (COVID-19) pandemic. The European Data Protection Board (EDPB) adopted guidelines on 21 April 2020 on the processing of health data as part of research efforts to respond to the COVID-19 pandemic (Research Guidelines) and on geolocation, and other tracing tools, in the context of the pandemic (Tracing Guidelines).

The Research and Tracing guidelines follow the EDPB’s broad statement, adopted on 19 March 2020, regarding the processing of personal data in the context of the COVID-19 pandemic. This guidance comes at a time when many countries are rolling out location tracking and contact tracing apps, including a new National Health Service (NHS) app that is being trialled in the United Kingdom. The UK’s Information Commissioner’s Office (ICO) has also published guidance on these apps.

The EDPB highlights that data protection rules do not hinder measures taken in the fight against the COVID-19 pandemic. The aim of the guidelines is to explain why this is the case and to offer guidance on how the collection of location data to enable contact tracing can be lawful and proportionate. The EDPB emphasises that the apps should be voluntary, albeit that the key to their efficacy in the COVID-19 pandemic relies upon a significant proportion of a country’s population downloading and using the app and the quality of the information users submit to the app regarding their health.

Specifically, the Research Guidelines clarify that data protection laws do not prohibit the processing of health data for the purpose of scientific research in connection with the fight against the COVID-19 pandemic, provided that such processing complies with the fundamental right to privacy and personal data protection. The GDPR contains a specific lawful processing ground allowing the processing of special categories of personal data, such as health data, where it is necessary for the purposes of scientific research or for public health reasons. Further, the Tracing Guidelines explain that the GDPR and ePrivacy Directive contain measures allowing the use of personal data collected through the apps to support public authorities in monitoring and containing the spread of COVID-19 because of the contact tracing aspect to the apps.

The Research Guidelines

The Research Guidelines aim to clarify the legal basis upon which such data is used, what safeguards should be implemented, the extent to which data subjects may exercise their rights, and whether and how international data transfers can occur in the context of scientific research.

The data subject must be informed of the processing and that his or her data is being processed for scientific purposes. The Research Guidelines acknowledge that researchers often process health data they have not obtained directly from the data subject and the focus of the Research Guidelines is therefore on the implications of Article 14 of the GDPR, which governs information obligations where personal data is not collected directly from the data subject.

Personal data should be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. The Research Guidelines clarify that further processing for scientific research purposes shall not be considered incompatible with the initial purposes.

The Research Guidelines emphasise the importance of the data minimisation principle. They suggest that due consideration should be given to both the nature of the research questions, and the type and amount of data necessary to properly answer those questions. Data should be anonymised where it is possible to perform the relevant research with anonymised data.

The Research Guidelines suggests that such measures should include the following as a minimum: pseudonymisation, encryption, nondisclosure agreements and strict access role distribution, restrictions as well as logs.

Data protection impact assessments must be carried out when such processing is likely to result in a high risk to the rights and freedoms of natural persons. Further, the Research Guidelines underline the importance of data protection officers and the need for them to be consulted if any health data is processed. Any measures which are adopted must also be properly documented.

International cooperation on a large scale is likely to be required in order to coordinate effective research into how to curtail the spread of COVID-19. This may result in the international transfer of health data outside the EEA. The Research Guidelines clarify that the GDPR does not preclude international cooperation in the field of research.

Where this occurs, however, additional obligations beyond those already discussed apply to the data exporter. These include an obligation on the data exporter to inform data subjects of its intention to transfer personal data to a third country or international organisation. This obligation includes informing data subjects about the existence or absence of an adequacy decision by the European Commission of the country to which their personal data has been exported, or whether the transfer is based on a suitable safeguard or derogation pursuant to the GDPR. Data exporters should favour solutions that guarantee the rights of the relevant safeguards. This is likely to be satisfied, according to the Research Guidelines, where the country to which the data is exported has been deemed by the European Commission to have an “adequate” level of data protection, or instead where safeguards are relief upon, that would ensure data subjects have enforceable rights and effective legal remedies.

Importantly, however, in the absence of an adequacy decision or appropriate safeguards, the Research Guidelines explain that data exporters may be able to rely on the public interest derogation under Article 49(1)(d) of the GDPR. The EDPB clarifies that the fight against COVID-19 has been recognised by the EU and most of its member states as an important public interest, which may require urgent action in the field of scientific research, and may also involve transfers to third countries or international organisations. The Research Guidelines clarify that the derogation may justify the initial transfer of personal health data that is urgently needed to carry out necessary research, while repetitive and longer-term COVID-19 research projects will need to be based on appropriate safeguards under Article 46 of the GDPR.

The Tracing Guidelines

Governments and businesses are using, or are in the process of developing, data driven solutions to respond to the COVID-19 pandemic. For example, the aim of contact tracing apps is to allow smartphones to determine automatically whether a person has been in contact with, or in close proximity to, an infected person or someone with symptoms suggesting an infection of COVID-19 and notify him or her accordingly that a test should be undertaken or he or she should self-isolate.  

The Tracing Guidelines clarify that data protection laws are flexible and are therefore able to achieve both an efficient response in fighting the pandemic while protecting the fundamental human right to privacy. The EDPR does stress, however, that we should not put ourselves in a position where we have to choose between an efficient response to the crisis and the protection of our fundamental rights. Instead, the EDPR states that we can achieve both, and importantly, that data protection principles can and should play an important role in the response to the pandemic.

The Tracing Guidelines explain the data protection principles and conditions that need to be followed when:

  • using location data to model the spread of COVID-19; and
  • using contact tracing apps to notify individuals when they have been in close contact with a person who is later confirmed to have the virus.

The data privacy implications depend on the source of the location data. Where electronic communication providers collect location data as part of their service, such data may only be transmitted to authorities, or other third parties, if:

  • the data has been anonymised by the provider; or
  • for data that discloses the geographic position of the user (but not traffic data), the users have given their prior consent to the processing.

Where location data is collected by information society service providers whose functionality requires the use of such data (e.g., navigation and transportation services), then the storing of information on the user’s device or gaining access to the information that is stored therein is allowed only if:

  • the user has given consent; or
  • the storage and/or access is strictly necessary for the information society service explicitly requested by the user.

There is a clear focus in the Tracing Guidelines on the need for data anonymisation. Whenever possible, the processing of anonymised location data is preferred over the processing of identifiable data. The EDPB acknowledges that adequate anonymisation may be difficult. For data to be truly and irrevocably anonymised, the user must not be able to be identified.

The Tracing Guidelines state that the extent of location monitoring and/or contact tracing required to implement these types of solutions could be a significant intrusion into individuals’ privacy. Accordingly, strict measures will need to be adopted to ensure the legitimate and proportionate use of these types of applications. Such measures include the following:

  • The use of these apps must be voluntary and individuals who do not consent should not be disadvantaged for not using the applications.
  • Data controllers must be clearly identified to ensure accountability.
  • The purposes of the processing must be specific enough to exclude further processing for purposes unrelated to COVID-19, and once such a purpose is defined, the use of data must be adequate, necessary, and proportionate.
  • Data controllers must consider the principles of data minimisation and data protection, for example:
    • proximity data is used in favour of the location of individual users
    • measures should be put in place to prevent the re-identification of individuals
    • any data collected should reside only on the equipment of the user.
  • The current crisis should not be used as a way of implementing disproportionate data retention mandates. Any storage of personal data should therefore be limited to the true needs and medical relevance, and personal data should be erased or anonymised post-COVID-19. A sunset provision requiring full deletion of data after the pandemic ends, may be needed.

The Tracing Guidelines make a number of recommendations for how tracing applications should be developed and used. For example:

  • any data processed should be reduced to the strict minimum
  • data broadcasted by applications must only include unique and pseudonymous identifiers, generated by and specific to the application
  • any server involved in the contact tracing system must only collect the contact history or the pseudonymous identifiers of a user diagnosed as infected as the result of a proper assessment made by health authorities and of a voluntary action of the user
  • state-of-the-art cryptographic techniques must be implemented to secure the data stored in servers and applications, exchanges between applications, and the remote server

In an Annex to the Tracing Guidelines, the EDPB has also adopted a guidance for designers and implementers of contact tracing applications. In the guide, the EDPB encourages publishers of these apps to take account of a number of principles including the following:

  • The use of apps must be voluntary.
  • A data protection impact assessment should be carried out prior to the app’s deployment.
  • Information on the proximity between users of the application can be obtained without locating them. Tracking data should, therefore, not be required.
  • When a user is diagnosed with the virus, only the persons with whom the user has been in close contact within the epidemiologically relevant contact period for contact tracing should be informed.
  • Where tracing apps require the use of a centralised server, the data processed by this server should be limited to the bare minimum.


The UK has launched a trial of NHSX, a contact tracing app for users in the UK, operated by a joint venture with the NHS. The ICO has announced it is working with NHSX on privacy issues and has published a blog on contact tracing apps in general. We understand that NHSX uses anonymous data, albeit with location information (but, notably, not location tracking data) and this would mitigate against privacy concerns where the data collected is no longer identifiable to the user. The ICO advises that the key privacy considerations in designing and operating tracing apps is:

  • privacy by design: is privacy built-in to the technology for processing data;
  • is the collection and use of any personal data (that is not anonymous) necessary and proportionate to the purpose of collection i.e. contact tracing to enable individuals to either be tested or self-isolate;
  • do users have control over their data in accordance with GDPR requirements;
  • what data needs to be processed centrally;
  • what happens when the data is no longer needed.


The COVID-19 pandemic has given rise to a myriad of unprecedented challenges for governments, businesses, organisations and individuals alike. Privacy and data security concerns are a central issue given the importance of health data in the fight against the virus.

The EDPB has gone to great lengths to explain that existing data protection laws should not stand in the way of finding a vaccine, and that the existing legal framework allows the use of anonymised personal data to support governments and businesses in their attempts to monitor and contain the spread of COVID-19. The guidelines helpfully explain how lawful processing can be maintained in this context by setting out a number of recommendations (e.g., contact tracing apps should use proximity data rather than the individual’s actual location) to ensure that individual privacy rights are protected and exemptions upon which organisations may rely (e.g., clarification that organisations may rely upon the Article 29 derogation concerning international data transfers for scientific purposes) when processing health data.

Trainee solicitor William Mallin contributed to this LawFlash.

Coronavirus COVID-19 Task Force

For our clients, we have formed a multidisciplinary  COVID-19 Task Force to help guide you through the broad scope of legal issues brought on by this public health challenge. We also have launched a resource page to help keep you on top of developments as they unfold. If you would like to receive a daily digest of all new updates to the page, please subscribe to receive our COVID-19 alerts.


If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:

Washington, DC
Ronald Del Sesto
Dr. Axel Spies 

Gregory Parks
Ezra Church
Kristin Hadgis

San Francisco
Reece Hirsch