EDPB Guidelines on Corona Apps
On 21 April 2020, the European Data Protection Board (EDPB) adopted guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak. With regard to location data, the EDPB guidelines underline the necessity to respect the regulations set out by the ePrivacy Directive, for instance asking for anonymisation as well as consent of the data subjects for storage, processing, and other measures.
According to the guidelines, contact tracing applications must be voluntary, serve the purpose of managing the COVID-19 health crisis only, respect the principle of data minimisation, and ask for the data subjects’ consent to any operations that are not strictly necessary. Special attention should be paid to the regular review of algorithms and to applying state-of-the-art cryptographic techniques to secure the stored data. Finally, reporting users as infected with COVID-19 on the application must be subject to proper authorisation.