Contact tracing applications aim to warn people if they were in the close proximity of a person who is a confirmed case of COVID-19 and at the same time can provide to the health authorities a “modern” help in identifying the contacts of a confirmed case and guide them for self-isolation and testing. This sort of information could also offer a “big picture” of the epidemic and be useful for making further policy decision, such as lifting containment or imposing it again.

After observing individual initiatives of several EU Member States to develop warning and contact tracing applications (both in the public and private sector), the European Commission issued on 8 April 2020 the Recommendation C (2020) 2296 for developing a common European approach on the use of digital means in the fight against COVID-19, referred to as a “Toolbox” [1].

An intervention of the European Commission in this field was welcome, in order to reassure the European citizens that their right to data protection will be respected by the Member States during the use of any kind of warning and contact tracing app.

Also, the European citizens are expecting the reopening of the EU’s internal borders and hope that if these apps are respecting the same principles and techniques, they will be interoperable and will help a “healthy” exercise of the free movement right that was one of the greatest achievements of the Union.

The European Commission stated that it would explore even the possibility of a pan-European application. This would be a good idea for so many reasons: the level of trust of the citizens in the application will increase, leading to a high rate of use of the application and thus to good prevention results, while being a sign of old and good European solidarity during these days of amplified nationalism and sporadic cooperation.

The European Commission worked on the “Toolbox” in collaboration with the European Center for Disease Control and with the Member States represented in the eHealth Network. A first version of the “Toolbox” was released by the eHealth Network on 16 April 2020 and refers to a common European approach on the use of mobile applications for warning, preventing and contact tracing [2]. In addition, on 17 April 2020, the European Commission published in the EU Official Journal the Guidance 2020/C 124 I/01 on Apps supporting the fight against COVID-19 pandemic in relation to data protection [3].

The key points of the Guidance & “Toolbox” are, in my opinion, the following:

  • the applications used inside the EU should be voluntary;
  • the national health authorities should be the “controllers” of the processing of the users’ personal data;
  • the exact location of the individuals is not necessary to track, being enough to determine the proximity to an infected person.

Thus, the European Commission strongly recommends apps to be used on a voluntary basis and people to be determined to use them just by their conviction in the necessity of such apps and by their trust in the “controllers” of the processing of personal data. “Controller” is the concept used in the GDPR (General Data Protection Regulation) to designate the entity which is deciding the scope and means of processing and is accountable for respecting the GDPR. Hence, the European Commission praises that any such application to be used in strong cooperation with the national health authorities as “controllers”.

The Guidance & “Toolbox” point out that it is not necessary to store the exact time and place of the contact with an infected person or to follow the movements of the citizens. In order to help the user of the app, it is sufficient to determine his/ her proximity to an infected person and to warn him/ her to self-isolate or test.

The determination of the proximity will be done from epidemiological point of view as a function of the relevant distance and duration of a contact. From technological point of view, for the determination of proximity the European Commission recommends the use of Bluetooth Low Energy (BLE) communications data between devices (or data generated by equivalent technology).

How are the apps supposed to work?

The apps will generate pseudo-randomly ephemeral identifiers of the phones that are in contact with the user, during the exchange of Bluetooth signals. These identifiers will also change periodically, for a better data protection. The activation of Bluetooth should be possible without having to activate other location services, in order to exclude tracking by third parties.

The identifiers will be stored on the phone of the user, along with the proximity to the other devices and the duration of this proximity. The storing on the phone of the user is the so-called “decentralized solution”, which keeps the individual in control of his data.

Once a user is tested positive, he/ she introduces this information in the app, with the approval or confirmation of the national health authority, for example in the form of a QR or TAN code. Next, based on the above-mentioned identifiers, the app is sending an automatic alert message to the persons who have been in an epidemiological relevant contact with the infected person. The content of the alert message should be determined by the national health authority. The infected person will not know the identity of the persons that are alerted. Likewise, the alerted persons will not know the identity of the infected person.

Another solution of data storing is also discussed in the Guidance & “Toolbox”, the so-called “backend server solution”. In this scenario, the arbitrary identifiers are stored on a server held by the health authorities, as opposed to the individual’s phone. Of course, users cannot be directly identified through these data (identifiers). The alerts to the possibly infected persons will be generated in the same manner like in the previously discussed version (the decentralized solution), but the advantage will be for the public interest: health authorities to have a general picture of the epidemic evolution.

The European Commission considers that the decentralized solution is more in line with the minimization principle of the GDPR. However, the backend server solution can be put in practice if the user of the app is consenting to share the data stored on his phone with the national health authorities or if a Member State choses to build the application in this configuration (providing appropriate safeguards to the public).

The consent of the user should be asked also for the various functionalities of the apps dedicated to COVID-19 epidemic. The Guidance stresses on the fact that the functionalities like simple information, symptom checker, contact tracing and warning, forum between patients and doctors, should not be bundled, so that the user can provide his/ her consent, specifically, for each functionality.

Currently, some of the EU Member States are already testing or developing contact tracing app (e.g. Ireland, Norway, UK, Austria, France) [4]. Each application should undergo the principles established above in the Guidance & “Toolbox”.

From technical point of view, we see currently two competing open-source protocols in Europe, called “PEPP-PT” and “DP-3T”, each developed by a separate consortium of scientists and experts from various universities and research institutes. “PEPP-PT” (Pan-European Privacy-Preserving Proximity Tracing) is requiring users to upload contact logs to a central reporting server, while in what concerns “DP-3T” (Decentralized Privacy-Preserving Proximity Tracing) the contact logs remain locally on the users’ phone [5]. These protocols seem to correspond to the two solutions described in the Guidance & “Toolbox” above.

The European Commission has clearly indicated the preference for the decentralized solution, but still the health authorities in the Member States can make a choice for the centralized solution. Of course, the civil society can interfere with this choice.

For instance, in Austria, the code of “Stopp Corona” App (operated by the Austrian Red Cross) has been reviewed by privacy organizations and security experts and they made some critical recommendations that determined the Austrian Red Cross to announce the switch to a completely decentralized system based on DP-3T protocol [6].

It is clear that contact tracing apps can be a valuable help in the stage of lifting the restrictions in Europe and the re-start of the economy and of the people’s normal life and habits. It remains to be seen if the European citizens will accept only a limited role of this sort of modern “epidemiologist” – the personal warning, or they will accept also a wider role of such apps, giving also to the public health authorities some information about the users state of health, on which further public policy decisions can be based. Although there are currently some national apps under development, we hope that the most promising of these apps, the one that will best fulfil the GDPR criteria, will be adopted on a large scale, becoming a pan-European app, for supporting people’s free movement inside the EU.