Data privacy during the coronavirus pandemic – is the decision on the ‘COVID-19 app’ architecture in line with recent European Data Protection Board guidance?

29. April 2020

Click herto read ARQIS’s article on plans to introduce a ‘COVID-19 app’ and the associated legal challenges. Now the German government appears to have reached consensus on the controversial issue of which software architecture to use for the app. It has opted for a tracing app with special Bluetooth technology to alert smartphone users when they have been in close proximity to someone infected with the virus. The app is not expected to be available until mid-May at the earliest. Until now opinions had differed on how exactly to implement the app and whether it would be compliant with data privacy legislation.

The guidelines published by the European Data Protection Board (EDPB) on 21 April 2020 pertaining to the processing of health, location and contact tracing data in the context of the COVID-19 outbreak provide important guidance as to the legality of such a tracing app. According to the EDPB there are no fundamental data privacy obstacles to the use of a tracing app. It is not a matter of choosing between an effective response to the current crisis and interfering with citizens’ fundamental freedoms and data privacy rights. The two are compatible if certain precautions are taken and rules observed when developing the tracing app:

  • Use of the app would have to be voluntary and allow citizens to monitor the use of their personal data at all times.
  • The app would not collect location data since this type of data is not necessary for the purpose of interrupting the infection chain. It is sufficient if information about close proximity between people, irrespective of their location, is obtained.
  • If the app user is diagnosed as infected with COVID-19, information about the infection should only be disclosed to persons who have been in epidemiological contact with the infected user.
  • The use of a central server to log contacts should not been rejected outright.However, if it is necessary to use a central server the volume of processed data will have to be restricted to the absolute Minimum .

The European Data Protection Board provided the following guidance on the processing of health data:

  • Article 9(2) (i) and (j) of the General Data Protection Regulation (GDPR) allow for health data to be processed when necessary for scientific research purposes or statistical purposes. However, such processing must always be based on Member State law and, as a result, the terms and scope of such processing may differ from country to country.
  • Existing processing risks will make it essential to take suitable technical and organisational measures pursuant to Art. 5, 32 and 89 GDPR to ensure the security of the data. When data is processed for research purposes a suitable guarantee will have to be provided.
  • Proportionate data storage periods will have to be established which take various criteria such as the duration and purpose of the research into account.
  • The fundamental rights accorded to data subjects concerning their personal data in Art. 12 to 22 GDPR (including the right to information and access, the right to rectification and erasure) may not be categorically restricted or excluded. However, Member State law may provide for specific derogations (where personal data are processed for scientific or historical research purposes or statistical purposes) in accordance with Art. 89 (2) GDPR.

According to the information currently available, the German government’s proposal for a tracing app is in line with the above guidance. In particular, voluntary use of the app and the fact that no location data will be stored, have repeatedly proven to be the main criteria for a data privacy-compliant software architecture. After a several-week-long dispute the German government has now decided to adopt a more data privacy-friendly decentral architecture for the storage of proximity data. This decision should be welcomed.

It remains to be seen whether the privacy-by-design approach will be adopted by citizens with the same enthusiasm as the mandatory face masks. From a data privacy perspective, there is no reason why they shouldn’t.

Your contact persons:
Tobias Neufeld, LL.M., Partner
+49 172 6865 911
E tobias.neufeld@localhost


Dr. Philipp Maier, Counsel
M  +49 172 990 1195


If you have any questions, please write to us.