Popular culture would have it that if you think of something, there’s an app for it. And, since COVID-19 is presently on top of most people’s minds, there are various apps for it – from checking symptoms to tracing apps. 

As the global fight against the coronavirus pandemic perseveres, a lot of countries are exploring the possibility of easing lockdowns and returning to some form of normality – although this will definitely be a ‘new normal’. 

The easing of restrictions depends on various factors, including on being able to quickly identify people who might have been exposed to the virus. Such early detection and tracking – even through technological tools such as Artificial Intelligence – have been shown to be effective in controlling the spread of COVID-19.

When conducted physically, such contact tracing is a slow and laborious process. However, with the help of dedicated apps, a person’s movements can be retraced in an automated manner – therefore identifying the people who that particular person has been in contact with, more quickly, and notifying them at the earliest possible stage. 

Tracing apps also generate data on population movements – such data, when anonymised and aggregated, can help authorities and researchers anticipate needs, plan public health resources, and check whether other measures used to limit the spread of COVID-19 are proving effective. 

There are two main models of tracing apps: centralised and decentralised – in the first, user data is stored in a central database, while in the second, data relating to the individual user is stored on their own phone. Also, while in the former model, it’s the database that does the contact matching, risk analysis and sends alerts, in a decentralised app, it’s the phone itself that carries out these functions. Both models have their supporters, and detractors, on which is the most effective to protect user data.

The efficiency of such apps, however, depends on take-up. A preprint shared by a research team from Oxford University suggests that for such apps to help slow the spread of the virus, a threshold of 60 per cent of the population would need to have downloaded the app. 

Whether a person downloads a tracing app depends on various factors – from availability of technology to lifestyle and trust that an app would protect a user’s privacy and private data. 

Most EU countries have already launched or intend to launch a mobile tracing app designed to track individuals who are infected or at risk of contracting the virus. In Malta, while a symptom testing app has been launched, in a press briefing on April 30, Superintendent of Public Health Charmaine Gauci said a team of experts had been brought together and they are working with people from the EU and the European Centre for Disease Prevention and Control, to evaluate the best way forward. 

Tracing apps must be truly voluntary, non-discriminatory and transparent

In a plenary debate in May, Members of the European Parliament have agreed that apps – together with other measures such as testing, masks and social distancing – could be a useful ally in combating the spread of COVID-19. However, most highlighted that apps should safeguard citizens’ personal data and privacy.

Specifically, tracing apps must be truly voluntary, non-discriminatory and transparent. The use of tracing apps must be strictly limited to contact tracing and any data gathered must be deleted as soon as the situation allows.

MEPs also emphasized the need for a coordinated approach in developing tracing apps to ensure cross-border interoperability. 

During the same debate, Commissioner for Justice Didier Reynders and Croatian State Secretary Nikolina Brnjac shared the MEPs’ views on the need to ensure that citizens can trust the safety of the apps. Reynders highlighted that national authorities will work together with the EU data protection authorities to ensure the tracing apps comply with EU privacy and data protection laws in place. He also stressed that the Commission strives to ensure a common approach between EU countries so that the apps are interoperable.

This focus on data protection and privacy is also informed by an April 17 resolution, where the European Parliament stressed that national and EU authorities must fully comply with data protection and privacy legislation, specifically the ePrivacy Directive and the GDPR.

MEP Roberta Metsola said that any app or digital infrastructure that intends to help flatten the COVID19 curve or mitigate the contagion must have inbuilt data protection, privacy and security safeguards within it. 

“These cannot be an afterthought but must be part of the conversation from the very beginning. I still need to be convinced that the data-trove these apps would allow governments to access contain the ironclad guarantees as to their use, access and retention of data that we would require in order for the public to have the confidence in the system and make use of it.

“What is true is that the conversation needs to shift to what measures we can introduce to mitigate the spread of the infection until a vaccine is made available. Contact tracing is a critical element of this process but it must be coupled with ensuring everyone has access to personal protective equipment like masks and gloves, rapid testing, unprecedented education and public awareness campaigns and reinforcing physical distancing. We want common European health and sanitation protocols for the hospitality and transport industries, to mention two examples, so that every EU member state and every citizen can be sure that the highest standards are kept across the EU.

MEP Miriam Dalli said that when used correctly, technology and innovation provide us with the solutions to protect ourselves but when abused they threaten our rights and our freedoms. 

“If contact tracing apps are to be deployed, they should guarantee privacy, should not store unnecessary personal information including location tracking, should be installed voluntarily, and dismantled post-pandemic. This is extremely important. Unfortunately, we have seen situations where systems have been introduced because of an emergency or another, but then ended up outliving that emergency. This should be enforced on a member state level and independent app reviews and audits must also be enforced. 

“Having said that, Malta has shown that the pandemic can be controlled by citizens acting responsibly and respecting social distance measures. The jury is still out on what will happen now that border controls are being gradually lifted. 

“The coordination of cross-border interoperable COVID-19 contact tracing apps work is a European Commission competence, but the development of the app is a national competence. The major issue with having many different national tracing apps is not knowing whether they will be functionable or even interoperable when citizens travel from one member state to another. If a user has multiple apps when travelling, it could further complicate an unproven technology.”

For Dr Dalli, the answer to this would be the effective interoperability of contact tracing apps among member states and their individual apps. 

“This means that all social tracing apps would be able to exchange the minimum amount of information necessary to alert individual app users, wherever they are located in the EU, of an epidemiologically relevant exposure. All this has to be accompanied by strict and high standards of data privacy.

“In April, we supported a European Parliament resolution calling for the storage of data to be decentralised, full transparency be given on commercial interests of developers of these apps, and that clear projections be demonstrated as regards how the use of contact tracing apps by a part of the population, will lead to a significantly lower number of infected people.

“With apps that can determine a person’s location at any given time, risking building a ‘Big Brother’ society, developers and operators must be fully transparent on the functioning of contact-tracing apps, so that people can verify both the underlying protocol for security and privacy, and check the code itself to see whether the application functions as the authorities claim,” she added.

To assist in a common approach and making tracing apps operate across borders, in April , the EU Commission published a toolbox and interoperability guidelines, adopted by consensus by the e-Health Network. These tools provide a practical guide to member states to develop apps on which users can rely, irrespective of the region or member state they are in. 

The guidelines also point out that most EU member states have launched – or are preparing to roll out – tracing apps. These apps were developed according to the member state’s respective COVID-19 crisis management strategy. For instance, some apps require almost all data processing and storage to take place on the device, while other apps would require more processing and storage on a backend server. But for all approaches, the guidelines specify that the implementation of the app must be in a such a way that it prevents the possibility for identification of app users, whether infected, exposed or otherwise, unless that information has been voluntarily provided by the individuals in question. 

The situation created by the pandemic is unique – and this may justify member states to limit certain freedoms in order to take effective steps to fight COVID-19. 

Yet such exceptional circumstances still warrant that any measures taken – including the development and launch of tracing apps – should comply with fundamental rights standards and EU rules on data protection and privacy. 
In all potential applications, technology can be used wisely. In the fight against COVID-19, various forms of technology – such as tracing apps, artificial intelligence, clinical devices and robots to disinfect areas – can provide precious assistance. When developed and launched in a manner that fundamental rights and privacy are protected, tracing apps are another tool in Europe’s arsenal to fight – and defeat – the pandemic. 

The European Parliament will keep monitoring. 

“We´ll keep a close eye that EU law principles and rules are respected throughout the fight against COVID-19. That includes apps and technologies to control the spread patterns of the pandemics,” said Juan Fernando López Aguilar, chair of Parliament’s civil liberties committee, while welcoming the introduction of the EU toolbox.  

EU toolbox: guidance on developing tracing apps 

EU member states, supported by the Commission the European Data Protection Supervisor, and European Data Protection Board have developed an EU toolbox for the use of mobile applications for contact tracing and warning in response to the coronavirus pandemic. Guidance on data protection is an essential part of these guidelines: the apps must fully comply with EU data protection rules, most notably the General Data Protection Regulation (GDPR) and the ePrivacy Directive.

  • National health authorities should approve apps and be accountable for compliance with EU personal data protection rules
  • Users remain in full control of personal data. App installation should be voluntary and they should be discontinued as soon as no longer needed
  • Limits use of personal data: only data relevant to the purpose in question, and should not include location tracking
  • Strict limits on data storage: personal data should be kept for no longer than necessary
  • Security of data: data should be stored on an individual's device and encrypted.
  • Interoperability: apps should be usable in other EU countries as well
  • National data protection authorities should be fully consulted and involved 

A service brought to you by the European Parliament Office in Malta, with the cooperation of the European Commission Representation in Malta. #EuropeansAgainstCovid19

Sign up to our free newsletters

Get the best updates straight to your inbox:
Please select at least one mailing list.

You can unsubscribe at any time by clicking the link in the footer of our emails. We use Mailchimp as our marketing platform. By subscribing, you acknowledge that your information will be transferred to Mailchimp for processing.