Contact The Team


* indicates required

COVID-19 contact tracing and data protection

Wednesday, April 22, 2020


As the seriousness of the Covid-19 pandemic took hold in Ireland in March, measures were introduced here on a phased basis, after we all witnessed a series of similar measures implemented previously across Europe. EU member states took action to protect their citizens. However, from an EU wide perspective, it was clear that there was no coordinated approach amongst members states leading to bottlenecks in accessing essential medical equipment, undermining the freedom of movement within the EU.

In a bid to avoid a repeat of the uncoordinated EU approach in the lead up to the European wide lockdown measures, the EU has been looking to get ahead of the next phase of Covid-19 and the easing of restrictions by means of an EU-wide coordinated approach. In a similar vein, the European Commission is advocating for a coordinated approach in the use of technology and data in the fight against Covid-19, and in particular in the area of contact tracing.

EU Action

On 8 April 2020, the Commission adopted a Recommendation on a common Union toolbox for the use of technology and data to combat and exit from the COVID-19 crisis. The Recommendation paved the way for the Common EU Toolbox for Member States (15 April 2020, Version 1.0). The common approach aims to exploit the latest privacy-enhancing technological solutions that enable at-risk individuals to be contacted using apps and, if necessary, to be tested as quickly as possible, regardless of where he/she is and the app he/she is using. It explains the essential requirements for national apps, namely that they be:

  • voluntary;
  • approved by the national health authority;
  • privacy-preserving, based on anonymised data and that personal data is securely encrypted;
  • interoperable across the EU; and
  • dismantled as soon as no longer needed.

The added value of these apps (as opposed to manual contact tracing) is that they can record contacts that a person may not notice or remember.

The toolbox is accompanied by guidance on data protection for such mobile apps. The guidance was drafted in consultation with the European Data Protection Board and outlines the framework to be followed by app developers to ensure full effectiveness and compliance of the technology they offer.

The guidance sets out a number of prerequisites for the development of mobile apps:

  • national health authorities would be responsible for compliance with EU data protection rules;
  • the installation and use of an app should be voluntary and provide its user with full control of their personal data;
  • the data protection principles set out in the GDPR should be followed (i.e. data minimisation; storage limitation; security; accuracy); and
  • data protection authorities should be fully involved and consulted in the development of an app.

ICO response  

On 17 April the ICO published an opinion on Apple and Google’s joint initiative on Covid-19 contact tracing technology. The ICO refers to the contact tracing initiative as the Contract Tracing Framework, or “CTF”, and broadly speaking confirms that the CTF aligns with data protection principles of data protection by design and default, but importantly noting that app developers must still take their own measures to ensure they comply with data protection law. The CTF is not itself a contact tracing app, and Google and Apple are not yet proposing to build such an app, although they have indicated that they intend to develop more functionality into their solution. For now, the aim is to enable third parties, such as public health authorities, to create contact tracing apps that exchange information via Bluetooth Low Energy between devices.

A simple explanation of how an app is envisaged to work has been provided by Google and Apple and is available here.

It appears that consent is likely to be the legal basis for processing under contact tracing apps and the ICO notes that this will raise interesting challenges in the roll out of the technology,  for example if consent is withdrawn.

The ICO recommends that organisations using contact tracing or location tracking technologies consider the following questions:

  1. Have you demonstrated how privacy is built into the processor technology?
  2. Is the planned collection and use of personal data necessary and proportionate?
  3. What control do users have over their data?
  4. How much data needs to be gathered and processed centrally?
  5. When in operation, what are the governance and accountability processes in your organisation for ongoing monitoring and evaluation of data processing to ensure it remains necessary and effective, and to ensure that the safeguards in place are still suitable?
  6. What happens when the processing is no longer necessary?

What next?

By 30 April 2020, public health authorities will assess the effectiveness of the apps at national and cross-border level. Member States should report on their actions by 31 May 2020 and make the measures accessible to other Member States and the Commission for peer review. The Commission will assess the progress made and publish periodic reports starting in June 2020 and throughout the crisis, recommending action or the phasing out of measures that seem no longer necessary.


As supervisory authorities (including the DPC) have stated, data protection laws do not stand in the way of the provision of public healthcare and public health management. The laws, however, must be respected in order to produce digital tools that the public can have confidence in and adopt in significant numbers in order for the technology to achieve its purpose and play its role in helping us manage our way out of the current crisis. A study of the Oxford University indicates that 60-75% of a population need to have the tracing app for it to be efficient. The Italian government has indicated that a minimum uptake of 60% in the population would be necessary to deliver the necessary levels of effectiveness. The EU Commission is at pains to avoid a repeat of the lack of coordination in the lead up to the lockdown measures experienced across the EU. It is stressing that a coordinated approach to contact tracing is needed to fight the Covid-19 crisis and to avoid adverse effects on freedom of movement and the single market.

The work being undertaken by Apple and Google referred to above is receiving positive feedback such as from the ICO and hundreds of academics across the world. It will be interesting to see how Member States approach the next phase of combatting Covid-19 through the use of digital based contact tracing. We await the feedback from the Commission that will follow each Member State reporting to the Commission by 31 May 2020. We will continue to monitor progress in this area and provide updates in due course.












Eoghan Doyle


Hugo Grattirola