The European Commission has published a Recommendation for use of technology and data to combat and exit from the COVID-19 crisis, in particular concerning mobile apps and use of anonymised mobility data.

What does the Recommendation cover?

The Recommendation establishes a process for developing a common approach (Toolbox) to use digital measures to address the COVID-19 crisis.  The Toolbox will include practical measures for making effective use of technology and data, focusing on a:

  1. Pan-European approach for use of mobile apps, co-ordinated at an EU level, to empower citizens to take effective and targeted social distancing measures and for warning, preventing and contact tracing to help limit the spread of the virus. This will involve a methodology for monitoring and sharing assessments of how effective these apps are, cross border implications and interoperability, and how such apps respect security, privacy and data protection; and
  2. Common scheme for using anonymised and aggregated data on mobility of populations for modelling and predicting the spread of the virus.  This will also be used to monitor how effective decision making has been by Member State authorities regarding measures such as confinement and social distancing, as well as informing a coordinated strategy for exiting the COVID-19 crisis.  

The Toolbox

The European Commission notes that respect for fundamental rights, including privacy, data protection, prevention of surveillance and stigmatization, are paramount throughout this process.  In addition, the development of solutions should be guided by privacy and data protection principles.

Therefore, the Toolbox should:

  1. Strictly limit the processing of personal data for purposes of combating COVID-19, and personal data should not be used for any other purposes (such as law enforcement or commercial purposes);
  2. Ensure regular review of the need for the processing of personal data to combat COVID-19, and include appropriate “sun set” clauses to ensure the processing does not go beyond what is strictly necessary;
  3. Include measures to ensure once the processing is no longer strictly necessary, the processing ceases and personal data is irreversibly destroyed (unless on advice of ethics boards and data protection authorities, the scientific value in serving the public interest outweighs the impact on data subjects, but appropriate safeguards must be in place).

The European Data Protection Board and the European Data Protection Supervisor will be closely involved in development of the Toolbox to ensure it integrates data protection and privacy by design principles.

The Toolbox will be complemented by guidance from the European Commission, including on data protection and privacy implications of use of mobile warning and prevention apps.

Pan European Approach to COVID-19 mobile apps

As a first priority for the Toolbox is a pan-European approach for COVID-19 mobile apps, which will be developed together by Member States and the European Commission by 15 April 2020.

This co-ordinated approach will include:

  1. Specifications to ensure mobile information, warning and tracing apps to combat COVID-19 are effective from a medical and technical perspective;
  2. Measures which prevent apps being proliferated which are not compatible with EU law, as well as supporting accessibility for people with disabilities, and supporting interoperability and promoting common solutions (including a potential pan-European app);
  3. Governance mechanisms for public health authorities and cooperation with ECDC;
  4. Identifying good practices and mechanisms to exchange information on functioning of apps; and
  5. Sharing data with relevant epidemiological public bodies and public health research institutions, including aggregated data to ECDC.

Mobility data

The second priority for the Toolbox is the common approach for use of anonymised and aggregated mobility data necessary for:

  1. Modelling to map and predict the spread of the virus as well as the impact on needs of health systems in Member States (including Intensive Care Units and Personal Protective Equipment); and
  2. Optimising the effectiveness of measures to contain the spread of the virus, and to address its effects, including confinement (and de-confinement) and to obtain and use such data.

This will include the appropriate use of anonymous and aggregated mobility data for modelling to understand how the virus will spread and modelling the economic effects of the COVID-19 crisis. In addition, safeguards will be required to prevent de-anonymization and to avoid re-identification of individuals, as well as immediate and irreversible deletion of personal data which is accidentally processed and notifying the provider of the personal data and competent authorities.

The personal data should be deleted within a period of 90 days, or no later than when the pandemic is under control, and processing of the personal data should be restricted exclusively for the purposes set out in the Recommendation and there must be no sharing of data with any third party.

Next Steps

The pan-European approach for COVID-19 mobile apps will be developed by 15 April 2020.

Member States will report to the Commission on the actions they have taken pursuant to the Recommendation by 31 May 2020.

In June 2020, the Commission will assess the progress made and the effect of the Recommendation.

Further Information

To read the full Commission Recommendation, visit Commission Recommendation on a common Union toolbox for the use of technology and data to combat and exit from the COVID-19 crisis. If you have any questions about these enforcement trends or any other privacy law, please do not hesitate to reach out to authors Brian Hengesbaugh, Harry Valetk  and Ben Slinn.


Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.


Harry is a partner based in New York. He advises global organizations on privacy and data security compliance requirements. His practice is focused on delivering commercially practical advice on designing security, privacy, and technologically compliant solutions.


Ben advises clients in a wide range of industry sectors, focusing in particular on data protection compliance, including healthcare, financial services, adtech, video games, consumer and business-to-business organisations. Ben regularly assists clients with global data protection compliance projects and assessments as well as specific data protection challenges such as international transfers and data security breaches. Ben is also regularly involved in drafting and negotiating data protection clauses in agreements for various clients in a wide range of industry sectors. Ben also regularly advises clients on electronic direct marketing and cookies.

Write A Comment