European Data Protection Board holds its 32nd plenary session and adopts statement on the interoperability of contact tracing applications

At its 32nd plenary session, the EDPB adopted a statement on the interoperability of contact tracing apps, as well as a statement on the opening of borders and data protection rights. The EDPB also adopted two letters to MEP Körner on encryption and on Article 25 GDPR, and a letter to the Committee of European Auditor Oversight Bodies (on US Public Company Accounting Oversight Board arrangements.

The statement on the interoperability of contact tracing apps built on the EDPB Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak. The statement offers a more in-depth analysis of key aspects, including transparency, legal basis, controllership, data subject rights, data retention and minimisation, information security and data accuracy in the context of creating an interoperable network of applications, that all need to be considered on top of those highlighted in the EDPB Guidelines 04/2020.

The EDPB emphasised that the sharing of data about individuals that have been diagnosed or tested positively with such interoperable applications should only be triggered by a voluntary action of the user. Giving data subjects information and control will increase their trust in the solutions and their potential uptake, it said. The goal of interoperability should not be used as an argument to extend the collection of personal data beyond what is necessary.

Further, the EDPB said, contact tracing apps need to be part of a comprehensive public health strategy to fight the pandemic, such as testing and subsequent manual contact tracing for the purpose of improving the effectiveness.

Ensuring interoperability is not only technically challenging, it is sometimes impossible without disproportionate trade-offs, and it also leads to a potential increased data protection risk. Therefore, controllers need to ensure measures are effective and proportionate and must assess whether a less intrusive alternative can achieve the same purpose.

The EDPB also adopted a statement on the processing of personal data in the context of reopening the Schengen borders following the COVID-19 outbreak. The measures allowing a safe reopening of the borders currently envisaged or implemented by Member States include testing for COVID-19, requiring certificates issued by health professionals and the use of a voluntary contact tracing app. Most measures involve the processing of personal data.

The EDPB emphasised that data protection legislation remains applicable and allows for an efficient response to the pandemic, while at the same time protecting fundamental rights and freedoms. The EDPB stresses that the processing of personal data must be necessary and proportionate, and the level of protection should be consistent throughout the EEA. The EDPB urges the Member States to take a common European approach when deciding which processing of personal data is necessary in this context.

The EDPB adopted a response to a letter from MEP Moritz Körner on the relevance of encryption bans in third countries for assessing the level of data protection when personal data are transferred to countries where these bans exist. According to the EDPB, any ban on encryption or provisions weakening encryption would seriously undermine compliance with GDPR security obligations applicable to controllers and processors, be that in a third country or in the EEA. Security measures are one of the elements the European Commission must take into account when assessing the adequacy of the level of protection in a third country.

A second letter to MEP Körner addresses the topic of laptop camera covers. MEP Körner highlighted that this technology could help comply with the GDPR and suggested new laptops should be equipped with it. The EDPB clarified that while laptop manufacturers should be encouraged to take into account the right to data protection when developing and designing such products, they are not responsible for the processing carried out with those products and the GDPR does not establish legal obligations for manufacturers, unless they also act as controllers or processors. Controllers must evaluate the risks of each processing and choose appropriate safeguards to comply with the GDPR, including privacy by design and by default enshrined in Article 25 GDPR.

Finally, the EDPB adopted a letter to the Committee of European Auditor Oversight Bodies (CEAOB). The EDPB received a proposal from the CEAOB, which gathers national auditor oversight bodies at EU level, to cooperate and receive feedback on negotiations of draft administrative arrangements for the transfer of data to the US Public Company Accounting Oversight Board. The EDPB welcomed this proposal and indicated that it is available to hold an exchange with the CEAOB to clarify any potential questions on data protection requirements related to such arrangements in light of its Guidelines on the GDPR for transfers of personal data between EEA and non-EEA public authorities. To read the EDPB’s press release in full, click here.