Position Statement on the Contact Tracing Mobile Applications and Data Protection

Submitted by Baldeep Singh Gill, Kshitij Naik, Associate Editors, The Indian Learning and Manohar Samal, Research Intern.


European Commission Guidance on Apps supporting the fight against COVID 19

  • On 16th April 2020, the European Commission issued a draft Guidance on COVID-19 Mobile Applications (downloaded voluntarily by people), as contact tracing mobile applications are believed to play a vital role in COVID-19 management and in lifting the containment measures. The draft focuses on guiding the European Union (EU), Member States, and application developers to ensure compliance with the General Data Protection Regulation (GDPR) and the ePrivacy Directive.

  • To complement the exit strategy (lift containment measures), the draft develops a common European Union approach (“Toolbox”) or pan-Europe approach vis-à-vis contact tracing mobile applications to enable the citizens to take efficacious social distancing measures and to limit the spread of COVID-19 by contact tracing, prevention and warning. The draft ensures the protection of privacy, personal data, and fundamental rights of citizens.

Symptom Checker and Contact Tracing

  • The draft recognizes two types of apps to fight COVID-19, i.e., symptom checker and contact tracing. Symptom checker apps guide citizens by providing information on COVID-19, self-isolation and transmission. Contact tracing apps identify whether the person came in contact with a COVID-19 infected person and provide for the next appropriate steps. The data collected by the former apps can help the European public health and epidemiological centres, and the European Centre for Disease Prevention and Control (ECDC), to identify the spread and transmission of COVID-19.

Accountable and Trustful Use of Applications

  • The draft acknowledges that symptom checker and contact tracing apps have an impact on a wide range of rights provided under the EU Fundamental Rights Charter. To ensure GDPR and ePrivacy Directive compliance, and to ensure trust among the general public, the draft sets out the following 10 elements:

(i) National health authorities as data controllers

  • National health authorities or similar entities are recognised as data controllers. The data controllers will be responsible for processing the sensitive personal data and for GDPR compliance, which will result in building trust among EU citizens. The authorities will, however, have limited access to the data.

(ii) Control of personal data

  • The draft gives individuals control over their data. The installation of applications is voluntary and the data generated by the application is to be stored on the individual’s device (decentralised). The individuals can exercise their rights under the GDPR and the ePrivacy Directive. The draft further provides for the deactivation of such apps after COVID-19 is declared under control.

(iii) Legal basis for processing data

  • The third element states that a legal basis for processing data and personal information should exist as per the provisions of the ePrivacy Directive, which stipulates that if data is already stored or if it is intended to store data on an individual’s device, then the user should explicitly consent to and request such storage and access. Furthermore, it requires that processing of collected personal data and information by the national health authorities should be done by way of legislation to ensure that the details of the processing of specific health data are prescribed, the possibility of utilising such data for a different purpose is excluded and adequate safeguards are postulated.

(iv) Data Minimisation

  • The fourth element requires that only personal data and information which is adequate, limited and relevant to the specified purpose can be processed. The test of necessity can be used to achieve this result effectively. The Commission believes that collecting less data will aid the security of the collected data.

(v) Limiting the disclosure/access to data

  • The fifth element provides that disclosure of and access to data should be limited. To be more precise, even other health authorities who are not necessary authorities for such data collection cannot have access to this data. As far as the symptom checker and telemedicine functions are concerned, only responsible health authorities and national epidemiological authorities should get access to the information of an individual. It is extremely vital that, under this element, information on the identity of the infected person should not be disclosed to persons with whom he or she has been in epidemiological contact.

(vi) Precise purposes for processing

  • The legal basis for processing personal data and information should explicitly assert its purpose, and the purpose will depend upon the mobile application’s functionalities.

(vii) Strict limits to data storage

  • This element of the draft guidance recommends that stringent limits to data storage should exist. It emphasizes the duration of data storage rather than other aspects. All information which is related to installing the functionality has to be deleted immediately. Information collected through telemedicine and symptom checker functionalities should be deleted by the responsible health authorities after a maximum period of 1 (one) month or after the individual is tested negative. Moreover, proximity data used by contact tracing and warning functionalities has to be deleted at the earliest, which is either after a maximum period of 1 (one) month or if the individual is tested negative.

(viii) Ensuring the security of the data

  • Data security has to be ensured by storing such information and data on a personal device of the individual in a pseudonymised and encrypted format. To prevent eavesdropping and hacking, the proximity data should be created and stored against regularly changing temporary IDs rather than against the actual ID of the device.

(ix) Ensuring the accuracy of the data

  • To minimise false-positive results, the accuracy of contact tracing information is indispensable. Location data and Bluetooth should be amalgamated for precise assessment.

(x) Involving Data Protection Authorities

  • Lastly, the authorities created under regional and domestic data protection laws of the EU should be actively involved, consulted and deployed for the development of the aforementioned applications.

European Data Protection Board

  • While advising the European Commission on the draft “Guidance on Apps supporting the fight against COVID 19 pandemic in relation to data protection”, the European Data Protection Board (EDPB) stated that a one-size-fits-all solution cannot be adopted and that the technical solutions are to be examined on a case-by-case basis. Considering every individual’s health, personal data collected from such individuals should be processed lawfully by the data protection authorities.

  • The EDPB states that applications must be developed in an accountable way, taking into account Data Protection Impact Assessment (DPIA), privacy by design and privacy by default mechanisms, and making the source code of the applications publicly available for possible scrutiny.

  • The EDPB focuses on minimising interference with the private life of individuals while concurrently processing the data to preserve public health. It seeks to protect every individual’s rights and duties and not to make the installation of such applications mandatory. To ensure the effectiveness of applications, the EDPB advises national level awareness campaigns and assistance for minors, the impaired, and the less skilled and educated.

  • The EDPB has suggested that contact tracing apps shall not track the movement of people (individuals) or enforce prescriptions. The main function of such apps is to discover events (contacts with positive persons) and make the users of these apps aware of such incidents so that they may take due care and precaution.

  • The European Commission gave utmost priority to the privacy rights of the citizens and has ensured that such data is not used for surveillance or to spread mass hysteria. Qualified personnel/experts will ensure strict supervision of the apps, and the individuals using them are in total control of their data at all times. The EDPB further requires apps to comply with the General Data Protection Regulation (GDPR) and the ePrivacy Directive while ensuring that the data collected by these apps is only used to obstruct the pandemic. To ensure the security and privacy of individuals, the EDPB advocates Data Anonymization and Data Minimisation.

The Indian Society of Artificial Intelligence and Law is a technology law think tank founded by Abhivardhan in 2018. Our mission as a non-profit industry body for the analytics & AI industry in India is to promote responsible development of artificial intelligence and its standardisation in India.


Since 2022, the research operations of the Society have been subsumed under VLiGTA® by Indic Pacific Legal Research.

ISAIL has supported two independent journals, namely the Indic Journal of International Law and the Indian Journal of Artificial Intelligence and Law. It also supports an independent media and podcast initiative, The Bharat Pacific.