European Union’s Data-Based Policy Against the Pandemic, Explained

Benefitting from a mature and largely harmonized data protection legal framework, the European Union and its Member States are taking policymaking steps towards a pan-European approach to enlisting data and technology against the spread of COVID-19 and to support the gradual restarting of the economy. Here is an overview of key recent events essential to understand EU’s data-based approach against the pandemic:Early on, the European Data Protection Supervisor (EDPS) – which is the supervisory authority of the EU institutions and bodies and also the consultative body on EU legislation that may impact data protection, issued Comments on the European Commission’s plan to access telecommunications data from telecommunications service providers to monitor the COVID-19 spread (March 25), and also issued a public call for a pan-European approach against the pandemic (April 6).Following a detailed Recommendation issued by the European Commission on April 8, the eHealth Network, a voluntary network providing a platform of Member States’ competent authorities dealing with digital health, published a week later a common EU Toolbox for Member States on contact tracing mobile applications. The Presidents of the European Commission and the European Council – which reunites the heads of state or government of EU Member States, published on April 15 an exit strategy, or Joint European Roadmap towards lifting COVID-19 containment measures, where the first two of seven measures proposed are based on the collection and use of data. The Commission also issued guidelines specifically on how these mobile applications should be designed and implemented to respect data protection requirements (April 16). The European Parliament adopted, on April 17, a resolution on EU coordinated action to combat the COVID-19 pandemic and its consequences, including specific recommendations and even ‘demands’ for certain safeguards around contact tracing applications, including a decentralized approach. The European Data Protection Board, the EU body reuniting the leaders of all Data Protection Authorities (DPAs) in the EU – meaning the only authorities that are competent to enforce data protection law within Member States both in the public and private sectors, published its Guidelines on contact tracing apps and the use of telecommunications data to fight the effects of the pandemic and Guidelines on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak (April 23). These guidelines come after several other instances where the EDPB quickly provided its view on related pressing issues: a letter to the Commission responding to a consultation on its data protection guidelines mentioned above, and a Statement on the processing of personal data in the context of the COVID-19 outbreak, with a focus on the employer-employee relationship. This contribution looks solely at EU-level policy, which will trickle down to national level.