Germany is debating whether apps related to the coronavirus (COVID-19) pandemic would be useful, what they should cover, and what the ramifications would be under applicable data protection laws.
An initial statement from a German government agency confirmed that apps related to the COVID-19 pandemic are legally possible under applicable data protection laws. The design and introduction of such apps may have a multitude of implications for businesses, whether they design such apps or wish to work with them. For instance, the data sets that such apps would collect could be combined with other data to allow identification of individual users, depending on who has access to these data sets, so that users would not remain anonymous.
On April 7, the federal commissioner for data protection and freedom of information provided initial comments on the EU General Data Protection Regulation (GDPR) compliant design of a planned nationwide “data donation app.” Through this app, citizens provide relevant health data on a voluntary basis to the Robert Koch Institute (RKI), Germany’s federal agency in charge of public health (comparable to the US Centers for Disease Control and Prevention), in order to enable the RKI to generate additional information on the geographical spread of the virus by using algorithms. The RKI explicitly refers to a similar project in the United States that demonstrated that wearable device data can improve real-time surveillance of influenza-like illnesses.
There is great interest within parts of the industry to get access to this app, which requires a smartphone and a wearable device. The commissioner’s opinion carries substantial weight, as he is in charge of the telecommunications sector nationwide. The commissioner seems to assume that the RKI “data donation app” would collect personal data and hence falls under the GDPR.
From what has become public so far, the RKI is the main promoter of this app, which processes the following data sets of each participating individual:
The algorithms behind the app are designed to recognize symptoms that are associated with a coronavirus infection, such as an increased resting pulse and altered sleep and activity patterns. The “donated” data will be used exclusively for scientific purposes.
After careful processing, the data will be incorporated into a map that visually represents the distribution of potentially infected persons down to the level of the zip code. The RKI will regularly update the map and publish it on its website.
The app is not a coronavirus test, and app users will not be informed about possible infection.
The name of the app, translated to “Corona Data Donation,” is somewhat misleading, as the app’s users do not waive their rights under data protection law. However, the federal commissioner believes that a GDPR-compliant app is generally possible. He stated:
My agency has not yet received a final version of the “Corona Data Donation” app. My staff has advised the RKI in advance [on the data protection requirements]. In principle, I consider a data protection-compliant implementation to be possible and welcome the corresponding decisions of the RKI on the design of the app. We will continue to provide advice and will also subsequently accompany the data processing of the app within the scope of our data protection supervision.
In his public statement, the federal commissioner referred to the information obligations under the GDPR that the app must comply with, which include in particular information transparency.[1] He sees a need to catch up with regard to the storage period:[2] “Citizens must be clearly and unambiguously informed which data the app collects and for what purpose. In addition, the RKI still needs to specify how long the data will be stored.”
He also commented on the purpose limitation of the app, which is a core principle under the GDPR: "I also expect regular evaluation of whether the app is fulfilling its purpose. If it does not, the processing must be stopped."
The federal commissioner and some of the state data protection commissioners discussed the app-related data protection issues in the context of individual informed consent.[3] This is due to the design of the app, which requires voluntary download and registration. However, it leaves unanswered the question of whether the use of such apps may be based on the "public interest" exemption for health data.[4] Using consent as a legal basis has its downsides. It raises issues such as whether consent is really voluntary, whether the formal requirements of obtaining consent are met, and what happens if the individual withdraws his/her consent.[5]
For instance, if an employer encourages its employees to participate in using the “data donation” app, the employees may feel pressured to participate, such that their individual consent might not be regarded as “freely given” under the GDPR.
Moreover, the processing of health data, as a special category of personal data, requires the individual’s “explicit consent.”[6] As currently required by many European data protection authorities, the extra requirements for consent to be “explicit” are likely to be the following:
The privacy policy and consent process must fully comply with these requirements. This process must also fully safeguard the data subjects’ rights to delete their personal data.[7]
As regards withdrawal of consent, the federal commissioner’s statement is clear that app users may do so at any time, and the RKI agreed that all collected data of such users will be deleted in this case.
Another open issue that the federal commissioner addressed is that it is unclear how the app will interface with the commercial collection of health data in the life sciences sector. Unfettered data transfers to and from such data collectors would likely undermine the GDPR’s protections of participating individuals.
One issue is that such data collectors could use an algorithm or combine the six data sets with their own stored information to find out the identity of app users. App users are therefore not “fully anonymous.” The federal commissioner also noted this risk and concluded, “I would like to point out that the level of data protection in fitness trackers and Smart Watches varies greatly from manufacturer to manufacturer. This interface is probably the biggest problem from a data protection perspective.”
The RKI reported that so far more than 300,000 people (as of April 14) have downloaded the app and decided to share selected data with the RKI.
If the data sets collected through the app are later disclosed to other parties for scientific or other purposes, a well-designed consent process with a detailed privacy policy is particularly important. Such other parties, as the likely controllers, will need to ensure that the data sharing fully complies with the GDPR requirements, such as “explicit consent” and, where applicable, the requirements for storing data outside of the European Economic Area.
Otherwise, they could be liable for GDPR violations as the data controller,[8] or if the data sets were shared jointly and severally, as a joint controller.[9] Businesses using data from fitness trackers and smart watches that share their data sets with such an app could also qualify as joint controllers for these data sets, and should not share their data sets with such an app without valid consent from users.
We will continue to monitor the app’s progress and its GDPR implications, and will update this LawFlash with further details.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
Frankfurt
Walter Ahrens
Washington, DC
Axel Spies