The European Data Protection Board has held its 32nd plenary session.
Statement on contact tracing apps
It adopted a statement on the interoperability of contact tracing applications, analysing key aspects that need to be considered, including transparency, legal basis, controllership, data subject rights, data retention and minimisation, information security and data accuracy in the context of creating an interoperable network of applications.
The EDPB emphasises that the sharing, with such interoperable applications, of data about individuals who have been diagnosed or tested positive should only be triggered by a voluntary action of the user. Giving data subjects information and control will increase their trust in the solutions and their potential uptake. The goal of interoperability should not be used as an argument to extend the collection of personal data beyond what is necessary.
In addition, contact tracing apps need to be part of a comprehensive public health strategy to fight the pandemic, alongside measures such as testing and subsequent manual contact tracing, to improve the effectiveness of the measures taken.
Ensuring interoperability is not only technically challenging and sometimes impossible without disproportionate trade-offs, but also leads to a potentially increased data protection risk. Therefore, controllers need to ensure that measures are effective and proportionate and must assess whether a less intrusive alternative can achieve the same purpose.
Using personal data when reopening Schengen borders
The EDPB also adopted a statement on the processing of personal data in the context of reopening the Schengen borders following the COVID-19 outbreak. The measures currently envisaged or implemented by member states include testing for COVID-19, requiring certificates issued by health professionals and the use of a voluntary contact tracing app. Most measures involve processing of personal data.
The EDPB highlights that data protection legislation applies and allows for an efficient response to the pandemic, while at the same time protecting fundamental rights and freedoms. The EDPB stresses that the processing of personal data must be necessary and proportionate, and the level of protection should be consistent throughout the EEA. In the statement, the EDPB urges the member states to take a common European approach when deciding which processing of personal data is necessary in this context.
The statement also addresses the GDPR principles that member states need to pay special attention to when processing personal data in the context of reopening borders. These include lawfulness, fairness and transparency, purpose limitation, data minimisation, storage limitation, security of data and data protection by design and by default. In addition, the decision to allow entry to someone should not be based solely on automated individual decision-making technologies. In any case, such decisions should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express their point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision. Automated individual decision measures should not apply to children. Finally, the EDPB highlights the importance of a prior consultation with competent national supervisory authorities when member states intend to process personal data in this context.
Encryption bans
The EDPB also adopted a response to a letter from MEP Moritz Körner on the relevance of encryption bans in third countries for assessing the level of data protection when personal information is transferred to countries where these bans exist. The EDPB says that any ban on encryption or provisions weakening encryption would seriously undermine compliance with GDPR security obligations applicable to controllers and processors, be that in a third country or in the EEA. Security measures are one of the elements the European Commission must take into account when assessing the adequacy of the level of protection in a third country.
Laptop camera covers
A second letter to MEP Körner addresses the topic of laptop camera covers. MEP Körner highlighted that this technology could help comply with the GDPR and suggested new laptops should be equipped with it. In its reply, the EDPB clarifies that while laptop manufacturers should be encouraged to take into account the right to data protection when developing and designing such products, they are not responsible for the processing carried out with those products and the GDPR does not establish legal obligations for manufacturers, unless they also act as controllers or processors. Data controllers must evaluate the risks of each processing and choose the appropriate safeguards to comply with GDPR.