View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cloud
April 17, 2020

Europe Publishes Contact-Tracing App Guidelines

EC urges privacy protections, robust security

By CBR Staff Writer

The European Commission (EC) has released a contact-tracing application toolbox to help member states develop apps to trace the path of COVID-19, without, it hopes, infringing on the rights of citizens.

In a 44-page guide the EC sets out the requirements that should be met for any contact-tracing application. It should be voluntary, approved by the state’s health authority and in line with personal data privacy laws.

The aim of contact tracing is to enable public health authorities to quickly assess and trace the path of the virus by identifying people who have had contact with an infected individual.

Collected anonymised and aggregated data could allow local authorities to follow infection patterns and make critical containment decisions.

Commissioner for Internal Market Thierry Breton commented: “Contact-tracing apps to limit the spread of coronavirus can be useful, especially as part of member states’ exit strategies.

“However, strong privacy safeguards are a pre-requisite for the uptake of these apps, and therefore their usefulness. While we should be innovative and make the best use of technology in fighting the pandemic, we will not compromise on our values and privacy requirements.”

Crucially – and typically harder to implement – it is required that once the application is no longer needed, it should be dismantled.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

The report notes that: “The functionality in such apps – if rolled-out on a large scale so that they reach well over 50 percent of the population – could be useful for Member States to rapidly detect contacts of cases, collect information on these contacts and to inform contacts on the need for follow-up and testing if required.”

The EU toolbox has been developed by the e-Health Network – a voluntary platform for member states – with support from the European Commission.


The guide has privacy concerns as a central point and is advising that applications be built on technology that does not enable the tracking of an individual’s location. One such method suggested is Bluetooth proximity technology, which has already been used by the Singapore Ministry of Health.

Another existing application build using a different approach is  Israel’s Hamagen app that uses a device’s GPS data to determine if a user has come into contact with an infected person within the preceding 14 days.

The UK government itself is receiving mobile data from telecommunication providers such as BT. Richard Helson, a former police officer and now head of mobile data specialist Chorus Intelligence UK, told Computer Business Review that it appeared the government would be getting “only the cell tower location… not the physical location of the device,” but that this data would be useful to track larger-scale lockdown compliance.


The toolbox has several guidelines for developers and understanding the scope of the project seems to be squarely in view as they are urged to actively limit the permissions of the application.

When possible they should use pseudonymise or anonymise data to ensure public privacy. Any sensitive data not being used should be deleted as soon as possible. The guide advises that developers “test their app as much as possible, using automated tools for testing and integration, which cover not only functional tests, but also security tests like fuzz testing, vulnerability scanning, code quality checks, (static and dynamic) code analysis tools, source code scanning for libraries and developed code.”

The EC suggests that member states stage bi-weekly meetings and, by June, deliver a standard that can help authorities to plan exit strategies.

See Also: ICO will Relax Enforcement of Data Protection Law in Light of COVID-19

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.