As covid19 is taking a toll on Europe, some EU countries, following the steps of others previously impacted by this pandemic, are introducing legislation allowing them to process health data based on public interest and without individuals' consent. While GDPR provides for such a legal basis on substantial public interest grounds in the area of public health, this should not be interpreted as a blank cheque for governments to proceed as they see it fit.
For instance, the Spanish Ministry of Health recently passed an Order that provides for the development of technology solutions and mobile apps that will collect citizens' data in support of improved health services. This includes, in particular, the urgent development of an app which, in addition to providing users with a self-diagnose test to determine if they are infected and suggest them practical recommendations, it will trace their geolocalisation to verify that they are where they claim to be.
Similarly, the French Government has announced the development of an app, "StopCovid", which should track infected users and warn those who have been in contact with them. In spite of the privacy concerns raised, the German Government is also favouring a contact-tracing app to curtail the virus spread.
Against this background, the European Commission issued a Recommendation on 8 April 2020 calling for a coordinated European approach for the use of mobile applications and mobile data in response to the coronavirus pandemic. While the Commission acknowledges the important role that digital tools can play in the gradual lifting of the current containment mesures, by empowering citizens to practise targeted social distancing, they should not undermine EU fundamental rights such as privacy and data protection.
The Spanish Ministry of Health will be able to check through its mobile app if citizens are where they claim to be.