“Health tech innovations such as contact tracing applications have been amongst possible solutions to prevent the spread of COVID-19.”

Health technology and data are vital in this crisis

COVID-19 outbreak has created a global public health crisis. The outbreak has put healthcare systems under unprecedented pressure all around the world. Challenges concern, in particular, the capacity of the healthcare sector, availability and quality of necessary equipment as well as possibilities to track contacts between people. In this type of crisis, medical devices, such as surgical masks, medical gloves and other medical equipment are crucial. Further, health tech innovations such as contact tracing applications have been amongst possible solutions to prevent the spread of COVID-19. Such applications need data in order to function and serve its purpose. The data is typically personal data i.e. information relating to an identified or identifiable natural person, such as health data.

An organisation that wants to develop a contact tracing application, or another COVID-19 related innovation, must assess whether the application is a medical device, what type of data needs to be collected and under which conditions the processing of the data is lawful.

Medical devices play a critical part

Approximately at the time of publication of this article, EU’s new Medical Devices Regulation (745/2017) should have become applicable in all EU Member States, the original date of application being 26 May 2020. However, due to the COVID-19 outbreak, application of this new legal framework was postponed by one year, until 26 May 2021.

The new legislation will harmonise the standards within the EU and introduce a wider scope of medical devices, increased market surveillance as well as updates to the classification of medical devices. The proper implementation of the new legislation could have resulted in a limited or delayed availability of essential medical devices as well as capacity of relevant authorities and other key players. Thus, postponing the application of the new Regulation was deemed necessary.

Is a contact tracing application a medical device?

Besides the medical equipment used for the diagnosis or treatment of COVID-19 patients in hospitals, contact tracing applications (referring to software applications used on smart devices) have been a hot topic globally. Such application is considered a medical device if it fulfils the criteria set forth in the Medical Devices Directive (93/42/EEC), and in the Medical Devices Act (629/2010) currently applicable in Finland.

A contact tracing application is a medical device if it is intended to be used for diagnosis, prevention, monitoring, treatment or alleviation of a disease. The determining factor is therefore the purpose of use of the application: if the application has a medical purpose, it is a medical device. For example, if the data collected by a contact tracing application is disclosed to and used by a health care provider in connection with diagnosis of COVID-19 or the prevention of a severe condition, the application could possibly be considered a medical device.

Data in the heart of innovation

Data is the essence of any contact tracing application. If the data is personal data, data protection legislation, including EU’s General Data Protection Regulation 2016/679 (“GDPR”), must be complied with. Compliance with data protection legislation must be ensured throughout the life cycle of the application, starting from the early stages of its development – all the way from the planning phase to the actual implementation and any further activities. Further, if location data is processed and/or telecom operators’ networks are used, it is also necessary to pay attention to the Act on Electronic Communications Services (917/2014).

Nature of the data, compliance and transparency

Appropriate measures should be taken by the relevant parties in accordance with the requirements set forth in the GDPR, including, among others, proper implementation of privacy by design and privacy by default mechanisms. The European Data Protection Board (“EDPB”) has explicitly stated that a data protection impact assessment (“DPIA”) must be carried out before the development of the application and it is recommended to make the DPIA publicly available. Similarly, according to the EDPB, the source code should be made public. Thus, transparency is essential in the development of an application. Releasing the code under an open source license would meet this recommendation and also enable collaborative development of the application by welcoming code contributions from third parties.

In order to identify the specific requirements for the processing of data, the nature of the data is decisive. A contact tracing application could for example collect the user’s contact information, health data and location data. In the context of COVID-19 outbreak, information about a vacation in a certain country at a certain time could become health data when it is, for example, processed by a healthcare service provider in connection with diagnosis.

Further, the data collected for the purposes of the application could also be anonymous data, which is not subject to data protection legislation as it is not personal data. However, it is important to make the distinction between anonymised and pseudonymised data. Pseudonymised data refers to data that can no longer be attributed to an individual without additional information. Pseudonymised data is personal data, whereas anonymised data is no longer personal data.

The European Commission and the EDPB have highlighted that the actual use and uploading of a contact tracing application should be voluntary. An individual should have the freedom to choose between using and not using any application, and a decision not to use an application should not have negative consequences on the individual.

The fact that the use of an application is voluntary does not necessarily mean that the processing of personal data is based on the user’s consent. A possible legal basis could be the consent of the user or for example a contract with the user or a task carried out in the public interest, depending on the circumstances in each individual case. However, in order for the processing of personal data to be lawful, at least one of the legal bases set forth in Article 6 (1) of the GDPR must apply.

If the data is health data, stricter rules apply. The main rule is that processing of health data is forbidden. The possible derogations from this main rule are listed in Article 9 (2) of the GDPR. Thus, processing of health data is lawful if at least one of the legal bases in Article 6 (1) of the GDPR and one of the derogations in Article 9 (2) of the GDPR apply.

“Individuals should not need to choose between privacy and contribution to public health.”

The right balance of rights and interests is the key

Individuals should not need to choose between privacy and contribution to public health. If applied properly, the GDPR is a facilitator, not an obstacle. Protecting privacy and personal data, while at the same time protecting public health and enabling the development of innovative tools, is essential. A good balance between interests, together with fairness, sustainability and transparency throughout the lifecycle of an innovation responding to COVID-19 outbreak is the way forward.