Coronavirus: a common approach for safe and efficient mobile tracing apps across the EU

What is a contact tracing and warning app?

A contact tracing and warning app is voluntarily installed and used to warn users if they have been in proximity for a certain duration to a person who has reported testing positive for COVID-19. In case of an alert, the app may provide relevant information from health authorities, such as advice to get tested or to self-isolate, and who to contact.

Why do we need these apps?

Contact tracing is an essential intervention, alongside testing and isolation, in the effort to control the pandemic. Mobile tracing will complement traditional tracing that is done manually by public health authorities when they interview patients with symptoms, typically over the phone, to understand with whom they have been in contact over the past 48 hours.

Contact tracing apps may allow warning as many potential contacts as possible, thereby enabling them to take further steps that can help to break infection chains and thus quickly stop the virus from spreading further. Together with traditional tracing and complemented by other measures such as increased testing, voluntarily installed tracing apps can provide a valuable contribution to the gradual lifting of confinement measures.

What are the guidelines on cross-border interoperability about?

These are common and general principles aimed at ensuring that tracing apps can communicate with each other when required, so citizens can report a positive test or receive an alert, wherever they are in the EU and whatever app they are using. The guidelines will be complemented by a set of clear technological parameters to ensure swift implementation by developers working with national health authorities.

The Commission is supporting Member States in finding the right solution to ensure secure, protected and interoperable contact tracing apps across Europe, in line with the principles set out in the EU toolbox and the Commission guidance on data protection.

Tracing apps must be voluntary, transparent, secure, interoperable and respect people’s privacy. Apps will use arbitrary identifiers; no geolocation or movement data will be used. All apps have to be temporary only, so they will have to be dismantled as soon as the pandemic is over.

And they should function everywhere in the EU, across borders and across operating systems. Interoperability is crucial, so that wide, voluntary take-up of national tracing apps can support the relaxing of confinement measures and the lifting of restrictions of freedom of movement throughout the EU.

Why do we need these interoperability guidelines?

Interoperable apps will facilitate the tracing of cross-border infection chains and be valuable for cross-border workers, tourism, business trips and neighbouring countries. The voluntary and widespread use of interoperable apps may support exit strategies, the gradual lifting of border controls within the EU and the restoration of freedom of movement.

The interoperability guidelines were agreed by Member States in the eHealth Network with the support of the Commission. They set out the minimum requirements for approved apps to communicate with each other, so that individual users can receive an alert, wherever they are in the EU, if they may have been in proximity for a certain time to another user who has tested positive for the virus.

For example, apps need to have a common approach to detecting proximity between devices, and they should allow individuals roaming in another Member State to be alerted with the relevant information in a language they understand.

What data will I share when using these apps?

Upon activation, the app generates an arbitrary identifier (a set of numbers and letters). These keys will be exchanged via Bluetooth between phones at short distance. The exchanges make it possible to detect other devices with a similar, running app nearby.

How does a tracing app work, concretely?

You install the application on your phone. Some limited registration information may need to be provided to start the application. After giving the necessary consent to use Bluetooth for proximity detection, the app will start generating temporary keys that are shared with other devices running an EU contact tracing app.

If you feel sick and get a positive diagnosis for COVID-19, your public health authority will enable you to confirm this through the app. At that moment, the electronic contact tracing triggers an alert to the people with whom you have been in contact. These users will be notified of their exposure and will be advised on the steps to follow, for example self-quarantine or testing. They can also contact the health authority.

Your identity, location and exact time of contact are never revealed. The same applies if a contact of yours tests positive: you will be notified so that you can protect yourself and the people around you. The use of the application is voluntary. It will be deactivated automatically at the end of the pandemic, and you are free to uninstall it at any time.

The functioning of contact tracing and warning apps across borders is illustrated in this infographic.

Will I need an internet connection to use my app?

For the tracing functionality as such, a permanent Internet connection is not necessary. Bluetooth, which is used to detect proximity with other users, does not require Internet. However, to check infection chains, to receive alerts, and potentially for additional functionalities, the apps will need to communicate through mobile Internet or Wi-Fi.

How will people be covered who do not have a modern smartphone or do not have a smartphone at all?

Health authorities will continue to operate manual contact tracing, especially for elderly and disabled persons. These manual contacts will be more focused and efficient, as the applications will make it possible to cover most of the rest of the population.

Will personal data be shared between Member States?

The Commission is working with Member States on a privacy-preserving interoperability protocol. If one Member State’s app is to work in another Member State, some encrypted data will be shared with the server processing data collected by the app in that other Member State. These servers should be under the control of the competent national authority. Each app must be fully compliant with the EU data protection and privacy rules, and should follow the Commission guidance.
