
EU COVID-19 Contact Tracing Recommendation

The EU Commission set ground rules for COVID contact tracing apps in April 2020. Voluntary adoption only, strong privacy requirements, and apps should work across borders. This shaped how the Corona-Warn-App and others were built.

Fact-checked and reviewed — Kodi C.


In April 2020, the European Commission adopted Recommendation (EU) 2020/518 on a common Union toolbox for the use of mobile applications and location data in the COVID-19 response (C(2020)2296). The recommendation urges EU and EEA member states to deploy voluntary, privacy-preserving contact tracing and warning apps that are interoperable across borders and consistent with the GDPR, the ePrivacy Directive, and EU Charter protections. It tasks the eHealth Network with coordinating technical standards, data governance rules, and interoperability testing so that citizens can receive exposure notifications when they travel.

Context and scope


The Commission framed contact tracing apps as complementary public-health tools that must align with national testing, isolation, and manual tracing programs. Recommendation (EU) 2020/518 specifies that apps should help break transmission chains, provide accurate risk communication, and support epidemiological modeling while avoiding any form of social profiling or movement enforcement. It emphasizes compliance with Regulation (EU) 2016/679, the free movement of persons, and the proportionality principle, ensuring that digital measures do not exceed what is needed to manage the pandemic.

The European Data Protection Board (EDPB) later confirmed these legal boundaries, clarifying that proximity-tracing apps should rely on Bluetooth-based pseudonymous identifiers rather than geolocation and must include strong safeguards such as purpose limitation, strict access controls, and transparency for users (EDPB Guidelines 04/2020).

Voluntary participation and non-discrimination

The recommendation requires that installation and use remain strictly voluntary and that individuals who opt out face no penalty or loss of service. Member states are instructed to ensure public authorities and private actors do not make app use a condition for access to transport, employment, or venues. Clear withdrawal mechanisms must allow users to uninstall the app and delete data at any time, with no disadvantage to those who choose not to participate.

Data minimization and storage limitations

Data collected should be limited to what is necessary for exposure notifications. Personal data should, where possible, remain on the device and be processed locally. Centralized storage of proximity data is discouraged unless strictly necessary and subject to high-grade security controls. Any optional data needed for epidemiological analysis must be fully anonymized or aggregated, and retention periods must be short—aligned with incubation periods and national health laws.

Privacy safeguards

Built-in GDPR controls

Member states are instructed to define controllers, processors, and lawful bases for processing before launch. Public-health authorities should lead processing under national legislation implementing Articles 6 and 9 of the GDPR, while app stores and analytics providers must be kept outside the data flow where feasible. Data protection impact assessments (DPIAs) must document necessity and proportionality, with consultation of supervisory authorities when high risks are identified.

The recommendation calls for explicit transparency: plain-language privacy notices, open-source code publication, and easy access to contact details for data controllers. Individuals should be able to exercise their GDPR rights—especially access, rectification, erasure, and restriction—through in-app tools or dedicated portals. Strong pseudonymization, rotating identifiers, and resistance to re-identification should prevent misuse.

Security baselines and trust assurance

Security expectations include end-to-end encryption for proximity keys, signed risk scores, and protections against replay or relay attacks. National computer security incident response teams (CSIRTs) should test apps for resilience, monitor threat intelligence, and coordinate rapid updates when vulnerabilities are discovered. The EDPB underscored that neither employers nor insurers should gain access to contact-tracing data, and data must never be used for law enforcement or commercial profiling purposes.

Sunset clauses and deletion guarantees

Processing must end when the pandemic no longer warrants digital tracing. Member states are directed to set explicit end dates tied to public-health assessments and to publish criteria for decommissioning. All data—on devices and any back-end systems—needs to be erased or irreversibly anonymized at the sunset date, and open-source repositories should archive versions to preserve transparency while preventing future misuse.

Technical standards and interoperability

Bluetooth-based proximity design

The eHealth Network's toolbox recommends short-range Bluetooth Low Energy (BLE) proximity detection with rolling, cryptographically generated identifiers. The design avoids GPS or cellular geolocation, reinforcing compliance with the data minimization principle. Apps should estimate contact risk using signal strength thresholds and cumulative exposure duration, configurable by public-health authorities to reflect local epidemiology and testing strategies.

Risk scoring parameters—transmit power calibration, attenuation buckets, and infectiousness weighting—should be publicly documented and regularly reviewed. The recommendation notes that epidemiologists should validate these parameters to minimize false positives and false negatives, while software teams implement safeguards against device heterogeneity and background execution limits.
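To make the scoring model described above concrete, here is an added illustration (not code from the recommendation, the eHealth Network toolbox, or any national app) of how attenuation buckets, per-bucket weights, an infectiousness weight, and a cumulative-duration threshold combine into a notify/no-notify decision. Every numeric parameter and every exposure window is a constructed placeholder; a real deployment would take these values from the publicly documented, epidemiologist-validated configuration the text calls for.

```python
# Added example: weighted exposure scoring from attenuation buckets.
# All numeric parameters and sample windows are constructed for illustration.
from dataclasses import dataclass
from typing import Iterable, Tuple

@dataclass(frozen=True)
class ScoringConfig:
    attenuation_edges: Tuple[int, ...]   # dB upper bound of each bucket
    bucket_weights: Tuple[float, ...]    # weight applied to minutes in each bucket
    infectiousness: Tuple[Tuple[int, float], ...]  # (max |days from onset|, weight)
    threshold_minutes: float             # weighted minutes that trigger a notification

    def bucket_weight(self, attenuation_db: float) -> float:
        # Higher attenuation means a weaker signal, i.e. the other device was likely farther away.
        for edge, weight in zip(self.attenuation_edges, self.bucket_weights):
            if attenuation_db <= edge:
                return weight
        return 0.0  # beyond the last edge: too far to count at all

    def infectiousness_weight(self, days_from_onset: int) -> float:
        for max_days, weight in self.infectiousness:
            if abs(days_from_onset) <= max_days:
                return weight
        return 0.0  # contact outside the infectious window contributes nothing

def weighted_minutes(windows: Iterable[Tuple[float, float, int]], cfg: ScoringConfig) -> float:
    """windows: (attenuation_db, duration_minutes, days_from_symptom_onset)."""
    return sum(minutes * cfg.bucket_weight(att) * cfg.infectiousness_weight(days)
               for att, minutes, days in windows)

def should_notify(windows, cfg: ScoringConfig) -> bool:
    return weighted_minutes(windows, cfg) >= cfg.threshold_minutes

# Constructed configuration: three buckets (near / medium / far), two infectiousness tiers.
CONFIG = ScoringConfig(
    attenuation_edges=(55, 63, 73),
    bucket_weights=(1.0, 0.5, 0.0),
    infectiousness=((2, 1.0), (6, 0.5)),
    threshold_minutes=15.0,
)
SAMPLE_WINDOWS = [  # constructed exposure windows
    (50, 10, 1),   # near bucket, 10 min, close to onset      -> 10 * 1.0 * 1.0 = 10
    (60, 10, 1),   # medium bucket, 10 min                    -> 10 * 0.5 * 1.0 = 5
    (70, 30, 1),   # far bucket carries weight 0              -> 0
    (52, 20, 10),  # near, but outside the infectious window  -> 0
    (80, 60, 0),   # beyond the last edge, discarded          -> 0
]
if __name__ == "__main__":
    print(weighted_minutes(SAMPLE_WINDOWS, CONFIG), should_notify(SAMPLE_WINDOWS, CONFIG))
```

Changing a single parameter, such as raising `threshold_minutes` to 20, flips the decision for the same windows, which is why the text asks for parameter changes and their rationale to be published and reviewed.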

Cross-border interoperability and roaming

The Commission mandates cross-border functionality so that citizens receive exposure alerts when traveling. The eHealth Network published interoperability guidelines and a federated Gateway Service enabling national back ends to exchange diagnosis keys securely (eHealth Network EU Toolbox). Member states must ensure their apps conform to common protocols, metadata formats, and certificate policies before connecting to the gateway.

Interoperability testing should verify cryptographic compatibility, consent handling, and adherence to national risk thresholds. Privacy reviews must confirm that keys exchanged across borders are limited to what is necessary and that no location or device identifiers accompany the data. Service-level agreements between participating authorities should set uptime, incident notification, and key-revocation processes.

Open-source transparency and auditability

The recommendation encourages publishing source code, cryptographic specifications, and documentation to foster public trust and expert review. Continuous integration pipelines should include automated security testing, linting for privacy-sensitive logging, and reproducible builds to guard against supply-chain tampering. Where decentralized frameworks like DP-3T or the Google/Apple Exposure Notification (GAEN) APIs are used, national teams should document how they configure exposure parameters and handle updates pushed through app stores.

Member state actions and governance

National coordination and oversight

Health ministries should appoint a lead authority to manage the app lifecycle, backed by multidisciplinary teams including epidemiologists, security engineers, legal counsel, and public-communication specialists. Governance forums must meet regularly to assess uptake, effectiveness, and incident reports, publishing dashboards with anonymized metrics such as active users, keys uploaded after positive tests, and exposure notifications delivered.

Data-protection authorities should receive DPIAs, code audit results, and change logs. Where national parliaments or civil-society oversight bodies exist, the recommendation supports their involvement to reinforce legitimacy and accountability.

Communications and user experience

Clear onboarding flows should explain how exposure notifications work, how data is protected, and how to obtain support. Accessibility requirements under Directive (EU) 2016/2102 apply, requiring support for screen readers, high-contrast modes, and multilingual content. Notifications should direct users to official testing and isolation guidance, and content must be aligned with the European Centre for Disease Prevention and Control (ECDC) risk-communication principles.

Monitoring effectiveness and adjusting parameters

Member states should evaluate effectiveness by correlating app-derived contact events with manual tracing outcomes and testing positivity rates. The toolbox urges the use of anonymized epidemiological data, limited to what is necessary, to refine risk-scoring parameters. Authorities should publish periodic reports describing parameter changes, rationale, and observed false-positive/false-negative trends, while ensuring that no re-identification risk arises from published statistics.

Lifecycle exit strategy

Before decommissioning, authorities should publish a migration plan that disables key uploading, prevents new installations, and removes the app from app stores. Public messaging should explain the decision and provide assurances about data deletion. Any retained documentation should be limited to non-personal operational records needed for audits or lessons-learned exercises.


Source material

  1. Commission Recommendation (EU) 2020/518 on a common Union toolbox for the use of technology and data to combat and exit from the COVID-19 crisis — European Commission
  2. Mobile applications to support contact tracing in the EU’s fight against COVID-19 — Common EU Toolbox — European Commission
  3. Guidance on Apps supporting the fight against COVID 19 pandemic in relation to data protection — European Commission