Council of Europe Strasbourg

In a joint statement the Chair of the Council of Europe’s data protection “Convention 108” committee, Alessandra Pierucci, and the Council of Europe’s Data Protection Commissioner, Jean-Philippe Walter, have warned of the possible side effects of digital contact tracing applications used to help combat the COVID-19 pandemic, and call for adequate safeguards to be put in place to prevent risks to personal data and privacy.

Since the start of the pandemic, governments and stakeholders involved in the fight against the virus have been relying on data analytics and digital technologies to address the threat. Mobile applications have been used in some countries and are being considered in others as a complementary response to the need to rapidly perform contact monitoring.

Aimed at contributing to deliberations currently underway in many countries, the statement has been issued in order to emphasise that, wherever such solutions are chosen, strict legal and technical safeguards need to be in place to mitigate the risks to the protection of personal data and privacy.

If these applications are deployed, it should be for a limited duration only and solely on a voluntary basis. These applications should include safeguards "by design" to prevent or minimise risks, e.g. to ensure that location data of individuals are not used, that no direct identification is possible or that re-identification is prevented.

This statement follows a first Joint Declaration on the right to data protection in the context of the COVID-19 pandemic issued on 30 March.

In 1981, the Council of Europe adopted the first international treaty to address the right of individuals to the protection of their personal data, Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, also known as “Convention 108”. In 2018, the treaty was updated by an amending protocol, not yet in force, aimed at ensuring that its data protection principles are still adapted to new tools and new practices. So far, 55 countries have ratified “Convention 108” and many others have used it as a model for new data protection legislation.