COVID-19: plan for seamless cross-border tracing across Europe

The EU has agreed on a set of technical specifications to ensure a safe exchange of information between national contact tracing apps, based on a decentralised architecture. Once the technical solution is deployed, such national apps will work seamlessly when users travel to another EU country.

This concerns the vast majority of tracing apps that were already, or are about to be, launched in the EU. This is an important additional step towards interoperability of mobile apps for tracing coronavirus infections, as countries begin to lift travel restrictions across borders.

The EU and other countries have been assessing the effectiveness, security, privacy, and data protection aspects of digital solutions to address the crisis. Contact tracing apps, if fully compliant with EU rules and well-coordinated, can play a key role in all phases of crisis management, especially when most countries are gradually lifting social distancing measures. They can complement existing manual contact tracing and help interrupt the transmission chain of the virus.

But there are concerns over privacy, accuracy, and the involvement of global tech giants. Some countries have even withdrawn apps while in others’ trials have hit technical and legal problems. They are a useful as part of a wider toolkit but not the ‘Magic Wand’ some claim. Not every person has or wants a phone that can install an app, in some countries, mobile phones have areas with no cover, and some people refuse to have them as they do not trust state authorities.

Commissioner Thierry Breton said: “It is important to ensure that Europeans can use the app from their own country wherever they are travelling in the EU. Contact tracing apps can be useful to limit the spread of coronavirus as part of national strategies to lift confinement measures.”

Commissioner Stella Kyriakides added: “Digital technologies are crucial to alert our citizens about infection risks and break transmission chains as we reopen our societies and economies. I call on our citizens to use them, as these technologies can only be effective if we have a critical mass of users, with interoperability of the applications across EU borders. Data security, fundamental rights and privacy protection in these digital tools will be non-negotiable.”

Most EU countries have decided to launch mobile apps to complement manual contact tracing of the spread of coronavirus. The great majority of national approved apps are based on a decentralised architecture, which means that the arbitrary identifiers of users that were detected in proximity remain on the phone itself, and will be checked by the phone against the identifiers of users reported to be infected. The technical specification for interoperability will allow these checks to be done also for users travelling from other countries, without the need to download several national apps.

The proximity information shared between apps will be exchanged in an encrypted way that prevents the identification of an individual person, in line with the strict EU guidelines on data protection for apps; no geolocation data will be used. To support further streamlining of the system, the European Commission will set up a gateway as an interface to efficiently receive and pass on relevant information from national contact tracing apps and servers. This will minimise the amount of data exchanged and thus reduce users’ data consumption.

The technical specifications agreed build on the Interoperability guidelines agreed in May, setting the general principles.

EU countries will already be able to update apps to permit information exchange between national, decentralised apps as soon as they are technically ready. The European Commission continues to support the work of countries on extending interoperability also to centralised tracing apps.

Countries in the eHealth Network, supported by the European Commission, have developed an EU toolbox for the use of mobile applications for contact tracing and warning in response to the coronavirus pandemic, which was accompanied by guidance on data protection for mobile apps.

The new system does not and probably will not include the UK, but will extend to non-EU countries that are in EFTA or the Schengen Zone.