
Contact tracing apps: a new digital tool to fight COVID-19 but what are the data protection considerations? - Ireland



    As of today, the Irish Department of Health has announced another fall in the daily number of people with confirmed cases of COVID-19. The country is cautiously moving towards loosening restrictions and considering possible other ways to see people return to a “new normal”. One such measure that is being considered both here and abroad is the introduction of smartphone tracing applications (ie “contact tracing apps”).

    What is a “contact tracing app”?

    “Contact tracing” is a term we have all become quite familiar with during this pandemic. The World Health Organisation defines contact tracing as “the process of identifying, assessing, and managing people who have been exposed to a disease to prevent onward transmission”.

    The aim of contact tracing apps therefore is to enable smartphones to automatically detect whether the user has been in contact with, or in close proximity to, an infected person or someone with COVID-19 symptoms. The premise is that the app would then notify the user accordingly that a test should be undertaken or the user should self-isolate. This could help break the contamination chains as early as possible thereby reducing the risk of further spread of COVID-19.

    Sounds great! Where do I sign up? 

    Although a contact tracing app sounds like a great way to fight this pandemic, any data driven technology carries data protection and privacy concerns. The European Data Protection Board (EDPB) adopted its Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak on 21 April 2020 (the Tracing Guidelines). The Tracing Guidelines reflect the EDPB’s earlier statement on the processing of personal data in the context of the COVID-19 outbreak adopted on 19 March 2020 (the Statement). 

    The EDPB’s overarching message in both the Statement and the Tracing Guidelines is that although data protection rules do not hinder measures taken against the COVID-19 pandemic, such measures must respect the general principles of law and importantly must not be irreversible.

    What are the Tracing Guidelines’ key messages?

    Voluntary adoption: Contact tracing apps can only be legitimised by relying on voluntary adoption by their users. There should be no disadvantage to those who decide not to or cannot use such apps.

    Data Protection Impact Assessment: A DPIA should first be carried out as this new technology consists of systematic and large scale monitoring of location and/or contacts between individuals.

    Controller Identification: In line with the GDPR principle of accountability, the controller of the app should be clearly identified. National health authorities are noted by the EDPB as possible controllers.

    Purpose Limitation: The purposes must be specific enough to exclude further processing for purposes unrelated to the management of the COVID-19 pandemic (eg commercial or law enforcement purposes).

    Data minimisation and data protection by design and default: Proximity data should be used (as opposed to location tracking), re-identification of individuals should be prevented and the information should reside on the user’s terminal equipment (as opposed to a central server).

    ePrivacy Directive: Consent requirements under Article 5(3) of the “ePrivacy” Directive must be considered.

    Legal Basis: The appropriate legal basis must be identified. The EDPB notes that where the contact tracing app is provided by a public authority, the most likely relevant legal basis for the processing is the necessity for the performance of a task in the public interest (Article 6(1)(e) GDPR). Where health data is processed a further legal basis under Article 9 must be identified.

    Least intrusive solution: The specific purpose should be taken into account and the least intrusive option selected.

    Retention: As a general rule, all personal data obtained from the contact tracing app should be erased or anonymised after the COVID-19 crisis ends.

    Audit: The source code for the tracing app should be made publicly available to ensure accountability and scrutiny.

    What contact tracing apps are currently available?

    Many countries have already begun using such digital tools in their fight against COVID-19. China was a prominent first adopter of this technology, where individuals must show a green health code on their smartphones to gain entry to many public places. This demonstrates they have not been in contact with a confirmed case of COVID-19.

    Closer to home, the UK’s NHSX (the digital innovation wing of the National Health Service) is now trialling its own contact tracing app on the Isle of Wight. Privacy and data protection experts have begun to weigh in as the proposed test version reportedly uses a centralised server and not the de-centralised storage on the user’s smartphone (as recommended by the EDPB).

    The Irish Health Services Executive (HSE) is currently developing its own contact tracing app. It is reported that the app will follow the decentralised model used in Germany, where data will be retained on the user’s phone, and not the UK model, where data is collected centrally. The Irish Data Protection Commission (DPC) has not yet published an official statement on the proposed HSE app. However, it is understood that the HSE is preparing its DPIA to be sent to the DPC and will engage with the DPC on data protection considerations. Before the app is launched, we expect to see guidance from the HSE on its use for both businesses and individuals, together with supporting guidance from the DPC.

    For further information please contact

    Marie McGinley, Partner and Head of IP, Technology & DP -

    Neasa Ní Ghráda, Senior Associate in IP, Technology & DP -

    For support on legal issues facing your business in light of the outbreak of Covid-19, please visit our Coronavirus hub to get our latest information and guidance.


    This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full terms and conditions on our website.
