Tech & Rights

Legal Acts

Knowledge Hub: COVID-19 Contact Tracing Apps In The EU

by LibertiesEU

Country Reports | Data Protection Authorities | Policy Bodies | Courts | Legal Acts

This page provides a summary of the legal acts that have been introduced specifically to regulate the use of COVID-19 apps or contain at least one or several paragraphs that are directly relevant to the national COVID-19 app. We did not, however, collect general national or European data protection laws or other relevant and applicable laws.

Last updated 15 March 2021

Austria l Belgium | Bulgaria | Croatia | Cyprus | Czech Republic | Denmark | Estonia | Finland | France | Germany | Hungary | Ireland | Italy | Lithuania | Malta | Netherlands | Poland | Portugal | Slovenia | Spain | United Kingdom | European Union


Austria

N.A. (No specific legal framework was introduced to regulate the use of the app.)


Belgium

Royal Decree of Special Powers No. 18

Entered into force on 4 May, ceases its effects on 4 June 2020

The decree sets the legal basis for the creation of a huge centralized database. The decree provided that the personal data would be communicated to the National Public Health Institute by general practitioners, hospitals, laboratories and call centers. This means that doctors would be obliged to communicate their patients’ data, a breach of medical confidentiality.


Royal Decree No. 25

Entered into force on 5 June and ceases its effects on 30 June 2020

The decree essentially extends Royal Decree No. 18.


Royal Decree No. 44

Enters into force on 1 July and ceases its effects on 15 October 2020

The decree regulates manual contact tracing and sets the legal basis for the creation of a digital contact tracing app. The decree was not submitted to the national data protection authority for opinion. The decree deals with the app's technical aspect, including its functionalities and operations, technical specifications and interoperability, as well as the responsibilities and obligations of its developers. The text also includes control measures, such as regular monitoring and evaluation, and subjects the app to an information security audit.


Cooperation Agreement of 25 August 2020

The Cooperation Agreement of 25 August 2020 between the Federal State, the Flemish Community, the Walloon Region, the German-speaking Community and the Joint Community Commission replaces Royal Decree of Special Powers No. 44. It provides the legal framework necessary for manual and digital tracing of contacts of people infected with the SARS-CoV-2 virus in order to limit its spread. It also concerns the joint processing of data by Sciensano (the national public health institute) and the contact centers (or call centers) as part of contact tracing, for which the authors of the project deem it necessary to have a massive centralized database.


Bulgaria

Act on the Measures and Actions during the State of Emergency

Announced 13 March 2020

The Act sets the legal basis for the implementation of new measures to limit the spread of COVID-19. The Act included an amendment to the Electronic Communication Act (ECA), giving the national police the power to access phone location data from telecommunications companies in order to control citizens put under mandatory quarantine – without court order or a clear time limit. The matter was brought before the Constitutional Court by a group of parliamentarians. On 17 November, the Court decided by 10 votes to 2 that the use of location data to control quarantine compliance is unconstitutional.


Croatia

Amendment to the Law on Electronic Communications

Passed 19 March 2020, withdrawn before the second reading in Parliament

Legalized the widespread monitoring of citizens’ mobile devices in order to contain the spread of the virus.


Cyprus

N.A. (No specific legal framework was introduced to regulate the use of the app.)


Czech Republic

Governmental Resolution No. 576

25 May 2020

The Resolution defined a joint task to implement the Smart Quarantine 2.0 strategy through mutual cooperation between the Ministry of Health and the National Agency for Communication and Information Technologies. A part of the strategy is further development and operation of the contact tracing app.


Denmark

Executive Order on the processing of information on electronically registered contacts with a view to preventing and curbing the spread of Coronavirus disease 2019 (COVID-19)

Entered into force on 31 October 2020 and was repealed on 1 March 2021

The Executive Order regulates the use of the Danish Smittestop app, including its purpose and scope, the data processing and deletion of personal data on users’ telephones as well as by health authorities.


Estonia

Amendment to the Regulation No. 138 Statutes of the Health Information System

21 July 2020

The purpose of this amendment is to ensure the protection of the users’ personal data. In particular, the Amendment calls for data providers to perform their obligations in such a way that the app will not reveal users personal data.


Finland

Temporary amendments (Chapter 4a) to the Finnish Law on Contagious Diseases

31 August 2020

These amendments set up rules of the use and transfer of data, such as receipt of the user’s consent for data processing inside an app, as well as a requirement to delete the collected data within 21 days of its registration.


France

Decree n ° 2020-650 of 29 May 2020 relating to data processing known as "StopCovid"

29 May 2020

The decree regulates the use of the contact tracing app StopCovid (later called TousAntiCovid). It provides the general rules for data processing (e.g. defines the data controller and processor, the purpose and duration of data processing). It also specifies that the source code must be published, that the use of the app is voluntary and that it can be “uninstalled at any time”. The decree also specifies the functioning of the app.


Order defining the distance and duration of contact criteria with regard to the risk of contamination by the COVID-19 virus for the operation of the data processing known as "StopCovid"

30 May 2020

The Order provides that the distance and duration of contact criteria mentioned in Article 2 (5) of Decree of 29 May 2020 allows to consider that two mobile phones are sufficiently close to each other to pose a risk of contamination by the COVID-19 virus when users of the "StopCovid" application are within one meter for at least 15 minutes.


Decree No. 2021-157 of 12 February 2021 amending Decree No. 2020-650 of 29 May 2020 relating to data processing known as "StopCovid"

12 February 2021

The decree amends the Decree n°2020-650 of May 29 and introduces new functionalities. For example, users can now change their status to "contact at risk of contamination", which allows them to benefit from a COVID-19 test. In addition, the application can now collect the last contact date with a person diagnosed or tested positive with the COVID-19 virus.


Germany

N.A. (No specific legal framework was introduced to regulate the use of the app.)


Hungary

Government Decree 181/2020

4 May 2020

The decree gave authorities the power to check the compliance with the official home quarantine rules electronically. It also modified the procedure for violating epidemiological regulations.


Ireland

N.A. (No specific legal framework was introduced to regulate the use of the app.)


Italy

Law No. 70 of 25 June 2020

25 June 2020

Converts the law decree of 30 April 2020 into Law No. 70


Law Decree no. 28 of 30 April 2020 (or 'Justice Decree')

30 April 2020

The government passed a decree that sets out inter alia rules for the adoption of a contact tracing app (Article 6). It also stipulates that the Ministry of Health is the data controller. While the data processed through the Immuni app can only be used to contain COVID-19, aggregated or anonymized data can also be used for public health or scientific research purposes.


Lithuania

Law on Electronic Communications

31 March 2020

Bill passed under fast-track procedure forcing phone service providers to share location data to a government-authorized body.


Malta

N.A. (No specific legal framework was introduced to regulate the use of the app.)


Netherlands

Temporary Act on notification application Covid-19

6 October 2020

Sets the legal basis for the usage of the contact tracing app.


Decree of 11 December 2020, extending the Temporary Act on Notification Application Covid-19

11 December 2020

Extends the force of the Temporary Act on notification application Covid-19.


Poland

Act on special solutions related to the prevention, prevention and combating of COVID-19, other infectious diseases and crisis situations caused by them (Anti-crisis shield)

8 March 2020

Article 7e of the Anti-Crisis-Shield made it mandatory for people under home quarantine to use the Kwarantanna domowa / home quarantine app released by the Ministry of Digitization.


Portugal

Decreto-Lei n.º 52/2020

12 August 2020

This decree-law establishes who is responsible for data processing and regulates the intervention of the doctor in the STAYAWAY COVID system. The data processing for the operation of the STAYAWAY COVID system is exceptional and transitory.


Slovenia

Intervention Measures to Contain the COVID-19 Epidemic and to Mitigate its Consequences for Citizens and Economy Act

10 April 2020

The new legislation, inter alia, significantly increased the power of the police. Article 103 enables police to use personal data obtained by the National Institute for Public Health (NIJZ). The information includes the name, identification number (EMŠO), address, information on the general practitioner and on the decision by which the person is ordered to be quarantined, information on the type and duration of the quarantine and more. In its first draft proposal, the government had also suggested giving police the power to trace the location of an individual’s mobile phone without a court warrant (Article 104).


The Act on Intervention Measures in Preparation for the Second Wave of COVID-19 or "Fourth COVID-19 Act"

9 July 2020

The parliament passed the "Fourth COVID-19 Act" on 9 July, creating the legal basis for the deployment of a contact tracing app. According to the new law, people who test positive for the virus or are currently in quarantine are obliged to download and use the app (Article 28) and could receive a fine between 100 and 600 EUR if they fail to do so (Article 47). Opposition parties and the DPA said that mandatory use is unconstitutional and would breach personal data protection rights. In a press conference a few days later, the government announced that the app would be voluntary for everyone. However, as of February 2021, the law has not been changed.


Spain

Orden SND/297/2020

27 March 2020

The Order entrusts the Secretary of State for Digitalization and Artificial Intelligence (SEDIA) of the Ministry of Economic Affairs and Digital Transformation more competences to manage the pandemic, including the development of technological solutions and mobile applications for data collection and the launch of a mobility study.


United Kingdom

The Health Protection (Coronavirus) Regulations 2020

28 September 2020

The Health Protection (Coronavirus) Regulations 2020 provides, on top of the Data Protection Act 2018 and the GDPR, an additional legal basis for processing data related to COVID-19.


European Union

Regulation (EU) 2017/745 on medical devices (MDR)

5 April 2017

Mobile applications used to fight the spread of COVID-19 may potentially be classified as medical devices, in which case they will have to comply with specific safety rules. According to the provisions of Regulation (EU) 2017/745 on medical devices (MDR), an app could be deemed a medical device if it is intended by the manufacturer to be used, inter alia, for diagnosis, prevention, monitoring, prediction, prognosis, treatment or alleviation of disease.


Country Reports | Data Protection Authorities | Policy Bodies | Courts | Legal Acts
Information Hub

COVID-19 Contact Tracing Apps in the EU

Find out more