On 13th May, the European Commission's eHealth Network published its interoperability guidelines for approved contact tracing mobile applications in the EU, guiding developers when designing and implementing applications and backend solutions to ensure efficient tracing of cross-border infection chains. These guidelines serve as a follow-up action to their previously published 'Common EU Toolbox for Member States' on mobile applications to support contact tracing in the EU's fight against COVID-19 on 15th April.
Why are interoperable apps considered important in the fight again COVID-19? It is almost inevitable that in today's day and age we would look to technology to be part of the solution. The hope is that interoperable apps will facilitate the tracing of cross-border infection chains, which is particularly valuable for cross-border workers, tourism, business trips and neighbouring countries.
Most Member States have launched or intend to launch an approved mobile contact tracing app as part of their national COVID-19 management strategy. The intention being that contact tracing apps will be one of a number of important elements to support the gradual lifting of border controls within the EU and the restoration of freedom of movement. The apps are based on Bluetooth proximity technology to alert people who have been in proximity to an infected person for a certain duration, in order to self-isolate and to get tested - and therefore interrupt the transmission chain. However, there is of course a need for the apps to be voluntary, transparent, secure, interoperable and to respect people's privacy, which are all emphasized by the eHealth Network's guidelines and related communications.
The previously published toolbox sets out three key requirements with contact tracing apps - first, the alignment of epidemiological criteria to define close contact for a high risk exposure; second, for contact tracing apps to register a user's proximity contact with other users using different contact tracing apps; third, and importantly, for national authorities to exchange data on infection transmission chains by means of backend solutions, in order to interrupt cross-border transmission chains.
The new interoperability guidelines were agreed by Member States in the eHealth Network with the support of the Commission. They lay down common and general principles with the aim of "ensuring that tracing apps can communicate with each other when required, so citizens can report a positive test or receive an alert, wherever they are in the EU and whatever app they are using". The guidelines also include technological parameters to ensure swift implementation by developers working with national health authorities.
An important consequence of achieving interoperability, is that cross border transmission chains have to be such that Member State backend servers must seamlessly communicate to receive relevant keys between themselves using a trusted and secure mechanism. All approved apps must be linked to these backend servers so that when roaming users upload their relevant proximity encounter information, it is uploaded to the home country backend and is then available for transfer. Additionally, the apps will need to have a common approach to detecting proximity between devices, and they should allow roaming individuals to be alerted with the relevant information in a language they understand.
Although contact tracing apps and the interoperability of data collected will provide crucial support to the lifting of border restrictions, they clearly come with big challenges. For this reason, the interoperability guidelines are a living document, not set in stone, to be used as baseline for interoperability specifications to guide developers when designing and implementing the apps and backend solutions.
Whilst there is clearly a lot of work being put into interoperability within Europe, there are still big questions as to whether smooth cross-border working will be possible in practice – not least given the ongoing differences between each EU Member State on the choice of architecture for their contact tracing app. This comes down to a choice of either a decentralized approach (involving protocols for storing and processing data locally on smartphones) versus a centralized approach (involving the uploading of exposure data and performing contact matching on a central server controlled by a national authority). Member States agreed in the guidelines that interoperability should happen regardless of which app architecture an EU country has chosen. And yet, whilst interoperability should be possible irrespective of different app architectures between countries, this will very likely increase the privacy concerns.
For organisations in the private sector, the focus on interoperability may be important for the development of international standards for digital medical products and services and the ability for those products to integrate with the interoperability agenda of the European Commission.
The interoperability guidelines anticipate further technical details to be agreed upon, to ensure the operationalisation of interoperability as soon as possible. This will be supported by structured discussions between the eHealth Network with the New Generation Internet community. Watch this space for further developments!
This article is presented for informational purposes only and is not intended to constitute legal advice.