Europe is working on more cooperation and coordination in the area of health, that has resulted in a proposal by the Council of the European Union for a health regulation [1] that recently has been made public. Much in the proposal is organisational in nature and mainly affects member states.

Contact-tracing as a central element
One of the subjects that will affect citizens is that contact-tracing is a central element in the proposal [2]. According to the proposal a large messaging European system is created in which the authorities will exchange contact and health data of all citizens [3]. The definition of contact-tracing is found in article 3 paragraph 4:

‘contact tracing’ means measures to identify persons who have been exposed to a source of a serious cross-border threat to health, and who are in danger of being infected or being infectious or who have developed a communicable disease, through manual or other technological means, with the sole objective of rapidly identifying potentially newly infected persons who may have come into contact with existing cases, in order to reduce further onward transmission;

Contact-tracing will be an important element in the prevention, preparedness and response planning of chapter II (article 5 paragraph 4) and in the epidemiological surveillance described in chapter III of the proposal.
The proposal includes a ‘network for epidemiological surveillance’ that shall aim to support the contact-tracing measures of competent health authorities; the national authorities shall provide information about contact-tracing monitoring systems developed at national level to the network (article 13).
In the European Early Warning and Response System (EWRS) contact-tracing is important also, see article 18 (markup by me):

Taking into account Member States’ opinions, the ECDC shall continuously update the EWRS allowing for the use of modern technologies, such as digital mobile applications, artificial intelligence models, space-enabled applications, or other technologies for automated contact tracing, building upon the contact-tracing technologies developed by the Member States or by the Union, used for the purpose of combatting serious cross-border threats to health. The ECDC, in close cooperation with Member States, shall facilitate interoperability with national systems for the purposes of the EWRS.

An alert notification by a national authority to the Commission shall include personal data necessary for contact tracing (article 19).

Data protection
Of course measures regarding data protection are provided for [4].

Article 28
Protection of personal data concerning the EWRS selective messaging functionality

1. The EWRS shall include a selective messaging functionality allowing personal data, including contact and health data, to be communicated only to the national competent authorities involved in contact-tracing measures and medical evacuation procedures. That selective messaging functionality shall be designed and operated so as to ensure safe and lawful processing of personal data and to link with contact-tracing systems at Union level.
2. Where national competent authorities implementing contact-tracing measures or medical evacuation procedures communicate, through the EWRS, personal data necessary for contact-tracing purposes pursuant to Article 19(3), they shall use the selective messaging functionality referred to in paragraph 1 of this Article and communicate the data only to the other Member States involved in the contact-tracing or medical evacuation measures.
3. When communicating the data referred to in paragraph 2, the national competent authorities shall refer to the alert communicated previously through the EWRS.
4. The selective message functionality shall be used solely for the purpose of contact tracing and medical evacuation. It shall only allow national competent authorities to receive data that were sent to them by other national competent authorities. The ECDC shall only access the data required to ensure the proper functioning of the selective message functionality. Messages containing personal data shall automatically be erased from the selective message functionality 14 days after the date of their posting at the latest.
5. Where necessary for the purpose of contact tracing, personal data may also be exchanged using contact-tracing technologies. The national competent authorities shall not retain the contact data and health data received through the selective message functionality for longer than the retention period applicable in the context of their national contact-tracing activities.
6. The Commission shall adopt delegated acts to supplement this Regulation by establishing:
(a) detailed requirements necessary to ensure that the operation of the EWRS and the processing of data complies with Regulation (EU) 2016/679 and Regulation (EU) 2018/1725 including the respective responsibilities of the national competent authorities and of the ECDC; and
(b) a list of the categories of personal data that may be exchanged for the purpose of the coordination of contact-tracing measures.
7. The Commission shall, by means of implementing acts, adopt:
(a) procedures for the interlinking of the EWRS with contact-tracing systems at Union and international levels; and
(b) the modalities for processing contact-tracing technologies and their interoperability, as well as the cases where, and the conditions under which, the third countries may be granted access to contact tracing interoperability and the practical arrangements for such access, in full compliance with the GDPR and the applicable case law of the Court of Justice of the European Union.
Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 29(2).

Data protection organisations would do well to follow developments around this proposal closely because in Europe, theory and reality do not always match. The system of contact-tracing should not develop into a surveillance system, enabling governments and the EU to monitor and influence every citizen.

Notes
[1] Proposal (pdf) of 7 October 2022 for a regulation of the European Parliament and of the Council on serious cross-border threats to health and repealing Decision No 1082/2013/EU – Outcome of the European Parliament’s first reading (Strasbourg, 3 to 6 October 2022). Interinstitutional file: 2020/0322(COD).
[2] See page 7: “The capacity for contact tracing should be strengthened via the creation
of an automated system, using modern technologies” and on page 32:

(37) The occurrence of an event that corresponds to a serious cross-border threat to health and is likely to have Union-wide consequences should require the Member States concerned to take particular control or contact-tracing measures in a coordinated manner in order to identify people already contaminated and those persons exposed to risk. Such coordination could require the exchange of personal data, including sensitive information related to health and information about confirmed or suspected human cases of the disease or infection, between those Member States directly involved in the contact-tracing measures.

[3] Paragraph (39) on page 34.
[4] See also the first sentence of paragraph (39) on page 34, the last words of paragraph (43) on page 36. The Commission will have a central role in defining the criteria, see paragraph (46) on page 38.