Plan to Require EU Telcos to Monitor COVID-19 Prompts Privacy Concerns
European telcos will provide cellphone location data to help analyze COVID-19's spread, under recommendations unveiled Wednesday by the European Commission. The proposed "toolbox," which is intended to support steps to return to normality and which the EC said will be finalized April 15, includes a common EU approach for modeling and predicting the virus' evolution via aggregated, anonymized mobile location data. The use of telecom metadata has buy-in from mobile operators and EU data protection officials. Some privacy advocates are concerned.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
The EC "kick-started a discussion with mobile phone operators" about providing the metadata, a spokesperson emailed. The idea is to analyze "mobility patterns, including the impact of confinement measures on the intensity of contacts, and hence the risks of contamination." The EC Joint Research Center will do the modeling and share results with EU governments. The EC wants to work with one operator in each country to come up with a representative sample. That means aggregated and anonymized data couldn't be used to track individuals, the spokesperson said. The data would be kept only as long as the crisis lasts, and would comply with general data protection regulation and the e-privacy directive.
Telcos share aggregated and anonymized data, not individual phone numbers or identities, with public officials in COVID-19 actions, said the European Telecommunications Network Operators Association. "All personally identifiable information is stripped from datasets, which are then combined with anonymous data from other users."
Governments must ensure the protection of personal data "even in these exceptional times," said the European Data Protection Board. Any measures must respect general legal principles and not be irreversible, it said: "Emergency is a legal condition which may legitimise restrictions of freedoms provided these restrictions are proportionate and limited to the emergency period." The European Data Protection Supervisor advised the EC that data protection rules "are flexible enough to allow for various measures taken in the fight against pandemics," and effectively anonymized data isn't covered by data protection rules. Aggregating data can provide an additional safeguard, it noted.
"Use of location and movement data in the EU is worrisome," emailed Morrison & Foerster (Brussels) privacy lawyer Alja Poler De Zwart. It will enable the tracking and recording of every step, she said: Collecting and using such sensitive personal information, even in an anonymized form, "should be our last resort." The data must be stored safely; there must be limited access; and it must be deleted when no longer needed, she advised. The situation now "is right out of our hands, and it all comes down to how much we trust our governments with our most sensitive information."
Besides GDPR, the information must also be processed under the e-privacy directive, emailed Linklaters (Brussels) data protection lawyer Tanguy Van Overstraeten. That's especially relevant for data enabling the identification of subscriber location, which can only be processed when anonymized. There are difficulties with anonymizing local information at the individual level because even if all direct identifiers are removed, the location information may remain.
Given the public health crisis, collecting information from citizens can be valuable in developing a better understanding of coronavirus spread, European Data Rights Policy Head Diego Naranjo told us. Responses must be based on fundamental rights, he said. "What happens after" the emergency, asked Privacy International, seeking a sunset date. "Once a government has given itself such power, it is rare that they will vote to remove them."