After suggestions there might be some suspect data sharing going on to combat the coronavirus outbreak, the European Data Protection Supervisor has said it is within the rules.
The European Commission’s Internal Market chief Thierry Breton has been one of the busier bureaucrats in recent times. Last week, Breton’s calendar showed meetings with Walt Disney, Netflix and Google to ‘preserve the smooth functioning of the internet’, and this week it appears the telcos are on the speed-dial.
This week, meetings with the major European telcos have been on the agenda to discuss ways and means to which data can be used to combat COVID-19. The collection and analysis of anonymised and aggregated geo-location data is one proposed initiative which the telcos can help with.
There might be some concerns about the legality of the proposed ideas, though European Data Protection Supervisor Wojciech Wiewiórowski has attempted to calm fears.
“Firstly, let me underline that data protection rules currently in force in Europe are flexible enough to allow for various measures taken in the fight against pandemics,” Wiewiórowski said in an open letter to Roberto Viola, Director-General of DG CNECT.
“I am aware of the discussions taking place in some Member States with telecommunications providers with the objective of using such data to track the spread of the COVID-19 outbreak.”
While previous generations have had to go by educated assumptions to combat the spread of such pandemics, today data us one of the most valuable tools. Insight on how citizens are moving around the country can inform on the success of self-isolation demands or give clues as to where perhaps the next viral hotspot would be. Information is critical in creating the most effective response to a pandemic which caught the world by surprise.
However, the presence of coronavirus does not give authorities a blank cheque to do whatever they please; rules and regulations to protect the interest of the citizen and mitigate the risk of abuse have to be adhered to.
Sophie in’t Veld, a Dutch Member of the European Parliament, is one such person to have raised concerns.
Writing to Internal Market chief Thierry Breton, in’t Veld wanted reassurances to ensure data would be and remain anonymised, including asking how this would be done, whether the European Data Protection Supervisor has been consulted for an opinion and how the Commission will respond to academic criticism that the collection of geo-location data will not offer benefits as it is not specific enough.
Breton responded to the letter from in’t Veld in satisfactory fashion, but also added that all data collected during this initiative would be deleted once the COVID-19 outbreak is in the past. Adding to Breton’s reassurances, the opinion of the European Data Protection Supervisor further validates the actions from authorities.
In the opinion, European Data Protection Supervisor Wiewiórowski states:
- Effectively anonymised data fall outside of the scope of data protection rules, assuming the protections applied are resilient enough
- Should third parties be used for the purposes of collection or analysis, the Commission should ensure appropriate protections are applied
- Data obtained should be deleted as soon as the current emergency comes to an end
Should the conditions mentioned above be met, Wiewiórowski believes the European Commission should be able to act within the boundaries of data protection rules and regulations.
What should be taken into account is whether such processes are deemed legitimate with other laws.
“The data is anonymised so its use is in compliance with UK and EU data privacy laws, but it may still be an infringement of the human right to privacy under the Human Rights Act,” said Toni Vitale, Partner and Head of Data Protection at JMW Solicitors.
“A lot depends on how the data is used. If it is limited to creating heat maps showing where people are congregating, that might be OK. Some shopping centres already do this to show where shoppers are. This is useful to plan exits, where the cafes should be placed etc. Location data is commonly scraped from mobiles without users being aware.”
Little attention has been paid to whether the collection of personal information on this scale is a violation of the Human Rights Act, though one would hope the appropriate protections have been put in place. Data could hold the key to mitigate the worst impacts of COVID-19, so the European Commission should be applauded with its attempts to be as informed as possible.