Faced with the multiplication of national initiatives, the European Commission has in turn invited telecommunications companies to contribute to the fight against the spread of COVID-19. In a conference call on 23 March, Internal Market Commissioner Thierry Breton suggested the development of a large “anonymised” and “aggregated” database at EU level.
This information, revealed by the American newspaper Politico, was later confirmed by the European institution, which acknowledged that the discussion with the eight major business leaders and the international organisation GSMA had focused in particular on the need to collect anonymised mobile metadata to help analyse the distribution patterns of the coronavirus.
Respect for confidentiality
According to the Commission, this initiative would not contravene the General Data Protection Regulation (GDPR) and the legislation on electronic data protection (e-Privacy). “The processing of health-related data is in principle prohibited by the GDPR. However, the Regulation provides for exceptions to these rules for reasons of public interest, including serious cross-border health threats”, a Commission spokesman explained the day after the video conference. “For aggregated statistical data that does not allow the identification of natural persons, the GDPR does not apply and therefore there is no data protection issue”, he continued.
According to Politico, Thierry Breton’s idea would be to select one major operator per country “to monitor the spread of the virus and determine where the need for medical supplies is most pressing”. The European Data Protection Supervisor (EDPS) has confirmed to us that they have been consulted by the Commission, assuring us that this will not be individual tracing, but aggregated information. “The European Executive has also made commitments with regard to limiting the purpose of the information to be obtained”, adds Olivier Rossignol of the EDPS.
National initiatives
Until now, initiatives have mostly been national. In Germany (Deutsche Telekom), Austria (Telekom Austria AG) and Belgium (Proximus, Orange, Base), operators are already sharing customer data with health authorities to combat coronavirus. In addition, Vodafone produced an aggregated and anonymous thermal map for the region of Lombardy, particularly affected by COVID-19, to help the Italian authorities understand population movements.
On Tuesday 24 March, two other countries also expressed their intention to move in this direction. The French authorities have announced the establishment of a committee of researchers and doctors to examine, inter alia, the possibility of using geolocation data to identify persons in contact with those infected with the coronavirus. The Slovak government, meanwhile, was to discuss a law allowing public institutions to use data from telecommunications operators to ensure that people in quarantine - travellers returning from abroad and those in contact with infected people - remain isolated.
The most extreme practice is observed in Poland, where quarantined persons are required to send a selfie within 20 minutes of receiving a message from the authorities, at the risk of the police disembarking.
EDRI mobilised
And it is this kind of application that particularly frightens the online rights organisation, EDRI: “Apps offered by public authorities should be subject to the same scrutiny as access to data from mobile operators. Whenever possible, privacy-preserving algorithms should be used in these apps”, says Diego Naranjo, EDRI Head of Policy. He added that a certain minimum threshold should be established to ensure that geolocation data are truly anonymous, since this cannot be achieved by simply deleting the subscriber's name and telephone number, in order to avoid any risk of re-identification.
As for private applications, EDRI calls on data protection authorities to check their compatibility with the GDPR. “Necessity, proportionality, purpose limitation (only public health) and storage limitation are key principles when thinking of technological solutions involving the use of personal data. Any personal data collected should be disclosed directly only to health authorities, and not under any circumstances shared with other authorities (law enforcement, intelligence services, immigration authorities)”, concludes the EDRI.
EDPB warnings
On Thursday 19 March, the European Data Protection Board (EDPB) had already adopted a declaration on data protection in the event of a COVID-19 pandemic. The Committee called for the promotion of anonymised location data and, if not, for adequate safeguards such as providing individuals the right to a judicial remedy.
According to the body composed of the EDPS and the data protection authorities of the Member States, the least intrusive solutions should always be preferred, taking into account the specific objective to be achieved.
“Invasive measures, such as the “tracking” of individuals (i.e. processing of historical non-anonymised location data) could be considered proportional under exceptional circumstances and depending on the concrete modalities of the processing”, the document states.
“However, it should be subject to enhanced scrutiny and safeguards to ensure the respect of data protection principles - proportionality of the measure in terms of duration and scope, limited data retention and purpose limitation”. (Original version in French by Sophie Petitjean)