Experiences in some Asian countries show how data has helped to track the coronavirus epidemic and to reduce its spread. Preliminary results seem to demonstrate the efficiency of the method, but to what extent does it infringe on privacy and the right to data protection1? As European countries are considering a similar approach, it is necessary to consider the existing tracing and tracking techniques used to fight Covid-19 – the use of mobile carriers and the development of smartphone applications – and to clarify their legal implications.
Data shared by mobile carriers
Public authorities rely on telecommunications data to monitor the evolution of the epidemic and control populations. The use of this type of data is likely to have a major impact on privacy, unless the data are anonymized.
Analysis of anonymized geolocation data
A first approach, favored by Austria, Germany or Italy, is based on the analysis of location data from mobile operators by health authorities or researchers to watch population movements (data tracking).
It allows public health agencies to visualize significant flows of people, predict the geographical spread of the disease and estimate the effectiveness of quarantine measures. Aggregated data showed, for example, that many people left large cities to go to their country houses before stricter confinement measures were adopted in some countries.
Information is anonymized before being disclosed to health authorities or researchers by telecommunications providers. The first question to ask from a legal standpoint is whether the information collected qualifies as personal data under the General Data Protection Regulation (GDPR).
The European regulation applies only to the processing of “personal data”2. Personal data are information about an “identified” or “identifiable” person, an identifiable person being one who can be identified, directly or indirectly, by reference to an “
Information relating to the geolocation of a person, or of equipment belonging to him/her, undoubtedly qualifies as personal data. The GDPR indeed considers “location data” as an “identifier”4 and, according to the definition mentioned above, information relating to a person who can be identified by reference to an identifier is personal data.
A contrario, data that are not “personal” are not covered by the European text. This is the case for anonymized data: information that could previously be used to identify a person “but where that identification is no longer possible”5. Anonymized data fall outside the scope of the GDPR6.
Location data can thus be legally processed provided that they have been appropriately anonymized7. Anonymization goes beyond simply deleting phone and International Mobile Equipment Identity (IMEI) numbers from the communicated dataset8; the technique used should result in the “irreversible de-identification” of individuals9.
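The distinction drawn above, between deleting identifiers and irreversible de-identification, can be made concrete with a small simulation. The following Python code is an added example, not part of the article or of any operator's or regulator's toolkit; the cell identifiers, hours and device numbers are constructed sample data, and the k-threshold aggregation is one illustrative technique, not a claim about what any operator actually released. It shows that a dataset with IMEIs replaced by pseudonyms still lets a few known facts about a person (where they are at 8:00 and at 13:00) single out their trajectory, whereas a release reduced to per-cell, per-hour device counts with small cells suppressed carries no individual record at all.

```python
# Added example (not from the article): stripping IMEIs from a location
# dataset is pseudonymization, not anonymization. Sample data is constructed.
from collections import defaultdict

# Constructed sample: one day of coarse cell-tower pings, keyed by IMEI.
# Devices C and D happen to share the same coarse trajectory.
RAW_PINGS = [
    {"imei": "IMEI-A", "hour": 8,  "cell": "C1"},
    {"imei": "IMEI-A", "hour": 13, "cell": "C7"},
    {"imei": "IMEI-A", "hour": 20, "cell": "C1"},
    {"imei": "IMEI-B", "hour": 8,  "cell": "C1"},
    {"imei": "IMEI-B", "hour": 13, "cell": "C2"},
    {"imei": "IMEI-B", "hour": 20, "cell": "C1"},
    {"imei": "IMEI-C", "hour": 8,  "cell": "C3"},
    {"imei": "IMEI-C", "hour": 13, "cell": "C2"},
    {"imei": "IMEI-C", "hour": 20, "cell": "C3"},
    {"imei": "IMEI-D", "hour": 8,  "cell": "C3"},
    {"imei": "IMEI-D", "hour": 13, "cell": "C2"},
    {"imei": "IMEI-D", "hour": 20, "cell": "C3"},
]


def pseudonymize(pings):
    """Replace each IMEI by an opaque per-device label.

    Every ping of a device still shares one label, so the full trajectory
    survives: this is still personal data in the GDPR sense.
    """
    table = {}
    out = []
    for p in pings:
        pid = table.setdefault(p["imei"], f"P{len(table)}")
        out.append({"pid": pid, "hour": p["hour"], "cell": p["cell"]})
    return out


def matching_pseudonyms(pseudo_pings, known_points):
    """Pseudonyms whose trajectory contains every (hour, cell) fact in
    known_points. One result means the trajectory is singled out; several
    mean those facts alone do not distinguish the devices."""
    by_pid = defaultdict(set)
    for p in pseudo_pings:
        by_pid[p["pid"]].add((p["hour"], p["cell"]))
    return sorted(pid for pid, pts in by_pid.items() if set(known_points) <= pts)


def aggregate_counts(pings, k):
    """Release only the number of distinct devices per (hour, cell),
    suppressing any cell seen by fewer than k devices. No record in the
    output refers to an individual device."""
    devices = defaultdict(set)
    for p in pings:
        devices[(p["hour"], p["cell"])].add(p["imei"])
    return {key: len(ids) for key, ids in devices.items() if len(ids) >= k}


if __name__ == "__main__":
    pseudo = pseudonymize(RAW_PINGS)
    print("home C1 at 8h, C7 at 13h ->", matching_pseudonyms(pseudo, [(8, "C1"), (13, "C7")]))
    print("home C3 at 8h, C2 at 13h ->", matching_pseudonyms(pseudo, [(8, "C3"), (13, "C2")]))
    print("aggregated release (k=2):", aggregate_counts(RAW_PINGS, 2))
```

Two facts about device A single out pseudonym P0, so replacing the IMEI did nothing for that person; devices C and D, which move identically at this granularity, remain indistinguishable, which is the k-anonymity idea behind the threshold in `aggregate_counts`. Count suppression is itself only one ingredient of an anonymization assessment: repeated releases over time can be differenced against each other, which is why the Article 29 opinion cited above treats irreversibility as something to be demonstrated, not assumed.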
Using non-anonymized geolocation data
Some states preferred another approach, focusing not on the entire population or large groups of people, but on the individualized monitoring of their citizens using telecommunications data.
Emergency measures in force in Israel, for example, allow active surveillance of mobile phones. Data collected from telecommunication companies make it possible to use triangulation to locate people who have been in close contact with an infected person (contact tracing). After analyzing the data, health authorities can warn them about the risk they are facing.
If authorities are using non-anonymized location data directly provided by mobile carriers, because anonymization is impossible or not wanted, the European Data Protection Board (EDPB) recommends10 that Member States introduce laws based on the ePrivacy Directive11, as amended by Directive 2009/136/EC12.
Article 15 of the ePrivacy Directive allows national legislative bodies to adopt measures to safeguard “public security”, which might include, as the EDPB implicitly suggests, public health.
Measures introduced in the national legislation on this legal basis must be necessary, appropriate and proportionate13. They may be considered proportionate, according to the EDPB, in the light of the actual exceptional circumstances14.
The least intrusive option should always be preferred to any others, a condition that limits the possibility of tracking every movement of every citizen – or even of only infected people – on an ongoing basis.
Member States have to maintain adequate safeguards and provide appropriate remedies if they resort to non-anonymized data:
- They should clearly and publicly identify the types of data that they require from telecommunications companies;
- They should make sure that the data are securely transmitted;
- They should maintain confidentiality at all times; and
- They should restrict access to the data to a limited number of persons.
Data processed according to emergency laws adopted under the ePrivacy Directive should be deleted as soon as possible after the emergency situation comes to an end.
The ePrivacy Directive applies only to the processing of data by telecommunication providers15. If authorities or private companies develop applications for smartphones, the legal basis for processing location data would be different.
Information society services and data protection
The last approach, adopted by countries like China, South Korea or Taiwan, is based on tracking individuals’ health and movements. The state does not only use the modelling of its population’s movements to follow the spread of the virus. It collects, in this case, a wide range of personal and sensitive data that must be processed, in Europe, on an appropriate legal basis16.
Collection of location and health data by applications
Citizens, in some countries, have to install an application on their smartphone. After personalizing it with their name, phone number, and national identification number, the software tracks their every movement. It indicates through geolocation if a person came in close contact with an individual tested positive for Covid-19, whether on the street, in a classroom, at the workplace, in transportation facilities (trains, planes, buses, etc.) or in private spaces.
Applications like these make it possible to track the movements of persons tested positive for coronavirus and understand their social interactions. Health authorities can also make sure that a contaminated person, confined at home, stays within a specified perimeter. If the person leaves this perimeter, the police may be notified and the person may be arrested. Authorities can check if people carry their cell phones with them – turned on and operational – at all times by calling them or using other verification methods.
Another possibility is to compel the population to fill in a daily health questionnaire. Citizens are asked every day about their symptoms (fever, coughing, breathing problems, etc.) and the application decides whether they should stay at home or undergo a screening test. Smartphones become passports to go to work, take public transport, visit government buildings or spend time in commercial centers based on a color code (green, yellow and red). They also play the same surveillance role as mentioned in the previous paragraphs for people who are confined.
Finally, there are applications developed around the Bluetooth technology, such as TraceTogether, designed by the Singapore authorities, or the Decentralized Privacy-Preserving Proximity Tracing (DP-3T) and Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) projects led by European researchers. After being installed, they make it possible to detect other users of the application who are nearby. The information stored on users’ phones, for a specific period of time, can then be used to warn them that they have recently been in contact with an infected person.
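The Bluetooth approach just described stores observations on the phone rather than in a central database, and that design choice is what the privacy argument for DP-3T-style applications rests on. The following Python code is an added example, not code from the article, from TraceTogether, DP-3T or PEPP-PT, and it is a deliberately simplified simulation: the daily key ratchet, the HMAC-based derivation of rotating beacon identifiers, the 15-minute epoch, the 14-day retention window and the key lengths are all assumptions chosen to illustrate the mechanism, not the real protocols' parameters. It shows the two sides of the exchange: phones record the ephemeral identifiers they hear nearby, and a diagnosed user uploads only one day key, from which other phones locally recompute that user's beacons and check for a match.

```python
# Added example (not from the article or any tracing project): a simplified
# decentralized proximity-tracing simulation. Key derivation, epoch length,
# retention window and key sizes are assumptions for illustration only.
import hashlib
import hmac
import os

EPOCHS_PER_DAY = 96      # 15-minute beacon rotation (assumed)
RETENTION_DAYS = 14      # how long heard beacons are kept on-device (assumed)


def next_day_key(day_key: bytes) -> bytes:
    """Daily key ratchet: tomorrow's key is a hash of today's. Publishing one
    day's key therefore reveals later days' beacons but never earlier ones."""
    return hashlib.sha256(day_key).digest()


def ephemeral_ids(day_key: bytes) -> list:
    """The day's rotating beacon identifiers, derived from the day key so that
    an observer cannot link one epoch's identifier to the next."""
    prk = hmac.new(day_key, b"broadcast key", hashlib.sha256).digest()
    return [hashlib.sha256(prk + epoch.to_bytes(2, "big")).digest()[:16]
            for epoch in range(EPOCHS_PER_DAY)]


class Phone:
    def __init__(self, seed: bytes):
        self.day_keys = [seed]   # day_keys[d] is this phone's key for day d
        self.observed = []       # (day, ephid) pairs heard over Bluetooth

    def key_for_day(self, day: int) -> bytes:
        while len(self.day_keys) <= day:
            self.day_keys.append(next_day_key(self.day_keys[-1]))
        return self.day_keys[day]

    def beacon(self, day: int, epoch: int) -> bytes:
        """What this phone broadcasts during a given epoch."""
        return ephemeral_ids(self.key_for_day(day))[epoch]

    def hear(self, day: int, ephid: bytes) -> None:
        """Record a nearby beacon and drop anything older than the window."""
        self.observed.append((day, ephid))
        self.observed = [(d, e) for d, e in self.observed
                         if day - d < RETENTION_DAYS]

    def report_infection(self, first_contagious_day: int) -> bytes:
        """What a diagnosed user uploads: a single day key. Observations of
        other people's beacons never leave the phone."""
        return self.key_for_day(first_contagious_day)

    def exposed(self, published: list) -> bool:
        """Local check against the published (start_day, key) list."""
        last_day = max((d for d, _ in self.observed), default=0)
        for day, key in published:
            while day <= last_day:
                ids = set(ephemeral_ids(key))
                if any(d == day and e in ids for d, e in self.observed):
                    return True
                key = next_day_key(key)
                day += 1
        return False


def simulate() -> dict:
    """Alice and Bob are near each other on day 3; Carol is elsewhere.
    Bob is diagnosed on day 5 and reports from day 2 onward."""
    alice, bob, carol = (Phone(os.urandom(32)) for _ in range(3))
    alice.hear(3, bob.beacon(3, 40))
    bob.hear(3, alice.beacon(3, 40))
    published = [(2, bob.report_infection(2))]
    return {"alice": alice.exposed(published), "carol": carol.exposed(published)}


if __name__ == "__main__":
    print(simulate())   # Alice is warned, Carol is not
```

The point the legal discussion turns on is visible in `report_infection` and `exposed`: the server only ever learns one key per diagnosed user, nobody uploads whom they met, and matching happens on each phone. The price of that design is also visible: once a day key is published, anyone who logged beacons can recompute that user's identifiers from that day forward, so the uploaded key must be treated as health data in its own right and the retention window bounds how far back exposure can be checked.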
Legal bases for processing data collected by applications
All of these applications rely primarily on the processing of identification, location and health data to ensure the effectiveness of public policies. An application like the one envisioned here would be considered, within the European Union, as providing an “information society service”17 and general data protection laws would be applicable18.
Processing of personal data could be based primarily on the consent of the individuals concerned for the specific purpose of fighting the coronavirus epidemic. Consent should be the preferred legal basis whenever it comes to the processing of location data19, according to the Article 29 Working Party. Processing will be lawful if the person has given consent to the collection of her/his identification and location data on the basis of article 6 (1) (a) GDPR or, in the case of health data, on the basis of article 9 (2) (a) GDPR.
However, these lawful bases raise questions: would consent in this case be freely expressed20 if the government compels its citizens to install the application? If the use of the application is not mandatory, who would freely consent to be monitored around the clock, seven days a week, including in the private sphere?
Another possible legal basis for collecting location data could be the necessity to protect the “vital interests” of a specific person or group of persons21. Vital interest here means “an interest which is essential for the life” of a person22. It includes threats to the physical integrity or life of a person or any other persons and the monitoring of epidemics and their spread23.
In the absence of a vital interest, it would be possible to invoke the performance of a task carried out in the public interest24. Public interest refers to the public good and what is in the best interests of a group of individuals or the society as a whole25. It would be difficult to argue that fighting a global pandemic is not in the public interest. The public interest task is entrusted by law to a controller or is exercised by an official authority.
The vital interests and public interest legal bases also yield important questions, since geolocation data can be used to infer several details about an individual’s lifestyle and personal choices. Is the continuous monitoring of citizens’ locations necessary to fight the coronavirus and proportionate to the goal pursued by the national authorities? Could health authorities or any developers establish a substantial connection between the systematic processing of location data and the stated purpose of preventing the spread of an epidemic? Is there a logical link between the processed data and the alleged legitimate objective? And, finally, does it respect the data minimization principle26, which provides that only adequate, relevant and necessary data must be processed?
These latter legal bases could not be put forward to process health data, as they are considered to be special categories of personal data27. The sensitive nature of the data has prompted the European legislator to enact a special legal regime to deal with any health-related information. Processing of such data is prohibited as a general rule28, unless one can rely on consent or an exception.
Health data could be processed under the vital interests exception29, which is similar to the lawful basis mentioned before. However, it can only be invoked if the individual is physically or legally unable to give consent. Sensitive data about a person’s health may also be processed under the public health exception30 if the processing is in the public interest. We refer the reader to our article Health Data in the Time of Coronavirus for details relating to these exceptions.
“[D]ata protection rules currently in force in Europe are flexible enough to allow for various measures taken in the fight against pandemics”31, wrote Wojciech Rafał Wiewiórowski, the European Data Protection Supervisor. Privacy advocates are skeptical about the advisability of processing an unlimited amount of location and health data of European citizens. One has to ask if it is necessary and proportionate, even in a time of crisis. It may quickly amount to mass surveillance and set a dreadful precedent. A balance needs to be struck between the public interest in fighting the epidemic and the respect for individual rights and freedoms.
* A French version of this text was published under the title Coronavirus, traçage des données et vie privée.
1 Charter of Fundamental Rights of the European Union (consolidated), OJEU C 326, 26 October 2012, p. 391, art. 7 et 8.
2 Art. 2 GDPR.
3 Art. 4 (1) GDPR.
5 Article 29 Working Party, Opinion 4/2007 on the Concept of Personal Data (2007), p. 21.
6 Recital 26 GDPR.
7 European Data Protection Board, Statement on the Processing of Personal Data in the Context of the Covid-19 Outbreak (2020), p. 2.
8 European Data Protection Board, Monitoring Spread of Covid-19 (2020), p. 2.
9 Article 29 Working Party, Opinion 5/2014 on Anonymisation Techniques (2014), p. 7.
10 Statement on the Processing of Personal Data in the Context of the Covid-19 Outbreak, op. cit., p. 2.
11 Directive 2002/58/EC of 12 July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector, OJEC L 201, 31 July 2002, p. 37.
12 Directive 2009/136/EC of 25 November 2009 Amending Directive 2002/22/EC on Universal Service and Users’ Rights Relating to Electronic Communications Networks and Services, Directive 2002/58/EC concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector and Regulation (EC) No 2006/2004 on Cooperation Between National Authorities Responsible for the Enforcement of Consumer Protection Laws, OJEU L 337, 18 December 2009, p. 11.
13 Directive 2002/58/EC, op. cit., art. 15.
14 Statement on the Processing of Personal Data in the Context of the Covid-19 Outbreak, op. cit., p. 3.
15 Directive 2002/58/EC, op. cit., art. 3 (1).
16 The European Commission advocates for a pan-European approach to mobile application development: European Commission, Commission Recommendation on a Common Union Toolbox for the Use of Technology and Data to Combat and Exit from the Covid-19 Crisis, in Particular Concerning Mobile Applications and the Use of Anonymised Mobility Data (2020).
17 Directive (EU) 2015/1535 of 9 September 2015 Laying Down a Procedure for the Provision of Information in the Field of Technical Regulations and of Rules on Information Society Services, OJEU L 241, 17 September 2015, p. 1, art. 1 (1) (b).
18 Article 29 Working Party, Opinion 13/2011 on Geolocation Services on Smart Mobile Devices (2011), p. 8.
19 Ibid., p. 14.
20 Art. 4 (11) GDPR.
21 Art. 6 (1) (d) GDPR.
22 Recital 46 GDPR.
24 Art. 6 (1) (e) GDPR.
25 Recital 53 GDPR.
26 Art. 5 (1) (c) GDPR.
27 Art. 9 (1) GDPR.
29 Art. 9 (2) (c) GDPR.
30 Art. 9 (2) (i) GDPR.
31 Monitoring Spread of Covid-19, op. cit., p. 1.