Article, Commentary, Covid, GDPR

Location privacy and data retention in times of pandemic and the importance of harmonisation at European level

Patrícia Corrêa

In this time of pandemic, many countries are starting to actively monitor cellphone data to try to contain the spread of the new coronavirus. Governments are using location data to trace contacts or monitor and enforce quarantine of persons who have tested positive for COVID-19 or those with whom they have come into contact with.

The United States’ Government is in discussions with the tech industry about how to use Americans’ cellphone location data to track the spread of the novel coronavirus. In Iceland, authorities have launched an app that tracks users’ movements in order to help tracking coronavirus cases by collecting data about other phones in the area. In India, state authorities have also launched an application to track the movement history of persons tested positive, also providing the date and time of the visit to spots by the patients. In Brazil, at least one city is already using cellphone data to monitor gathering of people and take action to disperse them and soon federal government will follow. There are reports of similar approaches in many other countries as well.

At European level, Internal Market Commissioner Thierry Breton has held a videoconference with CEOs of European telecommunication companies and GSMA to discuss the sharing of anonymised metadata for modelling and predicting the propagation of the virus.

Does this approach necessarily put data privacy at risk? Is the trade-off between data privacy and public health necessary? Whereas it is true that in exceptional circumstances fundamental rights need to be balanced against each other, data privacy shall not be an insurmountable obstacle to the implementation of exceptional public health policies.

Some basics on data and metadata

Simply put, data consists of potential information that has to be processed to be useful. [1] Metadata, on the other hand, is “data about data”, comprising all the information about data at any given time, at any level of aggregation. It is structured information about an information resource of any media type or format. [2]

In order to safeguard privacy, personal data must be anonymised before its processing. Anonymisation refers to the process of de-identifying sensitive data while preserving its format and type [3] so it cannot be tied to specific individuals. Privacy can be also be assured by means of aggregation, which refers to the “process where raw data is gathered and expressed in a summary form for statistical analysis.”

Conditions for the use of location data

While in some countries the use of information to combat the COVID-19 outbreak seems to go beyond anonymised data (individual location and contacts tracking, for instance, requires device-level data), in Europe, so far, collaboration between telecommunication companies and governments appears to encompass only the exchange of anonymised data or databased models. On that level of data processing, the European Data Protection Board issued an approval statement based on some conditions, such as the anonymity of the processed data and the applicability of administrative controls, including security, limited access and limited retention periods.

On April 8, the European Commission issued a Recommendation on a Common Union Toolbox for the Use of Technology and Data to Combat and Exit from the COVID-19 Crisis, in particular concerning mobile applications and the use of anonymised mobility data. The Recommendation acknowledges the value of digital technologies and data in combating the COVID-19 crisis stating, however, that fragmented and uncoordinated approaches could hamper the effectiveness of measures aimed at combating the pandemic and violate fundamental rights and freedoms. It sets up a process for developing a common approach (Toolbox) to use digital means to address the crisis. The Toolbox will consist of practical measures for making effective use of technologies and data, with a focus on a pan-European approach for the use of mobile applications, coordinated at Union level and a common scheme for using anonymised and aggregated data on mobility of populations.

Regarding the use of mobility data, the Recommendation provides, inter alia, for safeguards to be put in place to prevent de-anonymisation and avoid reidentifications of individuals, including guarantees of adequate levels of data and IT security, and assessment of reidentification risks when correlating the anonymised data with other data.

The right to location privacy

According to the Article 4(1) of the GDPR, personal data comprises any information relating to an identified or identifiable natural person, including location data. Location data, as stated by the ePrivacy Directive, means any data processed in an electronic communications network or by an electronic communications service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service. It can be tied to a known individual (e.g. a name linked to a cell phone subscription) or to an identifier associated with a specific device (anonymised data). In other cases, a dataset is modified to display the location of groups of people, instead of individuals (aggregated data).

Location privacy, hence, relates to the location information of an individual in a sense that prevents others to learn about one’s current or past location. [4] In other words, “This definition captures the idea that the person whose location is being measured should control who can know it.”

The right to location privacy encompasses two fundamental rights, both guaranteed by the Charter of Fundamental Rights of the EU: the respect for private and family life (Article 7) and the protection of personal data (Article 8). Notwithstanding its importance, fundamental rights are not absolute and can be restricted in exceptional situations. As stated by Article 52(1), restrictions on these rights can only be imposed when lawful, legitimate and proportionate.

Location privacy is also protected under the Article 8 of the European Convention on Human Rights and cannot be limited either, if not for derogation in time of emergency consisting of war or other public emergency threatening the life of the nation. In that case, the measures shall be taken strictly to the extent required by the situation and cannot be inconsistent with other obligations under international law (Article 15).

Data retention in EU context

In Digital Rights Ireland case, the ECJ declared the invalidity of the Directive 2006/24/EC, which required providers of publicly available electronic communication services or public communication networks to retain telecommunication data of individuals for the purposes of preventing, investigating and prosecuting serious crime. The ECJ took the view that the Directive does not “provide for sufficient safeguards … to ensure effective protection of the data retained against the risk of abuse and against any unlawful access…” According to the ECJ, although the Directive satisfies a valid objective of general interest (public security), it does not meet the principle of proportionality.

To date, there is no EU legislation regarding data retention. Filling up the void, the ECJ decided in Tele2 Sverige case on the scope and effect of its previous judgment on Digital Rights Ireland, establishing minimum safeguards that must be included in any national law regarding data retention. ECJ therefore concluded that national legislation that did not contemplate minimum safeguards would be precluded pursuant to Article 15(1) of ePrivacy Directive.

Despite the guidelines set out in the Tele2 Sverige judgement, a survey by Privacy International indicates that, as of 2017, a large number of Member States still had not yet made necessary changes to ensure national legislation compliance. This is especially important in this time of pandemic, as many States in Europe are recurring to private telecom companies to disclose retained location data in order to fight the COVID-19 outbreak.

Data retention and location privacy: the need for harmonisation

This scenario highlights the importance of harmonisation on the subject at European level, what would contribute to safeguard citizens’ privacy rights. That coordination between private companies and governments shall reveal how access to sensitive telecommunication data by public authorities will affect the retention of data for private purposes.

In the light of the COVID-19 pandemic, location data can be very useful for epidemiological analysis, medical research and measures against disease spread. This importance, however, does not preclude the respect for privacy rights. In that context, a European framework for data retention is paramount to location privacy, since it can effectively regulate what data can be retained, for how long, and what measures must be taken in order to reduce violations risks and making it is being stored and shared in legitimate and responsible ways.

Final remarks

The retention, processing and exchange of location data to handle the pandemic do not necessarily have to violate privacy. There are mechanisms that, although not infallible, minimise risks of breach in the processing of personal data, in particular aggregation and anonymization. Besides, even in exceptional cases in which personal identifiable information processing is needed, EU Regulation and case law have already set some boundaries, especially amounting to proportionality. What really matters is the approach authorities will choose to take after the outbreak subsides, so mass surveillance does not become the norm.

[1] POMERANTZ, Jeffrey. Metadata. Cambridge : The MIT Press, 2015. p. 21.
[2] BACA, Murtha (ed). Introduction to Metadata. 3. ed. Los Angeles : Getty Research Institute, 2016. p. 2.
[3] RAGHUNATHAN, Balaji. The Complete Book of Data Anonymization: From Planning to Implementation. Boca Raton, FL, USA : CRC Press, 2013. p. 4.
[4] ATAEI, Mehrnaz; KRAY, Christian. Ephemerality is the New Black: A Novel Perspective on Location Data Management and Location Privacy in LBS. In GERTNER, Georg; HUANG, Haosheng (ed. ) Progress in Location-Based Services 2016. Switzerland : Spring, 2017. p. 360.

 

The Author

Patrícia Corrêa is a Portuguese qualified lawyer currently pursuing a Master’s Degree in International and European Law at Universidade Católica do Porto, Portugal.

Arbitration, Article, Courts, GDPR

Tennant Energy vs. Canada: Diluting the Impact of GDPR in International Treaty Arbitration

Bhavit Baxi

The Permanent Court of Arbitration ‘PCA’ in Tennant Energy vs. Canada[1] ruled that EU General Data Protection Regulations (‘GDPR’) will not come within the material scope in investor-state arbitrations under Chapter 11 of North American Trade Agreement ‘NAFTA’, a treaty to which neither the European Union nor its Member States are the parties.

Factual Background

In June 2017, the Tennant Energy LLC instituted the arbitration proceedings against Canada which were in front of Permanent Court of Arbitration. Thereby Tennant Energy under Chapter 11 of NAFTA claimed the damages from Canada amounting to $ 116 Million relating to its investment in a wind project.

Since the beginning of the proceedings the preliminary issues of Data Protection were the prime focus of the discussions.[2] It was Argued by the Claimant that EU General Data Protection Regulation 2016/679 should be taken into account and the procedures developed to comply with it, since one of the tribunal members (Arbitrator) is based in the UK.[3] Canada, on the other hand, argued that the GDPR does not generally govern the arbitration proceedings because, among other things, the claim was made under a treaty to which neither the EU nor its Member States are a party. Therefore, the arbitration is outside of the material scope of the GDPR.[4]

Procedural order

The Arbitral Tribunal on 24 June 2019 informed both the parties via email very briefly in two paragraphs stating “Arbitration under NAFTA Chapter 11, a treaty to which neither the European Union nor its Member States are party, does not, presumptively, come within the material scope of the GDPR.”

Further Tribunal also clarified that Procedural Order would not make any reference to GDPR, however this would be ‘without prejudice to the importance of ensuring a high level of data protection’.[5]

Applicability of GDPR

The fundamental objective of GDPR is to protect natural persons with regard to the processing of their personal data. It regulates and safeguards the fundamental rights and freedom of natural persons and in particular the right to have their personal data protected.

On plain reading of Article 3 of General Data Protection Regulation 2016/679 it could be concluded that the regulation is applicable to Arbitral Tribunals seated in EU and also tribunals outside EU concerning EU data subjects.

In Tennant Energy vs. Canada it was argued[6] by Canada that since the Permanent Court of Arbitration  seats in the Netherlands, this grants certain immunities to  PCA and it should exclude PCA from the applicability of GDPR.

Article 44, Chapter V of GDPR, expressly states that it covers the transfer of data to international organizations or third countries in order to ensure that the level of protection of natural persons is guaranteed.  Moreover, a European Commission decision of ‘adequacy’ is necessary prior to the transfer of the personal data to third countries or international organizations.

Further  the guidelines issued by European Data Protection Board[7] on the territorial scope of GDPR, which more explicitly clarifies that GDPR can extend to data processing that occurs outside of the EU: “The text of Article 3(1) does not restrict the application of the GDPR to the processing of personal data of individuals who are in the Union. The EDPB, therefore, considers that any personal data processing in the context of the activities of an establishment of a controller or processor in the Union would fall under the scope of the GDPR, regardless of the location or the nationality of the data subject whose personal data are being processed. This approach is supported by Recital 14 of the GDPR which states that “the protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.”  It was further submitted by the claimant[8] that one of the London-based arbitrator has confirmed in a data privacy notice that the GDPR applies to him, as he is is both a data “processor” and a data “controller”, pursuant to how the terms are defined in the GDPR. Thus, it could be prima facie concluded that by no means Canada can escape from the applicability of GDPR.

Conclusion

GDPR serves as a strongest medium to protect sensitive and privileged, personal and commercial information, in international disputes. However, the impact of GDPR in international treaty arbitrations still remains faded and it continues to be a big topic of debate in the arbitration arena. It seems that there is a great need of case law which could settle this issue.

Lastly, ICCA and the IBA have established a Joint Task Force on Data Protection in International Arbitration Proceedings. The task force is developing the guidance to facilitate arbitration professionals with regards to data protection in arbitration proceedings, which is due to be published later in the year.

 

The author

BLS-LLB (Hons.) Student at M.K.E.S College of Law, University of Mumbai, India.

 

 

[1] PCA Case No. 2018-54: Tennant Energy, LLC (U.S.A.) v. Government of Canada.

[2] Claimants Submission on confidentiality.

[3] Investor comments on the EU General Data Privacy Regulation; – Tennant Energy, LLC (U.S.A.) v. Government of Canada.

[4] Reply to Claimant’s Submissions.

[5] See 1.

[6] Tennant Energy LLC v. Government of Canada Response to the Claimant’s Submission on the European Union General Data Protection Regulation

[7] Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation

[8] Questions And Investor’s Response To Tribunal GDPR Questions And Data Privacy Questions June 4, 2019