
Location privacy and data retention in times of pandemic and the importance of harmonisation at European level

Patrícia Corrêa

In this time of pandemic, many countries are starting to actively monitor cellphone data to try to contain the spread of the new coronavirus. Governments are using location data to trace contacts or to monitor and enforce the quarantine of persons who have tested positive for COVID-19 or those with whom they have come into contact.

The United States Government is in discussions with the tech industry about how to use Americans’ cellphone location data to track the spread of the novel coronavirus. In Iceland, authorities have launched an app that tracks users’ movements in order to help track coronavirus cases by collecting data about other phones in the area. In India, state authorities have also launched an application to track the movement history of persons who tested positive, which also provides the date and time of the patients’ visits to particular spots. In Brazil, at least one city is already using cellphone data to monitor gatherings of people and take action to disperse them, and the federal government will soon follow. There are reports of similar approaches in many other countries as well.

At European level, Internal Market Commissioner Thierry Breton has held a videoconference with CEOs of European telecommunication companies and GSMA to discuss the sharing of anonymised metadata for modelling and predicting the propagation of the virus.

Does this approach necessarily put data privacy at risk? Is the trade-off between data privacy and public health necessary? Whereas it is true that in exceptional circumstances fundamental rights need to be balanced against each other, data privacy shall not be an insurmountable obstacle to the implementation of exceptional public health policies.

Some basics on data and metadata

Simply put, data consists of potential information that has to be processed to be useful. [1] Metadata, on the other hand, is “data about data”, comprising all the information about data at any given time, at any level of aggregation. It is structured information about an information resource of any media type or format. [2]

In order to safeguard privacy, personal data must be anonymised before its processing. Anonymisation refers to the process of de-identifying sensitive data while preserving its format and type [3] so it cannot be tied to specific individuals. Privacy can also be assured by means of aggregation, which refers to the “process where raw data is gathered and expressed in a summary form for statistical analysis.”

Conditions for the use of location data

While in some countries the use of information to combat the COVID-19 outbreak seems to go beyond anonymised data (individual location and contact tracking, for instance, requires device-level data), in Europe, so far, collaboration between telecommunication companies and governments appears to encompass only the exchange of anonymised data or data-based models. On that level of data processing, the European Data Protection Board issued an approval statement based on some conditions, such as the anonymity of the processed data and the applicability of administrative controls, including security, limited access and limited retention periods.

On April 8, the European Commission issued a Recommendation on a Common Union Toolbox for the Use of Technology and Data to Combat and Exit from the COVID-19 Crisis, in particular concerning mobile applications and the use of anonymised mobility data. The Recommendation acknowledges the value of digital technologies and data in combating the COVID-19 crisis stating, however, that fragmented and uncoordinated approaches could hamper the effectiveness of measures aimed at combating the pandemic and violate fundamental rights and freedoms. It sets up a process for developing a common approach (Toolbox) to use digital means to address the crisis. The Toolbox will consist of practical measures for making effective use of technologies and data, with a focus on a pan-European approach for the use of mobile applications, coordinated at Union level and a common scheme for using anonymised and aggregated data on mobility of populations.

Regarding the use of mobility data, the Recommendation provides, inter alia, for safeguards to be put in place to prevent de-anonymisation and avoid the reidentification of individuals, including guarantees of adequate levels of data and IT security, and assessment of reidentification risks when correlating the anonymised data with other data.

The right to location privacy

According to Article 4(1) of the GDPR, personal data comprises any information relating to an identified or identifiable natural person, including location data. Location data, as stated by the ePrivacy Directive, means any data processed in an electronic communications network or by an electronic communications service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service. It can be tied to a known individual (e.g. a name linked to a cell phone subscription) or to an identifier associated with a specific device (anonymised data). In other cases, a dataset is modified to display the location of groups of people, instead of individuals (aggregated data).

Location privacy, hence, relates to the location information of an individual in a sense that prevents others from learning about one’s current or past location. [4] In other words, “This definition captures the idea that the person whose location is being measured should control who can know it.”

The right to location privacy encompasses two fundamental rights, both guaranteed by the Charter of Fundamental Rights of the EU: the respect for private and family life (Article 7) and the protection of personal data (Article 8). Notwithstanding their importance, fundamental rights are not absolute and can be restricted in exceptional situations. As stated by Article 52(1), restrictions on these rights can only be imposed when lawful, legitimate and proportionate.

Location privacy is also protected under Article 8 of the European Convention on Human Rights and cannot be limited either, except by derogation in time of emergency consisting of war or other public emergency threatening the life of the nation. In that case, the measures shall be taken strictly to the extent required by the situation and cannot be inconsistent with other obligations under international law (Article 15).

Data retention in EU context

In the Digital Rights Ireland case, the ECJ declared the invalidity of Directive 2006/24/EC, which required providers of publicly available electronic communication services or public communication networks to retain telecommunication data of individuals for the purposes of preventing, investigating and prosecuting serious crime. The ECJ took the view that the Directive does not “provide for sufficient safeguards … to ensure effective protection of the data retained against the risk of abuse and against any unlawful access…” According to the ECJ, although the Directive satisfies a valid objective of general interest (public security), it does not meet the principle of proportionality.

To date, there is no EU legislation regarding data retention. Filling the void, the ECJ decided in the Tele2 Sverige case on the scope and effect of its previous judgment in Digital Rights Ireland, establishing minimum safeguards that must be included in any national law regarding data retention. The ECJ therefore concluded that national legislation that did not contemplate minimum safeguards would be precluded pursuant to Article 15(1) of the ePrivacy Directive.

Despite the guidelines set out in the Tele2 Sverige judgment, a survey by Privacy International indicates that, as of 2017, a large number of Member States had not yet made the changes necessary to ensure that national legislation complied. This is especially important in this time of pandemic, as many States in Europe are turning to private telecom companies to disclose retained location data in order to fight the COVID-19 outbreak.

Data retention and location privacy: the need for harmonisation

This scenario highlights the importance of harmonisation on the subject at European level, which would help safeguard citizens’ privacy rights. That coordination between private companies and governments shall reveal how access to sensitive telecommunication data by public authorities will affect the retention of data for private purposes.

In the light of the COVID-19 pandemic, location data can be very useful for epidemiological analysis, medical research and measures against the spread of disease. This importance, however, does not preclude respect for privacy rights. In that context, a European framework for data retention is paramount to location privacy, since it can effectively regulate what data can be retained, for how long, and what measures must be taken in order to reduce the risk of violations and make sure the data is being stored and shared in legitimate and responsible ways.

Final remarks

The retention, processing and exchange of location data to handle the pandemic do not necessarily have to violate privacy. There are mechanisms that, although not infallible, minimise the risk of breach in the processing of personal data, in particular aggregation and anonymisation. Besides, even in exceptional cases in which the processing of personally identifiable information is needed, EU Regulation and case law have already set some boundaries, especially with regard to proportionality. What really matters is the approach authorities will choose to take after the outbreak subsides, so that mass surveillance does not become the norm.

[1] POMERANTZ, Jeffrey. Metadata. Cambridge : The MIT Press, 2015. p. 21.
[2] BACA, Murtha (ed). Introduction to Metadata. 3. ed. Los Angeles : Getty Research Institute, 2016. p. 2.
[3] RAGHUNATHAN, Balaji. The Complete Book of Data Anonymization: From Planning to Implementation. Boca Raton, FL, USA : CRC Press, 2013. p. 4.
[4] ATAEI, Mehrnaz; KRAY, Christian. Ephemerality is the New Black: A Novel Perspective on Location Data Management and Location Privacy in LBS. In GARTNER, Georg; HUANG, Haosheng (ed.) Progress in Location-Based Services 2016. Switzerland : Springer, 2017. p. 360.


The Author

Patrícia Corrêa is a Portuguese qualified lawyer currently pursuing a Master’s Degree in International and European Law at Universidade Católica do Porto, Portugal.