The European Union’s committee of data protection regulators has clarified that national governments will need to lay down new laws if they wish to use mobile location data to track the spread of the coronavirus outbreak.
In a statement issued on Monday (16 March), the European Data Protection Board (EDPB) said that efforts to use geolocation data to carry out contact-tracing – in the same way that Israel controversially plans to, and Taiwan already has – would currently be unlawful under the ePrivacy Directive.
But the EDPB adds that in certain circumstances, including matters of national and public security, member states are entitled to introduce new laws that would override their existing interpretations of the directive.
The statement says: “The national laws implementing the ePrivacy Directive provide for the principle that the location data can only be used by the operator when they are made anonymous, or with the consent of the individuals.
“The public authorities should first aim for the processing of location data in an anonymous way (i.e. processing data aggregated in a way that it cannot be reversed to personal data). This could enable to generate reports on the concentration of mobile devices at a certain location (“cartography”).”
In this instance, law enforcement agencies could use aggregated location data, based on individuals’ proximity to cell towers, to identify groups of people who were breaking self-isolation rules. But they couldn’t use the data to find people who had come into close contact with those who had later tested positive.
However, the statement continues: “When it is not possible to only process anonymous data, Art. 15 of the ePrivacy Directive enables the member states to introduce legislative measures pursuing national security and public security.
“This emergency legislation is possible under the condition that it constitutes a necessary, appropriate and proportionate measure within a democratic society. If such measures are introduced, a Member State is obliged to put in place adequate safeguards, such as granting individuals the right to judicial remedy.”
While EU data legislation tends to follow a pro-privacy agenda, it often includes loopholes that allow member-states to maintain sovereignty when it comes to issues of national security. As this announcement shows, the ePrivacy directive is no exception. But what about the GDPR?
“The GDPR”, the EDPB states, “provides for the legal grounds to enable the employers and the competent public health authorities to process personal data in the context of epidemics, without the need to obtain the consent of the data subject.”
Andrea Jelinek, chair of the EDPB, said: “Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.”
Speaking to NS Tech, Emily Cox – a media disputes partner at the law firm Stewarts – said: “This statement from the EDPB serves as a timely reminder that GDPR protections are not simply swept away during a public health crisis.
“This is a warning to governments, health authorities and employers that while they can process biometric and health data without consent, this must be done proportionately, lawfully, and with safeguards in place.”