The COVID-19 health crisis has created a situation where there is a need to access select personal data in order to help understand the spread of the virus and potentially to save lives too. GDPR contains provisions for the collection of such helpful data in the public interest – for this public health crisis.
The regulations also provide structure for public organisations to understand their obligations and responsibilities, as well as providing them with the ability to gather data that can help fight against the virus.
The European Commission has recently begun talks with European telecom companies and GSMA, the association of mobile telecom operators, to discuss sharing anonymised data to model and predict the spread of Coronavirus across the continent.
The Commission has asked telecoms operators to hand over anonymised mobile metadata. The data can be used in a way that is fully compliant with the GDPR and e-Privacy legislation, Internal Market Commissioner, Thierry Breton, said.
The HSE is also about to roll out an app to facilitate contact tracing after a Coronavirus diagnosis. The app will use Bluetooth technology to detect when devices with the app installed are in close contact with each other. When the owner of a device with this app installed tests positive for Covid-19, this data may give a head start to the contact tracing process.
The HSE is in close contact with the Data Protection Commission while developing this app.
The European Data Protection Supervisor, Wojciech Wiewiórowski, said in a letter directed to the EC executive that ‘data protection rules currently in force in Europe are flexible enough to allow for various measures taken in the fight against pandemics. I share and support your call for an urgent establishment of a coordinated European approach to handle the emergency in the most efficient, effective and compliant way possible. There is a clear need to act at the European level now.’
Wiewiórowski highlighted data anonymisation and wrote that anonymised data falls outside of the scope of data protection rules: ‘At the same time, effective anonymisation requires more than simply removing obvious identifiers such as phone numbers and IMEI numbers.’
He also called for transparency for the public to understand how their data will be treated, to avoid any misunderstanding.
‘Should the Commission rely on third parties to process the information, these third parties have to apply equivalent security measures and be bound by strict confidentiality obligations and prohibitions on further use as well.’
Importantly, the EU official clarified that the data will be deleted once the crisis is over, adding that the EU plan is not about centralising mobile data nor about policing people.
The European Data Protection Board (EDPB) has said that ‘emergency is a legal condition which may legitimise restrictions of freedoms provided these restrictions are proportionate and limited to the emergency period.’
‘With regard to the processing of telecom data, such as location data, national laws implementing the e-Privacy Directive must also be respected. In principle, location data can only be used by the operator when made anonymous or with the consent of individuals. However, Art. 15 of the e-Privacy Directive enables Member States to introduce legislative measures to safeguard public security.’
A number of territories around the world, such as Israel, Singapore and Taiwan have already implemented contact-sharing apps and location-tracking using mobile phones to fight the spread of the virus.