Amid the rising number of cases of COVID-19 in Europe, it has been reported that certain telecommunication companies may have agreed to share anonymous mobile phone geolocation data with the European Commission (the "Commission"). According to the report, the Commission will aggregate this geolocation data to coordinate measures to halt the spread of COVID-19 and delete the data once the health crisis is over.
The European Data Protection Supervisor (the "EDPS") has cautioned that while anonymised data fall outside the scope of the General Data Protection Regulation (the "GDPR"), effective anonymisation requires more than simply removing identifiers such as phone or IMEI numbers. The UK Information Commissioner's Office (the "ICO") issued a statement that generalised location data trend analysis based on properly anonymised and aggregated mobile phone data falls outside the GDPR and the Data Protection Act 2018. However, businesses need to be very careful that any location information they share with third parties is fully anonymised (in Europe, normally by anonymisation and aggregation) and cannot be traced back to individuals. The EDPS also stressed that the Commission has to ensure that any third parties that process the data comply with strict information security and confidentiality obligations.
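The EDPS point above (stripping phone or IMEI numbers is not anonymisation; aggregation is what removes the link to individuals) is illustrated by the following added example, which is not part of the original post. It uses constructed pseudonymised location records and a hypothetical minimum-count threshold `k`; the device token stands in for a hashed phone or IMEI number.

```python
from collections import Counter, defaultdict

# Constructed sample: pseudonymised records of (device_token, cell_id, hour).
# Device "tok-e5" is the only one seen in cell-99, so its rows single it out.
RECORDS = [
    ("tok-a1", "cell-17", 8), ("tok-a1", "cell-17", 9), ("tok-a1", "cell-42", 18),
    ("tok-b2", "cell-17", 8), ("tok-b2", "cell-17", 9), ("tok-b2", "cell-42", 18),
    ("tok-c3", "cell-17", 8), ("tok-c3", "cell-17", 9), ("tok-c3", "cell-42", 18),
    ("tok-d4", "cell-17", 8), ("tok-d4", "cell-17", 9), ("tok-d4", "cell-42", 18),
    ("tok-e5", "cell-17", 8), ("tok-e5", "cell-99", 9), ("tok-e5", "cell-99", 18),
]


def strip_identifiers(records):
    """Drop the device token only. Every row is still one person's
    position at one hour, so the record count does not change."""
    return [(cell, hour) for _, cell, hour in records]


def singled_out_buckets(stripped):
    """(cell, hour) buckets holding exactly one row after identifier removal.
    Anyone who knows where one person was at that hour can tie the row to
    them, so this release is not anonymous in the EDPS sense."""
    counts = Counter(stripped)
    return sorted(bucket for bucket, n in counts.items() if n == 1)


def aggregate(records, k=3):
    """Release only per-(cell, hour) device counts, suppressing any bucket
    with fewer than k distinct devices (k is an assumed policy value).
    The output contains no per-person rows at all."""
    devices = defaultdict(set)
    for token, cell, hour in records:
        devices[(cell, hour)].add(token)
    return {bucket: len(toks) for bucket, toks in devices.items() if len(toks) >= k}


if __name__ == "__main__":
    stripped = strip_identifiers(RECORDS)
    print("rows after stripping tokens:", len(stripped), "of", len(RECORDS))
    print("buckets that still single out one person:", singled_out_buckets(stripped))
    print("aggregated release (k=3):", aggregate(RECORDS))
```

The aggregated release drops the cell-99 buckets entirely rather than publishing a count of one, which is the difference between pseudonymised and aggregated data that the ICO statement turns on.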
Businesses can be instrumental in fighting the pandemic, but they need to carefully consider their data protection obligations. The European Data Protection Board and some national data protection authorities have stressed that while the GDPR should not hinder measures taken in the fight against the pandemic, controllers remain responsible for protecting personal data and for processing it in accordance with the existing legal requirements.
For example, recent reports indicate that different organisations are developing tools that will alert people to self-isolate if they are identified as having recently been in contact with someone diagnosed with COVID-19. To be effective, these tools will rely on collecting and monitoring large amounts of geolocation and health information about individuals on an ongoing basis. Although deploying these types of technologies could have numerous benefits in terms of protecting public health and helping public and private sector organisations manage and minimise disruption within their workforce, businesses will need to consider how to deploy such solutions in a way that complies with the applicable data protection legislation (not to mention employment law and human rights requirements) in the jurisdictions in which they may be implemented.
In Europe, businesses have to comply with the GDPR, the ePrivacy Directive and its local implementation when processing personal data. Under the GDPR, organisations will need to establish a legal basis for processing the personal data collected (for example, whether the data subject's freely given, specific, informed and unambiguous consent needs to be obtained and if so, how).
Further information about managing cybersecurity and privacy risks through COVID-19 can be found at: https://www.covid19.law/2020/03/managing-cybersecurity-and-privacy-risks-through-covid-19/