The European Internal Market Commissioner, Thierry Breton, along with a number of European Telecoms operators and the GSMA (an industry association representing worldwide mobile network operators), discussed the topic of data sharing during a recent video conference. During the video conference, Commissioner Breton stressed the critical role played by telecoms operators in supporting individuals and businesses during the crisis and called on telecoms operators to collect and share with the European Commission (EC) anonymised mobile metadata to help in the effort to analyse the diffusion of the virus. The Commissioner stressed, however, the need to do so in a manner that was compliant with the GDPR and e-privacy legislation.
Shortly after the video conference, the European Data Protection Supervisor (EDPS) published an open letter to the EC responding to queries raised by the EC in relation to proposed data sharing. Amongst other things, the EDPS confirmed that:
Current European data protection rules are flexible enough to allow
for various measures to be taken in the fight against pandemics such
as COVID-19.Although effectively anonymised data falls outside the scope of
data protection rules, effective anonymisation requires more than
simply removing identifiers like phone and IMEI numbers. (This
statement echoes those made by the ICO’s Deputy Commissioner, Steve
Wood, who similarly confirmed that properly anonymised and
aggregated data will not fall under data protection law (particularly
flagging the use of such data for addressing emergency
situations), and privacy laws will not be breached provided the
appropriate safeguards are in place.)Even though the data set may not constitute personal data under data
protection legislation, the EC should continue to be bound by
applicable information security obligations (and any third parties
processing data on its behalf should be under equivalent
obligations).The use of data aggregation techniques (as proposed by the EC) will
be considered to be an additional safeguard.The EC’s proposal that the relevant data set should be deleted
following the end of the crisis is welcomed, given the approach is
reflective of the extraordinary circumstances. Any changes to the
proposed scope of the activities (for example, any extensions) will
require further consultation with the EDPS.The EC should clearly define the dataset it wishes to obtain from
telecoms operators and communicate its plans to the public in a
transparent way.
Although the points around data sharing and the treatment of anonymised data are not new, it will be interesting to see what the next steps will be in relation to this matter. The EC will no doubt rely on telecoms operators to provide details around their data anonymisation methods (to allow the EC to comply with its transparency obligations to the public). This will require telecoms operators to ensure that they are confident in their data anonymisation techniques and the safeguards in place.
The potential value of anonymised location data in addressing emergencies is also being recognised in other industries. Google recently confirmed that it plans to publish an early release of its COVID-19 Community Mobility Reports, which will shed light on the impact of the governmental measures introduced to flatten the curve of the pandemic. The Reports themselves will chart global movement trends across various places (for example, supermarkets and pharmacies). It remains to be seen if other companies in the private sector and other industries follow suit.
_11zon_(1).jpg?crop=300,495&format=webply&auto=webp)
