Guidance issued on data sharing during COVID-19

The European Internal Market Commissioner, Thierry Breton, along with a number of European Telecoms operators and the GSMA (an industry association representing worldwide mobile network operators), discussed the topic of data sharing during a recent video conference. During the video conference, Commissioner Breton stressed the critical role played by telecoms operators in supporting individuals and businesses during the crisis, and called on telecoms operators to collect and share with the European Commission (EC) anonymised mobile metadata to help in the effort to analyse the diffusion of the virus. The Commissioner stressed, however, the need to do so in a manner that was compliant with the GDPR and e-privacy legislation.

Shortly after the video conference, the European Data Protection Supervisor (EDPS) published an open letter to the EC responding to queries raised by the EC in relation to proposed data sharing. Amongst other things, the EDPS confirmed that:

• Current European data protection rules are flexible enough to allow for various measures to be taken in the fight against pandemics such as COVID-19.

• Although “effectively anonymised data” falls outside the scope of data protection rules, effective anonymisation requires more than simply removing identifiers like phone and IMEI numbers. (This statement echoes those made by the ICO’s Deputy Commissioner, Steve Wood, who similarly confirmed that properly anonymised and aggregated data will not fall under data protection law (particularly flagging the use of such data for addressing emergency situations), and privacy laws will not be breached provided the appropriate safeguards are in place.)

• Even though the data set may not constitute personal data under data protection legislation, the EC should continue to be bound by applicable information security obligations (and any third parties processing data on its behalf should be under equivalent obligations).

• The use of data aggregation techniques (as proposed by the EC) will be considered to be an additional safeguard.

• The EC’s proposal that the relevant data set should be deleted following the end of the crisis is welcomed, given the approach is reflective of the extraordinary circumstances. Any changes to the proposed scope of the activities (for example, any extensions) will require further consultation with the EDPS.

• The EC should clearly define the dataset it wishes to obtain from telecoms operators and communicate its plans to the public in a transparent way.

Although the points around data sharing and the treatment of anonymised data are not new, it will be interesting to see what the next steps will be in relation to this matter. The EC will no doubt rely on telecoms operators to provide details around their data anonymisation methods (to allow the EC to comply with its transparency obligations to the public). This will require telecoms operators to ensure that they are confident in their data anonymisation techniques and the safeguards in place.

The potential value of anonymised location data in addressing emergencies is also being recognised in other industries. Google recently confirmed that it plans to publish an early release of its COVID-19 Community Mobility Reports, which will shed light on the impact of the governmental measures introduced to flatten the curve of the pandemic. The Reports themselves will chart global movement trends across various places (for example, supermarkets and pharmacies). It remains to be seen if other companies in the private sector and other industries follow suit.