Dutch regulator breaks ranks on coronavirus data sharing
The Dutch data protection authority has urged caution in allowing location data to be shared with its government for coronavirus-fighting efforts – taking a position that differs from many of its European counterparts.
The regulator said earlier this week that telecommunications companies may be able to share data with its government, but only if there is a specific emergency law in place allowing the practice.
The GDPR and Dutch telecoms laws only allow such sharing based on consent – which would be impractical in the current situation – or if the data is anonymised, the regulator said. Aleid Wolfsen, the head of the watchdog, argued that true anonymisation of location data is not possible because it can be combined with other information to identify individuals.
"That turns this data into personal data and you shouldn't just share it,” Wolfsen said.
Data-sharing schemes have been proposed in numerous countries across Europe and have been largely greenlit by national and EU-wide regulators, which have stated that the GDPR provides the legal grounds for public health authorities to process personal data without consent when it is in the interest of public health.
With the exception of the German federal data regulator, which criticised a series of proposed amendments to the country’s emergency health law, most data protection authorities have suggested that widespread data-sharing practices – which would normally attract high levels of scrutiny – ought to be allowed to tackle the crisis.
The Dutch regulator is known for taking a hardline stance on privacy and data protection issues. Recent enforcement against a tennis association attracted criticism for implying that the GDPR’s legitimate interests legal basis for data processing cannot be used for commercial purposes.
And the watchdog said earlier this week that it accepts that exceptional times require exceptional measures – but that the “effect and consequences” of such measures must be weighed against privacy.
“In times of crisis, privacy is sometimes compared to safety or public health. That is a false contradiction. We must protect both public health and our fundamental right to privacy,” Wolfsen said.
Wouter Seinen, a partner at Baker McKenzie in Amsterdam, said the regulator’s position on telecoms data sharing can be partly attributed to its culture and background and its historical willingness to criticise the Dutch central government.
The suggestion that the government should pass a law to allow such data sharing is “quite sensible”, Seinen said. “The Dutch legislature is a quite efficient one … the government would be able to pass an act that would provide a concrete legal basis for this in a matter of days or weeks.”
“[The regulator] is saying that a government should not rely on anything like legitimate interests. They are the lawmaker – if they think that there is a legal necessity to do that, they can formalise that by making a law. It might take longer in other countries and there would be a greater need to flex the current systems, but that is not the case here,” he said.
The regulator’s view that the data required for tackling the pandemic could likely be used to identify individuals also stands up to scrutiny, Seinen said, as authorities would need to “drill down” into the information to get the best use out of it.
Eva de Vries, a partner at SOLV in Amsterdam, said the stance taken by the Dutch authority is not necessarily “that different” to other European regulators – it has only taken this position because the processing of location data has a big effect on privacy and there is currently no Dutch law containing sufficient safeguards for this type of data processing, she said.
De Vries said she understands the authority’s privacy concerns, particularly regarding safeguards called for by the regulator. Especially important, she said, are “things like purpose definition and rules on duration of data storage. The data processing activity should only be temporary, for this crisis,” she said.
Although there is currently no formal proposed bill, she said, the regulator has indicated it would provide quick feedback to any proposals, meaning an emergency law could be passed very quickly.
Estelle Massé, a senior policy analyst at digital rights organisation Access Now, said data protection has “never been about not using data but about using it responsibly. In this health crisis, the question is not if to use data but how.”
“We are therefore pleased to see the guidance coming out of the Dutch data protection authority regarding the use of location data and anonymised data, recalling the limitation of this practice and that it should be based on law,” she said.