Telcos share location data for coronavirus efforts

Data regulators have greenlit wide-scale data-sharing practices as telecommunications companies across the globe hand over location data to health authorities to assist in the fight against coronavirus.

In at least four European countries, telecoms companies have started to share aggregated location data with health officials to help governments assess whether social distancing measures are working or being adhered to.

News broke yesterday that mobile network O2 has provided information to the UK government to monitor the public, particularly in London which has the highest number of Covid-19 cases in the country. Deutsche Telekom has taken similar measures in Germany, reports Reuters.

In Austria, the country’s largest mobile phone company – A1 Telekom Austria – is sharing results from a motion analysis application that is usually used to map traffic congestion. Authorities are using the data to observe the movements of the public and determine whether public health messages asking people to self-isolate are working.

Italian mobile networks Telecom Italia, Vodafone and WindTre have all offered aggregated data to the Italian authorities, where in some places they are using the data to work out who is adhering to Italy’s strict lockdown rules.

China, Taiwan and South Korea have taken a more draconian approach, using mobile location data as a way to ensure those in quarantine are following orders and to trace those who have come into contact with individuals who have tested positive for Covid-19.

European regulators said that the measures taken on the continent do not breach privacy rules. The European Data Protection Board issued a statement on Monday saying that the GDPR provides the legal grounds for public health authorities to process personal data without consent when it is in the interest of public health.

Regarding the processing of mobile location data, additional rules apply, the board said. The ePrivacy Directive – which ensures location data can only be used when anonymised or with consent – can allow member states to introduce legislation pursuant to public safety that allows them to process data that has not been made anonymous.

But this emergency legislation must constitute a “necessary, appropriate and proportionate measure within a democratic society”, the EDPB said.

EDPB chair Andrea Jelinek said: “I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.”

The executive committee of the Global Privacy Assembly, which represents more than 130 data protection and privacy authorities worldwide, said Tuesday that it recognised the “unprecedented” challenge of Covid-19 and that the sharing of personal information at the national and global level was required.

“Health data is considered sensitive across many jurisdictions, but work between data protection authorities and governments means we have already seen many examples of national approaches to sharing public health messages; of using the latest technology to facilitate safe and speedy consultations and diagnoses; and of creating linkages between public data systems to facilitate identification of the spread of the virus.”

Daniel Cooper, a partner at Covington & Burling in London, told GDR that the measures in Europe are “not too much of a concern” from a privacy perspective as the data being used by authorities is anonymised and aggregated. But “it’s hard to say whether telcos have conducted rigorous anonymisation assessments”, he said. 

“Even privacy advocates are not making too much of a fuss about this … the risks go away when the data is aggregated”, he said.

If telcos started to share individual-level data, Cooper said, greater restrictions would apply. “But if it’s a health authority requirement and as long as it’s done by order of a competent authority in the EU, it wouldn’t be problematic from a privacy perspective,” Cooper said.

Although this is a unique situation, “you don’t want this to be the thin end of the wedge”, Cooper said. If a mobile network company decided to unilaterally track individuals, “then that would be a problem on ePrivacy grounds, which restricts the processing of location data”.

He also noted regulator guidance is starting to shift. Originally, the guidance was that “you can’t proactively take health information from employees”, but regulators are starting to reconsider that position, Cooper said.

“In Italy, in the face of pressure from the government, they said it probably is necessary for employers to check temperatures in more and more settings, because people are now dying of the virus in larger numbers.” As a result, “even the staunchest privacy regulators might start to give ground in the interests of safeguarding lives, and it is hard to argue with that”.