Wiewiórowski: Europe must use data together to fight covid-19

European Data Protection Supervisor Wojciech Wiewiórowski tells GDR how European institutions are working together to leverage data to tackle the covid-19 pandemic. 

What are EU institutions doing to tackle the pandemic? 

The European Commission is expected to prepare a document on its exit strategy this week. One of the exit strategies, and one of the tools that countries want to establish, is the use of mobile apps. The commission would like to find some kind of framework to make these interoperable. We fully support this approach.  A week ago we issued a statement saying this. I said very clearly that we are expecting that these mobile apps should have a pan-European standard. If we don't talk with each other, if the applications don’t talk with each other, it will be very hard to re-introduce the free flow of persons; the free flow of persons is one of the pillars the European Union is based on. Of course, the whole idea of economic cooperation and a digital single market is fully dependent on the fact that people are able to work and trade and move from country to country. We are definitely in favour of that, and the commission is, first of all, going to propose guidelines on the use of these kinds of applications for member states and by EU institutions. 

On Friday [10 April], EU institutions were informed of the joint common initiative of Apple and Google. Though this initiative is not directed towards EU institutions, it also concerns interoperability which is important to consider. I think interoperability will be important between platforms – between Android and iOS – but also among the countries that would probably like to offer their applications to other Europeans. 

 What do you make of member states working with tech companies?

I’m not the right person to comment on what’s going on in member states. That’s for the data protection authorities to decide on. 

I respect the work of the [UK Information Commissioner’s Office] so I’m not going to comment on what’s going on with the NHS and its services, although of course I try to follow what’s going on.  I also try to follow possible solutions, like the use of Palantir, but I generally trust the approach of the ICO. I had a long discussion with Elizabeth Denham a few days ago when sharing our positions between the ICO and EDPS. I found that there’s absolutely no difference between the approach of the involved institutions and the kinds of solutions in the EU and the UK, despite the fact that in the UK there were articles pointing to differences between statements made between the EDPS and the ICO. We agreed that we cannot see those differences. Actually, the approach of two institutions is exactly the same, but of course we are commenting on different solutions, so sometimes we put more stress on different aspects of the same solution.

I respect the fact that the UK is going to do its own solution, and I’m sure that we should still foster cooperation between the EU and the UK. I hope we can reach interoperability between the UK’s solutions and the EU ones. 

Are you aware of any EU institutions – which you monitor – reaching out to work with tech companies in the same way many member states are?

I’m probably not the best person to ask about plans of European Commission. I can say what I know at the moment, what we’ve asked about: the EU is going to prepare a solution that is based on data from the telecoms companies, but which is not going to trace anybody or to track any individual persons. The idea is to reflect the general movement of the population. The telecoms operators deliver aggregated and anonymised data. Agencies of the European Commission are preparing IT solutions out of that.

The second part of the answer to that from the EU institutions is coordinating member states’ work and trying to find interoperability between national solutions. In this sense the proposal from Apple and Google is interesting. Without judging the proposal itself, I can say that it goes in the direction of preparing one environment in which there is cooperation between the tech companies and the developers of the applications – no matter if these are governments directly, or private bodies, or academic or scientific developers. I would, however, be very cautious in comparing this solution and those appearing in other parts of the world. Both the legal situation and also the cultural experiences of different countries are so different that copying solutions from one country to another is a very difficult topic. 

There has been some reported disagreement between various DPAs on the use of telecoms data as a covid-19 strategy. Some, notably the Dutch, have said this may be illegal. Do you share these worries?

We tried to find the disagreements or differences between the DPAs, but actually they are saying exactly the same things. Top-down anonymisation of everything is very very difficult, and it’s probably even technically not possible to anonymise things absolutely and totally. But at the same time when we are talking about the GDPR and about anonymisation we are talking about effective anonymisation – meaning that using the available resources you are not able to reidentify the data. For this reason the anonymisation is usually supplemented with the aggregation of the data … this combination of anonymisation techniques and the aggregation of data can effectively make the data anonymous. I would not say there is a difference between the DPAs. The [Dutch] data authority was absolutely right in saying that it’s difficult or almost impossible to anonymise the data, and there’s also nothing strange by statements made by the EDPS that we are searching for effective anonymisation.

Of course, you can argue that there are different kinds of aggregation; you can aggregate by individual, by number of persons, by whatever –  and this may not be effective. Everything is based on risk analysis. The privacy impact assessment is to be done. The data protection impact assessment is to be done. 

What we want to stress is that while the GDPR is allowing us to use extraordinary tools in extraordinary situations, this does not mean that we can open the Wild West in the processing of the data. We still have to follow the principles of data protection. 

One idea that keeps coming up is that of immunity passports. Is this something you’ve been consulted on, or thought much about?

We haven’t been consulted in this field but of course we’re fully aware of the fact that this is one of the proposals people are talking about in the discussion of different future IT solutions.

If we have an agreement right now among people in member states, it is that solutions based on consent should be favoured. But if you introduce a solution involving some kind of immunity passports, it could make consent a little bit questionable, because everything depends on what this immunity passport would mean, or what it would give to the person.If you can only go back to work or out in public if you have this kind of immunity passport, which might be given in some kind of app, then in fact you are forcing people to use that app. If you say that you will only be able to buy a train ticket or enter public transportation only by showing this kind of immunity passport, as it is in some countries in Asia, then I would say the idea of a voluntary app based on consent is gone. So we should look for another legal basis for the processing of the data. I’m not saying that it couldn’t work, but I would say that from a legal point of view the game has changed. 

You’re rethinking your five-year strategy at the moment. How do you think this is going to change?

The only answer I can give right now, before I start to work on the text, is that we are not going to change the core of the strategy. The core will stay the same. It’s not that the world is starting from scratch. No, we are going to continue our work. But definitely some things will change, at least in the introductory part of the strategy. When we’re talking about what data protection is, what privacy is and about the role of the EDPS, we will have to discuss some of the questions the covid crisis has raised and what has been asked of us. 

Our answer is not that the world has stopped and that we will have to start something from scratch. We are continuing with the principles that we have, but observing that while the direction of the world is changing and that there is a definite acceleration in the speed of change in society, in technology, in public administration. It’s especially important in public administration – smart European administration is more and more important.

What developments are you keeping an eye on at the moment?

While we’re definitely paying attention to the use of apps in the crisis, I think most challenges in the nearest future will be to do with e-health, or rather m-health. So all the solutions connected with the diagnostic and observance of health issues through mobile devices, apps and  all electronic means will need to be watched, especially as they will be more and more popular when we come out the other side of the current crisis.


Unlock unlimited access to all Global Data Review content