I know where you are. Does anyone else know?
08.04.2020 – Authors: Roxana Ionescu & Simona Furnica
Since public health has been affected by the spread of COVID-19, Member States’ governments have adopted several measures to contain its diffusion and reduce the risk of exposure. Some Member States recommend social distancing measures, while others have also declared state of emergencies and lockdowns. This is also the case for Romania, where a lock-down is in place starting from 25 March 2020.
To ensure individuals actually comply with such measures, as well as with quarantine and isolation measures for persons at risk, governments may seek to process personal data, such as location data of individuals. While this may be motivated by public health reasons, any such actions need to be in line with the provisions of the General Data Protection Regulation 679/2016 (“GDPR”) and the provisions of the e-Privacy Directive 58/2002 (“e-Privacy Directive”).
Telecom operators have expressed their commitment to support governments and society by giving an insight on users and / or subscribers’ movement. The provision of this information is possible by using electronic communication data, such as mobile location data. But, again, such processing needs to be aligned with the specific e-privacy rules.
So the practical question arises: can authorities use location and movement data provided by telecom operators and if so, how?
1. Processing of location data in Romania
Romania has transposed the e-Privacy Directive by Law No. 506/2004 on the processing of personal data and protection of privacy in the electronic communications sector (“Law 506/2004”).
Under this enactment, processing of location data of users and / or subscribers in order to analyze their movement is possible if (i) the data are made anonymous or (ii) with the express prior consent of the user and / or subscriber to whom the data relate. By consequence, location data may be used only if one of the above rules is complied with.
i. Processing of anonymous data
Since Law 506/2004 does not define the meaning of anonymized data, we need to consider Recital 26 of GDPR to clarify its meaning. This recital states that anonymized data are those that can no longer identify a person directly or indirectly, either by the controller or by another person / entity. Furthermore, Recital 26 of GDPR states “to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly”.
To the extent the data are anonymized and do not relate to a natural person, the provisions of GDPR do not apply.
This conclusion is also acknowledged by the European Data Protection Supervisor (“EDPS”), which in its 25 March 2020 statement with regard to monitoring spread of COVID-19 stated that “effectively anonymized data fall outside of the scope of data protection rules”.
The European Data Protection Board (“EDPB”) recommended in its recent statement with regard to processing of personal data in the context of COVID-19 that “public authorities should first seek to process location data in an anonymous way (i.e., processing data aggregated in a way that individuals cannot be re-identified), which could enable generating reports on the concentration of mobile devices at a certain location (“cartography”)”.
What does that mean in practice?
- For public authorities, it means that they should consider privacy implications when requesting data from private entities, such as the telecom operators or other entities that process location data of their customers (g., app providers, etc.). If public authorities consider accessing location data as a way to investigate actual exposure of individuals considering their contact with confirmed COVID-19 cases (e.g., in epidemiological investigations), this should be accompanied by clear safeguarding measures in the enactments regulating this activity.
- For controllers who process location data, it means that they need to ensure that data anonymization solutions meet the irreversibility standard prior to providing it to public authorities. Controllers may provide to public authorities aggregated data in the form of graphic representation of the data that use colors to indicate the presence of natural persons (heatmaps). If actual personal data is requested from them, controllers should verify if the conditions for allowing access to such data are met.
ii. Consent of the data subjects
In certain situations, using anonymized data might not fulfill the purposes pursued by public authorities. In such cases, telecom operators must ensure, before providing the personal data to public authorities, that users and / or subscribers have expressly consented prior to the processing of their location data.
However, the implementation of such approach is difficult in practice, taking into consideration the large volume of data that need to be processed from numerous data subjects. Moreover, telecom operators need to comply with additional requirements for such processing (e.g., providing information on the type of localization data to be processed, on the purposes and duration of processing and on possible disclosure of the data to a third party).
What should controllers do?
- Provide information to the users and / or subscribers in accordance with the applicable legislation before collecting their consent.
- Ensure that users and / or subscribers have the right to withdraw their consent at any given moment or to temporarily refuse the processing of the data in question.
In its Statement, EDPB understands that in certain situations it is not possible to process only anonymous data. In this context, EDPB encourages public authorities to make use of Art. 15 of e-Privacy Directive which enables Member States to adopt restrictive legislative measures to safeguard the public security. In such a case, by adopting an emergency legislation, public authorities might process non-anonymized location data.
Such exceptional legislation must constitute a necessary, appropriate and proportionate measure within a democratic society, and be limited to the emergency’s duration. Moreover, if such a measure for processing of non-anonymized location data is adopted, adequate safeguards must be put in place, such as a right to judicial remedy.
2. Additional requirements – GDPR and Law 506/2004
In addition to the above-mentioned rules, controllers must ensure that each processing activity complies with the data protection principles, as mentioned in Art. 5 of GDPR. For this purpose, we would like to highlight the importance of ensuring compliance especially with the transparency and with the storage limitation principles.
In this regard, EDPS also advised in its statement on full transparency towards the public with regard to the processing purposes envisaged. In this respect, telecom operators must inform the data subjects on the processing purposes and the procedure to be enacted. For example, in order to comply with this requirement, telecom operators could update and amend the privacy policies published on their websites, if the case.
Since the processing activity is envisaged taking into consideration the current crisis, the data obtained from telecom operators should be deleted as soon as the need to process them ends. The use of the data provided by telecom operators in this context should be temporary.
Back to the (possible) future
The Romanian government issued several public statements in which it mentioned that, in order to ensure compliance with quarantine and isolation measures, additional restrictive measures for monitoring and processing location data are considered (e.g., monitoring bracelets). Although no such measures were adopted so far, Art. 15 of e-Privacy Directive enables the Romanian government to take more restrictive measures if it consider that citizens do not respect the isolation and quarantine measures. But any such use of Art. 15 of the e-Privacy Directive needs to be proportional and justified and public authorities need to set out adequate safeguards for protecting individuals’ privacy if they will opt to activate this provision.