The European Data Protection Board (hereinafter the 'EDPB') adopted Guidelines on the processing of health data for research purposes in the context of the Covid-19 outbreak, as well as Guidelines on geolocation and other tracing tools in the context of the Covid-19 outbreak, on 21 April 2020. The first article, relating to the former guidelines, has already been published and can be accessed here: https://fenechlaw.com/new-data-processing-guidelines-adopted-by-the-edpb-part-1/. This second article discusses the main points put forward by the EDPB in the guidelines on geolocation and other tracing tools.
Guidelines 04/2020 on the use of location data and contact tracing tools in the context of Covid-19 outbreak
As a starting point, the EDPB considered the main sources of location data available, that is, (i) that collected by electronic communication services providers; and (ii) that collected by information society service providers' applications, whose functionality requires the use of such data. In accordance with the provisions of the ePrivacy Directive, the location data collected by the former source can only be transmitted to third parties if the data has been anonymised or with the consent of the users. Nonetheless, derogations exist under the same Directive, when they constitute "a necessary, appropriate and proportionate measure within a democratic society for certain objectives".
The EDPB also shed some light on anonymised location data, stipulating that the backbone of anonymisation is threefold: (i) isolation; (ii) linkability; and (iii) inference, and that any intervention on a single data pattern, rather than on datasets in their entirety, does not constitute anonymisation, but pseudonymisation. This is especially important vis-à-vis the particular nature of location data, which is in itself extremely unique. It is the opinion of the author that this emphasis by the EDPB was made purposely in order to clarify the great degree of misunderstanding in relation to the concept of anonymisation and the processing of location data. In this regard, it is of relevance to mention a recently published US$ 6 million judgment that was passed in Israel, wherein the Court stipulated that a lot of information, such as habits and preferences, can be inferred from location data without cross-referencing the same data with other information. According to the relevant settlement agreement, Trendit, one of the defendant companies in the lawsuit, which was buying the location data from the electronic communication service provider in question, also provided similar services to customers in Europe, North America and Australia.
Delving directly into the use of contact tracing tools, the guidelines highlight the importance of accountability in the implementation of the same tools, particularly where multiple actors are involved. Due to the highly intrusive nature of large scale and systematic monitoring of location data between natural persons, the objective of any such processing must be clearly defined and should exclude any potential further processing of the same data. This is crucial when the implementation of contact tracing apps is envisaged – for the pursuance of the objective, the location of the individual users is not required, but rather, proximity data should be used.
In relation to the lawful basis for processing, the EDPB had already indicated that the mere fact that the use of contact tracing apps takes place on a voluntary basis does not mean that the relevant legal basis is consent. The consideration as to which legal ground should be relied on for the processing operation should incorporate various factors, such as the level of interference with the private life of the individual and the counterpart safeguards which should be implemented. Of utmost importance, this exercise should also, as soon as practicable, include the criteria to determine when the app should be dismantled.
Due to the high probability of the combined processing of health data linked with the use of these contact tracing apps, the EDPB suggests the undertaking of a data protection impact assessment ('DPIA') prior to implementation of the same apps, and furthermore, recommends that the results of the same DPIA are published and made available.
The EDPB concludes the guidelines with the most important and relevant terms to the discussion of the implementation of contact tracing apps and other developing digital technologies in states of crisis, such as the one we are currently facing: "It is our responsibility to ensure that every measure taken in these extraordinary circumstances are necessary, limited in time, of minimal extent and subject to periodic and genuine review as well as to scientific evaluation".
The full text of Guidelines 04/2020 can be found here: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-042020-use-location-data-and-contact-tracing_en
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.