The European Commission asks telecoms companies to share anonymised metadata in the fight against the coronavirus. How does this request relate to privacy regulations? Herewith my comments.
In the current era of the global fight against the coronavirus and deploying all available and imaginable means against it, The European Commission (EC) on Monday (March 23) asked European telecom companies to share anonymised data from mobile devices with it.
The EC wants to use this data to use it to analyse the COVID-19 outbreak. The information requested by the EC is metadata.
What are metadata?
Metadata – simply put – means information about information. Think here, for example, of data showing how often you chat with your colleague or when you send the most number of e-mails each week (e.g. always on Fridays at 16:00).
It can also involve dates from which it can be deduced when you have been where.
Although metadata does not directly contain content information (i.e. not the texts of the messages you send to your colleague), content information can be derived from it. This can already be done, for example, from an e-mail sent by one colleague to another on a random Monday morning at 9.52am with the subject line “Coffee?”.
The Economist published 17 March a study on the spread of the coronavirus, for which they used metadata from Instagram.
They discovered a possible link between the spread of the virus and information about the locations of Instagram users who, they said, might have COVID-19.
Privacy and metadata processing
But what about privacy regulations and the use of metadata?
Privacy regulations (including the General Data Protection Regulation ‘AVG’) apply to the processing of personal data. This is any data that can provide information about an identifiable natural person.
Personal data can provide information about an individual directly, such as someone’s first and/or last name, or indirectly, such as, for example, the location where someone does their shopping, from which you can potentially derive information about that person’s income.
Normal and sensitive personal data
The AVG distinguishes between normal personal data and sensitive – or special personal data (including about an individual’s health, orientation, religion, political views, religious beliefs, biometric data and other data sensitive to an individual).
The use of sensitive – or special personal data is in principle prohibited, unless you meet certain legal requirements.
In fact, metadata is almost always personal data because a lot of information about an individual can be derived from metadata.
Telecom data of individuals
So the EC is now keen to use individuals’ telecoms data, including location data, for its investigation. However, in the context of location data, the CJEU ruled in 2016 (CJEU 21-12-2016, ECLI:EU:C:2016:970, Tele 2 Sverige) that this can be sensitive (i.e. special) data.
The European privacy watchdog (the European Data Protection Board, ‘EDPB’) and its predecessor (the Article 29 Working Party) also previously made it clear that the use of location data can be intrusive for data subjects and pose privacy risks for data subjects.
However, metadata no longer qualifies as personal data if it is sufficiently anonymised. This is the case when the data is no longer traceable to an individual. In that case, privacy laws no longer apply to the processing of the metadata.
Anonymised metadata only
For this reason, the EC has indicated that it wants to use only anonymised metadata for its investigation. But how does the EC ensure that the metadata is anonymised and that this does not detract from gaining insight into the virus spread? Indeed, especially with location data, it remains to be seen whether it can be anonymised at all.
Lots of personal information
Indeed, a lot of personal information can be derived from a dataset of location data, even without combining it with other personal data.
The EC may only take measures that are necessary to achieve its goal of understanding the spread of the virus. In doing so, it must also always give preference to the least (for those affected) intrusive measures.
Importance of health and right to privacy
The interests of health and the right to privacy need not interfere with each other, but can be secured together. Thus, the hope is that the use of this data will eventually help in the fight against the coronavirus, and that it will be used in such a way that it minimises the invasion of privacy of European citizens.
How specifically the EC intends to interpret this will ultimately have to be revealed through additional information on the proposed investigation.