The European Commission requests metadata of European citizens in the battle against the coronavirus

During the current global fight against the coronavirus and the use of
all available and conceivable means to combat it, the European Commission (EC) asked
European telecom companies on Monday 23rd of March to share anonymized
data from mobile devices. The EC wants to use this data to analyze the outbreak
of COVID-19. The information requested by the EC concerns metadata.

Simply put, metadata is information about information. It concerns for
example data that shows how often you sent WhatsApp-messages to your colleague
or at what time you send out most e-mails every week (for example Friday’s at
4PM). It can also be data from which can be deduced at what moment you have
been at a certain location.

Although metadata does not directly contain substantive information
(i.e. not the texts of the messages you send to your colleague), substantive
information can be derived from it. For example, an email that is sent by one
colleague to another on a random Monday morning at 9:52 AM with the subject
"Coffee?", provides an indication about the contents of that email.

The Economist published a study on the spreading
of the coronavirus on the 17th of March, for which they used
metadata from Instagram. They discovered a possible link between the spreading
of the virus and the information about the locations of Instagram users which,
according to them, could possibly be infected by COVID-19.

But what about privacy regulations and the use of metadata?

The privacy regulations (including the General Data Protection
Regulation "GDPR") apply to the processing of personal data. These
are all data that can provide information about an identifiable natural person.
Personal data can directly provide information about an individual, such as a
person's first and/or last name, or indirectly, such as, that you may derive
information about one person’s income from the location where a person goes
shopping.

The GDPR distinguishes between normal personal data and sensitive - or
special categories of - personal data (e.g. personal data revealing racial or
ethnic origin, political opinions, religious or philosophical beliefs, or trade
union membership, and the processing of genetic data and more). The use of
sensitive or special categories of personal data is, in principle, prohibited,
unless certain legal requirements are met.

Metadata are almost always personal data because a lot of information
about an individual can be deduced from metadata.

The EC would now like to use the telecom data of individuals, including
location data, for its research. However, in the context of location data, the
highest court of the European Union ruled in 2016 (CJEU 21-12-2016, ECLI:EU:C:2016:970, Tele 2 Sverige) that these
may be sensitive (i.e. special categories of) data. The European Data
Protection Board and its predecessor (the Article 29 Working Party) already clarified
before, that the use of location data can be intrusive for data subjects and can pose privacy risks to data subjects.

Metadata, however, no longer qualify as personal data if they are
sufficiently anonymized. This is the case when you cannot identify an
individual from the data anymore. If so, the privacy legislation does not apply
to the processing of the metadata.

For this reason, the EC has indicated that it only wants to use anonymized
metadata for its research. But how does the EC ensure that the metadata are
made anonymous and that this anonymization does not deteriorate the insight
into the spread of virus? As for location data, the question remains whether these
can be anonymized at all. A lot of personal information can be derived from a
dataset of location data, even without combining them with other personal data.

The EC may only take measures that are necessary to achieve its purpose,
which is: to gain insight into the spreading of the virus. In that perspective
it is important that the least intrusive measures (for the data subjects) are
preferred. The importance of health and the right to privacy should not stand
in each other's way, but can be safeguarded together. It is hoped, for example,
that the use of these data will ultimately help to combat the coronavirus, and
that these data will be used in such a way that the invasion of the privacy of
European citizens is minimized. How the EC intends to specifically implement
this will ultimately have to be shown by additional information about the
intended research.