EDPB Weighs in on the Use of Location Data and Contact Tracing Apps

European Data Protection Board (EDPB) issues guidance on the use of location data and contact tracing tools in the context of the COVID-19 outbreak. In addition to legal analysis, the guidance includes specifications for designing the apps. Key takeaways:

General:

• When processing of personal data is necessary for managing the COVID-19 pandemic, data protection is indispensable to build trust, create the conditions for social acceptability of any solution, and thereby guarantee the effectiveness of these measures.
• Because the virus knows no borders, it seems preferable to develop a common European approach in response to the current crisis, or at least put in place an interoperable framework.
• Data and technology used to help fight COVID-19 should be used to empower, rather than to control, stigmatize, or repress individuals.
• The general principles of effectiveness, necessity, and proportionality must guide any measure adopted by Member States or EU institutions that involve processing of personal data to fight COVID-19.
• The GDPR and Directive 2002/58/EC (the “ePrivacy Directive”) both contain specific rules allowing for the use of anonymous or personal data to support public authorities and other actors at national and EU levels in monitoring and containing the spread of the SARS-CoV-2 virus.
• Every measure taken in these extraordinary circumstances must be, limited in time, of minimal extent and subject to periodic and genuine review as well as to scientific evaluation.
• One should not have to choose between an efficient response to the current crisis and the protection of our fundamental rights: we can achieve both, and moreover data protection principles can play a very important role in the fight against the virus.
• European data protection law allows for the responsible use of personal data for health management purposes, while also ensuring that individual rights and freedoms are not eroded.
• The use of contact tracing applications should be voluntary and should not rely on tracing individual movements but rather on proximity information regarding users.

Location Data

Location data refers to all data processed in an electronic communications network or by an electronic communications service indicating the geographical position of the terminal equipment of a user of a publicly available electronic communications service (as defined in the e-Privacy Directive), as well as data from potential other sources, relating to:

• the latitude, longitude or altitude of the terminal equipment;
• the direction of travel of the user; or
• the time the location information was recorded.

Location data collected from electronic communication providers may only be processed within the remits of articles 6 and 9 of the ePrivacy Directive. This means that these data can only be transmitted to authorities or other third parties if they have been anonymized by the provider or, for data indicating the geographic position of the terminal equipment of a user, which are not traffic data, with the prior consent of the users.

When it comes to using location data, preference should always be given to the processing of anonymized data rather than personal data.

Anonymization:

• Evaluating the robustness of anonymization relies on three criteria: (i) singling-out (isolating an individual in a larger group based on the data); (ii) linkability (linking together two records concerning the same individual); and (iii) inference (deducing, with significant probability, unknown information about an individual).
• Data cannot be anonymized on their own, meaning that only datasets as a whole may or may not be made anonymous.
• It is crucial for any controller implementing anonymization solutions to monitor recent developments in this field, especially concerning location data (originating from telecom operators and/or information society services) which are known to be notoriously difficult to anonymize.
• A single data pattern tracing the location of an individual over a significant period of time cannot be fully anonymized. This assessment may still hold true if the precision of the recorded geographical coordinates is not sufficiently lowered, or if details of the track are removed and even if only the location of places where the data subject stays for substantial amounts of time are retained. This also holds for location data that is poorly aggregated.
• To achieve anonymization, location data must be carefully processed in order to meet the reasonability test. In this sense, such a processing includes considering location datasets as a whole, as well as processing data from a reasonably large set of individuals using available robust anonymization techniques, provided that they are adequately and effectively implemented.
• Given the complexity of anonymization processes, transparency regarding the anonymization methodology is highly encouraged.

Contact Tracing Apps

• The systematic and large scale monitoring of location and/or contacts between natural persons is a grave intrusion into their privacy. It can only be legitimized by relying on a voluntary adoption by the users for each of the respective purposes.
• The controller of any contact tracing application should be clearly defined.
• If the deployment of contact tracing apps involves different actors their roles and responsibilities must be clearly established from the outset and be explained to the users.
• The purposes must be specific enough to exclude further processing for purposes unrelated to the management of the COVID- 19 health crisis (e.g., commercial or law enforcement purposes).
• In the context of a contact tracing application, careful consideration should be given to the principle of data minimization and data protection by design and by default:

= contact tracing apps do not require tracking the location of individual users. Instead, proximity data should be used;

= as contact tracing applications can function without direct identification of individuals, appropriate measures should be put in place to prevent re-identification;

= the collected information should reside on the terminal equipment of the user and only the relevant information should be collected when absolutely necessary.

• The application should not convey to the users information that allows them to infer the identity or the diagnosis of others. The central server must neither identify users, nor infer information about them
• Contact tracing applications involve storage and/or access to information already stored in the terminal, which are subject to Art. 5(3) of the “ePrivacy” Directive. If those operations are strictly necessary in order for the provider of the application to provide the service explicitly requested by the user the processing would not require his/her consent. For operations that are not strictly necessary, the provider would need to seek the consent of the user.

Legal Basis

• When public authorities provide a service based on a mandate assigned by and in line with requirements laid down by law, it appears that the most relevant legal basis for the processing is the necessity for the performance of a task in the public interest, i.e. Art. 6(1)(e) GDPR.
• Processing of such data is allowed when such processing is necessary for reasons of public interest in the area of public health, meeting the conditions of art. 9(2)(i) GDPR14 or for health care purposes as described in Art. 9(2)(h) GDPR15. Depending on the legal basis, it might also be based on explicit consent (Art. 9(2)(a) GDPR)

Safeguards

• Applications should incorporate meaningful safeguards including:

= a reference to the voluntary nature of the application

= clear specification of purpose

= explicit limitations concerning the further use of personal data

= a clear identification of the controller(s) involved

= the categories of data

= the entities to (and purposes for which, the personal data may be disclosed)

= depending on the level of interference, additional safeguards should be incorporated, taking into account the nature, scope and purposes of the processing.

= As soon as practicable, the criteria to determine when the application shall be dismantled and which entity shall be responsible and accountable for making that determination.

• The current health crisis should not be used as an opportunity to establish disproportionate data retention mandates. Storage limitation should consider the true needs and the medical relevance (this may include epidemiology-motivated considerations like the incubation period, etc.) and personal data should be kept only for the duration of the COVID-19 crisis. Afterwards, as a general rule, all personal data should be erased or anonymized.
• Procedures and processes including respective algorithms implemented by the contact tracing apps should work under the strict supervision of qualified personnel in order to limit the occurrence of any false positives and negatives. In particular, the task of providing advice on next steps should not be based solely on automated processing.
• In order to ensure their fairness, accountability and, more broadly, their compliance with the law, algorithms must be auditable and should be regularly reviewed by independent experts.
• The application’s source code should be made publicly available for the widest possible scrutiny.
• A data protection impact assessment (DPIA) must be carried out before implementing such tool as the processing is considered likely high risk (health data, anticipated large-scale adoption, systematic monitoring, use of new technological solution). The EDPB strongly recommends the publication of DPIAs.
• The data processed should be reduced to the strict minimum. The application should not collect unrelated or not needed information, which may include civil status, communication identifiers, equipment directory items, messages, call logs, location data, device identifiers, etc.
• Data broadcasted by applications must only include some unique and pseudonymous identifiers, generated by and specific to the application. Those identifiers must be renewed regularly, at a frequency compatible with the purpose of containing the spread of the virus, and sufficient to limit the risk of identification and of physical tracking of individuals.
• Implementations for contact tracing can follow a centralized or a decentralized approach. Both should be considered viable options, provided that adequate security measures are in place, each being accompanied by a set of advantages and disadvantages.
• Any server involved in the contact tracing system must only collect the contact history or the pseudonymous identifiers of a user diagnosed as infected as the result of a proper assessment made by health authorities and of a voluntary action of the user.
• Alternately, the server must keep a list of pseudonymous identifiers of infected users or their contact history only for the time to inform potentially infected users of their exposure, and should not try to identify potentially infected users.
• Additional information should remain on the user terminal and only be processed when strictly necessary and with his prior and specific consent.
• State-of-the-art cryptographic techniques must be implemented to secure the data stored in servers and applications, exchanges between applications and the remote server.
• The reporting of users as COVID-19 infected on the application must be subject to proper authorization, for example through a single-use code tied to a pseudonymous identity of the infected person and linked to a test station or health care professional.