May the government track people through telecom data to contain the spread of the corona virus?
Date: March 30, 2020
Modified November 14, 2023
Written by: Annemarie van Woudenberg
Reading time: +/- 2 minutes
Date: March 30, 2020
Modified November 14, 2023
Written by: Annemarie van Woudenberg
Reading time: +/- 2 minutes
Currently, everyone's life is being controlled by the corona virus. Last week, the government again announced measures in an attempt to contain the spread of the corona virus, and now the idea of collecting telecom data is being raised from various quarters.
This call stems from the successful policies of Taiwan, Singapore and Hong Kong, among others. They have managed, with more limited measures than, say, China, to contain the spread of the virus. For example, they have conducted early medical border checks for flights coming from infected areas and hold fever checks at entrances to public buildings. They are also collecting big data that allows them to track infected people at the individual level, mapping the areas where they have been.
However, Asian countries are not the only ones using phone data in an effort to combat the corona virus. It is also being used in Europe. For example, Reuters reported that Italy, Germany and Austria are passing this data along with users' location data to public health officials. Meanwhile, the European Commission and the European Data Protection Supervisor have called on major European telecom companies to also share such data with governments so that the spread of the virus and places where crowds gather can be mapped.
The Personal Data Authority has indicated that it has not yet received any requests to share telecom data. However, it is conceivable that this will not be long in coming. Suppose it does receive a request, is it legally permissible to honor it?
In Europe, the e-Privacy Directive applies, which in the Netherlands has been transposed into the Telecommunications Act (hereafter: Tw). This regulates, among other things, when and under what conditions electronic personal data may be processed.
The intention of the European Commission is to collect location data. Location data refers to data processed in a public communications network that indicates the geographic position of the equipment.[1] About this location data, the Tw stipulates that it is prohibited to process it unless the data has been anonymized or the user in question has given consent to the processing of the data for the purpose of providing a value-added service.[2]
In addition, the Tw regulates an exception to the processing prohibition when the processing is necessary in the interests of national security or for the prevention, detection and prosecution of criminal offenses.[3]
In principle, then, a processing ban applies to location data, unless one of the aforementioned exceptions in the Tw applies. First of all, in the case of the corona virus, there is of course no question of a value-added service being provided. Nor does it involve the prevention, detection or prosecution of criminal offenses.
Although at first glance the national security exception would seem to provide a basis, even this is presumably not the case. This is because national security does not refer to public health, but to sectors such as energy, drinking water and public order.
This leaves only one possible basis: anonymization of location data.
Brussels believes that processing location data does not pose a problem with user privacy because the data is aggregated. That is, data is aggregated rather than looking at the data of individuals. The idea is that it can be monitored where masses of people congregate so that this can be addressed and the spread risk reduced. The only question is whether this end justifies the means.
There are certainly advantages to collecting this data. The perfect example is Taiwan. There, data has been collected on a large scale and it has worked: there are almost no infections with the virus. Still, I am skeptical about implementing this measure. Despite Brussels' belief that the data is aggregated and cannot be traced back to individuals, I find it hard to imagine. It seems to me that all users need to be tracked in some, perhaps minimal, way in order to find that a lot of individuals are coming together somewhere. That way, it would still end up being fairly easy to trace the data back to individuals. Based on routes that a particular device travels regularly or locations where a device is at certain times, an individual can easily be pinpointed. Should it actually be possible to completely anonymize this location data and really not be able to identify to whom the data relates, you can still ask yourself whether it is desirable and necessary to process this data.
The risk is that if this measure is introduced, it will not be reversed soon when the crisis is over. Once this privacy boundary is crossed, it becomes easier to keep this measure in place or to cross it again later, for smaller problems.
Finally, I wonder to what extent collecting this data is necessary and is actually going to help in the fight against the corona virus. In the Asian countries mentioned, this method was successful because it was applied at the individual level. It looked at exactly who, where, when had been. If someone had been in an infected area, that person was monitored for the next few days in case he became ill. In addition, people who were in self-quarantine were monitored using an app. This way, it was immediately noticed if someone did not comply with the quarantine and went outside. So this intense monitoring of infected individuals has kept the virus from spreading much in Asia.
The problem is, however, that in the Netherlands and the rest of Europe the virus has already spread well. So in that sense, there is no longer an opportunity to contain the virus, as Taiwan, among others, has done. So the question is whether the European Data Protection Supervisor is not too late with the proposal to process location data in the fight against the corona virus. The only thing that could still be done using location data in the Netherlands is to determine where masses of people are at what times. Granted, this is the goal Brussels has in mind, but is it necessary to collect location data and thus invade privacy to do so? In my opinion, there are other ways to determine where masses of people are. That this can be done was proven last weekend when it was determined that far too many people were heading to the beach and woods. Last weekend came the update that those places were considerably quieter than the previous weekend.
In conclusion, then, the Tw offers the possibility of processing anonymized location data in the fight against the corona virus and the Personal Data Authority would be allowed to honor a request to share this data. However, we have to ask ourselves to what extent this can actually be anonymized and is going to help limit the spread of the virus. As far as I am concerned, it does not seem desirable or necessary to process this data and the government would be better off looking for other measures that do not invade privacy.
[1] Article 11.1(d) Tw.
[2] Article 11.5a(1) Tw.
[3] Article 11.13(1) Tw.
As attorneys for business owners , we understand the importance of staying ahead. Together with us, you will have all the opportunities and risks in sight. Feel free to contact us and get personalized information about our services.