Collecting citizens’ phone data to fight coronavirus is legal says Euro data protection chief



European network data

The Data Protection Supervisor has made a ruling after many nation states have already started making their data trawl of mobile users in response to the rapidly worsening threat.

The European Data Protection Supervisor has backed the European Commission’s and the telcos’ plans to collect citizens’ mobile phone data to help tackle the coronavirus.

The ongoing collection of data has caused some privacy advocates to fear that the data collected will be used disproportionately, and industry watchers have pointed out the process could go against GDPR or even Human Rights legislation.

Both the European Commission and the telcos themselves have already started collecting data on citizen movements across Europe though, with the publicised intention of making it easier for nation states to control the spread of the virus.

For instance, O2 is already making anonymised user phone data available to the UK government and some local councils in the country have begun handing over car traffic data from their CCTV cameras to the government too.

Similar processes were used in Asian countries to stem the tide of the virus, but some of those, like China, don’t have to comply with legislation like GDPR.

The European Data Protection Supervisor has now confirmed he thinks it’s okay to collect and analyse anonymised and aggregated geo-location data to tackle the pandemic. Over concerns about the legality, the organisation’s head Wojciech Wiewiórowski wrote an open letter to the European Commission.

He said: “I am aware of the discussions taking place in some member states with telecommunications providers with the objective of using data to track the spread of the COVID-19 outbreak.

“Data protection rules currently in force in Europe are flexible enough to allow for various measures taken in the fight against pandemics.”

European Commission internal market head Thierry Breton has confirmed that all such data collected will be deleted once the COVID-19 outbreak is over.

Wiewiórowski, in his letter, confirms that “effectively anonymised data” falls outside of the scope of data protection rules, assuming the protections applied are resilient enough. And should third parties be used for the purpose of data collection or analysis, the Commission should ensure “appropriate protections” are applied, he said.

He also confirms that data collected should be deleted as soon as the current emergency comes to an end. Should all these conditions be met, Wiewiórowski believes the European Commission should be able to act within the set down boundaries of data protection regulations.