Following the release of the European Commission’s recommendation and toolbox on the use of contact tracing technologies supporting the fight of the COVID-19 pandemic, the European Data Protection Board has published two news Covid-19 outbreak-related guidelines on:
– The use of location data and contact tracing tools; and
– The processing of health data for research purpose in the context of the COVID-19 outbreak.
Overall, the new EDPB guidelines are in line with and do not go beyond the European Commission’s recommendation on the use of contact tracing tools (see here). However, it provides its analysis on the use of location data (1) and the conditions applicable to the processing of personal data for scientific research in the context of the pandemic (2).
1. Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak
1.1. Conditions for processing and anonymising location data
Processing location data
The collection of location data may occur (i) when electronic communication service providers (such as mobile telecommunication operators) provides their service or (ii) where individuals use applications provided by organisations and whose functionality requires the use of location data (e.g. navigation, transportation services etc.).
Electronic communication service providers may transmit location data to the authorities only on an anonymised basis or with the individual’s consent.
Consent is also necessary for the reuse of location data for new purposes such as modelling.
However, the EDPB reminds that article 15 of the e-privacy directive provides that derogations are possible when they constitute a necessary, appropriate and proportionate measure within a democratic society for certain objectives. Unlike the Commission, it does not provide its position or recommendation on the application of this article.
Anonymisation of location data
Even though the GDPR does not apply to anonymised data, the EDPB stresses the fact that the anonymisation of location data is very difficult and, often confused with pseudonymisation.
In this regard, the EDPB sets out the main principles to assess the robustness of the anonymisation techniques used (i.e. singling out, linkability (to another record) and inference (of information)).
1.2. Use of contact tracing tools
Like the European Commission, the EDPB considers the systematic and large scale monitoring of location and/or contacts between natural persons a grave intrusion into their privacy.
As a result, it provides that:
- Individuals should have the choice to download and use each of the apps’ functionalities to legitimise the use of this technology;
- However, the most relevant legal basis for the processing is the necessity for the performance of a task in the public interest. This legal basis must be laid down by Union or Members State law to which the controller is subject and must provide details and safeguards including a reference to the voluntary nature of the application;
- The controller(s) of the apps may be the national health authorities;
- The purposes of the application must be specific enough to exclude further processing for purposes unrelated to the management of the COVID- 19 health crisis (e.g., commercial or law enforcement purposes);
- The controllers should process proximity data instead of location data as the latter is not necessary for this processing activities.
When it comes to the technical issues and data minimisation, the EDPB suggests that:
- the Controllers implement appropriate measures to prevent the individuals’ re-identification since pseudonymised data are sufficient;
- The collected information resides on the users’ terminal equipment and is transmitted to the controllers only when necessary.
Furthermore, the EDPB considers decentralised system less intrusive than centralised system. However, it also points out that the former solution would prevent the controllers from accessing anonymised information that may be necessary for other purposes.
2. Use of personal data for research and scientific purposes in the context of the COVID-19 outbreak
In the context of the COVID-19 outbreak, the Member States and private companies around the world may need to process personal data to carry out scientific research.
2.1. What does “processing health data for scientific research” mean?
“Data concerning health” means “personal data related to the physical or mental health of a natural person, including, the provision of health care services, which reveal information about his or her health status”.
The term “Scientific research”, should, according to the EDPB, mean “a research project set up following relevant sector-related methodological and ethical standards, in conformity with good practice”.
2.2. Legal bases for processing health data for scientific research
Where scientific research is one of the primary purposes of the data processing operations (i.e. scientific research is part of the initial plan at the time of the data collection), controllers may:
– process personal data based on the individuals’ consent, their legitimate interest or a task for the public interest; and
– process health data based on individuals’ explicit consent, a task for the public interest in the area of public health or archiving in the public interest, for scientific or historical purposes.
However, the drawback of relying on consent is that users may withdraw their consent at any time, which entails the deletion of their data.
Therefore, the EDPB recommends that the Member States rely on the other legal basis set out above, in particular, those based on the public interest, and enact the necessary law setting out the conditions for processing the data.
Where scientific research is a secondary purpose of processing, there is a presumption that such a purpose is compatible with the primary purpose and does not require controllers to rely on an additional legal basis for processing the data. However, the EDPB points will address the complex compatibility issue in specific guidelines to be released later this year.
2.3. Information notice and individuals’ rights
In the case where data is not collected directly from the individuals, Controller should deliver the information notice within a reasonable period before the implementation of the new research project.
According to the EDPB, in certain circumstances, the controllers may rely on exemptions provided for in article 14 GDPR (e.g. it would involve disproportionate effort or, obtaining or disclosing the data is expressly laid down by law). However, controllers should be able to prove these conditions apply to them.
Furthermore, the national law may provide for restrictions to data subject rights in accordance with article 89 GDPR.
2.4. International data transfers
In principle, controllers must implement a transfer mechanism (e.g. adequacy decision, BCR, EU model clauses etc.) when they transfer personal data outside of the EEA.
However, the nature of the COVID-19 crisis may justify that controllers base their international data transfers on the individuals’ explicit consent or the public interest derogations as provided for in article 49 GDPR.
Nonetheless, such exemptions do not apply to repetitive transfers of data to third countries carried out as part of a long-lasting research project.