Use of smartphone data to manage COVID-19 must respect EU data protection rules 

Press Releases 

The current developments in the EU on the use of smartphone data to understand and contain the spread of COVID-19 need to comply with data protection and privacy rules.

The Chair of the Civil Liberties Committee, Juan Fernando López Aguilar (S&D, ES) , said: “Even in these exceptional times, the EU’s data protection principles, namely the General Data Protection Rules (GDPR) and the e-Privacy Directive, must continue to apply and be respected”. He underlined that “the Civil Liberties Committee is following these developments closely because of the serious risks that such tools may imply for an individual’s fundamental rights to a private life and data protection.”

Several member states and the European Commission have set up or are currently developing different tools to understand the spread of COVID-19 based on individuals’ mobile phone data transmitted to national authorities by national telecom providers. Before they are transmitted, data are anonymised in order to not contain any personal identifiers and aggregated.

The European Data Protection Supervisor and the European Data Protection Board have stressed that as long as the information shared with national authorities is anonymised and does not allow for individuals to be identified in any way, it can be used. However, strong security measures regarding the use, access and storage of the information as well as strict retention periods must be implemented”, added Mr López Aguilar.

However, other measures and tools implemented in several member states by public authorities or the private sector require the provision of personal health data and enable the application to trace the individual’s location and contacts. While some of these applications are based on the individual giving their consent to upload and provide the information, in some EU countries people may feel compelled to make them available once they have tested positive for COVID-19. This would allow the public authorities to trace the person’s location and previous contacts and verify if the individual complies with their confinement obligations.

Mr López Aguilar stressed that these tools could seriously interfere with people’s fundamental rights to a private life and the protection of personal data, and are tantamount to a state of surveillance of individuals. He also underlined that national data protection authorities remain fully competent to supervise these processing activities and to enforce EU data protection law. Mr López Aguilar calls on national data protection authorities to follow current developments closely and on the European Data Protection Board to immediately adopt clear guidance.