The scramble for your metadata - Desperate times call for desperate measures, but at what cost?
The Covid-19 data grab
07 April 2020
In an effort to bolster national endeavours to combat the COVID-19 virus, the European Commission and Member States' health authorities are leaning on telcos to share their users' metadata, and in particular location data. Metadata refers to 'electronic communications metadata', which is information that is connected to communications but does not include the content of those communications. Such information can include numbers called, geographical location or the time, date or duration a call was made. A move that would have been unimaginable more than a month ago due to the EU's robust data protection framework, is now being seriously contemplated and already put in practice by some states in an attempt to harness technology as a new means to contain the pandemic.
The European Commission has said the metadata will be used to model the spread of the virus by looking at mobility patterns and analysing and assessing the impact of quarantine measures, and not for tracking individuals. However, this has prompted questions on how such data will be "effectively" anonymised and securely protected.
At a national level, states have devised their own strategies autonomously. The extent to which states are willing to collect and use metadata now also shows the same fragmented pattern. For now, approaches have differed, with some states already working with telcos. The adage of "desperate times call for desperate measures" has not been received well by all, as privacy advocates and data protection regulators cite potential tension with applicable data protection and telecom legislation. Concerns have been raised that privacy rights relinquished are not easily re-attained once the pandemic settles. How are governments across Europe acting and what do the rules say on this matter?
Last week reports surfaced that the European Commission had held a conference with telcos, including Deutsche Telekom and Orange, to request their assistance in providing access to users' location data to help predict the spread of the COVID-19 virus.
The European Commission has since then stated that: “A discussion was kick-started with mobile phone operators about the provision of aggregated and anonymised mobile phone location data”. According to the European Commission, the idea is to analyse mobility patterns including the impact of confinement measures on the intensity of contacts, and hence the risks of contamination. This would be an important input for tools that are modelling the spread of the virus, and would also allow one to assess the current measures adopted to contain the pandemic.
“We want to work with one operator per Member State to have a representative sample,” the European Commission has added. “Having one operator per Member State also means the aggregated and anonymised data could not be used to track individual citizens, that is also not at all the intention. Simply because not all have the same operator. The data will only be kept as long as the crisis is ongoing. We will of course ensure the respect of the ePrivacy Directive and the GDPR.”
By aiming to pool large amounts of European mobile data, the European Commission is following in the footsteps of some of its Member States, many of which have already engaged with local telcos to gain access to user data. Whether the European Commission is aiming to pool data from such existing local efforts, or whether the request to telcos is to provide a different, universal data-set to the European Commission, is still unclear.
Both Deutsche Telekom in Germany and Orange in France have already shared geolocation data with national health authorities or research institutes which, according to the telcos, has been "aggregated and anonymised". Similarly, in Italy and Austria, Telecom Italia, Vodafone, WindTre and A1 Telekom have already offered authorities data showing the mass movement of their users. In all cases, the data seems to be mainly used to anticipate and better manage the concentration and movement of the population, and, as of yet, not for tracking individuals' movements or verifying compliance with lockdown measures.
However, some states in Europe have gone a step further by deploying smartphone applications to track the spread of the virus, similar to technology used in China and South Korea. In Poland, the government has launched a smartphone application, called Home Quarantine, requiring citizens in self-isolation to choose between daily police visits or having to upload personal data, including a selfie, to prove they have not left their homes. The application makes use of facial recognition, the individual's geolocation and a time stamp for verification. What would seem a pragmatic approach does, however, raise questions as to how this matches the requirement under the GDPR that consent be given "freely".
In the UK, the government is in advanced stages of evaluating the deployment of a contact-tracing app. The app is intended to alert individuals if they have recently been in contact with someone who has tested positive for the virus. Researchers at the University of Oxford's Big Data Institute and the Nuffield Department of Medicine have published a study in the journal Science, stating “digital herd protection” is likely to be crucial in order to lift current restrictions without seeing a huge resurgence of infections.
Although the app is reportedly intended to make use only of Bluetooth technology to record proximity, rather than continuous location tracking, privacy concerns have been raised about the prospect of the UK government having access to health data, a sub-category of personal data which is afforded extra protection under the GDPR.
The app will be rolled out on an opt-in basis, however in China, where a similar app was deployed, users were only permitted to enter public spaces or public transport after they had downloaded the app. Critics have queried whether private enterprises will impose similar restrictions – barring individuals who cannot prove their COVID-19 status from visiting their local restaurants and bars, or applying for a job. Will such societal ramifications on an individual's fundamental rights also be accounted for when evaluating the app? For now such risks are being downplayed by ethicists involved in the research, but China has shown how such an app can start to live a life of its own once handed over to society.
Therefore, it would seem that any version of the app used in practice would need to include some form of clear protocols on consent and proportionality, and be safeguarded with proper sunset provisions regulating what happens to the data after the pandemic is brought under control.
In the Netherlands, the Data Protection Authority (AP) has reacted to the request to telcos by releasing a statement that location data can only be shared with the government if an explicit law permits such disclosure, such as an emergency law. The AP has stressed the importance of incorporating sufficient safeguards in such emergency law and parliamentary review, as well as the need for clarity and proportionality with respect to the objective of the law.
The AP has gone on to say that pursuant to the currently existing data protection and telecom laws in the Netherlands, telcos would not be permitted to share user data with the government unless user consent is obtained or the data is anonymised. The AP has deemed obtaining the consent of all Dutch telecom users infeasible, and has held that anonymisation of location data is not possible as it is never fully irreversible. The AP refers to guidance that anonymisation means that the severance of the link between the data concerned and an individual's identity must be irreversible. EU law entails that if you could at any point use any "reasonably available means" to re-identify the individuals to which the data relates, that data will not have been effectively anonymised but will merely have been pseudonymised. This means that despite an attempt at anonymisation, the data concerned will continue to qualify as personal data subject to data protection laws. In its publication the AP not only points to the risk that combining location data with an individual's home or work address can lead to re-identification of the location data, but also to academic research evidencing the uniqueness of human mobility traces. The research argues that even publishing aggregated mobility data could lead to a privacy breach, in that it allows individuals' trajectories to be identified.
The Dutch Telecommunications Act does provide for emergency powers which the government can invoke in times of extraordinary circumstances. However, in order to make use of such powers, the Dutch parliament would have to pass an emergency bill. An alternative route under the Act exists, which can only be used to compel telcos when required to safeguard national security. This has been interpreted to include situations such as a member of the royal family being held hostage, a terrorist attack, or to protect state property. It is not apparent that under the current circumstances that route is open to the government.
In addition to the general data protection rules set out in the GDPR, the European ePrivacy Directive (Directive 2002/58/EC) sets out specific rules relevant to the processing of mobile location data by telcos. The main rule is that such data may not be processed or retained for longer than is necessary to provide the relevant communications service. Under the ePrivacy Directive, telcos are required to either delete or anonymise the data at that point. However, Member States are allowed to deviate from this obligation and may retain such data for a limited time — when such restriction constitutes “a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defense, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system. To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph.”
On these grounds disclosure of metadata may be permitted depending on how Member States have transposed the ePrivacy Directive into their local law, as the legal framework does rightly bake in flexibility for a pressing public purpose, such as the COVID-19 pandemic. However, this does not mean that privacy rights can be set aside altogether, as Member States are still required to observe the data protection requirements set out in the ePrivacy Directive, such as the obligation to anonymise the data prior to disclosure. Exactly this point lays bare the current discrepancy between the ePrivacy Directive and the GDPR. The outdated ePrivacy Directive had been intended to be replaced with a more modern and far-reaching ePrivacy Regulation, to sit alongside the GDPR, but as of yet this Regulation has not been implemented.
The ePrivacy Directive still refers to certain provisions of Directive 1995/46/EC (the Data Protection Directive), which was replaced by the GDPR. On the relationship between the ePrivacy Directive and the GDPR, the latter provides that the GDPR applies to all matters concerning the protection of fundamental rights and freedoms vis-à-vis the processing of personal data which are not subject to specific obligations with the same objective set out in the ePrivacy Directive. In an opinion issued by the European Data Protection Board (EDPB), this has been held to mean that the ePrivacy Directive is the lex specialis to the GDPR, meaning that wherever it provides a “special rule” for the processing of personal data that is more specific than the general rules of the GDPR, it takes precedence over the GDPR. In addition, some provisions of the ePrivacy Directive may supplement the GDPR so as to protect not only natural persons, but also legal persons. As a result, any disclosure by telcos to their respective governments or the European Commission would need to adhere not only to the requirements under the ePrivacy Directive but also to the more general requirements of the GDPR on topics on which the ePrivacy Directive is silent.
This explains the concerns which have been raised amongst privacy advocates, questioning whether the right level of privacy protection is being afforded to such metadata, whether transparency requirements will be upheld and what safeguards there will be in place with respect to the transfer of any such data to third parties used to analyse such metadata.
In an open letter addressed to EU commissioner Breton, Member of the European Parliament Sophie in 't Veld sharply probes the European Commission, asking how it will guarantee that the metadata will remain fully anonymous, what techniques and third parties it has used to achieve this, and whether such data, in a (semi-)lockdown situation, really provides much insight.
As underlined by European Data Protection Supervisor, Wojciech Wiewiórowski, it would seem that the data protection rules currently in force in Europe are flexible enough to allow for various measures taken in the fight against pandemics but that effective anonymisation requires more than simply removing obvious identifiers such as phone numbers and IMEI numbers. Clearly national regulators have taken different approaches on this matter, as evidenced by the AP's position that metadata cannot be effectively anonymised and therefore an overruling emergency law is required. For states relying on anonymisation, the risk of re-identification has still not been addressed. Is a user's location data simply too unique to ever be anonymised? Aggregation may serve as a useful safeguard, but more importantly, key to any disclosure will be transparency on the exact scope of the dataset and a robust mechanism to ensure the deletion and halting of any disclosure once the COVID-19 pandemic has come to an end.
Whilst the debate continues, a new player has entered the arena. Google last week released a set of coronavirus mobility reports using its users' GPS locations. The tech giant states it uses differential privacy, a technique which adds artificial noise to the results derived from Google's datasets, allegedly without identifying any individual person. Google states that its insights are created with aggregated, anonymised sets of data from users who have turned on the Location History setting, which is off by default.
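The two technical points the article raises, that stripping phone numbers and IMEI numbers does not anonymise a mobility trace, and that aggregation plus added noise is the safeguard Google describes, can be made concrete with a small script. The following Python example is added here for illustration; it is not code from the article, from any telco named in it, or from Google, and it does not reproduce Google's mechanism. It uses a constructed set of six pseudonymised users (phone identifiers already replaced by opaque ids `u1`..`u6`, an assumption) whose records are `(pseudonym, cell_id, hour)`. It first measures how many users are singled out by a handful of spatio-temporal points, then releases per-cell, per-hour counts with bounded per-user contribution and Laplace noise, which is the textbook ε-differentially-private histogram. The function names, the cell ids and the records are all constructed.

```python
"""Illustration (constructed data): pseudonymised location records are still
re-identifiable, whereas a bounded, noised histogram is not per-user data."""
import random
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample. Identifiers such as phone number and IMEI have already
# been replaced by opaque pseudonyms; the cell ids A..D are hypothetical.
RECORDS = [
    ("u1", "A", 8), ("u1", "B", 12), ("u1", "C", 18),
    ("u2", "A", 8), ("u2", "B", 12), ("u2", "D", 18),
    ("u3", "A", 8), ("u3", "C", 12), ("u3", "C", 18),
    ("u4", "D", 8), ("u4", "B", 12), ("u4", "C", 18),
    ("u5", "A", 8), ("u5", "B", 12), ("u5", "C", 18),  # identical trace to u1
    ("u6", "D", 8), ("u6", "C", 12), ("u6", "D", 18),
]


def build_traces(records):
    """Group records into one set of (cell, hour) points per pseudonym."""
    traces = defaultdict(set)
    for pseudonym, cell, hour in records:
        traces[pseudonym].add((cell, hour))
    return dict(traces)


def fraction_uniquely_identified(records, n_points):
    """Share of users for whom SOME subset of n_points of their own trace is
    contained in no other user's trace. A high value means a party who knows
    only a few places/times about a person can pick that person's whole trace
    out of the 'anonymised' data set (the uniqueness-of-traces finding)."""
    traces = build_traces(records)
    unique_users = 0
    for user, trace in traces.items():
        others = [t for u, t in traces.items() if u != user]
        for subset in combinations(sorted(trace), n_points):
            if not any(set(subset) <= other for other in others):
                unique_users += 1
                break
    return unique_users / len(traces)


def aggregate(records, max_points_per_user):
    """Per-(cell, hour) counts with each user contributing at most
    max_points_per_user distinct points (first seen wins). Bounding the
    contribution is what makes the histogram's sensitivity computable."""
    counts = Counter()
    seen = defaultdict(set)
    for pseudonym, cell, hour in records:
        point = (cell, hour)
        if point in seen[pseudonym] or len(seen[pseudonym]) >= max_points_per_user:
            continue
        seen[pseudonym].add(point)
        counts[point] += 1
    return dict(counts)


def laplace_sample(scale, rng):
    """Laplace(0, scale) as the difference of two i.i.d. exponentials."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def dp_release(counts, epsilon, max_points_per_user, rng):
    """epsilon-DP release of the histogram. Removing one user changes at most
    max_points_per_user cells by 1 each, so the L1 sensitivity is that bound
    and the Laplace scale is sensitivity / epsilon. Results are clipped at 0
    and rounded so the release looks like ordinary counts."""
    scale = max_points_per_user / epsilon
    return {point: max(0, round(count + laplace_sample(scale, rng)))
            for point, count in counts.items()}


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(f"users singled out by {n} point(s): "
              f"{fraction_uniquely_identified(RECORDS, n):.0%}")
    exact = aggregate(RECORDS, max_points_per_user=3)
    noisy = dp_release(exact, epsilon=1.0, max_points_per_user=3,
                       rng=random.Random(2020))
    for point in sorted(exact):
        print(point, "exact:", exact[point], "released:", noisy[point])
```

Running it shows that no single point singles anyone out in this sample, yet two points already identify four of the six users, which is the pattern the AP's cited research describes. The noised histogram side shows the trade-off the article alludes to: a small ε means large noise relative to the true counts of 2 to 4, so on data this sparse the release is close to useless, while a large ε reproduces the exact counts and gives correspondingly little protection. The per-user contribution bound matters as much as the noise; without it the sensitivity of the histogram, and hence the required noise, is unbounded.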
Governments attempting to contain the pandemic are justifiably looking to technology for solutions, whilst in parallel pushing the boundaries of the legal privacy framework in place. As this debate continues, spectators on both sides of the spectrum will keep a close eye on which way the pendulum will ultimately swing.