Governments Use Smartphone Location Data to Fight the Pandemic, Raising Privacy Concerns

According to the recent reports, the U.S. government has been in discussions with Facebook, Google, and other tech companies to use geolocation and smartphone movement data to combat the coronavirus pandemic.  Federal health officials consider using anonymous, aggregated user data collected by the tech companies to map the spread of the virus and prevent further infections. The government would presumably not have access to specific individuals’ locations and users would be required to opt-in to the effort.  Currently, there is no law in the United States that would directly regulate any privacy implications from the use of these surveillance activities.

As of March 23, 2020, governments in at least fifteen countries have introduced new digital tracking measures to combat the coronavirus.  For example, South Korea has been aggregating geolocation data, credit card records, and face-to-face interviews to create a publicly available map that allows citizens to find out if they have encountered any coronavirus patients.

On March 20, the Singapore authorities released an app called TraceTogether, which already has 650,000 users, that can identify people who have been in close proximity to the coronavirus patients using wireless Bluetooth technology.  According to the government, it is not collecting any geolocation or other personal data as part of that effort.

On March 17, the Israeli government introduced new measures that would allow it to track citizens by monitoring their mobile phones.  The technology was originally developed to assist with counter-terrorism and is believed to be able to track the physical location of all mobile phones in the country, as well as to monitor calls and messages.

Location tracking measures have also been introduced in Europe. For example, Germany’s mobile operator Deutsche Telekom has been passing anonymized location data of its users to the Robert-Koch Institute, a research institute and government agency responsible for disease control and prevention.   Mobile operators in Austria have also reportedly begun sharing anonymized mobile location data with the government.  The  Italian mobile operators have similarly been shown to be sharing aggregated location data with the health authorities.  The Belgian government, in turn, has confirmed that it would allow local mobile operators to share anonymized data with a third party to help track the spread of the virus.

The United Kingdom, similarly to Israel and South Korea, is considering to use the mobile phone data to track people who are already infected with the virus, as well as those who may have been in contact with the infected individuals.  The government, however, has not yet made a final decision on the use of such measures.

On March 19, 2020, the European Data Protection Board, in its Statement on the Processing of Personal Data in the Context of the COVID-19 Outbreak, specifically addressed the use of mobile location data in the context of the EU’s governments’ efforts to monitor, contain and mitigate the spread of COVID-19.  According to the EDPB, public authorities should first seek to process location data in an anonymous way, which could in turn enable generating reports on the concentration of mobile devices at a certain location.

Personal data protection rules do not apply to data which has been appropriately anonymized.

However, when it is not possible to only process anonymous data, the EU’s ePrivacy Directive enables the Member States to introduce the required measures to safeguard security, such as providing individuals of electronic communication services the right to a judicial remedy.  In addition, the EDPB reiterated that the proportionality principle also applies and the least intrusive solutions should always be preferred, taking into account the specific purpose to be achieved.   Processing of historical non-anonymized location data could be considered proportional under exceptional circumstances and depending on the concrete modalities of the processing, but remains subject to enhanced scrutiny and safeguards to ensure the respect of the GDPR data protection principles.

Ask Clarip today how we can solve your biggest compliance pain points, Call Clarip at 1-888-252-5653