Series on Data Protection and Corona – Part 6: Data Sharing Practices to Fight the Corona Pandemic

26. March 2020

The newest developments of public lockdowns in many countries and states show that the Coronavirus is an unprecedented challenge to governments, administrations and law enforcement across the whole world. In an attempt to contain the spread of the pandemic, governments are seeking out all the possible options that are available to them. One promising option may be to make use of existing data by sharing, comparing and evaluating them to gain insights into how to best address the current challenges. It becomes apparent that countries take different approaches to allowing and using data sharing as a means to fight the pandemic.

Today’s blogpost will take a look at how data sharing is practiced around the world and what this might mean for the privacy of individuals.

Data Sharing by Public Authorities to Public Authorities

The Executive Committee of the Global Privacy Assembly (GPA) published a statement on 17 March 2020, calling for the sharing of personal data as necessary by organisations and governments, even across borders.

The GPA is a data protection entity comprising more than 130 international data protection authorities (DPAs) on the national and state level. Among many others, the accredited members include the DPA of Japan, USA, Canada, Mexico, Australia, Israel, Hong Kong, Argentina and all EU countries.

In its statement, the GPA makes clear that the data protection rules will not be a hinderance to effectively tackling the Corona pandemic. In fact, across all member jurisdictions, the data protection laws allow the processing of personal data in the public interest (e.g. Art. 6 para. 1 s. 1 lit. e  and Art. 9 para. 2 lit. i GDPR). In the current crisis, the DPAs all over the world will help facilitate swift and safe data sharing to fight Corona, whilst still maintaining the privacy rights of individuals proportionately.

Data Sharing by Private Entities to Public Authorities

In the meantime, private entities all over the world have started to share personal data with public bodies in an effort to fight the pandemic. The extent of these data sharing practices largely depend on the national data protection laws that the respective countries have in place. Since the level of data protection still varies greatly in different jurisdictions, the data sharing practices vary greatly also.

In several EU countries like Germany and Austria, telecommunications companies have started sharing anonymised mobile location data of customers with governmental agencies in order to trace the movement patterns of mobile phone users. The German governmental health agency Robert-Koch-Institue (RKI) for example, received more than 5 Gigabyte of anonymised data from Deutsche Telekom. The RKI will use the data to model the flows of movement which shall provide the researchers new insights into the spread of the virus.

The European Data Protection Board (EDPB) affirms in its statement from 19 March 2020 that within the jurisdiction of the GDPR, personal data protection rules do not apply to data which has been appropriately anonymised. Even the processing of non-anonymised location data by public authorities is possible if a EU Member State introduces national legislation to safeguard public security pursuant to Art. 15 para. 1 ePrivacy Directive (2002/58/EC). However in this case, a Member State must also put in place adequate safeguards to individual rights such as the right to a judicial remedy, as well as abide by the proportionality principle.

In other countries like Taiwan, South Korea and Israel, telecommunications companies and credit card companies are already sharing non-anonymised mobile location data and payment data with their governments, in order to track cases, cut transmission chains and enforce quarantines.

The authorities in Taiwan, for instance, make use of the mobile location data far more rigorously than the authorities in Western countries, as they have established the so-called “electronic fence” which is fed with data from telecommunications providers. This system monitors the mobile location data constantly and informs police and local officials if people in mandated home quarantine move away from their addresses or turn off their mobile phones. In the event of such an alert, the authorities will contact or visit these people within 15 minutes. Quaratine violators in Taiwan will face a fine of up to 1 Mio Taiwanese Dollars (31.000 Euros).

Israel is mainly using mobile location data to trace people who came in close contact with known Coronavirus carriers, and send them text messages ordering them to self-isolate immediately. However, the authorities shall also track whether a virus carrier is adhering to quarantine rules. Last week, the Israeli government approved of emergency regulations that allow the domestic security agency Shin Bet the processing of non-anonymised location data for a limited period of 30 days, with the permission of the attorney general.

As governments are taking measures against the spread of Corona, some more and some less intrusive to the privacy rights of individuals, time will tell whether the measures have worked effectively in containing the pandemic.

The series on Data Protection and Corona will be continued tomorrow with a blogpost on “Data Protection and Online learning tools”.

For up-to-date information (in German) you are welcome to follow us on Twitter.

We wish you all the best, stay healthy and protect yourself and others.