Which way for EU data governance during COVID-19?

Since the unprecedented outbreak of the COVID-19 virus, the use of data has extensively been discussed. What obstacles do scientists, public health officials and private companies face when processing datasets? And how much digital privacy can EU citizens afford in times of crisis?

In light of the exponential COVID-19 outbreak, governments make use of data with the aim of overseeing the spread of the virus. However, it is unclear whether individual or societal tracking actually delivers quality results and effectively contributes to mitigating the outbreak. While data protection experts raise concerns about individuals’ data subject rights put at risk, the technological scientific community argues to improve pan-European research on COVID-19 by facilitating access to datasets. This article lays out the EU’s regulatory requirements for data collection, assesses the use of data for public administrations and health experts, and asks what the “right balance” between public health and individual privacy ought to be.

Different types of data have been used worldwide, both by public and private entities, to mitigate the COVID-19 spread. As such, the South Korean government uses smartphone apps to monitor if people remain under forced quarantine. Furthermore, location/GPS data from smartphones and cars, information from credit cards and surveillance cameras are evaluated to more effectively oversee the COVID-19 outbreak over the South Korean peninsula. Individuals are informed via text message if they were in contact with another infected person. The government publishes the precise location of all identified cases on the Corona Map. Also EU public policymakers discuss if data-driven tracing could mitigate the COVID-19 spread, given the unprecedented situation and little time for scientific tests.

Which rules related to the processing of personal data apply in the COVID-19 crisis?

The GDPR provides a general set of rules on the processing of personal data in EU countries. The European Data Protection Board (EDPB) issued a statement on the processing of personal data in the context of the COVID-19 outbreak, underlining that the GDPR does not hinder the effective use of digital technologies and datasets to deal with the emergency situation. As such, employers and public health authorities are legally entitled to process personal data in the context of health emergencies and epidemics without the consent of individuals. This applies in exceptional circumstances, for instance when the processing of personal data is deemed “necessary for the employers for reasons of public interest in the area of public health or to protect vital interests” (GDPR, Art. 6 and 9).

Specific rules apply to the processing of electronic communication data, including mobile location data. Also the ePrivacy Directive, applied through individual national laws, grants Member States the power to process location data, but with the consent of the individual or in an anonymous way, i.e. when aggregated datasets are not suitable for tracing potentially contagious people through their personal data. When it is not possible to only process anonymous data, member states can introduce a legislation pursuing public security with adequate safeguards, e.g. judicial remedy. These measures should represent a “necessary, appropriate and proportionate measure within a democratic society to safeguard national security, defence, public security […]” (Art. 15 of the ePrivacy Directive). In sum, data processing must be anchored to its original scope, and datasets of personal data must be processed only in compliance with an emergency legislation.

ESMH scientist Innocenza GennaInnocenzo Genna emphasises the safeguarding of personal data within the EU’s regulatory framework for data – especially in times of crisis: “GDPR and ePrivacy must remain robust and set rules for protecting citizens’ data by both ‘Big Tech’ and the State. Monitoring citizens could therefore be appropriate when data are anonymised and aggregated. Individual tracking should be an exception and only possible with clear evidence that tracking is the only effective way to achieve a given objective.”

How can location data be used to mitigate the COVID-19 outbreak?

Also in the EU, national governments have started to request and evaluate location data. As such, the leading Austrian network provider A1 shared location datasets of every mobile phone user with the Austrian Government. Despite using pseudonymous datasets – compliant with GDPR – the transfer is criticised by data protection experts: It is unclear which data was actually transferred, and if historical data was used. Further, historical data was used to compare current location profiles, and customers were not informed about the data exchange.

ESMH scientist Andrea RendaProf. Andrea Renda, Senior Research Fellow at CEPS, critically assesses the unprecedented data processing by governments : “Use of geolocation data to enforce social distancing is possible but relatively inaccurate especially outside densely populated areas. Governments can use such information to locate violations of social distancing rules. There is no pseudonymisation in these cases: the purpose is law enforcement, thereby the information is used to track people’s movement and enforce the social distancing rules. However, due to the inaccuracy of the geolocational data, one can only use this information as evidence to be confirmed through other means, […] for example asking employers to track employees, or using facial recognition to avoid that certain people break out of containment zones. These measures would amount to a disproportionate and untrustworthy use of technology, and a violation of fundamental rights, however temporary. […] The use of geo-locational data to track social movements should never become the rule.”

Also Germany’s largest network provider Telekom supplied location data to the Robert-Koch Institut. Based on 46 million mobile phone users, aggregated location data was analysed to predict further the territorial COVID-19 expansion in Germany. Such emergency data sharing procedures were tested and approved already in 2015 by the Federal Data Protection Officer. These aggregated, pseudonymous datasets do not allow feedback on individuals, and are GDPR-conform. Most important, however, is the independent and continuous monitoring of such location tracking activities, especially for public-private initiatives.

ESMH scientist Anna OdoneProf. Anna Odone, Associate Professor of Public Health at the University San Raffaele in Milan and President of Digital Health for the European Public Health Association (EUPHA), explains the challenges of using data in the healthcare sector : “GDPR is often perceived as a complex matter for public health practitioners and researchers. The best strategy to overcome this issue and to fruitfully manage and share personal data for public health purposes is to “know” GDPR. Next, we need to work hand in hand with data protection officers and GDPR experts who can support us to use data in the best possible way, acknowledging that and that in most cases its derogations are designed to promote research endeavours and ultimately pursue population wellbeing, even more so during health emergencies.”

On the EU level, several projects are underway. The COVID-19 outbreak response study is one of the first assessments of mobility data in Italy following the national lockdown on March 09, 2020. Location data was used to better understand the reduction of contact patterns. The incremental closure of public spaces, leading up to the lockdown, resulted in up to almost 20% less potential encounters. The measures taken by regional and national governments have thus significantly decreased citizens’ proximity network. In some regions, potential encounters even decreased about 30% on average, compared to the pre-outbreak period.

Anna Odone : “For the first time in history, self-generated data are contributing to the fight against an epidemic: Via digital participatory surveillance through social media and apps, people actively generate and communicate data to allow to monitor disease trends, identify risk factors or for suspects’ symptoms monitoring. Data digitalisation offers great potential to control outbreaks but my feeling is that preparedness was not in place in every context to maximise its potential.”

What is significant about the COVID-19 outbreak response study is the GDPR-compliant methodology: the researchers obtained de-identified, large-scale data from a location intelligence company. Their analysis is therefore based on anonymised data from users who actively opted in. To preserve privacy, the data of residential areas were inferred at an aggregated geohash level, which means that individual homes and addresses cannot be singled out to prohibit potential data misuses.

Beyond tracking: Medical and logistical data to mitigate the COVID-19 crisis

European scientists in various fields collectively respond to the emergency situation. The Confederation of Laboratories for Artificial Intelligence Research in Europe (CLAIRE), the world’s largest AI research network, links European data science research hubs. Lately, CLAIRE created a COVID-19 taskforce with AI experts to share technological knowledge and to support public administrations, institutions, healthcare infrastructures and alike. Prof. Holger Hoos, chair of the executive board of CLAIRE and professor at Leiden University, underlines that many EU scientists are motivated to offer their academic and professional resources and research networks. The CLAIRE COVID-19 taskforce in line with its core values ‘AI for good’ and ‘AI for all’ works on a voluntary basis. In their open letter, CLAIRE’s AI scientists suggest to deploy intense day care data to predict critical cases and to better assess priorities in triage and therapy or to use datasets of computer tomography (CT), antiviral drugs to assist doctors in making more informed choices for more patients.

Despite outstanding medical resources and a pan-European expertise in health research, scientists and health practitioners still struggle to access useful data. Anna Odone also notices several issues in optimising clinical management:

“Case definitions and surveillance standards are sometimes not harmonised, therefore making it difficult to interpret and compare figures. In addition, for example in Italy, only a fraction of data on the COVID-19 epidemic are made available to the wider public health community and to the general population, which limits its use and exploitation for health education and communication purposes, as well as for public health practice and research. From a research perspective, it is now important to design solid and comprehensive prospective studies to make sure we collect, link and share large sets of clinical, laboratory and personal data which will allow us to understand SARS-CoV-2 so as to contrast its spread in a constructive and collaborative way.”

Moreover, Innocenzo Genna suggests that mitigating the COVID-19 spread does not only depend on governments, but is inherently linked to norms and national sociocultural practices as well. There is a lot of attention on South Korea where the epidemic is slowing down. However, such reports are normally descriptive and do not scientifically analyse the circumstances. In other words, they show a correlation between the use of geolocation apps and the trend of epidemics, not their link of causality. An interesting counter-case could be Japan, where the epidemic has been initially controlled without the use of geolocation apps. In Japan, basic social habits preventing epidemics exist by default – irrespective from emergencies: social distance (few shaking hands or kisses), frequent hand washing, not touching people or objects eg. It could be the same in South Korea. In other words, we are still far from clear evidence about how to better fight epidemics. At this stage we must be cautious about the use of data, especially geolocation data. These might be useful but there is also the risk of over-evaluation. The effectiveness still needs to be proved.”

In line with its norms and values, the fundamental question in Europe is about whose data is shared with public health authorities, and which datasets are appropriate and useful. Ideally, such strategies would maximise benefits for the public health and research community, while not affecting users’ privacy and individual data rights online. A clear distinction to non-European ways to deal with personal data, as reported in China, should be put forward and stringently pursued. More generally, a potential long-term chilling effect on the EU population at large should be taken seriously, if data – especially location data – were to be used by both governments and private companies. In sum, the “European way” to deal with such emergency situations is to clearly maintain a balance between the public interest to protect common health and the safeguarding of individual privacy.

Useful links:
Data & AI can help ease lockdowns
Commission adopts Recommendation to support exit strategies through mobile data & apps
Use of smartphone data to manage COVID-19 must respect EU data protection rules
What if we could fight coronavirus with artificial intelligence?
What if smartphones could help contain COVID19?
Will privacy be one of the victims of COVID-19?
Coronavirus: Google reveals travel habits during the pandemic:
COVID-19 Outbreak Response Study
CLAIRE Taskforce on COVID19
Data Protection Law and COVID-19
COVID-19 Digital Rights Tracker
Europe shares code for new coronavirus warning app

Related Content:
A scientist’s opinion : Interview with Prof. Andrea Renda
A scientist’s opinion : Interview with Innocenzo Genna
A scientist’s opinion : Interview with Prof. Anna Odone

Leave a Reply