European Commissioner for Internal Market and Services Thierry Breton. [EPA-EFE/STEPHANIE LECOCQ]
By Samuel Stolto
The European Commission’s Internal Market chief Thierry Breton has defended plans to obtain mobile data from EU telecom firms during the coronavirus outbreak, saying the acquisition of certain datasets allows for a clearer reading of “the impact of the confinement measures taken by member states.”
The Commission requested telecom firms to hand over “anonymised mobile metadata to help analysing the patterns of diffusion of the coronavirus.”
The decision was made after Breton held talks on Tuesday (24 March) with the CEOs of European telecommunication companies and GSMA, the association of mobile network operators.
A statement from the Commission following the meeting said that the process would be “fully compliant” with the EU’s General Data Protection Regulation and the ePrivacy legislation.
But the move also raised a series of questions as to which data sets were being obtained as well as specifically which unit within the Commission would be handling the data.
Sophie in’t Veld, a Dutch centrist MEP, wrote to Breton, pressing him to ensure that the data received from telecommunications firms remains anonymised.
In’t Veld also wanted to know how useful it would be to aggregate “very large quantities” of location data, when millions of Europeans are under lockdown.
Responding to the Dutch lawmaker on Wednesday evening (25 March), Breton said that “in the fight against this sanitary crisis, it is paramount that we anticipate the spread of the pandemic, and its likely peak in each country.”
“This is crucial in order to plan the supply of medical equipment,” Breton said, adding that the Commission’s Joint Research Centre would be responsible for overseeing this project.
Breton also guaranteed that all data would be deleted as soon as the current crisis comes to an end, and that all information retrieved would be fully “anonymised,” although he did not provide more detail as to how this could be guaranteed.
EU data protection supervisor weighs in
Meanwhile, the European Data Protection Supervisor, Wojciech Wiewiórowski, penned a letter to the chief of the Commission’s DG Connect, Roberto Viola, on Wednesday evening, responding to the executive’s plans to implore EU telecommunications firms to hand over data in the ongoing fight against COVID-19.
The EDPS have been consulted by the Commission on the measures undertaken.
The EDPS highlighted the legality of the Commission’s move, saying that “data protection rules currently in force in Europe are flexible enough to allow for various measures taken in the fight against pandemics.”
However, the EDPS did ask the Commission to be transparent on the specific type of data that it is looking to obtain from telecommunications firms. “The Commission should clearly define the dataset it wants to obtain and ensure transparency towards the public, to avoid any possible misunderstandings,” Wiewiórowski said.
The letter also cautioned the Commission about relying on third parties to process the information. Any private firms dealing with the data should be required to apply the necessary security measures as well as strict confidentiality obligations, he stressed.
For their part, the telecoms industry association GSMA adopted a collaborative spirit about the plans. Mats Granryd, the director general of the organisation, tweeted on Wednesday that their members are “committed to working with the Commission, national authorities and international groups to use data in the fight against COVID-19 crisis, while complying with European privacy standards.”
However, other stakeholders in the privacy arena have adopted a more cautious approach to the plans. Diego Naranjo, head of policy at European Digital Rights, recognised the value of data collection in “developing a greater understanding of the spread of the COVID-19 virus” .
He also told EURACTIV that such moves should be “fundamental right-based with necessity and proportionality in mind.”
In this specific case, Naranjo agreed with the Commission that the data falls outside the scope of EU data protection legislation, but only as long it is aggregated and anonymised.