4 - 2020 - Future of Privacy Forum

European Union’s Data-Based Policy Against the Pandemic, Explained

Benefitting from a mature and largely harmonized data protection legal framework, the European Union and its Member States are taking policymaking steps towards a pan-European approach to enlisting data and technology against the spread of COVID-19 and to support the gradual restarting of the economy. Here is an overview of key recent events essential to understand EU’s data-based approach against the pandemic:

Early on, the European Data Protection Supervisor (EDPS) – which is the supervisory authority of the EU institutions and bodies and also the consultative body on EU legislation that may impact data protection, issued Comments on the European Commission’s plan to access telecommunications data from telecommunications service providers to monitor the COVID-19 spread (March 25), and also issued a public call for a pan-European approach against the pandemic (April 6).
Following a detailed Recommendation issued by the European Commission on April 8, the eHealth Network, a voluntary network providing a platform of Member States’ competent authorities dealing with digital health, published a week later a common EU Toolbox for Member States on contact tracing mobile applications.
The Presidents of the European Commission and the European Council – which reunites the heads of state or government of EU Member States, published on April 15 an exit strategy, or Joint European Roadmap towards lifting COVID-19 containment measures, where the first two of seven measures proposed are based on the collection and use of data.
The Commission also issued guidelines specifically on how these mobile applications should be designed and implemented to respect data protection requirements (April 16).
The European Parliament adopted, on April 17, a resolution on EU coordinated action to combat the COVID-19 pandemic and its consequences, including specific recommendations and even ‘demands’ for certain safeguards around contact tracing applications, including a decentralized approach.
The European Data Protection Board, the EU body reuniting the leaders of all Data Protection Authorities (DPAs) in the EU – meaning the only authorities that are competent to enforce data protection law within Member States both in the public and private sectors, published its Guidelines on contact tracing apps and the use of telecommunications data to fight the effects of the pandemic and Guidelines on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak (April 23). These guidelines come after several other instances where the EDPB quickly provided its view on related pressing issues: a letter to the Commission responding to a consultation on its data protection guidelines mentioned above, and a Statement on the processing of personal data in the context of the COVID-19 outbreak, with a focus on the employer-employee relationship.

This report will further look closer to each of these guidelines, opinions, recommendations, resolutions, to analyze what are the solutions for processing personal data through contact tracing apps or the creation of heat maps based on mobility data in support of lifting the COVID-19 containment measures in the EU, and their data protection implications (see Table 1 for a list of relevant documents, in chronological order). This contribution looks solely at EU-level policy, which will trickle down to national level. The responses of national data protection authorities will be analyzed in a second part. It is important to keep in mind that the EDPB acts as a liant between EU level/agreed-upon data protection policy and national implementation.

1. Preamble: Scientists were here first

Before the calls and guidelines of policymakers at EU level favoring a pan-European approach, scientists and researchers across Europe (from several EU Member States, but also from Switzerland and the UK) were the first ones that rallied to propose a pan-European technical solution for contact tracing apps, at the end of March, initially as part of a broader pan-European project (in the meantime, the broader project seems to lose partners and support due to lack of transparency, including about its original conveners, and differences among scientists on whether centralized or decentralized solutions are preferable).

A lot of attention is now paid to one protocol developed initially under that umbrella but which became independent: the Decentralized Privacy-Preserving Proximity Tracing (DP-3T) protocol. This protocol was developed by ‘over 25 scientists and academic researchers from across Europe’ and ‘it was also scrutinized and improved by the wider community’ after being published. The DP-3T project is ‘an open protocol for COVID-19 proximity tracing using Bluetooth Low Energy functionality on mobile devices that ensures personal data and computation stays entirely on an individual’s phone’ (a decentralized solution). The protocol is being implemented in a ‘soon-to-be-released, open-sourced app and server’. Its data protection and security claims are scrutinized and open to feedback on GitHub.

Apple and Google announced a joint program early on in this debate that supports the creation of infrastructure on their platforms suited for the decentralized approach to contact tracing, leaving a centralized approach with few technical options for implementation.

Officials from Switzerland (non-EU, but ‘associated country’), Austria (EU) and Estonia (EU) announced they plan to implement the DP-3T protocol. But other Member States, like France (who even called for Apple and Google to modify their decentralized framework) and Italy (where the debate is still ongoing), are pushing for a different architecture of a national contact tracing app, based on centralization of information, mimicking the real life contact tracing that is conducted by public health authorities and relies on centralization and identification of all contacts a person that tested positive recalls of having been in touch with. These decisions are currently being taken at national level, with the debate shifting every day.

2. The European Data Protection Supervisor: Early call for Digital Solidarity in the EU

EDPS’ first call for a European approach to rely on data to fight the pandemic came in the Comments the institution issued on March 25 in response to a consultation from the European Commission on a proposal to rely on telecommunications data, shared by service providers, to monitor the spread of COVID-19. The EDPS called for ‘an urgent establishment of a coordinated European approach to handle the emergency in the most efficient, effective and compliant way possible’, considering that fragmentation at national level may stay in the way of effectiveness. The EDPS also pointed out in the Comments that ‘data protection rules currently in force in Europe are flexible enough to allow for various measures taken in the fight against pandemics.’

As for the safeguards proposed for the use of telecommunications data, they focused on transparency about the data sets to be made available by telecommunications service providers and how will they be used; anonymization to the extent possible, and aggregation of data; contractual accountability for all third parties that will process the data; limitation of access rights to authorized experts in spatial epidemiology, data protection and data science; strict retention limitation – ‘the data obtained from mobile operators would be deleted as soon as the current emergency comes to an end.’

On April 6, the European Data Protection Supervisor, Wojciech Wiewiórowski, doubled down on the European approach against the pandemic and issued a public message for EU Digital Solidarity. He recalled that ‘big data means big responsibility’ and pointed out that responsibility also means ‘we should not hesitate to act when it is necessary. There is also responsibility for not using the tools we have in our hands to fight the pandemic.’

Wiewiórowski called for a pan-European model of a COVID-19 mobile application, ‘coordinated at EU level.’ ‘Legality, transparency and proportionality are essential’, the Supervisor added.

There are four key safeguards the EDPS proposes so the data-based solutions to counter the effects of the pandemic are compliant with data protection law: the measures are temporary – ‘they are not here to stay after the crisis’; ‘Their purposes are limited – we know what we are doing’; ‘Access to the data is limited – we know who is doing what’; and ‘We know what we will do both with results of our operations and with raw data used in the process’ – which seems to refer to justifiable necessity of such measures.

3. The European Commission: Recommendation for a common approach to contact tracing apps and eHealth Network’s Toolbox

On April 8, the European Commission published a Recommendation on ‘a common Union toolbox for the use of technology and data to combat and exit from the COVID-19 crisis, in particular concerning mobile applications and the use of anonymised mobility data’. This Recommendation set up a process for developing a common approach within the EU to use digital means to address this crisis, referred to as a Toolbox.

3.1. The Recommendation: Build a common Toolbox, a fragmented approach will not be effective

In this early document, the Commission acknowledged that ‘digital technologies and data have a valuable role to play in combating the COVID-19 crisis, given that many people in Europe are connected to the internet via mobile devices.’ It also pointed out that ‘a fragmented and uncoordinated approach risks hampering the effectiveness of measures aimed at combating the COVID-19 crisis, whilst also causing serious harm to the single market and to fundamental rights and freedoms.’ Therefore, the Commission considers that a pan-European approach is necessary both for the economy – preserving the single market, and for a coherent fundamental rights approach across the EU.

The Commission enumerated several factors that would render these applications effective, such as user penetration, public trust that the data will be protected by appropriate data protection and security measures, integration and data sharing with other systems and applications, cross-border and cross-regional interoperability with other systems. According to the Commission, interoperability between applications is recommended, as well as the possibility of national health authorities supervising infection transmission chains to be able to ‘exchange interoperable information about users that have tested positive with other Member States or regions in order to address cross-border transmission chains.’

In addition to a pan-European approach for mobile apps designed to fight the pandemic, the Recommendation also pushes for ‘a common scheme for using anonymized and aggregated data on mobility of populations’, specifically in order to:

Model and predict the evolution of the disease;
Monitor the effectiveness of decision-making by Member States’ authorities on measures such as social distancing and confinement;
Inform a coordinated strategy for exiting from the COVID-19 crisis.

According to the Commission, ‘respect for all fundamental rights, notably privacy as well as data protection, the prevention of surveillance and stigmatization’ should be ‘paramount throughout the process’. To this end, three key principles are laid out. The proposed Toolbox should:

Strictly apply the purpose limitation principle (‘ensure that the personal data are not used for any other purposes such as law enforcement or commercial purposes’);
Ensure regular review of the technical solutions proposed and ‘set appropriate sunset clauses’;
Ensure that ‘the processing is effectively terminated and the personal data concerned irreversibly destroyed’, unless their scientific values for research outweighs the impact on the rights concerned. Any such further processing should be done ‘on the advice of ethics boards and data protection authorities’.

Further recommendations are made for each of the two envisaged scenarios involving data – mobile apps and the use of aggregated telecommunications data. The Commission does not express any preference for a specific architecture of contact tracing apps (centralized v. decentralized). Importantly, this Recommendation highlights the key role DPAs play: ‘consultation with data protection authorities … is essential to ensure that personal data is processed lawfully and that the rights of the individuals concerned are respected.’

3.2. The Common Toolbox: adopted by the eHealth Network and pushed against tech solutionism

Version 1 of the Common EU Toolbox called for in this Recommendation was developed at incredible speed and it was published a week later, on April 15. The Toolbox was adopted by the ‘eHealth Network’ which is a voluntary network¹ that provides a platform of Member States’ competent authorities dealing with digital health. Enlisting the support of Member States for a pan-European approach of relying on data to fight the pandemic is essential. This is because the European Union does not have exclusive competence on health matters. Primary responsibility for health protection and, in particular, healthcare systems continues to lie with the Member States.²

The document solely focuses on mobile apps for contact tracing. As opposed to most recent policy documents in this area, it also contains an explanation of what contact tracing means during an epidemic or pandemic and it details how it is usually carried out manually, by public health authorities: ‘This is a time-consuming process where cases are interviewed in order to determine who they remember being in contact with from 48 hours before symptom onset and up to the point of self-isolation and diagnosis. (…) Such manual processes rely on the patient’s memory and obviously cannot trace individuals who have been in contact with the patient but who are unknown to him/her.’ Nonetheless, the eHealth Network is clear in its recommendation that mobile apps should be complemented by manual contact tracing, which will ‘continue to play an important role, in particular for those, such as elderly or disabled persons, who could be more vulnerable to infection but less likely to have a mobile phone or have access to these applications’.

The Toolbox was built by taking the position that both centralized and decentralized solutions can be relied on, without a preference being expressed for either, and with advantages and shortcomings of both being laid out in the document. For the decentralized option, the Toolbox notes that ‘this approach would considerably reduce the risks to privacy as close contacts would not be directly identifiable and this option would thereby enhance the attractiveness of the application’, but in this case public health authorities would not have ‘access to any anonymised and aggregated information on social distancing, on the effectiveness of the app or on the potential diffusion of the virus’ and ‘this information can be important to manage the exit of the crisis’. The centralized option described in the Toolbox presupposes that ‘users cannot be directly identified’ through the data stored in the backend server, which are ‘arbitrary identifiers generated by the app’. According to the eHealth Network, ‘the advantage is that the data stored in the server can be anonymised by aggregation and further used by public authorities as a source of important aggregated information on the intensity of contacts in the population, on the effectiveness of the app in tracing and alerting contacts and on the aggregated number of people that could potentially develop symptoms.’

The Toolbox concludes that ‘none of the above two options includes storing of unnecessary personal information’. However, it alerts developers that centralized solutions which do involve ‘directly-identifiable data on every person downloading the app’ that is held centrally by public health authorities, ‘would have major disadvantage, as noted by the EDPB in its response to consultation on Commission draft guidance on data protection and tracing apps.’

Compared to other guidelines, there is more detailed focus in this Toolbox on the epidemiological relevance of any technological solution proposed. As such, apps should be following national legislation and international guidance ‘that defines which contacts should be followed up and what the management of these contacts should be’ under the coordination of public health authorities.

The Toolbox sets out various relevant parameters to enable a coordinated development and use of ‘officially recognized contact tracing applications and the monitoring of their performances.’ It provides a detailed list of baseline requirements and functionalities that should be taken into account (see Annex I of the document), which have been ‘identified collectively by Member State authorities who are considering the launch of an app to support contact tracing.’ In eHealth Network’s view, the essential requirements for national apps are that they should be:

Voluntary;
Approved by the national health authority;
Privacy-preserving, with personal data securely encrypted;
Dismantled as soon as no longer necessary.

4. Joint Statement of the Presidents of the Commission and the Council: EU Exit Strategy Roadmap enlists data as key to lifting confinement

European Commission’s President, Ursula von der Leyen, and the President of the European Council, Charles Michel, co-signed a Joint European Roadmap towards lifting COVID-19 containment measures, on April 15, which sets out recommendations to Member States with the goal of preserving public health while gradually lifting containment measures to restart community life and the economy. This Roadmap contains principles that should guide the Member States and the EU in their exit strategy and a set of seven recommended measures. The first two of these seven measures rely on using data.

The first recommended measure is to ‘gather data and develop a robust system of reporting’. By this, the Roadmap means ‘gathering and sharing of data at national and subnational level by public health authorities in a harmonised way on the spread of the virus, the characteristics of infected and recovered persons and their potential direct contacts’. Recognizing that reporting only cases that are known to health authorities is not enough (they ‘may only represent the tip of the iceberg’), the document refers to both ‘social media and mobile network operators’ as being in the position to ‘offer a wealth of data on mobility, social interactions, as well as voluntary reports of mild disease cases (e.g. via participatory surveillance) and/or indirect early signals of disease spread (e.g. searches/posts on unusual symptoms).’

The Roadmap refers to anonymizing and aggregating such data before being used, and offers the Joint Research Center and the European Center for Disease Control as centralizing bodies for this data collection and for conducting modelling work. This is interesting, since this is the only instance where social media data is being brought to the discussion among the different EU-level policymaking sources. On the other hand, telecommunications data has been enlisted early on in the pandemic to offer an EU-wide window into how individuals are moving during lockdowns, following a push initiated by Thierry Breton, the commissioner for the internal market (see also Section 2 of this report).

The second recommended measure is to ‘create a framework for contact tracing and warning with the use of mobile apps which respect data privacy’. According to the signatories of the Joint Statement, contact tracing apps are ‘particularly relevant in the phase of lifting containment measures’. Because they can ‘help interrupt infection chains and reduce the risk of further transmission’, contact tracing apps ‘should be an important element in the strategies put in place by Member States’, as long as they complement other measures, including increased testing capacities. In fact, the third recommended measures in the document is expanding testing capacity and harmonising testing methodologies. As for the mobile apps, it is recommended in the Exit Strategy that they are voluntary and that ‘national health authorities should be involved in the design of the system.’

The safeguards proposed are a mix of technical safeguards – anonymization and aggregation of data, no tracking of users; and governance safeguards – transparency and expiration ‘as soon as the COVID-19 crisis is over’, with a recommendation to erase any remaining data at that time and have the apps being deactivated. According to the document, ‘confidence in these applications and their respect of privacy and data protection are paramount to their success and effectiveness.’ The document refers to the earlier Recommendation made by the Commission to set up the framework for a data protection centered contact tracing app and to guidance by the Commission on how such apps can be respectful of data protection law. However, the Roadmap omits to include the crucial role that Data Protection Authorities and their pan-EU body, the European Data Protection Board, will have in ensuring contact tracing apps, if deployed, are fully respectful of the rights and freedoms of individuals by complying with data protection law requirements.

Finally, the Presidents of the Commission and the Council state that a pan-EU reference app, or at least interoperability and sharing of results between contact tracing apps at EU level, ‘allows a more effective warning of people concerned and a more efficient public health policy follow-up’. Indeed, the lack of a pan-EU approach to deploying and relying on contact tracing apps would risk enderanging the freedom of movement which is so central to the EU.

5. The European Commission: Data protection guidance on apps to support the fight against COVID-19

To complement the features recommended in the Toolbox for contact tracing apps by the eHealth Network, the Commission published separately, on April 16, data protection guidance for apps to support the fight against COVID-19. This abundance of data protection guidance may be confusing for app developers and for the public authorities wanting to implement apps, considering that both the EDPS and the EDPB have been very active in giving input, following their specific mandate. In fact, the Commission includes as the last point in its guidance the fact that DPAs ‘should be fully involved and consulted in the context of the development of the app and they should keep its deployment under review.’

One interesting nuance is that the Commission includes in the scope of its analysis several variations of mobile apps that could potentially be useful in the fight against the pandemic: apps that provide accurate information to individuals about the COVID-19 pandemic; that provide questionnaires for self-assessment and for guidance to individuals (symptom checker functionality); that provide contact tracing and warning functionality; and that provide a communication forum between patients and doctors in situation of self isolation or where further diagnosis and treatment advice is provided (increased use of telemedicine).

This guidance identifies and details ten elements that ensure ‘a trustful and accountable use of apps’:

National health authorities (or entities carrying out tasks in the public interest in the field of health) should be the data controller.
Ensuring that the individual remains in control (for example, different app functionalities – like information, symptom checker, contact tracing and warning functionalities, should not be bundled so that the individual can provide his/her consent specifically for each functionality).
As lawful grounds for processing: relying on consent for the installation of the apps and for placing information, such as random identifiers, on devices, in compliance with the ePrivacy Directive; for further processing, relying on a legal obligation for processing of the personal data by health authorities (Article 6(1)(c) and Article 9(2)(i) GDPR), as long as the law, even if pre-existent to the COVID-19 pandemic, provides for measures allowing for the monitoring of epidemics and meets further requirements set out in Article 6(3) GDPR; keeping in mind that there is a ‘prohibition’ of subjecting individuals to a decision based solely on automated processing which produces legal effect or similarly significantly affects the individual (Article 22 GDPR).
Data minimisation (for example, ‘if the purpose of the functionality is symptom checking or telemedicine, these purposes do not require access to the contact list of the person owning the device’; for contact tracing, the Commission recommends the use of Bluetooth Low Energy (BLE) communications data, or data generated by equivalent technology, to determine proximity, considering that ‘for the metering of proximity and close contacts BLE communications between devices appears more precise, and therefore more appropriate, than the use of geolocation data (GNSS/GPS, or cellular location data).
Limiting the disclosure of/access to data, with different recommended access permissions depending on the functionality of the app.
Providing for precise purposes of processing: the Commission also advises against the use of the data gathered under the above conditions for other purposes than the fight against COVID-19, recommending additional limitations even with regard to processing for scientific research and statistics, which ‘should be included in the original list of purposes and clearly communicated to users.’
Setting strict limits to data storage: timelines should be based on ‘medical relevance’, as well as ‘realistic durations for administrative steps that may need to be taken’; for example, proximity data collected by contact tracing apps should be deleted ‘after maximum one month (incubation period plus margin) or after the person was tested and the result is negative’; health authorities may retain it for longer periods ‘for surveillance reporting and research provided it is in an anonymised form.’
Ensuring data security: the Commission recommends that the data should be stored on the terminal device of the individual ‘in an encrypted form using state-of-the art cryptographic techniques’; in the case that the data is stored in a central server, the access, including the administrative access, should be logged.
Ensuring the accuracy of data: accuracy on whether a contact with an infected person (epidemiological distance and duration) has taken place is essential, to minimise the risk of having false positives.
Involving DPAs, which should be consulted in the context of the development of the app; further along, they should keep its deployment under review.

The Guidelines do not specifically recommend a centralized or decentralized approach to contact tracing apps, but they do highlight that ‘the decentralised solution is more in line with the minimisation principle’. This specification was included in the letter the EDPB sent to the Commission in response to a consultation on this draft guidance. The Commission also states that ‘health authorities should have access only to proximity data from the device of an infected person so that they are able to contact people at risk of infection.’ This would mean that proximity data ‘will be available to the health authorities only after the infected person (after having been tested) proactively shares these data with them.’

6. The European Parliament: A Resolution on EU coordinated action to combat the COVID-19 pandemic

The European Parliament adopted on April 17 a Resolution on EU coordinated action to combat the COVID-19 pandemic and its consequences, where it recalled that ‘solidarity among the Member States is not an option but a Treaty obligation and forms part of the European values’ and it sanctioned the lack of coordination and solidarity among Member States at the beginning of the pandemic. The Resolution is broad in scope and it looks beyond an immediate exit strategy, by tackling issues related to longer term public health goals, solutions to overcome the economic and social consequences and recommendations to protect democracy, rule of law and fundamental rights. Under this latter headline, the Resolution includes specific references to relying on telecommunications data and on contact tracing applications in a way that is congruent with fundamental rights.

The Parliament took a stance unequivocally in favor of decentralized contact tracing apps, as opposed to centralized apps, and it pushed for transparency and demonstrable necessity of these apps. It used strong wording and noted that it ‘demands that all storage of data be decentralised, full transparency be given on (non-EU) commercial interests of developers of these applications, and that clear projections be demonstrated as regards how the use of contact tracing apps by a part of the population, in combination with specific other measures, will lead to a significantly lower number of infected people.’ In its Resolution, the Parliament also asked for the code of contact tracing apps to be public and recommended that ‘sunset clauses are set and the principles of data protection by design and data minimisation are fully observed’.

While recommending a pan-European approach to the use of contact tracing apps, the Parliament also acknowledged these initiatives seem to be primarily national at this point. Therefore, it called for both the Commission and the Member States ‘to publish the details of these schemes and allow for public scrutiny and full oversight by data protection authorities’. As opposed to the Roadmap published by the Presidents of the Commission and the Council, the European Parliament not only acknowledged the key role DPAs play, but called for their full oversight and urged ‘national and EU authorities’ to fully comply with both data protection and privacy legislation, as well as ‘national DPA oversight and guidance’.

7. The European Data Protection Board: Ample guidance on enlisting data against the spread of the COVID-19 pandemic

In an extraordinary step, at the beginning of April the EDPB converted its monthly plenary meetings into weekly plenary meetings, to respond to the urgency of measures proposed across the EU to rely on personal data in the fight against the COVID-19 pandemic. On April 21, it adopted two sets of Guidelines which are essential to inform the responses at national level, one focused on the use of location data and contact tracing tools, and the other one on the processing of health data for research purposes in the context of the COVID-19 pandemic.

The Guidelines of the EDPB are very important from two points of view. First, they represent the agreed position of all national DPAs, which are the only administrative entities that have competence to enforce the GDPR and the Law Enforcement Directive at national level, both against government bodies and private organizations. Second, they are capable of ensuring a harmonized approach across the EU, at a time when national governments prefer to act by themselves, contributing thus decisively to a pan-European approach of the data-based response to the COVID-19 pandemic.

7.1. Processing of health data for research purposes

Starting from the premise that ‘the GDPR is a broad piece of legislation and provides for several provisions that allow to handle the processing of personal data for the purpose of scientific research connected to the COVID-19 pandemic in compliance with the fundamental rights to privacy and personal data protection’, the EDPB published guidance to support compliant scientific research involving health data. Here are some of the key points:

What is ‘scientific research’? The EDPB noted that the special GDPR regime for processing of personal data for scientific research purposes applies to ‘a research project set up in accordance with relevant sector-related methodological and ethical standards, in conformity with good practice’ and the term scientific research ‘may not be stretched beyond its common meaning.’ The EDPB also clarified that when talking about processing of health data for the purpose of scientific research, there are two types of data uses:

Research on personal (health) data which consists in the use of data directly collected for the purpose of scientific studies (“primary use”).
Research on personal (health) data which consists of the further processing of data initially collected for another purpose (“secondary use”).’

Compatible purposes for secondary uses. The EDPB notes that this distinction is important in the context of identifying the lawful ground for processing. Even though not specifically explained in the guidance, this has to do with the fact that secondary uses of data are permissible without the need for an additional lawful ground, as long as they are compatible with the purpose for which the data was originally collected. However, the EDPB does not give specific guidance on compatibility of purposes in this context and only mentions that ‘this topic, due to its horizontal and complex nature, will be considered in more detail in the planned EDPB guidelines on the processing of health data for the purpose of scientific research.’ However, the Board emphasizes that strong security measures are highly advisable ‘considering the sensitive nature of health data and the risks when re-using health data for the purpose of scientific research’.
Lawful grounds for processing. A general lawful ground from Article 6 GDPR has to be complemented by a permissible use for special categories of data in Article 9(2) GDPR. EDPB explains that besides consent (as long as all conditions for valid consent are met, including the possibility for individuals to withdraw consent at any time), controllers can also possibly rely on necessity for the performance of a task in the public interest by a public authority – Article 6(1)(e) GDPR, or the legitimate interests of the controller or a third party – Article 6(1)(f) GDPR, in combination with the enacted derogations under Article 9(2)(j) or Article 9(2)(i) GDPR. Under these two paragraphs of Article 9(2), both the EU or the national legislators at Member State level may enact specific laws ‘to provide a legal basis for the processing of health data for the purpose of scientific research’.
International data transfers. A section of the guidance is dedicated to international data transfers, considering the global nature of the COVID-19 pandemic and that ‘there will probably be a need for international cooperation that may also imply international transfers of health data for the purpose of scientific research outside of the EEA [European Economic Area].’ The EDPB gives the green light for health data to be transferred on the basis of derogations, where an adequacy decision is not in place or where one of the other appropriate safeguards are absent (like Standard Contractual Clauses). In particular, data can be transferred on the basis of the express consent of the data subject, or on the basis of the transfer being necessary for important reasons of public interest. The EDPB remarks that not only public authorities, but also private entities playing a role in pursuing a public interest related to the COVID-19 pandemic, such as a university’s research institute cooperating on the development of a vaccine in the context of an international partnership, could, under the current pandemic context, rely upon those derogations. However, the EDPB highlights that such transfers must be ‘a temporary measure, due to the urgency of the medical situation globally’. It adds that while the COVID-19 crisis may justify the initial transfers of data, repetitive transfers, part of a long lasting research project would need to be framed with appropriate safeguards in accordance with Article 46 GDPR (e.g. standard contractual clauses, certification mechanisms, contracts approved by DPAs etc.).

7.2. Location data, ‘notoriously difficult to anonymize’

In the guidance on location data and contact tracing apps, the EDPB expresses its firm belief that ‘when processing of personal data is necessary for managing the COVID-19 pandemic, data protection is indispensable to build trust, create the conditions for social acceptability of any solution, and thereby guarantee the effectiveness of these measures’. It also clearly calls for ‘a common European approach in response to the current crisis’, or to ‘at least put in place an interoperable framework’, considering that ‘the virus knows no borders’.

The EDPB recalls that ‘the general principles of effectiveness, necessity and proportionality must guide any measure adopted by Member States or EU institutions that involve processing of personal data to fight COVID-19’. This is a call for any data-based solutions to be grounded in actual needs of authorities to manage the pandemic. ‘Such applications need to be a part of a comprehensive public health strategy to fight the pandemic, including, inter alia, testing and subsequent manual contact tracing for the purpose of doubt removal’.

When discussing the processing of location data, the EDPB points out that there are two principal sources of such data available for modelling the spread of the virus and the overall effectiveness of confinement measures: location data collected by electronic communication service providers (such as mobile telecommunication operators) in the course of the provision of their service and location data collected by information society service providers’ applications whose functionality requires the use of such data.

Accessing or collecting location data from both these sources falls under the provisions of the ePrivacy Directive. As such, location data collected from electronic communication providers may only be processed under the conditions of Articles 6 and 9 of the ePrivacy Directive. This means that the location data ‘can only be transmitted to authorities or other third parties if they have been anonymised by the provider or, for data indicating the geographic position of the terminal equipment of a user, which are not traffic data, with the prior consent of the users’. As for collecting location data and other information directly from the terminal equipment (device) of a user, Article 5(3) of the ePrivacy Directive is applicable. As such, ‘the storing of information on the user’s device or gaining access to the information already stored is allowed only if:

(i) the user has given consent;

(ii) the storage and/or access is strictly necessary for the information society service explicitly requested by the user.’

The EDPB stopped short of giving some examples on what type of services in the context of COVID-19 can argue they need access to location data because it is strictly necessary to provide the service.

The guidelines point out that derogations to these rules are possible only ‘when they constitute a necessary, appropriate and proportionate measure within a democratic society for certain objectives’, according to Article 15 of the ePrivacy Directive. However, these exceptions can only be adopted if they concern national security, defence, public security and the prosecution of criminal offenses. In addition, according to existing case-law of the CJEU interpreting Article 15, all these areas ‘constitute activities of the State or of State authorities unrelated to the fields of activity of individuals’ (Case C-275/06 Promusicae). This seems to indicate that exceptions can be applicable only if the controllers are public authorities and if Member States can justify they concern one of the areas enumerated, such as public security.

The EDPB established that after the location data has been accessed in compliance with Article 5(3) ePrivacy, they can be further processed only on the basis of additional consent or on the basis of a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1) GDPR. Even though technically organizations could rely on the fact that further processing of location data for modelling purposes to combat the pandemic is compatible with the original purpose of accessing the data, the EDPB considers that further processing on the basis of a compatibility test according to Article 6(4) GDPR is not possible in these cases where original access is obtained under the conditions of the ePrivacy Directive, since it would undermine the data protection standard of the ePrivacy Directive, as explained in the earlier Guidelines on Connected Vehicles.³

The EDPB advises that preference should always be given to the processing of anonymized data rather than personal data, but cautions that location data ‘are known to be notoriously difficult to anonymize’, since ‘mobility traces of individuals are inherently highly correlated and unique’ and ‘they can be vulnerable to re-identification attempts under certain circumstances.’ The EDPB further states that ‘data cannot be anonymized on their own, meaning that only datasets as a whole may or may not be made anonymous’. To highlight this point, it is further argued that ‘any intervention ona single data pattern (by means of encryption, or any other mathematical transformations) can at best be considered a pseudonymisation.’

The EDPB also proposes a test to evaluate the robustness of anonymization, which relies on three criteria:

‘(i) singling-out (isolating an individual in a larger group based on the data);

(ii) linkability (linking together two records concerning the same individual); and

(iii) inference (deducing, with significant probability, unknown information about an individual).’

7.3. Contact tracing: the door was kept open for both centralized and decentralized apps

With regard to contact tracing apps, the EDPB points out from the outset that ‘the systematic and large scale monitoring of location and/or contacts between natural persons is a grave intrusion into their privacy.’ This is why ‘it can only be legitimised by relying on a voluntary adoption by the users’. The EDPB continues with a series of recommendations:

Responsibility: As a first rule, the EDPB underscores that the controller of any contact tracing application should be clearly defined, to ensure accountability. Public health authorities are a natural choice, but ‘other controllers may also be envisaged’. In any case, regardless of the number and nature of actors involved in controlling the data processing through the app, their responsibilities ‘must be clearly established from the outset and be explained to users.’
Purpose limitation: the purposes of the app must be specific enough to exclude further processing for purposes unrelated to the management of COVID-19, like commercial or law enforcement purposes.
General lawful basis: the storage and access to information already stored on devices are subject to Article 5(3) GDPR, which means that for all data that is not strictly necessary to provide the service requested by the user, consent will be required. For the further processing of data, the EDPB highlights that ‘the mere fact that the use of contact-tracing applications takes place on a voluntary basis does not mean that the processing of personal data will necessarily be based on consent.’ The Board advises that Article 6(1)(e) GDPR is the most relevant legal basis whenever public health authorities or other public authorities are the controllers (meaning the necessity to process data for the performance of a task in a public interest). If this lawful ground will be relied on, additional Union or Member State laws that detail the tasks must be in place. The EDPB seems to suggest new, dedicated legislation is needed, because it will have to provide for meaningful safeguards, including ‘a reference to the voluntary nature of the application’, a clear specification of purpose and explicit limitations concerning the further use of personal data, a clear identification of the controllers involved, and, potentially, ‘as soon as practicable, the criteria to determine when the application shall be dismantled and which entity shall be responsible and accountable for making that determination. Controllers could also rely on consent as a basis for processing, but in that case they need to ensure all conditions for valid consent are met, including the possibility for users to withdraw consent at any time.

Permissible use for sensitive data. Since personal data related to health may be collected by a contact tracing app, one of the permissible uses under article 9(2) must also be in place, in addition to the general lawful ground for processing. ‘Processing of such data is allowed when such processing is necessary for reasons of public interest in the area of public health, meeting the conditions of art. 9(2)(i) GDPR14 or for healthcare purposes as described in Art. 9(2)(h) GDPR. Depending on the legal basis, it might also be based on explicit consent (Art. 9(2)(a) GDPR).’

Data retention should be dependent on true needs and medical relevance. ‘Personal data should be kept only for the duration of the COVID-19 crisis. Afterwards, as a general rule, all personal data should be erased or anonymized.’

Human supervision. Given that contact tracing apps cannot replace, but only support manual contact tracing, the EDPB underlines that ‘procedures and processes including respective algorithms implemented by the contact tracing apps should work under the strict supervision of qualified personnel in order to limit the occurrence of any false positives and negatives.’

Fairness and accountability: ‘algorithms must be auditable and should be regularly reviewed by independent experts.’ To this end, ‘source code should be made publicly available for the widest possible scrutiny.’

Risk assessment: a data protection impact assessment must be carried out before implementing contact tracing apps, and the EDPB ‘strongly recommends’ its publication.

Data minimisation, Data protection by design and by default: the application should not collect unrelated or not needed information, ‘which may include civil status, communication identifiers, equipment director items, messages, call logs, location data, device identifiers, etc.’

Centralization v. Decentralization. The members of the EDPB did not agree on a recommendation that would harmonize approaches EU-wide in the centralization versus decentralization debate, a fact which may end up hampering the pan-European approach if Member States will end up implementing different architecture which are not interoperable. The EDPB merely stated that ‘both should be considered viable options, provided that adequate security measures are in place, each being accompanied by a set of advantages and disadvantages.’ It did add in a footnote that ‘in general, the decentralised solution is more in line with the minimisation principle’. However, the guidelines leave the door open to both types of architectures, while giving specific recommendations for servers to rely on pseudonymous identifiers and very short retention times.
Data security: State-of-the-art cryptographic techniques must be implemented to secure the data, as well as mutual authentication between the application and the server, proper authorization for reporting infected users.

In its closing remarks, the EDPB showed that ‘data and digital technologies can be key components in the fight against COVID-19’, but it also warned against the ‘ratchet effect’: ‘It is our responsibility to ensure that every measure taken in these extraordinary circumstances are necessary, limited in time, of minimal extent and subject to periodic and genuine review as well as to scientific evaluation.’ The EDPB added that one should not have to choose between an efficient response to the current crisis and the protection of our fundamental rights. ‘We can achieve both, and moreover data protection principles can play a very important role in the fight against the virus’.

8. Conclusion

The EU took advantage of its mature data protection legal framework and acted rapidly to outline the possibility of a pan-European approach to support the fight against the pandemic with data, be it under the guise of mobility data for heat maps and modelling, health data for research purposes or proximity data for contact tracing, while ensuring fundamental rights and freedoms remain protected. The push for a pan-European approach, which was sparked by scientists working across borders to build a protocol for a contact tracing app that is privacy preserving, seems to be successful, even if not entirely. Several Member States already announced they will implement the same decentralized protocol for a contact tracing app (Estonia, Austria, but also Switzerland as associated country to the EU), with others, like Germany and Italy, considering now a decentralized approach to contact tracing after having initially announced plans for a centralized approach.

Developments at national level, at least in the Member States of the EU, will be ultimately influenced by EU policy. Even if public health is primarily a regulatory area where national governments lead – with the EU just complementing policies, data protection is an area where the EU has been granted powers to lead the rulemaking (see Article 16 of the Treaty on the Functioning of the European Union). Be it a decentralized or centralized approach to contact tracing, or any of the other necessary uses of personal data for modelling or research in the context of the COVID-19 pandemic, they will all need to follow data protection rules and principles, as provided by EU law.

Table 1. List of EU policy documents and guidance in relation to COVID-19 and data protection

Date	Institution	Resource
March 19, 2020	European Data Protection Board	Statement on the processing of personal data in the context of the COVID-19 outbreak
March 25, 2020	European Data Protection Supervisor	Monitoring Spread of COVID-19 Comments to DG JUST on its plan to use mobility data
April 6, 2020	European Data Protection Supervisor	EU Digital Solidarity: a call for a pan-European approach against the pandemic
April 8, 2020	European Commission (DG CONNECT)	COMMISSION RECOMMENDATION of 8.4.2020 on a common Union toolbox for the use of technology and data to combat and exit from the COVID-19 crisis, in particular concerning mobile applications and the use of anonymised mobility data
April 14, 2020	European Data Protection Board	Letter to Olivier Micol (European Commission, DG JUST) on the draft Guidance on Apps supporting the fight against COVID 19 in relation to data protection
April 15, 2020	eHealth Network	Mobile applications to support contact tracing in the EU’s fight against COVID-19 Common EU Toolbox for Member States
April 15, 2020	Ursula von der Leyen (President of the Commission) Charles Michel (President of the Council)	Joint European Roadmap towards lifting COVID-19 containment measures
April 16, 2020	European Commission (DG JUST)	COMMUNICATION FROM THE COMMISSION Guidance on Apps supporting the fight against COVID 19 pandemic in relation to data protection
April 17, 2020	European Parliament	EU coordinated action to combat the COVID-19 pandemic and its consequences European Parliament resolution of 17 April 2020 on EU coordinated action to combat the COVID-19 pandemic and its consequences (2020/2616(RSP))
April 21, 2020	European Data Protection Board	Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak
April 21, 2020	European Data Protection Board	Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak

Footnotes

¹Set up under article 14 of Directive 2011/24/EU.

²European Parliament, Factsheets on the European Union: Public Health, available at https://www.europarl.europa.eu/factsheets/en/sheet/49/public-health, retrieved on April 27, 2020.

³ EDPB, Guidelines 1/2020 on Processing personal data in the context of connected vehicles and mobility related applications, available at https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/guidelines-12020-processing-personal-data-context_en, retrieved on April 30, 2020.

FPF Submits Comments to NIH on the NIH-Wide Strategic Plan for Fiscal Years 2021-2025

Earlier this month, the Future of Privacy Forum (FPF) submitted comments to the National Institutes of Health (NIH) on the NIH-Wide Strategic Plan covering fiscal years 2021-2025. In the letter, Health Policy Counsel Rachele Hendricks-Sturrup and Artificial Intelligence Policy Counsel Sara Jordan propose the addition of a cross-cutting theme to NIH’s strategic plan as well as opportunities for collaboration between the two organizations.

Overall, FPF prompts the NIH to:

Consider “balancing health data privacy with data access and use” as an additional cross-cutting theme. By adding this additional cross-cutting theme, a balance might be achieved between the NIH’s drive to advance health and preserving the privacy of individuals who offer their data for the development of new medical procedures, products, pharmaceuticals, and devices.
Support research resources and infrastructure with ethical review models. In particular, the NIH should consider adopting or working with FPF to refine our ethical review tools, which could help the NIH identify, consider, and mitigate privacy risks raised by the terms of use and re-use of data held in the NIH repositories; and
Foster a culture of good scientific stewardship around consent to data use. Consent may be an appropriate mechanism for protecting the privacy and data rights of research participants in many cases, but not in all cases, especially given that health data is no longer exclusively generated or processed by health care providers and insurers.

Read the Full Letter

FPF and Privacy Analytics Identify “A Practical Path Toward Genetic Privacy”

Paper highlights de-identification standards, re-identification research, and emerging technical, contractual, and policy protections that can safeguard genetic data while supporting research.

Genomic data is arguably the most personal of all personally identifiable information (“PII”). Techniques to de-identify genomic data to limit privacy and security risks to individuals–while that data is used for research and statistical purposes–are at the center of discussions among stakeholders engaged in genetic research.

The Future of Privacy Forum (FPF) and Privacy Analytics have partnered to publish “A Practical Path Toward Genetic Privacy in the United States.” The white paper is intended to highlight the personal nature of genetic data, describe existing regulatory requirements, and discuss emerging developments regarding the de-identification & re-identification of genetic data while highlighting consensus practices organizations are taking to safeguard genomic information.

“Genetics has become increasingly valuable to cutting-edge medical research, with implications from public health to rare disease diagnostics,” said Katelyn Ringrose, FPF Policy Fellow. “Observing this evolution, FPF and Privacy Analytics collaborated to create a practical path forward; one which will protect the privacy of those individuals who contribute their genomes to fuel such incredible discoveries.”

The white paper explores and drives discussion around two prominent examples of privacy engineering solutions applicable to genetic privacy: differential privacy and secure (multi-party) computation. Although technical solutions like these show promise in protecting genetic data, companies should also follow emerging privacy and security-centric norms that are evolving in the space, including the use of:

Access Controls – Depending on the nature of the data and its identifiability, access controls can limit access to certain individuals and institutions.
Contractual Controls – Researchers and institutions can be required to enter into a data use agreement prior to being able to access data, in order to ensure that that data is accessed only for legitimate purposes and that identifiability remains low.
Security Protocols – Organizations sharing genetic data can create specific security protocols dictating how researchers utilize data in open access or controlled-access data repositories.

FPF hopes that this white paper will help guide stakeholders in the genetics arena, including those stakeholders providing and utilizing genetic data to identify health risks, learning more about rare diseases, and creating new treatments and precise diagnostics. We look forward to continuing to support cutting-edge research, while aiming to mitigate the risks associated with the use of genetic data.

The Future of Privacy Forum works on issues regarding de-identification, ethics, and health data.

Read the White Paper

For additional information about this publication or the Future of Privacy Forum’s health working group, please contact Rachele Hendricks Sturrup ([email protected]) and Katelyn Ringrose ([email protected]).

Privacy & Pandemics Virtual Workshop: The Role of Mobile Apps

The Future of Privacy Forum and the Israel Tech Policy Institute recently convened a briefing with experts from government, academia, and leading companies about the use of mobile apps related to the COVID-19 public health crisis, and how data protection and ethics can be managed when sensitive health and location data are collected. The briefing featured privacy experts from around the world, including:

Sarit Deshe, Head of Nationwide Information Projects Department, Ministry of Health Israel
Talia Agmon, Deputy Chief Legal Counsel, Ministry of Health Israel
Professor Michael Birnhack, Associate Dean for Research, The Buchmann Faculty of Law, Tel Aviv University
Hyunik Kim, Deputy Director, Planning & Management Division, and Head, International Cooperation for Personal Information Protection Commission (PIPC), Republic of Korea
Riddhiman Das, Co-Founder & CEO, TripleBlind (U.S.)
Steve Penrod, Vice President of Product Development, TripleBlind (U.S.)
Bart Preneel, leads COSIC (Computer Security and Industrial Cryptography group) in the Department of Electrical Engineering at KU Leuven, Belgium
Leaders from the Future of Privacy Forum and the Israel Tech Policy Institute, including FPF CEO Jules Polonetsky, Managing Director of the Israel Tech Policy Institute Limor Shmerling Magazanik, FPF Director of Technology and Privacy Research Christy Harris, Policy Counsel Polly Sanderson, and FPF Managing Director for Europe Rob van Eijk.

Participants discussed the privacy implications and utility of storing data locally versus centrally; strategies for improving the accuracy of data; promotion of apps to ensure sufficient scale; and how to assess the usefulness of certain data types (such as Bluetooth data) for public health purposes. Insights from the discussion will inform FPF’s ongoing work with stakeholders to identify best practices and policy recommendations for decision–makers.

To complement the virtual workshop, FPF released a detailed comparison of specific objectives and methods employed by “contact tracing” apps and software development kits (SDKs) that have been developed in various countries and regions to help public and private entities mitigate the COVID-19 pandemic. Stakeholders interested in how leading apps are collecting and using data in response to the COVID-19 pandemic and policymakers considering the use of one of these apps will want to take a look at the chart.

Through a series of original Privacy & Pandemics publications and resources, FPF is exploring the challenges the COVID-19 pandemic poses to existing ethical, privacy, and data protection frameworks. This series is intended to help governments, researchers, companies, and other organizations navigate essential privacy questions regarding the collection and use of data in response to a global pandemic.

FPF Provides Senate Testimony on Strategies to Mitigate Privacy Risks of Using Data to Combat COVID-19

Future of Privacy Forum (FPF) Senior Counsel Stacey Gray today provided the Senate Committee on Commerce, Science, and Transportation with written testimony, including recommendations based on how experts in the U.S. and around the world are currently mitigating the risks of using data to combat the COVID-19 pandemic.

“The collection and use of data, including personal data, to respond to a public health crisis like a pandemic can be compatible with privacy and data protection principles,” said Gray. “In many cases, commercial data can be shared in a way that does not reveal any information about identified or identifiable individuals.”

Gray offered recommendations, based on recent FPF workshops with global experts, to mitigate the risks of processing location data and other consumer data for public health initiatives, including:

Follow the lead of public health experts. Rather than leading the way with data that is already available, technology companies should play a supporting role to epidemiologists, established research partners, and public health experts and rely on their expertise in determining what data is useful to achieving specific, clear public health goals.
Ensure transparency and lawfulness. In order to ensure public trust, including in the use of voluntary pandemic apps, companies should be as transparent as possible about data shared with government or public health officials.
Apply privacy enhancing technologies (PETs). Companies should take advantage of advances made by privacy engineers in recent years, and apply privacy enhancing technologies (PETs), such as differential privacy, in accordance with principles of data minimization and privacy by design.
Employ privacy risk assessments. Companies should use well-established privacy and data protection impact assessment frameworks to help identify risks and find ways to mitigate or eliminate them.
Follow core purpose limitation principles. Any personal data collection and use enlisted to fight the pandemic should be limited in time and limited to a specific, well-defined purpose identified in advance, with clear limitations on secondary uses.

Gray also explored the commercial sources and relative risks and benefits of precise location data generated by consumer devices, and highlighted the needs for baseline federal consumer privacy legislation. In addition to providing legal protections for individuals, a federal privacy law would also provide much-needed legal clarity for US companies to be able to respond quickly and understand what kind of data they may or may not share legally and ethically to support emergency public health initiatives.

Gray provided testimony to a full Commerce, Science, and Transportation Committee paper hearing, “Enlisting Big Data in the Fight Against Coronavirus.” Witness testimony was published by the committee on Thursday, April 9, 2020, at 10:00 a.m. Questions from committee members will be posted by the end of the day, and witnesses will have 96 business hours to respond.

FPF is exploring the challenges posed by the COVID-19 pandemic to existing ethical, privacy, and data protection frameworks through a series of original Privacy and Pandemics publications, workshops, and resources, accessible on the FPF website. The series is intended to help governments, researchers, companies, and other organizations navigate essential privacy questions regarding the response to the coronavirus pandemic. Resources include a chart that compares the specific objectives and methods of apps and software development kits (SDKs) that have been deployed to help public and private entities tackle the COVID-19 pandemic, and lessons learned from a workshop on corporate data-sharing for COVID-19 research.

CONTACT

Jackson Lingane

[email protected]

650-465-5387

ICYMI: FPF Experts Raise Concerns about Protecting Student Privacy During Rapid Switch to Online Learning

Experts from the Future of Privacy Forum, the nation’s leading think tank focused on advancing responsible consumer privacy practices, have spoken out in numerous articles and publications to raise awareness about privacy concerns stemming from the rapid adoption of general-use technologies to support online learning at K-12 and higher education institutions nationwide.

As FPF’s Director of Education Privacy Amelia Vance told Ed Tech Magazine, there are numerous questions schools should consider before adopting new technologies, especially technologies that were not developed for education use. Watch a recent FPF webinar exploring these and other COVID-related student privacy questions.

Vance said, “You obviously have all of the privacy concerns that carry over from the use of ed tech generally… Is this company using data in an inappropriate way? Is this a privacy-protected product? Does the school have a data governance policy? When is information going to be deleted? Who has access to that information? Do people just have what information they need to do their job and no more? Because every additional person who has access to information can increase the risk that that information is shared and inappropriately or breached.”

As more schools and teachers move to quickly adapt existing general use apps and software for the virtual classroom, Vance warned in EdSurge, “We are likely to see more uncontrolled and unregulated use of technology by educators and others who suddenly have to move things online without clear guidance from the institution.”

In an interview with the Washington Post, Vance stated, “There is a very complex legal landscape around student privacy, and products made for consumers generally—for offices, for adults—are unlikely to comply with those laws.” She added to EdSurge that those products generally have not been set-up in a private-protective way, noting that “many companies are set up to allow ease of access and broad information collection as default settings instead of thinking more completely about preventing harms or protecting privacy.”

FPF CEO Jules Polonetsky spoke to the New York Times about the expanded use of Zoom in the virtual classroom. From the article: “some of [Zoom’s] standard terms are not consistent with the Family Educational Rights and Privacy Act, or FERPA, ‘in addition to many of the 130+ state student privacy laws passed since 2014,’ [Polonetsky] added.”

Vance echoed Polonetsky’s concerns about Zoom in interviews with EdSurge and NPR, flagging the privacy and legal implications of the tool: “A standard Zoom account is ‘not at all’ compliant with FERPA, COPPA or state student privacy laws” according to Vance.

She recommended that “schools stick with platforms designed for education” and noted to NPR that this problem is not unique to Zoom, saying’ “‘I don’t know that Zoom is any worse, and it may in many ways be better than a lot of the platforms out there, especially when it comes to security, accessibility and certainly when it comes to ease of use.’ But, she says, Zoom could have anticipated these privacy issues. “‘And now Zoom has the very difficult task of attempting to regain trust.’”

Vance also spoke with Inside Higher Ed about the potential for online learning to result in increased monitoring of students due to accountability reporting requirements. “Moving classes online will also raise questions about the extent to which school-issued devices with surveillance software pre-installed will monitor student activity at home, since officials are still supposed to ensure that students are receiving an education at home. Vance asks: “‘How comfortable will we be with schools monitoring students and what they do at home, now that home is going to be school?’”

The Future of Privacy Forum has released several resources to provide guidance to K-12 and higher education institutions about appropriately adhering to privacy laws while disclosing student health information with AASA, The School Superintendents Association; incorporating social media platforms into online learning; and a guest blog with tips to prevent cybersecurity attacks during the COVID-19 pandemic. Click here to access these materials.

Last Friday, FPF hosted a webinar with California IT in Education (CITE) and education law firm Fagen Friedman & Fulfrost (F3) entitled “Classrooms in the Cloud: Student Privacy & Safety During the COVID-19 Pandemic” that examined the tough privacy questions facing K-12 schools and higher education institutions during the rapid transition to online learning platforms. View the archived webinar here.

To learn more about the Future of Privacy Forum’s student privacy work, visit studentprivacycompass.org.

About FPF

The Future of Privacy Forum (FPF) is a Washington, DC-based think tank that seeks to advance responsible data practices. The forum is led by Internet privacy experts and includes an advisory board comprised of leading figures from industry, academia, law, and advocacy groups. For more information, visit www.fpf.org.

Contact

[email protected]

Why Data Protection Law Is Uniquely Equipped to Let Us Fight a Pandemic with Personal Data

Data protection law is different than “privacy”. We, data protection lawyers, have been complacent recently and have failed to clarify this loud and clear for the general public. Perhaps happy to finally see this field of law taking the front stage of public debate through the GDPR, we have not stopped anyone from saying that the GDPR is a privacy law.

The truth is, the GDPR is a “data protection” law (it stands for the General “Data Protection” Regulation). And this makes a world of difference these days, when governments, individuals, companies, public health authorities are looking at the collection of personal data and digital tracking of people as a potential effective way to stop the spread of the COVID-19 pandemic.

The GDPR is the culmination of about half a century of legislative developments in Europe, which saw data protection evolve from a preoccupation of regional laws, to national laws, to EU laws, to a fundamental right in the EU Charter of Fundamental Rights. A fundamental right (Article 8) which is provided for distinctly than the fundamental right to respect for private and family life (Article 7). What a wonderous distinction!

The right to the protection of personal data has been conceived particularly to support societies in facing the reality of massive automation of systems fed with data about individuals. At the very beginning, the introduction of computerized databases in public administration pushed for the necessity of adopting detailed safeguards that would ensure the rights of individuals are not breached by the collection and use of their data.

In the following decades, waves of development added layers to those safeguards and shaped data protection law as we know it today, layers such as the need for a justification to collect and use personal data; fair information principles like purpose limitation and data minimization; transparency and fairness; control of data subjects over their own data through specific rights like access, correction and deletion; the need of having a dedicated, independent supervisory authority to explain and enforce data protection law; accountability of whomever is responsible for the collection and use of personal data.

The right to data protection is procedural in nature. It does have a flavor of substantial protection, which will certainly grow in importance and will likely be developed in the age of AI and Machine Learning – in particular I am thinking of fairness, but at its core the right to data protection remains procedural. Data protection sets up specific measures or safeguards that must be implemented to reach its goal, in relation to personal data being collected and used.

Importantly, the goal of data protection is to ensure that information relating to individuals are collected and used in such a way that all their other fundamental rights are protected. This includes freedom of speech, the right to private life/privacy, the right to life, the right to security, the right to non-discrimination and so on. Even though I have not seen this spelled out anywhere, I believe it has also been developed to support the rule of law.

This is why data protection is uniquely equipped to let us fight the pandemic using personal data. It has literally been conceived and developed to allow the use of personal data by automated systems in a way that guarantees the rule of law and the respect of all fundamental rights. This might be the golden hour for data protection.

That is, if its imperatives are being applied to any technological or digital responses to the COVID-19 pandemic relying on personal data:

The dataflow proposed must be clear, including all the categories of data that will be collected and used.
The purpose(s) must be clear, specific, granular, well-defined.
Have a lawful ground for processing in place.
Building any solution that necessitates personal data must be done by taking into account from the outset data protection requirements (data protection by design).
The web of responsibility must be clear (who are the controllers and the processors?).
Personal data must not be shared, or given access to, beyond the defined web of responsibility (for example, through controller-processor agreements).
There must be transparency in an intelligible way for the individuals whose personal data are collected.
The necessity of collecting any of the personal data items must be assessed (can the project do without some of them and achieve the same purpose?).
All personal data must be accurate.
Ensure that individuals have a way to obtain access to their own data and to ask for correction, erasure if it is justified (as well as for the other rights they have).
Ensure the security of data.
The personal data collected must be retained only for as long as it is necessary to achieve the purpose (afterwards, it must be deleted; anonymization may be accepted as an alternative to deletion, but there is an ongoing debate about this).
Data Protection Impact Assessments (even if loose) should be conducted and then engaging with supervisory authorities to discuss the risks identified which cannot be mitigated could be helpful (and may even be obligatory under certain circumstances).

Therefore, all the data-based solutions proposed to diminish the effects of the COVID-19 pandemic are not being proposed and accepted in Europe in spite of the GDPR, as media has been portraying it. It is almost as if data protection has been developing in the past half a century to give us the right instruments to be able to face this challenge and preserve our freedoms and our democracies. I hope we will be smart enough to properly use them.

This piece was originally published on pdpEcho.

FPF Charts the Role of Mobile Apps in Pandemic Response

Multiple apps and software development kits (SDK) have been deployed to help both private and public entities tackle the COVID-19 pandemic. In order to better understand these technologies, the Future of Privacy Forum has created a comparison chart to contrast the objectives and methods of specific apps and SDKs.

The chart compares relevant privacy and data protection issues – such as data collection, retention, purpose, and sharing – as well as what privacy and data security safeguards are employed. The key question is the extent to which each technology appropriately and ethically balances public health and safety with privacy risks and other interferences with civil liberties throughout the crisis and in the future.

If you’re interested in data collection and use in response to the COVID-19 pandemic – or a decision-maker considering the use of one of these apps – you’ll want to take a look at the chart.