On March 25, 2020, the European Data Protection Supervisor (“EDPS”) sent a letter to the Directorate-General for Communications Networks, Content and Technology (“DG CONNECT”) addressing the various initiatives involving telecommunications providers at the Member State level to monitor the spread of the COVID-19 outbreak using location data.

In the letter, the EDPS states that the data protection rules currently in force in the EU are flexible enough to allow for the implementation of measures to fight against pandemics like the COVID-19 crisis. The EDPS stresses the importance of adopting a coordinated approach to handle this crisis and the urgent need for action at the European level.

The EDPS also outlines some factors to be taken into account when working on initiatives that will make use of location data to track the spread of the virus:

  • Data Anonymization: With respect to using anonymous data to track individuals’ location data, the EDPS reminds those monitoring the spread of COVID-19 that effective anonymization requires more than simply removing personal identifiers (such as phone numbers).
  • Data Security and Data Access: According to the EDPS, even to the extent the data obtained would be anonymous and therefore fall outside the scope of the EU General Data Protection Regulation, certain security and confidentiality requirements still apply. In addition, to the extent third parties are relied on to process the information, those security and confidentiality requirements would also apply to them.
  • Data Retention: The EDPS urges that the data obtained from telecommunication providers would be deleted as soon as the COVID-19 crisis ends and further stresses that these measures should only be extraordinary and temporary.
  • Transparency: The EDPS emphasizes the importance of clearly defining the types of data the EU Commission wants to obtain and providing appropriate information to the public to ensure transparency, in particular, the purposes and procedure of the measures to be implemented.