EU member states loosen privacy rules for location data to contain COVID-19

In addition to the human health drama that COVID-19 causes worldwide, another victim presents itself: privacy. Privacy advocates fear that surveillance methods will be stretched further. Asia is at the forefront of monitoring individual location data, but governments of EU member states are also increasingly using location data from smartphones.

Technology and data are crucial in research into COVID-19 and the spread of the coronavirus. How we can process data and convert them into valuable information depends on the political system and on local laws and regulations. Most countries deploy temporary data harvesting, but the future has yet to show ‘how temporary’ this will be. Indeed, temporary surveillance laws in Israel and in the United States (Patriot Act, 2001) have proven that ‘temporary’ is a fairly flexible concept. Now the European Commission wants telecom providers in large EU member states to provide metadata on their users so that mobility patterns can be analyzed.

Masts versus Apps

Telecom data give a good indication of where someone is, or how groups move. Radio masts have a limited range, in cities often only a few hundred meters, so these data make it possible to keep an eye on whether people really stay near their homes. In addition to telecom networks, app developers also make use of location data. App data are much more accurate than data coming from cell towers, because apps leverage multiple data sources. Most apps supplement the phone’s GPS data with external sources, such as cell towers and nearby Wi-Fi networks. This way, they can ‘see’ whether someone is at home. Moreover, when someone connects to a trusted wireless network, one can be sure that the location is either the workplace or the home address. Phones also ‘know’ where they are based on nearby Bluetooth devices.

GDPR and the ePrivacy Directive

In Europe, strict requirements apply to the processing of health data and location data. Organizations can process health data under the General Data Protection Regulation (GDPR) without the consent of the data subjects, but only if this is necessary for reasons of public interest in the field of public health and when required by specific laws and regulations. In addition to the GDPR, the ePrivacy Directive applies to the use of location data of mobile phones. In the context of the coronavirus outbreak, the European Data Protection Board has recently emphasized the need to anonymize location data or obtain prior authorization. As a result, EU member states’ governments and market parties tend to look for privacy-friendly alternatives. Good examples of this are apps that work on the basis of permission, or apps that delete location data immediately after COVID-19 has come to an end.

Commission wants carriers to hand over mobile data

On March 23rd, the European Commission urged some of Europe’s telecom giants, including Deutsche Telekom and Orange, to share anonymized and aggregated mobile phone big data. Across the region this should help predict the spread of the virus. The draft plans would allow the Commission to manage how the data was used, and give EU officials control over so-called metadata on hundreds of millions of people’s mobile phones. That would represent a significant step for Brussels, as it would make the EU executive liable for any hefty fines if the digital information was hacked or misused. To Politico, Breton explained: “We will select one big operator by country. We want to be very fast and follow this on a daily basis.” The Commission insisted the operation would respect the bloc’s GDPR and e-privacy legislation. The European Data Protection Supervisor would also be involved, the EU executive added.



Italy was the first EU member state where the COVID-19 epidemic triggered an ongoing series of restrictions on travel and individual mobility. In this country, ISI Foundation and consumer insights company Cuebiq collaborated to make a first quantitative assessment of the impact of these interventions. They looked at mobility flows, individual mobility and contact patterns. Conclusions were based on the analysis of data from smartphone apps and location-data collection software. The data came from Cuebiq’s Data for Good Program. They measured changes in traffic fluxes between provinces, in the average distance traveled by users and in the spatial proximity of users. The researchers state that their results can be helpful to modelers and policymakers of other EU member states and worldwide. This is especially true now that travel and social restrictions are becoming more common on a global scale. The analysis is updated daily as new data becomes available.

Lombardy region

Italy’s worst affected region, Lombardy, has been using a cell-to-cell displacement analysis system for cell phones to understand how many inhabitants move around its territory. It can do so thanks to the telephone companies, which have made available the traffic data of the repeaters and the index of ‘signals’ that move from one cell to another. This technique does not track individual mobile phones. That is not only because the privacy rules would not allow it: it is a technology that shows how many fewer movements occur compared to a certain period. The distance between one cell and another is 300-500 meters, so someone who goes out into the garden is not registered, and neither is someone who buys bread just below their home (a movement allowed by the government decree).


Austria is already relying on the analysis of cellular data to contain COVID-19. The leading network operator there, A1, passed on anonymized data to the government. Here, too, we are dealing with combined data records which, according to A1, comprise at least twenty people. The nine million inhabitants of EU member state Austria should only leave houses and apartments for good reasons, for example for work or for urgent errands, such as the purchase of food. Police controls should ensure that there are not many people in public spaces. A comparison of current movement data with those from before the exit restrictions is said to have shown that the movement radius of citizens has shrunk by an average of 40 to 50 percent. The measures in Austria are controversial and are strongly criticized by data protection advocates and the opposition in Austria.

The Netherlands

In the Netherlands, the Public Health Act is the basis for data processing in the event of a threat to public health. The coronavirus has been added to this via a new ministerial emergency regulation. As a result, GGD doctors can conduct contact investigations and RIVM can conduct investigations. This does not provide a basis for monitoring based on location data. Aleid Wolfsen of the Dutch Data Protection Authority has taken a clear position: “We must continue to pay close attention to this. The corona crisis should not become an excuse for throwing away privacy completely. The crisis should not become the prelude to a big brother society. It would be a shame if we look back in a year and see that we have undone everything that we have built up in the field of privacy over decades.”

Privacy not an absolute right

Perhaps the right to privacy in this time of crisis is not absolute, suggests tech journalist Peter Olsthoorn in nationwide Dutch daily newspaper De Volkskrant. The privacy law is currently ‘not that important’ and is best ‘put out of operation’, he writes. “Well, that’s too bad for privacy. Or should it be written on the tombstones of corona dead: But she kept her privacy until the end?” Even Bas Filippini, chairman of privacy organization Privacy First, pleaded in a column for ‘temporarily less privacy’ in the service of the general interest. He says, in an explanation to De Volkskrant: “I think many people voluntarily want to temporarily give up their privacy by installing an app that tracks them.”


For weeks there has been a discussion in Germany about whether and how mobile data or user data from smartphones can or should be used to prevent the spread of the coronavirus. German telecom provider Deutsche Telekom wishes to support the national health organization, the Robert Koch Institute (RKI), in containing the coronavirus. For this purpose, the mobile operator has apparently already handed over part of its customer data to the federal authority in an anonymous form, and free of charge. RKI boss Lothar Wieler is working on a mobile tracking solution. The first data delivery consisted of a volume of five gigabytes. More deliveries followed soon after. The data will provide RKI researchers with new insights into the spread and better containment of COVID-19. However, it would not be possible to track individual citizens or infected people, as is done in Asian countries and in Israel.

COVID-19 patients on district-community level

What Telekom calls ‘signaling data’ is in fact information about two things: 1) when a cell phone established a voice or data connection, and 2) which cell phone mast the device used to dial in. The data should enable detailed analysis and models, but only to district-community level. In order for the data of Telekom customers to be analyzed at all, high GDPR requirements apply. For this reason, the smallest level of a data set always includes at least the combined data of thirty users. It is not possible to draw conclusions about a single customer. The process had been developed together with the data protection authorities. Furthermore, it had earlier been assessed as compliant with data protection by the then Federal Data Protection Officer Andrea Voßhoff.
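The minimum-group-size rule described above can be illustrated with a short added example; it is not Telekom's actual process and not code from the original article. The record layout (subscriber identifier, district, hour), the hourly window and all sample values are assumptions made for illustration.

```python
from collections import defaultdict

MIN_GROUP_SIZE = 30  # smallest releasable group, per the thirty-user rule above


def aggregate_signaling(events, k=MIN_GROUP_SIZE):
    """Count distinct subscribers per (district, hour) and suppress small cells.

    events: iterable of (subscriber_id, district, hour) tuples, one per
    voice/data connection (hypothetical layout). Returns (released, suppressed):
    released maps (district, hour) -> subscriber count, suppressed lists the
    withheld cells without their counts.
    """
    groups = defaultdict(set)
    for subscriber_id, district, hour in events:
        # A set counts each subscriber once, however many connections the
        # phone made, so one chatty device cannot push a cell over k.
        groups[(district, hour)].add(subscriber_id)

    released, suppressed = {}, []
    for cell, subscribers in sorted(groups.items()):
        if len(subscribers) >= k:
            released[cell] = len(subscribers)
        else:
            suppressed.append(cell)  # withheld entirely, count not published
    return released, suppressed


def sample_events():
    """Constructed sample data, not real signaling records."""
    events = []
    # District A, 08:00: 42 distinct subscribers, two connections each.
    for n in range(42):
        events += [(f"sub-{n:03d}", "district-A", 8)] * 2
    # District B, 08:00: only 3 subscribers but 40 connections in total.
    for n in range(3):
        events += [(f"sub-{900 + n}", "district-B", 8)] * 13
    events.append(("sub-900", "district-B", 8))
    # District A, 09:00: exactly 30 subscribers, the smallest releasable group.
    events += [(f"sub-{n:03d}", "district-A", 9) for n in range(30)]
    return events


if __name__ == "__main__":
    released, suppressed = aggregate_signaling(sample_events())
    print("released:", released)
    print("suppressed:", suppressed)
```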

The next step: personalized data

RKI boss Lothar Wieler said that the evaluation of personalized cell phone data by the RKI could represent an enormous improvement for the work of the health authorities, despite technical and legal issues. “We think it’s a sensible concept,” he said. At the RKI, a team of 25 people from twelve different institutions is currently working on a solution on a voluntary basis. In the discussion about acquiring cell phone data via apps or directly from the mobile network, experts had favored a solution via app at the beginning of the debate. The Federal Data Protection Commissioner Ulrich Kelber also warned that deeper access to the cell phone data can only be justified with the consent of those affected.

Other European countries

Poland has a different approach, since the government has implemented a home quarantine application. Quarantined citizens can download an app. At irregular intervals it asks them to send a photo taken in their surroundings within twenty minutes. Automatic facial recognition determines whether it is indeed the person in quarantine. Participation in this digital quarantine check is voluntary, but it does replace a control visit by a police officer.

The Slovak government is going a step further. It is preparing a law that will allow the government to use phone location data to check whether corona patients remain in isolation. Prime Minister Igor Matovic said so on Tuesday, news agency Reuters reports. This concerns people infected with the virus and people who have traveled to Slovakia from abroad.

EU member states pushing the boundaries

In the fight against COVID-19, policy makers are pushing the boundaries of privacy legislation, also in EU member states. Necessity breaks law when millions of lives are at stake. So far, most Western countries seem to limit themselves to anonymized data and voluntary apps. It’s unlikely that this data will be completely anonymous, although the European Commission and the EU member states concerned do emphasize that this is aggregated data. Metadata are usually easy to trace back to an individual. Location data can be processed more precisely through an app. In that case, it’s perfectly possible to ask for permission from those involved. In conclusion, the European Commission and the EU member states will have to ensure two things: 1) that the measures are limited in duration and 2) that only data that is really necessary is processed.

corriere.it: Coronavirus cosi lombardia controlla movimenti via cellulare
isi.it: Mobility changes after COVID-19 lockdown-A first scientific assessment of the Italian case
volkskrant.nl: Apps kunnen helpen de Coronacrisis te bezweren-helpt dit privacy om zeep?
solv.nl: Data in de strijd tegen Corona hoe zit het met de privacy?
tagesspiegel.de: Coronakrise; Telekom teilt Handydaten mit RKI
politico.eu: European Commission tells carriers to hand over mobile data in coronavirus fight