Greetings from Brussels!
In these difficult and unprecedented times, I have been keeping an eye on the EU’s response to the COVID-19 pandemic. Notably, European member states have been responding at different speeds to the emerging crisis with an array of measures specific to their national conditions. (The IAPP has compiled guidance from data protection authorities here.)
On Tuesday, and as part of the commission's response to the coronavirus, Internal Market Commissioner Thierry Breton held a videoconference with CEOs of European telecommunication companies and the GSMA on how to join forces to combat COVID-19. The key areas under discussion were network resilience and security, as well as the sharing of anonymized metadata for modeling and predicting the propagation of the virus. Importantly, data collection and its processing were on the discussion agenda with respect to "full" compliance with the GDPR and the ePrivacy Directive.
It was February when the European Commission unveiled its new EU data strategy, and core to that vision was a broader open data policy across member states. The current virus pandemic only accentuates the value for good that could be derived from utilizing available tech in a meaningful way. Yvo Volman, head of DG Connect’s Data Policy and Innovation Unit at the European Commission, recently said, “the current crisis shows the enormous potential of data, and the impact of data analytics on decision making has been huge.” On sharing health care data, Volman went further, suggesting it was problematic to "pitch privacy against data use" under the extraordinary circumstances we are faced with, stating, "this is about a conscious and proactive way of dealing with data."
The EDPS this week also responded to DG Connect on the monitoring of the spread of COVID-19. In a communication addressed to Robert Viola, director-general of DG Connect, European Data Protection Supervisor Wojciech Wiewiórowski outlined a number of key considerations. First, the EDPS underlines that data protection rules currently in force in Europe are flexible enough to allow for various measures in the fight against pandemics. The EDPS also acknowledges and supports the call for an urgent and coordinated effort at the European level.
The communication goes on to discuss key elements. On data anonymization, the EDPS points out that effective anonymization requires more than the simple removal of obvious identifiers, such as phone numbers and IMEI numbers. Moreover, the European Commission should clearly define the datasets sought for any eventual sharing with or between member states to ensure transparency with the public. It also refers to a Health Security Committee platform that appears to be the vehicle through which the member states would share information.
With respect to data security and access, existing information security and confidentiality provisions would still be in force for any commission staff processing datasets and information (received from operators). Furthermore, were the commission to rely on third parties to process information, those parties would be bound to the same obligations and prohibited from further use, as well. Adequate data transfer measures and controlled access are also stressed. Lastly, data retention is emphasized. Any data obtained from technology operators would need to be deleted once the current emergency has ended. The nature of such services is deemed to be exceptional and temporary in response to the specifics of the pandemic.
It remains to be seen how the proposed efforts to coordinate data sharing between member states will materialize. This may truly be an important test for the EU — and its EU data strategy — to demonstrate its influence on the current crisis and leverage the member states to act in unison, at least in part. The European citizen will be watching and expecting results.