Since so many persons hold a smart mobile phone nowadays, the idea to use the mobile technology in the fight against COVID-19 came almost naturally. The national authorities consulted with telecommunications operators and major technology platforms and they received important geolocation data of the users in order to assess the impact of the imposed social distancing measures and the need for further actions.
Google made public the information it has provided to the national authorities in 131 countries. The geolocation data was provided in anonymized form and it showed a considerable decrease in the moving of the people in February – March 2020 to recreation locations, transport stations, workplaces, grocery stores and even pharmacies. You can consult your Google Mobility country report here.
The telecom operators from Italy, Germany and Austria shared geolocation data of their users with the national health authorities, to check if people respect the obligation to stay at home . The data was provided also in anonymized and aggregated form, mapping concentrations and not individuals.
However, the public concern focuses on the possibility that the national authorities to use the geolocation data from telecom providers or from technology platforms in order to directly track the coronavirus infected persons and their contacts. The rights to private life and protection of personal data might be at risk.
South Korean government created and made available to the public a map of potentially exposed locations to coronavirus. The map is generated using geolocation data provided by telecom and credit card companies. If a person is confirmed as being infected, the map is showing the locations that the person visited before tested positive.
In other countries, the information extracted from geolocation data is available only to the authorities.
Israel has authorized the internal security agency (Shin Bet) to use the data from the telecom operators to track the movements of the confirmed infected persons and to determine which persons to put under quarantine .
Taiwan’s government is using an application to determine if the quarantined persons are staying at home. If they move from home or turn off the phone, the police visits them in a short while to check the situation .
Iran’s government has asked the citizens to download an application called the AC19, which claims to determine the chances that the users have the coronavirus and send back the location data to the officials .
In China, people in the cities are obliged to sign up through a popular wallet application, Alipay, hold by Ant Financial (partially owned by Alibaba) and they must receive the Alipay Health Code before being allowed to transport stations, to their work place, malls and other public spaces . The Alipay color Code may be green, yellow or red, indicating the user health status and contagion risk, with only greens allowed to public spaces. In the sign-up form, people are reporting on their symptoms, their contact with infected persons and their visits to virus hot zones. The application is noticeably processing also other information from officials’ own sources about coronavirus cases and bookings to trains, buses and planes. Although it was not obvious from the beginning, the system is directly reporting also to the police, making it a mass surveillance tool. The Health Code is supposed to be implemented nationwide.
Of course, these are extreme measures, taken just in few countries, but enough to raise the public concern globally. It is a matter of fact that in most of the countries worldwide there is a proliferation of the mobile phone applications dedicated to COVID-19 pandemic, either self-diagnoses/ symptom checker applications, or warning and tracing applications.
Did you check your app store to see how many applications are available these days?
Even the European Commission recognized that “warning and tracing applications can play an important role in contact tracing, limiting the propagation of disease and interrupting transmission chains” . After noticing individual initiatives of several EU Member States to develop such applications (either in the public or private sector), the European Commission issued on 8 April 2020 a Recommendation for developing a common European approach on the use of digital means in the fight against COVID-19, referred to as a Toolbox. The Commission wants to ensure that the use of digital means is in full compliance with the European Law, especially with the GDPR (Regulation EU 2016/679 on the protection of natural persons with regard to the processing of personal data) and the ePrivacy Directive (Directive 2002/58/EC on processing of personal data and protection of privacy in the electronic communications sector).
The European Commission stated that it would explore even the possibility of a pan-European application.
Location and health condition are personal data that fall under the GDPR, probably the most strict data protection norms across the globe. The European Commission underlined that the GDPR contains exceptions  and thus personal data can be processed without the consent of the individuals when processing is in the public interest including for monitoring epidemics and their spread (see articles 6.1.d. and 9.2.i. of the GDPR and Recital 46). Even the data protection activists agreed with the assessment that COVID-19 situation is a cross-border threat to health, which allows the processing of personal data like location and health condition .
The good part is that, if processing of these data will happen, the European citizens are still protected by the GDPR, as the processing has to respect the principles of transparency, purpose limitation, accuracy, data minimization, storage limitation, integrity and confidentiality. For instance, the processing of these data will be strictly limited to the purpose of combating the COVID-19 epidemic (which has to be defined even more specifically) and not for other purposes such as law enforcement. Also, the European Union and the Member States have to take measures to ensure that the processing is effectively terminated when the pandemic is declared to be under control.
We look forward to see in the next months what kind of pan-European application will be proposed. The European Commission recommended “the least intrusive measures, including the use of proximity data and the avoidance of processing data on location or movements of individuals, and the use of anonymized and aggregated data where possible”.
In any case, according to the transparency principle of GDPR, we shall be explained exactly what data is processed and in what manner and purpose, in an easy to understand, clear and plain language (Recital 39 GDPR). Transparency is crucial for the acceptance of any COVID-19 application by the public.
The European Commission developed the Toolbox in collaboration with the European Center for Disease Control and with the Member States represented in the eHealth network. A first version of the Toolbox was released on 16 April 2020 and refers to a common European approach on the use of mobile applications for warning, preventing and contact tracing. A common European scheme for using anonymized and aggregated data on mobility of the population is still under development.