Commission touts importance of ‘data for common good’ amid COVID-19 privacy concerns

As part of its broader open data policy, the European Commission is to task EU member states with establishing structures that facilitate the use of data for the ‘common good.’ And the executive is hoping that the Coronavirus crisis can be leveraged to demonstrate the power of data analytics.

However, concerns have been raised by privacy activists about the use of temporary ‘symptom tracker’ applications used in the fight against the outbreak, as well as the Commission’s recent announcement to implore EU telecommunications firms to hand over data streams as a means to track the spread of the virus.

Speaking to EURACTIV at the European Cybersecurity Forum, CYBERSEC, on Tuesday (24 March), Yvo Volman, Head of DG Connect’s Data Policy and Innovation Unit, said that “the current crisis shows the enormous potential of data, and the impact of data analytics on decision making has been huge.”

Volman added that at the EU level as part of the bloc’s open data policy, the Commission wants to ensure that relevant sector data is being made available for everyone “in the most easily findable” way.

“Data is making a massive difference in the crisis,” he said, adding that there will be “calls to speed up” the European Strategy for Data, but that the Commission wants to ensure a proportionate roll out of the measures included in the plan announced in February.

Privacy Vs Data Use

The strategy includes measures to create nine common EU data spaces across sectors including healthcare, agriculture and energy, as well as the establishment of a Data Act in 2021 that could “foster business-to-government data sharing for the public interest.”

Commission President Ursula von der Leyen said in February that the plan seeks to exploit the “untapped potential” of vast troves of industrial data, allowing public and private actors “easy access” to huge reserves of information.

On the subject of health data sharing, Volman said that it was not correct to “pitch privacy against data use,” in the current circumstances. “This is about a conscious and proactive way of dealing with data. It’s not one against the other,” he said.

EU Telco data sharing

Meanwhile, on Tuesday, Internal Market Commissioner Thierry Breton held a video conference call with CEOs of European telecommunication companies and GSMA, the association of mobile telecommunications operators.

A statement from the Commission noted that the discussion “covered the need to collect anonymised mobile metadata to help analysing the patterns of diffusion of the coronavirus.” The process would nonetheless need to be “fully compliant” with the EU’s General Data Protection Regulation and the ePrivacy legislation, the statement said.

The request provoked concern from others in the EU institutional cycle, with Renew MEP Sophie in’t Veld penning a letter to Breton, in which the Dutch politician highlighted issues relating to how the EU could ensure that the data received from telecommunications firms remains anonymised, as well as the general usefulness of “aggregating very large quantities” of location data, when millions of Europeans are under lockdown.

Criticism along these lines has also been raised by those working in the privacy field. Edin Omanovic, Advocacy Director at Privacy International, told EURACTIV that this was the kind of measure he “feared Breton would propose.”

“Location data from telecommunications isn’t accurate, is incredibly difficult to anonymise, and at a time when large parts of Europe are already in total lockdown, it’s hard to see how this would be meaningfully helpful.”

“If the Commission wants to know how the virus is spreading, it could just ask national authorities. It’s difficult to see who at the Commission is trained and capable of processing such a sensitive dataset of millions of people’s locations, and how they will be held accountable,” he added.

Coronavirus apps raise concerns

Elsewhere in the fight against the spread of the coronavirus, the use of symptom tracker applications has also recently caused concern among privacy activists.

Researchers from King’s College London and Guy’s and St Thomas’ hospitals in collaboration with the health data science company ZOE have developed the Covid symptom tracker app, which allows coronavirus patients to submit data about themselves and their condition, as a means to analyse the development and spread of the virus.

The ZOE platform says that it complies with the GDPR, and that data is only shared with “people doing health research,” including those working in the UK’s National Health Service, as well as health charities and research institutions.

However, the company also states that they use third parties to process personal data on their behalf. ZOE state that they “have in place with each processor, a contract that requires them only to process the data on our instructions and to take proper care in using it.” The third party firms with whom the data will be shared include Amazon Web Services and Google.

In addition, the Austrian Red Cross has developed an application called ‘Stop Corona,’ which functions as a ‘contact diary,’ that records personal encounters via the use of a ‘digital handshake.’

“If symptoms of a corona disease then appear in a person, you are automatically notified as a contact and asked to isolate yourself,” a statement from the Austrian Red Cross reads. While the app claims to be ‘anonymous,’ Austrian privacy activist Max Schrems questioned this claim on Wednesday, saying that the data tracking is rather ‘pseudonymous’ because, while no name or specific determining information about the patient is saved, an ID number is issued.

EURACTIV heard from Diego Naranjo, Head of Policy at European Digital Rights, about the potential risks to privacy resulting from the use of such applications.

“New local apps are appearing by the minute and it is not clear if all of them are in line with GDPR and ePrivacy. Therefore, DPAs need to act as the watchdogs and enforce quickly,” he said.

“Necessity, proportionality, purpose limitation (only for public health reasons) and storage limitation are key principles when thinking of technological solutions involving the use of personal data.”

“Any personal data collected should be disclosed directly only to health authorities, and not under any circumstances shared with other authorities (law enforcement, intelligence services, immigration authorities),” added Naranjo.

On the subject of citizens submitting their own data for medical research, DG Connect’s Volman was hopeful that member states would be able to establish a more coherent framework for what he referred to as ‘data donations’ in the future.

“If I want to give my body for science, I know how to do that,” he said. “But if I want to give my health data to combat COVID-19, for example, I don’t know how to do this. There aren’t the structures in place,” he told EURACTIV, adding that citizens should be informed on how they can use the data they generate for the public good.

Edited by Benjamin Fox
