Governments are increasingly seeking to leverage consumer geolocation data collected by industry as a tool to assist with fighting the spread of COVID-19. Location data can be of significant value to public health models trying to understand the efficacy of self-quarantine orders, what areas could be exposed to heightened risk, and how the virus has propagated.
Of course, using, sharing, or making location data available raises significant privacy issues and concerns of potential government overreach. Different nations have responded by taking different approaches. This blog post briefly summarizes the state of how the United States and other leading nations are approaching leveraging location data to fight COVID-19. Given the urgency of this matter, privacy-protective jurisdictions such as Germany, Belgium, Italy and the United Kingdom have already found methods – some of which have already been approved by privacy regulators – for leveraging mobile location data in the fight against COVID.
1. United States
In the U.S., the federal government has reached out to technology companies to discuss how mobile phone location data can be used to combat COVID-19. Reports indicated that the government is not attempting to build a database of Americans’ movements, but instead seeking to leverage only aggregated, anonymized data for COVID-19 analytics. Around the same time, an open letter of scientists, technologists and epidemiologists was published in support of leveraging mobile data against COVID-19.
- The prospect of making location data available to government has met resistance from Congressional Democrats, however. For example, Senator Ed Markey published a letter to the CTO of the Office of Science & Technology Policy encouraging the government to “balance privacy with any data-driven solutions to the current public health crisis.” Sen. Markey’s letter also contained several questions on how location data would be used, and what protections would be in place for its use. No technology company has publicly stated as of yet that it has made location data (or insights based on such data) available to the federal government in connection with these ongoing discussions.
- In parallel, technology companies are reported to be in discussions with state and local agencies. For example, Clearview AI is reported to be in discussion with state agencies about how its technology can be used to conduct “contact tracing,” i.e. to determine who has been in contact with COVID-diagnosed individuals to help mitigate the resulting public-health risks. Some technology companies have also launched COVID-19 resource centers, such as Facebook’s “Coronavirus Information Center” at the top of users’ newsfeeds, and Google’s “Covid19” resources page.
2. Rest of World
Outside of the United States, a number of countries have begun to leverage mobile phone location information in their fight against COVID-19. In many of these countries, collaboration is occurring directly between telecommunications providers and government agencies.
The approaches vary from anonymized, aggregated data sets used to model disease transmission to individual-level tracking to determine if individuals are violating social-distancing rules or have come into contact with COVID-positive individuals. Below is a brief summary of how countries are leveraging location data as of the time of this post:
1. In Belgium, three of the country’s largest telecoms (Proximus, Orange, and Telenet) have agreed to share telecommunications data with the federal government to help analyze the propagation of COVID-19. Belgium’s Data Protection Authority (DPA) reviewed a data protection impact assessment conducted for the envisaged sharing, and issued its approval. Approval was apparently based in part on the fact that all data shared by the telecoms will be anonymized and used for pandemic response. The data will be used by a cross-agency task force to generate insights on COVID-19.
2. In Germany, Deutsche Telekom has shared mobile geolocation information with the Robert Koch Institute, Germany’s CDC-like federal public health institution. This data will be used to model movement to develop solutions for understanding and combatting the spread of COVID-19. Germany’s Federal Data Protection Authority (DPA) was originally strongly against this sharing, calling it “more than problematic.” But last week, the Federal DPA permitted the sharing. It appears Deutsche Telekom was able to work out an arrangement with the DPA, under which the DPA was satisfied that the data sets Deutsche Telekom were sufficiently anonymized. This is a potentially important development for telecoms. German privacy regulators are known for stringency and rigor (for example, the same Federal DPA that permitted Deutsche Telekom to share location data recently fined another German telecom €10 million for call center procedures the DPA alleged placed customer data at risk, even though it appeared there had been only a single case where the procedures resulted in an incident.) The Federal DPA’s approval may thus possibly provide a model for permissible anonymized privacy-protective sharing of subscriber location data in connection with corona prevention.
3. In Israel, Benjamin Netanyahu’s government has authorized the Shin Bet (Israel’s internal security service) to use identifiable cellphone location data from customers in Israel and the West Bank to help combat the coronavirus. Tracking is performed at an individual level to determine whether individuals have come into contact with COVID-positive individuals. If this occurs, Israel’s Health Ministry can send text messages alerting the individuals that they have been in proximity to a COVID-positive individual, and ordering them to quarantine. According to reports, Shin Bet may use location data without a prior court order, but must delete any personal data within 30 days.
4. In Italy, the Italian Civil Protection Department adopted Civil Protection Ordinance No. 630 on February 3, 2020 to combat the spread of COVID-19. This ordinance gives civil protection personnel the power to process personal data related to the COVID-19 crisis. The ordinance lifts restrictions on, among other things, sharing of personal data necessary for the performance of the civil protection function. Recently, Vodafone indicated it had used anonymized mobile phone data to generate movement heat maps for Italy’s Lombardy region. Further reports indicate that Google has also produced a heat map for Lombardy.
5. In France, the Agence Nationale de Santé Publique and the Agences Regionale de Santé (ARS) issued a joint notice on February 28, 2020 specifically regarding the processing of personal data throughout the investigation of COVID-19. The notice permits the transmission of data to “any partner involved in the control, prevention and evaluation of the epidemic, in particular the General Directorate of Health.” The notice does not specifically call out the use of location data, but does permit the sharing of data that could be used to conduct “contact tracing” of individuals who have come into contact with confirmed COVID cases – one of the use cases for mobile data currently pursued by other countries outlined below. The ARS notice also emphasizes the need to only transmit such data under conditions that preserve confidentiality and security and to avoid indefinite data sharing.
6. Iran, China, and Russia have also used significant amounts of location data and facial recognition tracking to fight the spread of the virus. Iran released an app that supposedly allows users to diagnose coronavirus infections; however, the app also collects real time location and other phone data. China has reportedly used telecommunications companies to track and contact people who had traveled through Hubei province during the early days of the virus; location data was provided to China’s National Health Commission and other agencies, allowing them to re-create the steps of virus carriers and people that they may have encountered and issue warnings via social media. Russia is supposedly using location tracking and facial recognition technology to prevent quarantined individuals from having contact with the public.
7. South Korea already had laws in force allowing the government to collect mobile phone data from those who test positive during a health crisis. These laws have been leveraged to collect information used to reconstruct a victim’s recent whereabouts, and then those locations are shared on social media apps that allow others to determine whether they may have crossed paths with a person infected with the coronavirus.
8. In Taiwan, the government has erected an “electric fence” that uses mobile location tracking to monitor the movements of individuals under quarantine orders. The system reportedly tracks location at the individual level to alert police if a quarantined individual leaves their home or turns off their phone, and is thus creating a risk of spreading the infection further.
9. In the United Kingdom, mobile carrier O2 recently confirmed it is providing aggregated mobile location data to the UK government to help the government observe trends in public movement, such as tracking whether citizens are following recently-issued social distancing rules. Initial reports indicated that to comply with data-protection law, the UK government is only asking O2 (and not additional carriers) for data, to avoid the potential reidentification risks that could arise from combining multiple datasets. However, later reports have claimed that the UK government is also in discussions with mobile carrier EE to obtain more mobile location and usage data. The UK’s privacy regulator has not yet publicly weighed in on location data sharing, but has generally stated that it is “a reasonable and pragmatic regulator” that “does not operate in isolation from matters of serious public concern” – and will “take into account the compelling public interest in the current health emergency.”
10. More generally at the European Union level, the European Data Protection Board (EDPB) has stated that “telecom data, such as location data” can used by telecom operators “when made anonymous,” which would appear to support the Belgian, German, and Italian approaches outlined above. The EDPB also suggests that location data could be used in identified or identifiable form pursuant to exceptional “legislative measures designed to safeguard public security” introduced by European member states, provided that the measures are “necessary, appropriate and proportionate.”
3. New Development: Governmental COVID Mobile Apps
Many national, state, and local governments have begun to develop mobile apps that help governments address various aspects of COVID-19.
- The Region of Catalonia was one of the first governments to offer a COVID-19 app, named “Stop Covid-19 Cat,” which helped track symptoms of Catalan residents who were potentially suffering from COVID-19.
- Now, COVID apps are proliferating, with Singapore a leading example of these recent governmental COVID app publishers. (Singapore’s app exchanges Bluetooth signals with other mobile phones in proximity, thus enabling contact tracing.)
This may be an opportunity for telecommunications and technology companies to work towards a uniform privacy-protective protocol that could be used in response to government requests for mobile phone data.