Amid the rising number of cases of COVID-19 in Europe, it has been reported that certain telecommunication companies may have agreed to share anonymous mobile phone geolocation data with the European Commission (the "Commission"). According to the report, the Commission will aggregate this geolocation data to coordinate measures to halt the spread of COVID-19 and delete the data once the health crisis is over.

The European Data Protection Supervisor (the "EDPS") has cautioned that while anonymised data fall outside of the scope of the General Data Protection Regulation (the "GDPR"), effective anonymization requires more than simply removing identifiers such as phone or IMEI numbers. The UK Information Commissioner's Office (the "ICO") issued a statement that generalised location data trend analysis based on properly anonymised and aggregated mobile phone data falls outside the GDPR and the Data Protection Act 2018. However, businesses need to be very careful that any location information they share with third parties is fully anonymised (in Europe, normally by anonymisation and aggregation) and cannot be traced back to individuals. The EDPS also stressed that the Commission has to ensure that any third parties that process the data comply with strict information security and confidentiality obligations.

Business can be instrumental in fighting the pandemic but they need to carefully consider their data protection obligations. The European Data Protection Board and some national data protection authorities have stressed that while the GDPR should not hinder measures taken in the fight against the pandemic, controllers are still responsible for ensuring the protection of personal data and ensuring that they process it in accordance with the existing legal requirements.

For example, recent reports indicate that different organisations are developing tools that will alert people to self-isolate if they are identified as having recently been in contact with someone diagnosed with COVID-19. These tools will rely on collecting and monitoring large amounts of geolocation and health information about individuals on an ongoing basis in order to be effective. Although the deployment of these types of technologies could have numerous benefits in terms of protecting public health and helping public and private sector organisations manage and minimise disruption within their workforce, naturally businesses will need to consider how to address solutions such as these in a way that addresses the applicable data protection legislation (not to mention employment law and human rights requirements) in the jurisdictions in which they may be implemented.

In Europe, businesses have to comply with the GDPR, the ePrivacy Directive and its local implementation when processing personal data. Under the GDPR, organisations will need to establish a legal basis for processing the personal data collected (for example, whether the data subject's freely given, specific, informed and unambiguous consent needs to be obtained and if so, how).

Visit us at

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2020. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.