European Data Protection Board Issues Guidelines On The Use of Location Data and Contact Tracing Tools In the Context of COVID-19

Written by: Richard Sheinis, Esq.

Unlike the United States, where Senators are first introducing legislation to deal with the use of personal information in the context of COVID-19, the European Data Protection Board (“EDPB”) relies on established legislation to govern the use of location data and contact tracing tools.  (Hint: the U.S. needs to pass comprehensive privacy legislation, rather than introducing legislation based on whatever crisis the country might be in at the time.)  The EDPB relies upon the General Data Protection Regulation (“GDPR”) and directive 2002/58/EC (“ePrivacy Directive”), which allow for the use of anonymous or personal data to support public authorities in monitoring and containing the spread of COVID-19.

It is the EDPB’s position that the use of contact tracing applications should be voluntary and should not trace individual movements, but rather rely on proximity information regarding users.  The EDPB emphases that although consent is required for the use of location data, the ePrivacy Directive provides derogations which allow for the use of such data when it constitutes “a necessary, appropriate and proportionate measure within a democratic society for certain objectives.”  In other words, if the data is really important, and the government decides what is important, the requirement for consent can go by the wayside.  The EDPB goes on to remind everyone of the importance of other data processing principals such as transparency, data minimization, data anonymization, and data retention.

The EDPB guidance ends with cautioning against the “ratchet effect.”  Any use personal data to fight COVID-19 should be limited in time, of minimal extent, and subject to periodic and continuing review as well as scientific evaluation.  The EDPB maintains that European Data Protection law allows for the responsible use of personal data for health management purposes, while also ensuring that individual rights and freedoms are not eroded in the process.  So, if the government thinks it is important to have and use your personal data, they can do so, but they promise to be careful about it.