Amid the rising number of cases of COVID-19 in Europe, it has been reported that certain telecommunication companies may have agreed to share anonymous mobile phone geolocation data with the European Commission (the “Commission”). According to the report, the Commission will aggregate this geolocation data to coordinate measures to halt the spread of COVID-19 and delete the data once the health crisis is over.
The European Data Protection Supervisor (the “EDPS”) has cautioned that while anonymised data fall outside of the scope of the General Data Protection Regulation (the “GDPR”), effective anonymization requires more than simply removing identifiers such as phone or IMEI numbers. The UK Information Commissioner’s Office (the “ICO”) issued a statement that generalised location data trend analysis based on properly anonymised and aggregated mobile phone data falls outside the GDPR and the Data Protection Act 2018. However, businesses need to be very careful that any location information they share with third parties is fully anonymised (in Europe, normally by anonymisation and aggregation) and cannot be traced back to individuals. The EDPS also stressed that the Commission has to ensure that any third parties that process the data comply with strict information security and confidentiality obligations.