EU planning coordinated use of telecoms data to monitor spread of coronavirus

As part of the EU Commission's response to the coronavirus, it has held talks on a video link with European telecommunication companies and GSMA, the association of mobile telecommunications operators, to discuss the sharing of anonymised metadata for modelling and predicting the spread of the virus.

According to reports, the Commission has asked telecoms operators to hand over anonymised mobile metadata. The data can be used in a way that is fully compliant with the GDPR and e-Privacy legislation, Internal Market Commissioner, Thierry Breton, said.

The European Data Protection Supervisor, Wojciech Wiewiórowski, said in a letter directed to DG CNECT at the European Commission that ‘data protection rules currently in force in Europe are flexible enough to allow for various measures taken in the fight against pandemics. I share and support your call for an urgent establishment of a coordinated European approach to handle the emergency in the most efficient, effective and compliant way possible. There is a clear need to act at the European level now.’

Wiewiórowski highlighted data anonymisation and wrote that anonymised data falls outside of the scope of data protection rules: ‘At the same time, effective anonymisation requires more than simply removing obvious identifiers such as phone numbers and IMEI [International Mobile Equipment Identity] numbers.’

He also called for data security and transparency towards the public, to avoid any possible misunderstandings.

‘Should the Commission rely on third parties to process the information, these third parties have to apply equivalent security measures and be bound by strict confidentiality obligations and prohibitions on further use as well.’

Any data obtained from mobile operators should be deleted as soon as the current emergency comes to an end.

The European Data Protection Board (EDPB) has said that ‘emergency is a legal condition which may legitimise restrictions of freedoms provided these restrictions are proportionate and limited to the emergency period.’

‘With regard to the processing of telecom data, such as location data, national laws implementing the e-Privacy Directive must also be respected. In principle, location data can only be used by the operator when made anonymous or with the consent of individuals. However, Art. 15 of the e-Privacy Directive enables Member States to introduce legislative measures to safeguard public security.’


Privacy Laws & Business International Report monitors data privacy developments around the world. The April issue will feature an interview with Finland’s Data Protection Ombudsman, Reijo Aarnio, and the Deputy Data Protection Ombudsman, Anu Talus, who explain GDPR trends in Finland.