Using data from mobile phone apps in the combat of COVID-19 in Norway
A number of countries are currently using location data collected from mobile phones for public health purposes. On 19 March 2020, the European Data Protection Board (EDPB) adopted a statement on the processing of personal data in the context of the COVID-19 outbreak. I will below describe how the processing of location data is carried out in Norway, also referring to the EDPB statement.
The EDPB states that public authorities should first seek to process location data in an anonymous way, for example in connection with sending of public health messages to individuals in a specific area by text message, and by generating reports on the concentration of mobile devices at a certain location, without identifying each physical person. Under the GDPR, mobile phone location data is not considered as personal data If the physical person cannot be identified, directly or indirectly, ref. the GDPR Article 4 (1).
Such technology has been used by local public authorities in Norway on several occasions, including, in connection with the much-debated Norwegian temporary legislation which makes overnight stays at your second home (summer house or mountain cabin) during the pandemic a criminal offence. Several local authorities in districts with many such second homes have used mobile device tracking in establishing whether the ban on the use of second homes is being complied with, by comparing the number of mobile phones in the area with the number of residents in the area. Lately, one local authority has started using the warning system to send text messages to the mobile phones of everyone entering the area (including local residents) warning about the second home ban. To my knowledge, the authorities have not taken steps to map the mobile phones present in the area against the registered residential address of each subscriber, nor to establish the identity of non-residents, meaning that such use of mobile data should probably not be considered as personal data processing. However, using emergency geolocation systems for enforcement purposes rather than for the purpose of warning of imminent danger, certainly raises some concerns.
The Norwegian Institute of Public Health is in the process of launching a mobile phone app for more efficient tracing the spread of the COVID-19 virus. The app, once installed on a mobile phone, will record the phone owner’s physical location on a continuous basis and upload these data to the cloud. The location data is then analysed by the public health authorities by the use of algorithms. If the analysis shows that owner has been close to someone who tests positive for the COVID-19 virus, the authorities will via text message impose a 14-day quarantine on the mobile phone owner – such quarantine is also mandatory and non-compliance is subject to criminal sanctions.
The collection and processing of location data in this matter will concern identifiable individuals and will therefore constitute personal data processing. As the personal data concerns health, they will be considered as “special categories” of personal data under the GDPR Article 9. In the EDPB statement (referenced above), the EDPB states that the GDPR Articles 6 and 9 do allow processing of personal data when this is necessary for reasons of substantial public interest in the area of public health. This applies in particular for processing carried out by the public health authority within its mandate provided under national legislation. Under those circumstances, the EDBP states, there is no need to rely on consent of individuals.
With regard to location data, the ePrivacy Directive is also relevant, as the directive and the Norwegian legislation implementing the directive set out that location data cannot be used for purposes other than communication and invoicing unless the user has consented to the use, or in order to fulfil other requirements set out in national legislation. Under the ePrivacy Directive, such legislation can only be introduced if it constitutes a necessary, appropriate and proportionate measure within a democratic society.
The Norwegian DPA has taken the view that the authorities cannot rely solely on user consent for such processing, as any consent given will not fulfil the GDPR requirements in particular as the information requirement is not fulfilled (in order to be valid, a consent must i.a. be “informed”, ref. the GDPR Art. 4 (11)). The Norwegian government has therefore on 27 March passed temporary secondary legislation which allows for such data processing, but which also limits the purpose for which the personal data can be processed, limits the retention time of location data to 30 days and explicitly sets out that any use of the tool shall be voluntary and that sufficient and comprehensible information shall be easily available, including information on how personal data will be processed.
The legislation has been drafted in close collaboration with the Norwegian DPA, who strongly emphasizes that the processing of personal data related to the use of the app may potentially have serious consequences for the data subject, and that it therefore must be fully voluntary for the data subjects to download and install the app. The DPA emphasizes that it is vital that the public authorities are fully transparent as to how the data will be used, and that measures are taken in order to limit the negative consequences for the privacy of the data subjects. At the same time, the DPA emphasizes that Norway is in a very difficult situation, and that the most important task at hand right now is to handle the pandemic and to save lives.
According to the public health authorities, the success of the app is dependent on the app being downloaded and used by around 60 % of the Norwegian population.
Some critical voices have maintained that the authorities have not been fully transparent in the process, i.a. as the app source code is not being made available as open source and that it is therefore not possible to consider whether the app contains security flaws which may result in data breaches. Judging from experience both abroad and also to some extent from Norway, there is a tendency that personal data once collected may be used for other purposes, in particular in a time of crisis where the combat of the pandemic is the main concern of both the public authorities and the population as a whole. Many have also argued that the proposed mandatory and full-scale central storage and processing of data also relating to data subjects who have not been diagnosed with COVID-19 is unfortunate. Such central storage could possibly have been avoided by limiting the central database to individuals who have tested positive for the virus, similar to how the data collection takes place in other European countries. Even if such measures could possibly make the app less efficient in the fight against COVID-19, added data privacy could possibly lead to a larger proportion of the population being willing to download the app, so that there is a greater possibility that the 60 % coverage requirement is reached.
All in all, the serious situation calls for serious measures, but we must act so that important principles such as basic human rights and the rule of law have not been lost, once our society (hopefully shortly) returns to its normal state.
Article provided by: Øystein Flagstad (GjessingReimers, Norway)
Discover more about INPLP, the INPLP-Members and the GDPR-FINE database
Dr. Tobias Höllwarth (Managing Director INPLP)