The exceptional health crisis that we are facing, leads many of us to compare the methods used in different regions of the world, particularly in Asia, to fight against the COVID-19 pandemic, while regretting that some of them are not being fully implemented in our own country and more generally in the European Union. Among these measures, the use of mobile location data as a way to monitor and contain the spread of COVID-19 deserves particular attention. 

The digital tracking serves two purposes: on the one hand, geolocate an infected individual, and thus, alerting people around that individual, or even isolate those who have been in contact with her or him, and, on the other hand, ensure that individuals who have been placed under containment measures are complying with the authorities’ instructions, thereby slowing the spread of the virus. To this end, authorities can rely on telecom operators which ensure the transmission of individuals’ mobile location data.

There are several reasons such as the fact that the EU has never experienced an epidemic of this scale over a recent period unlike Asian countries, but more importantly its privacy culture and the European regulatory framework, which a priori constitutes an obstacle.  

Indeed, the processing of data necessary for digital tracking falls within the scope of the Regulation (EU) 2016/679 of 27 April 2016 (the GDPR). 

While the GDPR constitutes a very efficient regulation for the protection of individuals’ fundamental rights and freedoms in particular with regard to transparency, the need to obtain individuals’ prior consent to process their personal data, data security and data subjects’ rights, it suffers from a lack of flexibility in its interpretation and application, particularly when we are going through an exceptional crisis which requires immediate and appropriate responses. 

None of the national Supervisory Authorities nor the European Data Protection Board (the EDPB) have issued clear opinions paving the way for individual digital tracking in its most effective version. Yet, the EDPB in an opinion dated 19 March 2020 indicated that the GDPR did not prevent Member States from taking measures to fight the COVID-19 pandemic, while inviting them to collect mobile location data on an anonymous basis and in an aggregated manner. Subsequently, the European Commission invited European telecom operators to share their location data, in an aggregated manner that only allows for global monitoring of population movements. 

These official positions have slightly evolved recently. For instance, on 8 April 2020, the President of the French Supervisory Authority (the CNIL), during her interview before the Legal Commission of the French National Assembly, stated that if individualized monitoring of individuals is implemented, it would have to be on a voluntary basis, with free and informed consent and the system should be in place for a limited period of time. The President further explained that if this tracking system was implemented on a mandatory basis, it would require a legislative provision whose necessity and proportionality would have to be demonstrated. 

On the same day, the European Commission published a recommendation to support exit strategies through mobile data and apps. This recommendation sets out “a process towards the adoption with the Member States of a toolbox” in order to develop, in particular, a common EU approach for the use of tracing apps for in particular, contact tracing, and for predicting and modelling the spread to fight the COVID-19 pandemic through anonymized and aggregated mobile location data. The aim is to implement this toolbox by 15 April 2020. 

In its recommendation, the European Commission recalls privacy and security principles for the use of these apps and data, e.g. for the use of mobile applications, “safeguards ensuring respect for fundamental rights”, “effective cybersecurity requirements to protect the availability, authenticity, integrity, and confidentiality of data”.  

In summary, authorities seem to agree on the use of tracking solution on an anonymized and aggregated basis or if not anonymized on a voluntary basis with a free and informed consent. However, from a strict legal standpoint we may wonder whether the GDPR allows or not the use of tracking solutions under these exceptional circumstances without relying on the individual’s consent.

There is no doubt that the use of such solutions would require the collection of special categories of data (i.e. health data such as the fact that an individual has been infected) as well as geolocation data (the movement of infected person and of individuals in contact with him or her). 

Regarding health data, one may argue that certain provisions of the GDPR could authorize such a collection. Article 9.2(g) of the GDPR allows the processing of health data where it “is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Article 9.2(i) further allows the processing of health data where it “is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy”.

One could argue that the fight against the spread of an epidemic is covered by one of the above-mentioned exceptions although the absence of precedent makes the reasoning more challengeable.  

Regarding mobile location data, we have to analyze the provisions of the ePrivacy Directive 2002/58/EC of 12 July 2002 (the ePrivacy Directive). Indeed, the use of location data is strictly regulated by Article 9 of the ePrivacy Directive which provides the following: 

“1. Where location data other than traffic data, relating to users or subscribers of public communications networks or publicly available electronic communications services, can be processed, such data may only be processed when they are made anonymous, or with the consent of the users or subscribers to the extent and for the duration necessary for the provision of a value added service. The service provider must inform the users or subscribers, prior to obtaining their consent, of the type of location data other than traffic data which will be processed, of the purposes and duration of the processing and whether the data will be transmitted to a third party for the purpose of providing the value added service. Users or subscribers shall be given the possibility to withdraw their consent for the processing of location data other than traffic data at any time.

2. Where consent of the users or subscribers has been obtained for the processing of location data other than traffic data, the user or subscriber must continue to have the possibility, using a simple means and free of charge, of temporarily refusing the processing of such data for each connection to the network or for each transmission of a communication.

3. Processing of location data other than traffic data in accordance with paragraphs 1 and 2 must be restricted to persons acting under the authority of the provider of the public communications network or publicly available communications service or of the third party providing the value added service, and must be restricted to what is necessary for the purposes of providing the value added service.”

In other words, Article 9 does not contemplate the use of location data for other purposes than those described in Article 9 unless the individual gives his or her consent. 

However, pursuant to Article 15 of the ePrivacy Directive, Member States may adopt legislative measures to restrict the scope of the rights and obligations provided for notably in Article 9 of the ePrivacy Directive “when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system”.

As the EDPB confirmed in its statement dated 9 March 2020, nothing prevents EU Member States from adopting legislative measures to authorize the processing of location data in the context of the fight against the spread of COVID-19. 

In conclusion, the implementation of tracking solutions seems possible in the EU if this measure is combined with a certain number of precautions, including limited access to such data only to health authorities, a time limitation of the implementation of this measure and, above all, data security guarantees protecting them against unauthorized access or loss. If such a measure was proposed with all the transparency required in this area, it is highly likely that a very large majority of EU citizens would be in favor of its immediate application. 

It is now the responsibility of the EU, Member States and Supervisory Authorities to decide or not whether the deployment of such solutions is possible in the very short term and under which conditions, without renouncing its fundamental values and principles.