On April 7, 2020, the European Data Protection Board (“EDPB”) announced that it assigned specific mandates to two expert subgroups to prepare guidance on a number of Covid-19 related topics. The list of topics chosen by the EDPB reflects those that have received the closest scrutiny by the national authorities. These topics are the following:

  • geolocation and other tracing tools, in particular,
    • the use of aggregated / anonymised location data (e.g., provided by telecom or information society service providers) and the effectiveness of aggregation and anonymization techniques;
    • the application of data protection principles to the different means available to gather location data or trace interactions between data subjects;
    • general legal analysis of the use of apps and collection of personal data by apps to help contain the spread of the virus;
    • the required safeguards to ensure respect for data protection principles, including with regard to data retention, in the context of using geo-location or other tracing tools;
    • the identification of recommendations or functional requirements for contact tracing applications; and
    • the necessity to subject the measures taken to a pre-defined timeframe limited to what is strictly necessary to tackle the pandemic.
  • processing of health data for research purposes, in particular:
    • processing for the purpose of advancing scientific and medical research connected to the COVID-19 crisis;
    • the re-use of medical research data connected to the COVID-19 crisis and data sharing; and
    • information and exercise of the rights of data subjects in an emergency situation.

The EDPB’s announcement is not surprising.  On the one hand, it is motivated by the proliferation of private and public-sector initiatives (e.g., telecom operators, payment operators, social media and search engines) to use personal data (health data and location data) to stop the spread of COVID-19 in the EU.  One the other hand, the guidance and statements issued by the different EU Supervisory Authorities on some of these topics have been far from aligned and would benefit from some EU-wide harmonization.  Covington will continue to monitor this and related developments.

Print:
EmailTweetLikeLinkedIn
Photo of Dan Cooper Dan Cooper

Daniel Cooper heads up the firm’s growing Data Privacy and Cybersecurity practice in London, and counsels clients in the information technology, pharmaceutical research, sports and financial services industries, among others, on European and UK data protection, data retention and freedom of information laws…

Daniel Cooper heads up the firm’s growing Data Privacy and Cybersecurity practice in London, and counsels clients in the information technology, pharmaceutical research, sports and financial services industries, among others, on European and UK data protection, data retention and freedom of information laws, as well as associated information technology and e-commerce laws and regulations. Mr. Cooper also regularly counsels clients with respect to Internet-related liabilities under European and US laws. Mr. Cooper sits on the advisory boards of a number of privacy NGOs, privacy think tanks, and related bodies.