EU privacy rules no obstacle to coronavirus fight; smartphone tracking a no-no

By Douglas Busvine

BERLIN (Reuters) – Europe’s privacy rulebook does not create obstacles to taking action to curb the coronavirus epidemic but mass tracking of people’s movements and contacts using smartphone location data would represent a clear violation.

Technophiles support the use of such data to reconstruct the movements of people exposed to the flu-like virus and identify others at risk of infection. Privacy advocates counter that this approach, used in China, subjects people to the kind of digital surveillance that has no place in a Western democracy.

The General Data Protection Regulation (GDPR), which took effect in the European Union in mid-2018, states that people’s data is their own and requires anyone seeking to process it to obtain their consent.

WHAT DO EMPLOYERS HAVE TO DO?

Companies should take action to minimise both the risk of infection and violations of privacy. They can obtain information on whether an employee has travelled to a region with confirmed coronavirus cases, according to law firm CMS https://cms.law/en/nld/publication/coronavirus-employer-measures-and-policies.

Some systemic data collection may also be required, such as through workplace questionnaires or requiring staff to report their travel plans.

This is covered under Articles 6 and 9 of the GDPR, which cover workplace health and safety, and using preventive or occupational medicine to address serious cross-border health threats.

WHAT CAN’T THEY DO?

Employers are not allowed to take mandatory readings of the temperature of employees or visitors, nor can they require them to fill out compulsory medical questionnaires, according to French data protection office CNIL.

In practical terms that means a receptionist may only take the temperature of a visitor under certain conditions, as this may require processing of health data that can only be done by a doctor, said Holger Lutz, partner at law firm Baker & McKenzie.

CAN NATIONAL GOVERNMENTS OVERRIDE THE GDPR?

Italy, the European country hardest hit by coronavirus, has passed emergency legislation requiring anyone who has recently stayed in an at-risk area to notify health authorities either directly or through their doctor.

Germany, meanwhile, recently inserted wording into its GDPR enabling legislation that specifically allows for the processing of personal data in the event of an epidemic, or natural and man-made catastrophes, said Lutz.

COULD SMARTPHONE TRACKING HELP?

The head of the Robert Koch Institute, Germany’s main public health body, caused a stir last week by suggesting that smartphone location data could be used to track people as a tool for curbing the spread of the coronavirus.

The technology exists – Google Maps for example uses smartphone GPS location data to estimate traffic congestion and calculate journey times.

A Hamburg geotracking startup called Ubilabs is working with the Hannover School of Medicine on a data analysis platform that could track people who have tested positive for the coronavirus and their contacts, Der Tagesspiegel reported on Tuesday.

HOW COULD TRACKING COMPLY WITH THE GDPR?

Such smartphone tracking would in all probability require people’s consent to have a valid legal basis, Federal Data Protection Officer Ulrich Kelber told Reuters.

Any tracking-based system would need to undergo detailed analysis to ensure an acceptable level of data protection, Kelber said. It should also be proportionate, both in terms of whether the accuracy of the location data gathered serves the intended purpose and whether a less intrusive method is available.

WHAT ARE OTHER COUNTRIES DOING?

China, the source of the coronavirus epidemic, has introduced a mandatory traffic-light system https://www.nytimes.com/2020/03/01/business/china-coronavirus-surveillance.html that uses smartphone software to determine whether people can move about or meet.

Individuals rated red or yellow on the Alipay Health Code app are not allowed to travel or visit public places such as restaurants or shopping malls for 14 or 7 days respectively.

In Taiwan, visitors are required https://jamanetwork.com/journals/jama/fullarticle/2762689 on arrival to download a questionnaire using a QR code and report the airport they came from, their 14-day travel history and health symptoms.

Those assessed to have low risk receive a text message telling them that they are free to travel. Those deemed to pose a risk are required to self-isolate for 14 days, with their compliance monitored using location data from their smartphones.

(This story has been refiled to clarify comment from legal expert, paragraph 8)

(Additional reporting by Foo Yun Chee; Editing by Nick Macfie)

U.S. seeks input on privacy rules to protect consumer data

People look at data on their mobiles as background with internet wire cables on switch hub is projected in this picture illustration taken May 30, 2018. Picture taken May 30, 2018. REUTERS/Kacper Pempel/Illustration

By David Shepardson

WASHINGTON (Reuters) – The U.S. Commerce Department on Tuesday said it was seeking comments on how to set nationwide data privacy rules in the wake of tough new requirements adopted by the European Union and California this year.

The Senate Commerce Committee has scheduled a privacy hearing on Wednesday with major companies including Alphabet Inc, AT&T Inc, Apple Inc. This summer, the Trump administration held more than 50 meetings with tech companies, internet providers, privacy advocates and others.

Data privacy has become an increasingly important issue since massive breaches compromised the personal information of millions of U.S. internet and social media users, as well as breaches involving large retailers and credit reporting agency Equifax Inc.

Commerce’s National Telecommunications and Information Administration (NTIA) issued the request for comment after noting “a growing number of foreign countries, and some U.S. states, have articulated distinct visions for how to address privacy concerns, leading to a nationally and globally fragmented regulatory landscape.”

The administration said companies and other organizations that use consumer data should be transparent about how they use personal information, individuals should be able to exercise control over personal information and data use “should be reasonably minimized.”

David Redl, who heads NTIA, said “the Trump administration is beginning this conversation to solicit ideas on a path for adapting privacy to today’s data-driven world.”

The Internet Association, which represents more than 40 major internet and technology companies, said this month it backed modernizing data privacy rules but wants a national approach that would pre-empt new regulations in California that take effect in 2020.

California Governor Jerry Brown signed data privacy legislation in June aimed at giving consumers more control over how companies collect and manage their personal information, although it was not as stringent as new rules in Europe.

The European Union General Data Protection Regulation took effect in May, replacing the bloc’s patchwork of rules dating back to 1995.

Breaking privacy laws can now result in fines of up to 4 percent of global revenue or 20 million euros ($23.2 million), whichever is higher, as opposed to a few hundred thousand euros.

Also testifying Wednesday will be Twitter Inc, Amazon.com Inc and Charter Communications Inc to give them “an opportunity to explain their approaches to privacy,” said U.S. Senator John Thune.

Google on Monday said it backed “responsible, interoperable and adaptable data protection regulations” as it offered a list of principles.

(Reporting by David Shepardson; Editing by David Gregorio)