A telecommunications lobbying group, the GSMA, has confirmed that several telecom companies in Europe are providing mobile phone location data with the European Union as a way to track the spread of COVID-19. According to Reuters and other media sources, these are the telecommunications companies that are working with the European Union to provide “anonymized” data sets: Vodafone, Deutsche Telekom, Orange, Proximus, Swisscom, Telefonica, Telecom Italia, Telenet, Telenor, Telia and A1 Telekom Austria, and Windtre
Telecoms are also working with individual countries such as Italy, Austria, Switzerland, and Belgium to provide this data for virus tracking purposes. In Germany, the information is being shared with the Robert Koch Institute, Germany’s CDC. A Deutsche Telekom spokesperson told Die Welt:
“With this we can model how people are moving around nationwide, on a state level, and even on a community level.”
But wait, aren’t there privacy laws against that?The allegedly anonymized and aggregated data being provided by these telecoms doesn’t fall under the purview of EU’s data protection laws – which have been lauded around the world as being some of the best. Max Schrems, a well known privacy advocate in Austria, told Reuters:
There-in lies the crux of telecoms sharing supposedly anonymized data with the government. De-anonymization of large data sets is a real, proven problem. The European Data Protection Supervisor (EDPS) has stated that no privacy laws are being breached – as long as there are safeguards. The EDPS head, Wojciech Wiewiorowski, wrote in a letter:
“As long as the data is properly anonymized this is clearly legal.”
“The Commission should clearly define the dataset it wants to obtain and ensure transparency towards the public, to avoid any possible misunderstanding. […] It would also be preferable to limit access to the data to authorised experts in spatial epidemiology, data protection and data science.”
While it is easy to imagine the potential good that such data could do for public health, it is hard to do so without also imagining the possibility of deanonymization of the data set and other privacy issues. As Benjamin Franklin once wrote:
“Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.”It doesn’t matter that Franklin wrote this quote in an entirely different context, the adage is astutely accurate in this time of expanding government surveillance powers under the guise of better science and crisis management.
A potential new norm that is not good for privacy: Telecoms sharing “anonymized” location data with governmentsThe main concern being voiced by privacy advocates such as Edward Snowden is that governments are unlikely to give up such access after the crisis is over once they’ve gotten a taste of the new power. Wiewiorowski also wrote:
“The EDPS often stresses that such developments usually do not contain the possibility to step back when the emergency is gone. I would like to stress that such solution should be still recognised as extraordinary.”
Even if the situation is recognized as extraordinary, the mere fact that it . Words mean little compared to actions, and now that this privacy breaching action has been taken, the seal has been broken as they say. The next time a slightly less. How long will it be before supposedly anonymized location data is sent to governments by telecoms on a yearly basis to combat the seasonal flu? It’s hard to put the cat back in the bag once it is out; make no mistake, it is currently raining cats and bags and the forecast calls for even more privacy violations.