skip to main content
Close Icon We use cookies to improve your website experience.  To learn about our use of cookies and how you can manage your cookie settings, please see our Cookie Policy.  By continuing to use the website, you consent to our use of cookies.

Omdia view


As the COVID-19 pandemic progresses, more and more regulators and governments are turning to technology and, in particular, geo location data to track the progress of the virus in an effort to tackle it. This throws up a number of data protection and privacy concerns. Recent regulations in the EU such as the GDPR and the ePrivacy Directive advocate principles for the appropriate use of personal information, and these are now coming under increasing strain. The EC has announced its aim for a coordinated approach to using geo location data across the EU and has outlined how national regulators can use such data while ensuring they remain within the region’s existing data protection and privacy frameworks. This includes adhering to data anonymization, data security, and access, as well as data retention.

EU regulators to adhere to principles of data anonymization, security, access, and retention when tracking the coronavirus

On March 25, 2020 the European Data Protection Supervisor (EDPS) announced it is backing the EC's plans to collect anonymized data from operators to help track developments in the coronavirus crisis. The plans do not violate EU data protection laws and set the example for national regulators looking to adopt their own measures. There are already discussions taking place in some member states with operators regarding using geo location data to track the spread of the COVID-19 outbreak.

The data protection rules currently in force in the EU are flexible enough to allow for various measures that might be taken in the fight against pandemics. The EC is pushing for a coordinated European approach as well as ensuring member states looking to take national approaches are aware of the most effective and compliant way of handling personal data. In particular, the EC and member states are expected to adhere to principles of data anonymization, data security and access, and data retention.

To ensure that the data protection and privacy laws in the EU are not violated, data should be anonymized before being used to map the movements of people. This is because anonymized data falls outside of the scope of data protection rules. However, effective anonymization requires more action than just removing obvious identifiers such as phone numbers and IMEI numbers. Aggregating data should be used to provide an additional safeguard and any anonymized data should be overseen by a data protection officer. The EU approach to tracking the coronavirus is expected to use data that only comes from a clearly defined dataset, which will need to be communicated to the public to ensure transparency. Transparency will be vitally important to ensure the public is fully aware of the purpose and procedure of any measures enacted by regional or national regulators.

Even if data is anonymized, information security obligations still apply and any third parties processing the data must apply equivalent security measures, be bound by strict confidentiality obligations and be prohibited from further using the information. Operators must also ensure the data they share with national and regional regulators is securely transmitted and access to the data should be limited to authorized experts in spatial epidemiology, data protection, and data science.

A key principle that regulators must adhere to is data retention. The EC has stated that the data it plans to obtain from mobile operators would be deleted as soon as the current emergency comes to an end. The decision to track geo location data must be temporary in nature and clearly be defined as an extraordinary case in order to respond to this specific crisis. The concern is that without the temporary nature being clearly outlined; the use of geo-location data might continue even when the crisis is over and could end up violating data protection regulation in the future.


Further reading

“COVID-19 in Regulation: Regulators and operators work together to ensure connectivity is maintained amid the crisis”, GLB005-000240 (March 2020)

“COVID-19 in Regulation: Spectrum can be an ally to immediately increase broadband capacity”, GLB007-000361 (March 2020)

“COVID-19 in Europe: Telcos provide a vital connection; can they afford to keep the continent going?”, GLB003-000076 (March 2020)

“COVID-19 in the Americas: The FCC and service providers commit to keeping Americans connected”, GLB007-000363 (March 2020)


Sarah McBride, Analyst, Regulation

[email protected]

Recommended Articles