Imperial privacy expert’s warnings about location data influence EU guidelines

A data privacy academic’s warnings about using location data during the COVID-19 outbreak has helped influence European data guidelines.

Dr Yves-Alexandre de Montjoye’s research found that it may be possible to identify individuals from ‘anonymised’ location data used in contact tracing tools during the pandemic.

This work has helped to inform the European Data Protection Board (EDPB), which has just adopted new guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak.

This is reflected in the new guidelines, which state: “mobility traces of individuals are inherently highly correlated and unique. Therefore, they can be vulnerable to re-identification attempts under certain circumstances.”

Research by Dr de Montjoye, who leads the Computational Privacy Group at Imperial’s Data Science Institute, showed that in a dataset where the location of an individual is specified hourly and with a spatial resolution equal to that given by the carrier's antennas, four spatio-temporal points are enough to uniquely identify 95% of the individuals.

It is these findings which informed the EDPB that location data thought to be anonymised may in fact not be. 

The EDPB oversees the European Union’s data protection authorities and favours a common European approach in response to the current crisis "or at least put in place an interoperable framework."

Contact tracing requires handling very sensitive data at scale, and solid and proven techniques exist to help us do it while protecting our fundamental right to privacy. We cannot afford to not use them Dr Yves-Alexandre de Montjoye

The guidelines clarify the conditions and principles for using location data and contact tracing tools proportionately. This includes using location data to support the pandemic response by modelling the virus’s spread and to assess the effectiveness of confinement measures; and, for contact tracing, which aims to notify those who have been close to someone who is eventually confirmed to carry the virus.

Also referenced by the EDPB is Dr de Montjoye and colleagues' paper which proposed four models for the privacy-conscientious use of mobile phone data during epidemics which aim to help properly balance technically the need to use data for good and legitimate privacy concerns.

The work has also been cited in Towards a European strategy on business-to-government data sharing for the public interest, as the recommended technical approach by the European Commission's High-Level Expert Group on Business-to-Government Data Sharing.

The EDPB’s guidelines for contact tracing tools come as the NHS begins testing a mobile application designed to trace the spread of the coronavirus. Health Secretary Matt Hancock has said the app would be available in a “matter of weeks”.

Putting privacy at the heart of the debate

This also comes in light of a new white paper by Dr de Montjoye, where he outlines eight questions that should be asked to understand how protective of privacy an app is.

"Contact tracing requires handling very sensitive data at scale, and solid and proven techniques exist to help us do it while protecting our fundamental right to privacy. We cannot afford to not use them," he said. However, the eight questions should help policy-makers, citizens and app-developers evaluate an app's privacy.