Data Blast; Apple mobility data re Covid-19; Irish & Belgium Cookie Guidance; EDPB looking to create Covid-19 guidance; and Brazilian law update
Apple releases mobility data as part of effort to slow spread of coronavirus
On April 14th, 2020, Apple released user data generated from Apple Maps, in an attempt to help governments and health agencies combat the spread of the coronavirus.
The ‘Mobility Trends Reports’ include aggregated and anonymised data regarding the movements of Apple users globally, for the three months of 2020 between January 13th and April 13th. The data measures user movement, including walking, driving and public transit use, and shows a marked drop off in movement as coronavirus lockdowns were implemented internationally.
In a statement, Apple explained that the data ‘is generated by counting the number of requests made to Apple Maps for directions. The data sets are then compared to reflect a change in volume of people driving, walking or taking public transit around the world. Data availability in a particular city, country, or region is subject to a number of factors, including minimum thresholds for direction requests made per day.
Apple has justified the release of the mobility data, arguing that it may provide helpful insights to local governments and health authorities seeking to slow the spread of the virus, and confirmed that such data sharing will not continue after the pandemic passes. Furthermore, they claim that the data could be used in crafting new public policies, by showing the change in volume of people driving, walking or taking public transit in their communities. Apple has also provided a means of exporting the data in spreadsheet format, making it more user-friendly for researchers and media outlets.
Apple also emphasised it has built privacy into the core of Maps, stating that the data collected by Maps, like search terms, navigation routing, and traffic information, is associated with random, rotating identifiers that continually reset, so Apple doesn’t have a profile of your movements and searches. This enables Maps to provide a great experience, while protecting user privacy.’ Furthermore, the company does not believe that this sharing of user data compromises user privacy, explaining that Apple Maps does not associate mobility data with a user’s Apple ID, and that a history of where users have been is not kept.
While Apple did not explain precisely how this data will be put to use in slowing the spread of the coronavirus, the considerable drop off in user movement suggests that users are generally complying with government lockdown efforts internationally.
Irish and Belgian data protection authorities issues new cookie guidance
- The use of non-necessary cookies on website landing pages of almost all of the websites reviewed;
- The presence of pre-checked consent boxes, including for marketing and analytics cookies, on roughly a quarter of the websites reviewed;
- The bundling of consent; whereby users were unable to provide consent for particular purposes for which cookies were used; and
- The misclassification of cookies as necessary on a majority of the websites reviewed.
- Organisations ensuring that non-necessary cookies are not set on their website landing pages;
- Organisations obtaining user consent, through the use of acceptable banners or pop-ups, and that analytics and marketing cookies require user consent; and
- Users must be able to change their cookie preferences at all times on each webpage.
The DPC has afforded organisations a 6 month window to establish compliant cookie policies on their websites, after which the DPC may take enforcement action. The DPC guidance, unsurprisingly, is similar to the cookie guidance issued by the ICO last year (which we covered in detail here).
Regarding cookie duration, lifespan must be limited to what is necessary for achieving the cookies’ purpose and should not be unlimited. Cookies that are exempt from the requirement for user consent (I.e which are strictly those necessary for a website’s function) must be deleted once their purpose is achieved. Generally, this requires the deletion of those cookies at the end of the user’s session.
EDPB assigns mandates to develop COVID-19 data processing guidance
On April 7th the European Data Protection Board (EDPB) announced that it had assigned to its expert subgroups mandates to produce guidance on data processing issues related to the coronavirus pandemic.
The EDPB technology subgroup was mandated to focus on geolocation and other tracking tools, and tasked with producing guidance focusing on a variety of issues, including:
- Applying data protection principles to available tools for tracking individuals and their locations;
- The use of aggregated and anonymised location data;
- Safeguards to be used to ensure compliance with data protection principles;
- Providing legal analysis of applications used to contain the spread of the virus;
- Recommendations for the use and development of contract tracing applications; and
- The limiting of these measures to a specific timeframe.
A mandate was also assigned to the compliance, e-government and health subgroup to prepare guidance on the processing of health data for research purposes; specifically:
- The processing of health data to advance scientific research;
- Applying data protection principles to health-related data processing;
- The possibility of re-using medical research data in connection with broader coronavirus data sharing; and
- The dissemination of information, and its impact on data subject rights, in emergency situations.
Brazilian House to vote on Senate’s proposed delay of data protection law
On April 3rd, the Brazilian Senate voted in favour of PL1179/2020 (the Bill) which includes several emergency measures aimed at addressing the coronavirus pandemic. The Bill includes a provision to delay the effective date of the new Brazilian data protection law (Lei Geral de Proteção de Dados Pessoais, the ‘LGPD’) until January 2021.
Furthermore, the fines and sanctions to be handed out to organisations that do not comply with LGPD are now to become effective in August 2021.
The Bill noted that the postponement of the LGPD was being undertaken ‘so as not to hinder companies in the face of enormous technical and economic difficulties arising from the pandemic.’ We previously covered the various GDPR-like provisions of the LGPD here.
For more information please contact Partner, James Tumbridge at firstname.lastname@example.org.