19/04/2020

As the world struggles to deal with the rapid spread of the coronavirus, governments globally are turning to technology to help “flatten the curve” and slow the rate of transmissions (we have previously discussed some of these methods in this article).  A popular strategy is the use of location and proximity data to monitor the movement and interactions of individuals

This article looks at two methods that have been employed by the Australian Government that leverage location data.

  1. On 29 March, the Australian Government launched its app ‘Coronavirus’, developed in partnership with Atlassian, along with its WhatsApp messaging service.  The app provides users with links to advice, resources and updates about the current status of infections in Australia and allows users to check symptoms.

    It also has a feature allowing users to register their self-isolation.  The app states that the data collected is voluntary and will only be collected when a user submits that information and consents to its provision.  If a user chooses to register their isolation, they are prompted to enable location services for the app on a landing page which “is intended to be completed by those who are registering self-isolation for themselves and are currently at the location of their self-isolation.”  It’s not clear for what purpose the location data is collected by the app – however, in other countries (such as South Korea), individual location data has been used by government to monitor compliance with isolation.
  2. More recently, on 5 April it was reported that Vodafone provided anonymised and aggregated mobile phone location data of its customers to the NSW Department of Customer Service and the Department of Prime Minister and Cabinet, so the government can monitor compliance with social distancing restrictions.

We note that on 14 April it was announced that the Australian Government is in the process of launching a contact tracing app (which will use Bluetooth technology, not mobile location data) to detect a user’s proximity to other users.  The data collected would allow a person who later tests positive to the virus to easily trace and contact those people they have interacted with during the period they may have been infectious.  The Australian app will use the source code of the Singaporean app, TraceTogether (which we have discussed in more detail in this article).  Whilst it does not yet appear that location data will be collected through this new app, it has been reported that telecommunications providers have offered to provide metadata that they have collected under the Telecommunications (Interception and Access) Act 1979 (Cth) to the government.  It’s not currently clear what metadata is being proposed to be provided, although the Telecommunications (Interception and Access) Act 1979 (Cth) does require telcos to collect some location-based data (item 6, s 187AA).

What is mobile location data?

Mobile phones generate and use location data in a range of ways and this information is collected by different parties.  One source of location data is cell tower data.  Mobile carriers (such as Vodafone) receive information about a phone’s proximity to cell towers which allows an approximate location of that phone to be ascertained based on signal strength.  The precision of this data is variable but can be enhanced when combined with GPS data (detected via satellite) and WiFi networks, where location can be determined based on proximity to nearby WiFi networks.  On a smartphone this data is often collected by mobile phone carriers (in respect of cell tower data), operating systems such as Android and iOS, apps that use location features such as maps or ridesharing apps, and Internet of Things devices such as fitness trackers.

It’s commonplace for mobile location data to be collected – most phones do this – but it is less common for governments to access this data on an individual level (outside of a criminal context) or to monitor large-scale population movements.  

Is the collection and use of this information covered by privacy laws?

Australia’s Privacy Act 1988 (Cth) (Privacy Act) regulates many private entities’ and most Australian Government agencies’ collection, use, storage and disclosure of “personal information”.  “Personal information” is defined in the Privacy Act as information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not and whether recorded in a material form or not.  Similar to many other jurisdictions around the world, the Privacy Act does not govern the use of information or data which is not personal information. 

Would mobile location data be considered personal information for the purposes of the Privacy Act?  Courts in Australia have previously found that certain mobile phone metadata was not personal information as it was not ‘about’ the relevant individual (and therefore, in that particular instance, its collection and use was not subject to the restrictions contained in the Privacy Act) – we have recently discussed this here.[1] 

However, it’s not clear whether this position would be different in the context of mobile phone data that was more definitively ‘about’ an identified or reasonably identifiable individual. In both Australia and Europe, mobile phone carriers have provided anonymised and aggregated mobile phone location data to governments.  The fact that the data is anonymised and aggregated acts as a privacy buffer for individuals whose location data might be included in these data sets.  However, there is evidence to suggest that mobile location data cannot be effectively anonymised.  A key study of human mobility data published in Nature indicates that where the location of an individual is specified hourly and with a spatial resolution equal to that given by the carrier's antennas, “four spatio-temporal points are enough to uniquely identify 95% of the individuals”. Among others, the Dutch privacy regulator has indicated it does not consider it possible to anonymise telecom location data.

In respect of any location data that is collected from an individual who may be registering their isolation, the position may be different.  Where an individual is isolating at their home, that individual could likely be reasonably identifiable from the location data collected about them, given the other data about them that may be held by or available to the government.  In fact, when an individual registers for self-isolation they are asked to provide data including their name, telephone number, age, gender, address of their place of residence, number of other residents in the household, and details about the individual’s coronavirus test status (i.e. health information).  As a result, the location data collected may well constitute personal information.  If this is the case, there are restrictions imposed on the use of this information by the Privacy Act, including that the personal information can generally only be used or disclosed for the reason it is collected (known as the ‘primary purpose’ for collection), or for certain secondary purposes.  In the case of the Coronavirus app the primary purpose for collection of location data in particular is not entirely clear, as the linked Privacy Policy doesn’t explicitly mention location data.[2]

The personal information collected by the app could also be used or disclosed for certain secondary purposes (i.e. for a purpose other than the primary purpose that the information was collected for) without consent, if APP 6.2 or 6.3 applied to the use or disclosure. This includes if a “permitted general situation” exists (APP 6.2(c)), including where the government agency believed the collection, use or disclosure was necessary to lessen or prevent a serious threat to public health or safety (item 1, s 16A, Privacy Act).  In this case, the entity would have to show that it was unreasonable or impracticable to obtain the individual’s consent to the use or disclosure and the permitted general situation would cease to apply after the threat had passed.

Alternatively, if the government agency reasonably believed the use or disclosure of the information was reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body (APP 6.2(e)) the information could be used for a secondary purpose without consent.  An enforcement related activity includes (among other things) the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law imposing a penalty or sanction and the conduct of surveillance activities, intelligence gathering activities or monitoring activities.  This encompasses lawful surveillance, intelligence gathering or monitoring activities where there may not be an existing investigation, such as the collection of personal information to detect whether an offence has occurred or to determine whether to initiate an investigation.

Does surveillance law have an impact on the collection and use of location data?

Australia has state-based legislation regulating the use of surveillance devices, which in most Australian states and territories[3] includes “tracking devices” that can be used to determine the geographical location of a person.  In most of these instruments, the definition of a “tracking device” is wide enough to capture mobile phones where the devices capture location data (although uniquely in Victoria, the Surveillance Devices Act 1999 (Vic) only covers tracking devices where the primary purpose of that device is to determine the geographical location of a person or object).[4]

In general terms, surveillance legislation in NSW, NT, SA and WA prohibits the installation, use or maintenance of a tracking device to determine the geographical location of a person or thing without the express or implied consent of the person.[5]  The prohibitions are targeted at individuals and corporations and carry criminal penalties. 

Mobile location data, which is collected by mobile carriers, operating systems and apps, would likely not fall within the scope of these prohibitions given the prohibitions are targeted at the installation, use or maintenance of a tracking device without a person’s consent.  Mobile phone users would likely have either expressly consented or be considered to have impliedly consented to the use of mobile location services, through use of specific location-based services (in apps or IoT devices) or through use of a mobile network.

Further still, the prohibitions in the relevant instruments are subject to a number of exceptions which vary from state to state and include the installation, use or maintenance in accordance with a law of the Commonwealth.[6]  There is scope in a number of Commonwealth Acts for the exercise of various powers to permit the disclosure of mobile location data, including under the Telecommunications Act 1997 (Cth) and the Biosecurity Act 2015 (Cth) – we have previously discussed this here.

Privacy concerns

In emergencies and crises, the use of use of mobile phone location data to trace population movements is not unprecedented.  Following the earthquake and cholera outbreak in Haiti in 2010 (and in many disasters since), SIM data was used to track population displacement to assist in the provision of relief.  Well before we’d ever heard of COVID-19, literature reported that obtaining an understanding of the mobility of populations would be of paramount importance in the case of a possible pandemic (and likely to be aided by mobile network data and location data) – a statement which has been very recently reaffirmed

Despite this, privacy advocates around the world have expressed concern about the use and collection of mobile location data.  In a statement made on 1 April by the NSW Council for Civil Liberties, that organisation noted that monitoring citizens’ movements could set a dangerous precedent.

Where privacy rights are to be limited, legal regimes typically require that measures be proportionate to their aims.  In the current pandemic context, this analysis would require an assessment of whether the measures being implemented are for a legitimate objective and whether the design of the measures is reasonable and necessary to achieve those objectives.  The objective of limiting infections, saving lives and managing health resources is clearly a legitimate aim.  However, the way in which we design measures that use mobile location data to achieve those aims needs to be closely considered.  This should include an analysis of how the proposed measures directly contribute to achieving those aims and defining a clear dataset which is limited to the minimum level of data required for effectiveness.  Other restraints such as purpose limitation, clear policies and procedures, independent oversight and transparent messaging would also be key tools in developing a privacy enhancing framework.

Authors: Michael Caplan, Stephanie Essey and Sophie Bogard

 

[1] Note that the definition of ‘personal information’ in the Privacy Act has changed slightly from the version considered in Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4.

[2] Clicking on a link which describes “how your location information is used” takes users to a Privacy Policy, which does not refer to location data and instead focuses on the collection of personal information more generally.  The option to register isolation on the Coronavirus app is framed in general terms and states that the information collected “will provide a better understanding of the experiences of those in the community and help in the development of better information and response from Government”, and the short-form privacy policy provides that the information collected will help the Commonwealth, state and territory governments to put in place appropriate steps to safeguard public health and safety, conduct appropriate analysis and research, and contact the individual if necessary.  Likewise, it does not reference location data.  The ‘primary purpose’ for collection of this location data could be made clearer by adding to these documents a more specific description of the purpose for which location data is being collected through the app and how it will be used.

[3] Excluding Queensland, Tasmania and the Australian Capital Territory.

[4] Surveillance Devices Act 1999 (Vic), s 3.

[5] Surveillance Devices Act 2007 (NSW), s 9(1); Surveillance Devices Act 2007 (NT), s 13(1); Surveillance Devices Act 2016 (SA), s 7(1); Surveillance Devices Act 1998 (WA), s 7(1).

[6] Surveillance Devices Act 2007 (NSW), s 9(2)(b); Surveillance Devices Act 2007 (NT), s 13(2)(b); Surveillance Devices Act 2016 (SA), s 7(2)(a); Surveillance Devices Act 1998 (WA), s 7(2)(e).

""

Our COVID-19 hub collates important articles and legal advice on various aspects of COVID-19 on how it may impact your business.