In general, devices should not conflict with the data subject’s position as the holder of the right to privacy. This means that, in general, users must be protected against being unnecessarily deprived of their privacy. Thus, a user should not have to take action to prevent tracking: the device should provide this protection by default. If the tool can function without directly identifying individuals, appropriate measures should be put in place to prevent re-identification. Moreover, the collected information should reside on the user’s terminal equipment, and only the relevant information should be collected, and only when absolutely necessary. In general, data should be processed only if this is strictly necessary.
Furthermore, a developer should use only the type of data that is strictly necessary for the purpose of the processing, and should avoid any third-party software development kit (SDK) that collects data for other purposes. By default, developers must ensure that the device does not send data to third parties without notifying the data subject. For instance, no identifiers should be included in the server logs. Similarly, information on the proximity between users of the application should be obtainable without locating them. This kind of application does not need, and thus should not involve, the use of location data (directly or by combining data), but only proximity data. Conversely, it should not be possible to derive an individual’s concrete geolocation by combining proximity data with other datasets; the device should be designed to rule out such a scenario by default. In general, the tool should not collect additional data that are not strictly necessary for its purposes, except on an optional basis and for the sole purpose of assisting in the decision-making process of informing the user. For instance, if some features of the tool may enhance the user experience but are not strictly necessary for the tool to function properly (e.g. geolocation to simplify a geographic search), the user should be able to choose whether or not to use geolocation for that purpose. In these cases, the more invasive tracking must be deactivated by default, leaving it to the user’s decision to opt in.
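The following Python sketch is an added illustration of the points above and is not code from the guidance or from any particular contact-tracing application. It assumes a constructed design in which devices exchange random ephemeral identifiers rather than stable ones, encounter records carry only coarse time and a bucketed signal strength (never coordinates), the most protective settings are the defaults, and the server log line records only operational counts. The field names, rotation window and signal thresholds are all assumptions chosen for the example.

```python
import secrets
from dataclasses import dataclass, asdict
from typing import Any, Dict, List

# Constructed parameters for this illustration (not taken from the guidance text).
EPHEMERAL_ID_BYTES = 16          # random per window, so observers cannot link windows
ROTATION_WINDOW_S = 15 * 60      # a fresh ephemeral id every 15 minutes
# Keys that would turn a proximity record back into a location or a stable identifier.
LOCATION_OR_ID_FIELDS = {"lat", "lon", "latitude", "longitude", "gps",
                         "cell_id", "wifi_bssid", "ip", "device_id", "user_id"}


@dataclass
class PrivacySettings:
    """Privacy by default: every optional, more invasive feature is off until the user opts in."""
    geolocation_search: bool = False      # convenience feature only, never required
    share_with_third_parties: bool = False
    extra_diagnostics: bool = False


def new_ephemeral_id() -> bytes:
    """Unlinkable identifier broadcast to nearby devices during one rotation window."""
    return secrets.token_bytes(EPHEMERAL_ID_BYTES)


def window_start(unix_time: int) -> int:
    """Coarsen a timestamp to the start of its rotation window (no exact times stored)."""
    return unix_time - (unix_time % ROTATION_WINDOW_S)


def rssi_bucket(rssi_dbm: int) -> str:
    """Keep only a coarse proximity class instead of the raw signal strength."""
    if rssi_dbm >= -65:
        return "near"
    if rssi_dbm >= -80:
        return "mid"
    return "far"


@dataclass
class Encounter:
    observed_id: str   # hex of the peer's ephemeral id
    window: int        # rotation window start, not the exact time
    duration_s: int
    distance: str      # "near" / "mid" / "far"


def record_encounter(peer_ephemeral_id: bytes, unix_time: int,
                     duration_s: int, rssi_dbm: int) -> Encounter:
    """Everything the device keeps about a contact: proximity, never position."""
    return Encounter(peer_ephemeral_id.hex(), window_start(unix_time),
                     duration_s, rssi_bucket(rssi_dbm))


def contains_location_or_identifier(record: Dict[str, Any]) -> bool:
    return any(key.lower() in LOCATION_OR_ID_FIELDS for key in record)


def upload_payload(encounters: List[Encounter]) -> List[Dict[str, Any]]:
    """What leaves the device: encounter records only, checked against leaking location or ids."""
    payload = [asdict(e) for e in encounters]
    for rec in payload:
        if contains_location_or_identifier(rec):
            raise ValueError("refusing to upload a record containing location or identifier data")
    return payload


def server_log_line(status: int, n_records: int) -> str:
    """Server-side log entry with operational data only: no IP, device or user identifier."""
    return f"upload status={status} records={n_records}"


if __name__ == "__main__":
    peer = new_ephemeral_id()
    enc = record_encounter(peer, 1_000_000_123, duration_s=120, rssi_dbm=-70)
    print(upload_payload([enc]))
    print(server_log_line(200, 1))
```

The check in `upload_payload` is deliberately structural: it fails closed if a later change adds a coordinate or identifier field to the record, which is the kind of regression a privacy-by-design review is meant to catch before data leaves the device.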
|Box 7. The issue of exactitude
In principle, personal data must be accurate. However, in the case of location or proximity data, excessive accuracy may threaten the privacy of the data subject or third parties. Therefore, the developer of the tool should attempt to reduce the precision or accuracy with respect to the location data to the minimum level necessary to ensure that it fulfils the purpose for which it was designed. Location data can be very precise (such as a device being located on a specific street corner) or more imprecise (postal codes, quadrants, a city or even a country). The more precise and accurate the data, the more revealing it tends to be, and the greater the risk of re-identification.
It is particularly important to avoid, as much as possible, known locations that are linked to a person’s identity, such as that person’s home or workplace. The reason is that these data often contribute to the identification of the subject.
In addition, some locations are especially sensitive because of what they may reveal about the owner of the device, such as hospitals, schools, nightclubs, abortion clinics, dispensaries, or political organizations and events. While these locations do not always increase the risk of re-identification, they do carry greater risks of abuse or unexpected uses. Therefore, precision in data referring to these locations should be avoided as much as possible.
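As an added worked example of Box 7 (not code from the guidance or from any real tool), the following Python snippet reduces location precision to a chosen level by snapping coordinates to a grid cell of roughly the requested size, and falls back to the coarsest level whenever a point lies near a sensitive place. The precision levels, the cell-size arithmetic, the sensitive-place list and all coordinates are constructed assumptions for the illustration; the general idea it demonstrates is that the coarser the cell, the more distinct people share it and the less a stored value reveals.

```python
import math
from typing import Dict, Iterable, List, Optional, Tuple

EARTH_RADIUS_M = 6_371_000.0
METRES_PER_DEG_LAT = 111_320.0

# Precision levels in approximate metres (constructed for this illustration).
PRECISION_M: Dict[str, float] = {
    "street": 10.0,       # a specific street corner
    "block": 100.0,
    "district": 1_000.0,  # comparable to a postal area or quadrant
    "city": 10_000.0,
}
COARSEST = "city"

# Constructed list of sensitive places: (label, lat, lon, radius in metres).
SENSITIVE_PLACES: List[Tuple[str, float, float, float]] = [
    ("hospital (constructed)", 52.5210, 13.4100, 150.0),
]


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def grid_cell(lat: float, lon: float, cell_m: float) -> Tuple[int, int]:
    """Snap a coordinate to a (row, col) cell of roughly cell_m metres on each side.

    Longitude degrees shrink with latitude, so the column width is scaled by the
    cosine of the row's centre latitude to keep cells roughly square."""
    deg_lat = cell_m / METRES_PER_DEG_LAT
    row = math.floor(lat / deg_lat)
    row_centre_lat = (row + 0.5) * deg_lat
    deg_lon = cell_m / (METRES_PER_DEG_LAT * max(math.cos(math.radians(row_centre_lat)), 1e-9))
    col = math.floor(lon / deg_lon)
    return (row, col)


def near_sensitive_place(lat: float, lon: float,
                         places=SENSITIVE_PLACES) -> Optional[str]:
    """Label of the first sensitive place whose radius covers the point, else None."""
    for label, plat, plon, radius_m in places:
        if haversine_m(lat, lon, plat, plon) <= radius_m:
            return label
    return None


def minimize_location(lat: float, lon: float, level: str,
                      places=SENSITIVE_PLACES) -> Tuple[str, Tuple[int, int]]:
    """Return (level actually used, cell): the requested level, or the coarsest one
    when the point is near a sensitive place (one possible design choice)."""
    if level not in PRECISION_M:
        raise ValueError(f"unknown precision level: {level}")
    chosen = COARSEST if near_sensitive_place(lat, lon, places) else level
    return chosen, grid_cell(lat, lon, PRECISION_M[chosen])


def distinct_cells(points: Iterable[Tuple[float, float]], cell_m: float) -> int:
    """How many distinguishable values a set of points collapses to at this precision."""
    return len({grid_cell(lat, lon, cell_m) for lat, lon in points})


if __name__ == "__main__":
    # Constructed sample: two people ~50 m apart and a third ~1 km away.
    sample = [(52.5200, 13.4100), (52.5203, 13.4105), (52.5300, 13.4100)]
    for level, size in PRECISION_M.items():
        print(f"{level:>8}: {distinct_cells(sample, size)} distinct cell(s)")
    print(minimize_location(52.5200, 13.4100, "street"))   # near the constructed hospital
    print(minimize_location(52.5300, 13.4100, "street"))   # not near anything sensitive
```

Grid snapping is only one minimization technique; the point of the example is the decision rule, which picks the precision level from the purpose first and from the sensitivity of the surroundings second, rather than storing the raw fix and coarsening later.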
|Checklist: Minimizing data (II)
The tool does not collect data in addition to those that are strictly necessary for its purposes, except on an optional basis and for the sole purpose of assisting in the decision-making process of informing the user.
If the tool is aimed at contact tracing, it does not allow users to identify other users’ movements.
In general, no data leaves the users’ equipment if it is not strictly necessary.
The design of the devices or the tool takes privacy-by-design principles into account and aims at not collecting more data than necessary.
If the design of the device or tool allows for several options regarding the collection and further processing of data, the most protective one will be set by default.
1. EDPB, Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak, adopted on 21 April 2020, p. 7. Available at: https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_20200420_contact_tracing_covid_with_annex_en.pdf
2. This checklist has been built on the basis of the one included in the EDPB, Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak, adopted on 21 April 2020. Available at: https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_20200420_contact_tracing_covid_with_annex_en.pdf