21 April 2020

Apple mobility data re Covid-19; Irish & Belgian Cookie Guidance and more…

Data Blast: Apple mobility data re Covid-19; Irish & Belgian Cookie Guidance; EDPB looking to create Covid-19 guidance; and Brazilian law update

Apple releases mobility data as part of effort to slow spread of coronavirus

On April 14th, 2020, Apple released user data generated from Apple Maps, in an attempt to help governments and health agencies combat the spread of the coronavirus.

The ‘Mobility Trends Reports’ include aggregated and anonymised data regarding the movements of Apple users globally, for the three months of 2020 between January 13th and April 13th. The data measures user movement, including walking, driving and public transit use, and shows a marked drop-off in movement as coronavirus lockdowns were implemented internationally.

In a statement, Apple explained that the data ‘is generated by counting the number of requests made to Apple Maps for directions. The data sets are then compared to reflect a change in volume of people driving, walking or taking public transit around the world. Data availability in a particular city, country, or region is subject to a number of factors, including minimum thresholds for direction requests made per day.’

Apple has justified the release of the mobility data, arguing that it may provide helpful insights to local governments and health authorities seeking to slow the spread of the virus, and confirmed that such data sharing will not continue after the pandemic passes. Furthermore, they claim that the data could be used in crafting new public policies, by showing the change in volume of people driving, walking or taking public transit in their communities. Apple has also provided a means of exporting the data in spreadsheet format, making it more user-friendly for researchers and media outlets.

Apple also emphasised it has built privacy into the core of Maps, stating that the ‘data collected by Maps, like search terms, navigation routing, and traffic information, is associated with random, rotating identifiers that continually reset, so Apple doesn’t have a profile of your movements and searches. This enables Maps to provide a great experience, while protecting user privacy.’ Furthermore, the company does not believe that this sharing of user data compromises user privacy, explaining that Apple Maps does not associate mobility data with a user’s Apple ID, and that a history of where users have been is not kept.

While Apple did not explain precisely how this data will be put to use in slowing the spread of the coronavirus, the considerable drop-off in user movement suggests that users are generally complying with government lockdown efforts internationally.

Irish and Belgian data protection authorities issue new cookie guidance

On April 6th, the Irish Data Protection Commission (DPC) issued new guidance regarding the use of cookies on websites.

The guidance follows on from a DPC report outlining the results of a ‘cookie sweep’ of popular websites in Ireland from a range of sectors. While not an in-depth investigation, the DPC flagged several issues with the current use of cookies, including:

  • The use of non-necessary cookies on website landing pages of almost all of the websites reviewed;
  • The presence of pre-checked consent boxes, including for marketing and analytics cookies, on roughly a quarter of the websites reviewed;
  • The reliance on implied consent by roughly two-thirds of organisations for their use of cookies;
  • The bundling of consent, whereby users were unable to provide consent for particular purposes for which cookies were used; and
  • The misclassification of cookies as necessary on a majority of the websites reviewed.

The DPC explained that almost half of the organisations stated that they were aware of their non-compliance with existing rules regarding the use of cookies. The guidance aims to direct organisations to remedy several of the report’s problematic findings, and the key points include:

  • Organisations ensuring that non-necessary cookies are not set on their website landing pages;
  • Organisations obtaining user consent through the use of acceptable banners or pop-ups, with analytics and marketing cookies requiring user consent; and
  • Users being able to change their cookie preferences at all times on each webpage.

The DPC has afforded organisations a six-month window to establish compliant cookie policies on their websites, after which the DPC may take enforcement action. The DPC guidance, unsurprisingly, is similar to the cookie guidance issued by the ICO last year (which we covered in detail here).

Similarly, on April 6th, the Belgian Data Protection Authority (DPA) released guidance on the use of cookies and other tracking technologies, focusing on the issues of transparency and consent.

Regarding transparency, the DPA guidance notes that users must be made aware of the use of cookies, and that an easily understandable and accessible cookie policy should be included on relevant sites or apps, containing contact information about the relevant data controller and processor.

Specifically, the policy should identify the types of cookies used, their purpose and duration, whether third-parties are granted access to the cookies, the legal basis relied upon for the use of cookies (including consent for non-essential cookies and the legitimate interests of the data controller for essential ones), as well as provide information regarding automated decision making and how cookies may be deleted.

The guidance emphasises the importance of obtaining consent for the use of all non-essential cookies, and that audience measuring cookies are not exempt from this requirement. The use of social media plug-ins on websites and apps similarly requires consent. When consenting to the use of cookies, users must be provided the following information: the entity responsible for the use of cookies, the cookies’ purpose and expiration, and which data is being collected. The guidance also makes clear that the use of ‘cookie walls’, whereby users who do not consent to the use of cookies are prevented from accessing the site or app, is unlawful. Companies must also ensure that consent for the use of cookies is easy to withdraw, and that a log of user consent is kept.

Regarding cookie duration, lifespan must be limited to what is necessary for achieving the cookies’ purpose and should not be unlimited. Cookies that are exempt from the requirement for user consent (i.e. those which are strictly necessary for a website’s function) must be deleted once their purpose is achieved. Generally, this requires the deletion of those cookies at the end of the user’s session.

EDPB assigns mandates to develop COVID-19 data processing guidance

On April 7th the European Data Protection Board (EDPB) announced that it had assigned to its expert subgroups mandates to produce guidance on data processing issues related to the coronavirus pandemic.

The EDPB technology subgroup was mandated to focus on geolocation and other tracking tools, and tasked with producing guidance focusing on a variety of issues, including:

  • Applying data protection principles to available tools for tracking individuals and their locations;
  • The use of aggregated and anonymised location data;
  • Safeguards to be used to ensure compliance with data protection principles;
  • Providing legal analysis of applications used to contain the spread of the virus;
  • Recommendations for the use and development of contact tracing applications; and
  • The limiting of these measures to a specific timeframe.

A mandate was also assigned to the compliance, e-government and health subgroup to prepare guidance on the processing of health data for research purposes; specifically:

  • The processing of health data to advance scientific research;
  • Applying data protection principles to health-related data processing;
  • The possibility of re-using medical research data in connection with broader coronavirus data sharing; and
  • The dissemination of information, and its impact on data subject rights, in emergency situations.

Brazilian House to vote on Senate’s proposed delay of data protection law

On April 3rd, the Brazilian Senate voted in favour of PL1179/2020 (the Bill) which includes several emergency measures aimed at addressing the coronavirus pandemic. The Bill includes a provision to delay the effective date of the new Brazilian data protection law (Lei Geral de Proteção de Dados Pessoais, the ‘LGPD’) until January 2021.

Furthermore, the fines and sanctions to be handed out to organisations that do not comply with LGPD are now to become effective in August 2021.

The Bill noted that the postponement of the LGPD was being undertaken ‘so as not to hinder companies in the face of enormous technical and economic difficulties arising from the pandemic.’ We previously covered the various GDPR-like provisions of the LGPD here.

For more information please contact Partner, James Tumbridge at