AEPD (Spain) - E/03690/2020

| AEPD (Spain) - E/03690/2020 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 89(1) GDPR |
| Type: | Investigation |
| Outcome: | No Violation Found |
| Started: | |
| Decided: | 20.04.2021 |
| Published: | |
| Fine: | None |
| Parties: | Ministerio de Transportes, Movilidad y Agenda Urbana |
| National Case Number/Name: | E/03690/2020 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | n/a |
The Spanish DPA found that an impact study carried out by the Spanish Government on daily commuting trends during the COVID-19 pandemic was conducted in compliance with the GDPR.
English Summary
Facts
The Spanish DPA investigated the impact study carried out by the Spanish Ministry of Transport on daily commuting trends during the first days of the COVID-19 pandemic. In particular, the investigation focused on whether the data used for the study was appropriately pseudonymised and whether there was any risk of the data being re-used for purposes other than the original ones.
Data from the mobile phones of individuals who were customers of one operator were collected over several days to measure daily commuting trends on regular days. This data was pseudonymised by the operator with hash techniques and by grouping the data by areas of origin of at least 5000 people. The data was then provided to a consultancy firm that aggregated it automatically and processed it to produce the indicators required by the Ministry of Transport.
All the measures put in place to unlink the data, pseudonymise it, aggregate it and further group and process it to produce the final indicators are considered sufficient to make the identification of the data subjects who originated it practically impossible.
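The operator-side pipeline described in the decision (SHA-2 hash pseudonymisation, aggregation into zones of generally 5,000 and never fewer than 1,000 inhabitants, suppression of zones where fewer than 2% of the population is observed, and expansion to the total population), as an added Python example that is not part of the decision or of the operator's or consultant's software. The zone populations, subscriber records and operator key are constructed for the example; keying the hash with an operator-held secret (the decision only says a SHA-2 hash is used) and using population divided by observed users as the expansion factor are assumptions made here.

```python
import hashlib
import hmac
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Thresholds quoted in the decision: zones generally >= 5,000 inhabitants and
# never < 1,000; a zone whose observed users are < 2% of its population is
# suppressed (so at least 20 users for a 1,000-inhabitant zone).
MIN_ZONE_POPULATION = 1000
MIN_SAMPLE_SHARE = 0.02

# Distance ranges of the Maestra1 matrix, as listed in the decision (km).
DISTANCE_BUCKETS = [
    (0.5, 2, "0005-002"), (2, 5, "002-005"), (5, 10, "005-010"),
    (10, 50, "010-050"), (50, 100, "050-100"),
]

# Constructed zone populations (not real census data). Z3 is below the floor.
ZONE_POPULATION = {"Z1": 6000, "Z2": 1000, "Z3": 800}

# Constructed operator key (assumption: the hash is keyed with a secret held
# only by the operator, so nobody without the key can recompute a pseudonym).
OPERATOR_KEY = b"constructed-operator-secret"

Record = Tuple[str, str, str, float, int]  # (subscriber, origin, dest, km, hour)


def pseudonymise(subscriber_id: str, key: bytes) -> str:
    """Replace the subscriber identifier with an HMAC-SHA256 pseudonym.
    Equal inputs map to equal pseudonyms, so the trips of one subscriber stay
    linkable during analysis without exposing the identifier itself."""
    return hmac.new(key, subscriber_id.encode(), hashlib.sha256).hexdigest()


def distance_bucket(km: float) -> Optional[str]:
    """Map a trip length to the matrix's distance range; None below 500 m."""
    if km < 0.5:
        return None
    for lo, hi, label in DISTANCE_BUCKETS:
        if lo <= km < hi:
            return label
    return "100+"


def build_zone_matrix(records: List[Record], zone_population: Dict[str, int],
                      key: bytes):
    """Pseudonymise, suppress unreliable zones, aggregate trips per
    (origin, destination, period, distance) and expand to the population."""
    pseudo = [(pseudonymise(s, key), o, d, km, h) for s, o, d, km, h in records]

    # Distinct pseudonyms seen in each zone, as origin or as destination.
    observed: Dict[str, Set[str]] = defaultdict(set)
    for pid, o, d, _km, _h in pseudo:
        observed[o].add(pid)
        observed[d].add(pid)

    # A zone is suppressed if it breaches the population floor or the 2% rule.
    suppressed = {
        z for z, pop in zone_population.items()
        if pop < MIN_ZONE_POPULATION or len(observed[z]) < MIN_SAMPLE_SHARE * pop
    }

    trips: Counter = Counter()
    for pid, o, d, km, h in pseudo:
        bucket = distance_bucket(km)
        if o in suppressed or d in suppressed or bucket is None:
            continue  # trips touching a suppressed zone are dropped entirely
        trips[(o, d, f"{h:02d}", bucket)] += 1

    # Expansion to the population universe: population / observed users of the
    # origin zone stands in for the operator's market penetration (assumption).
    rows = {}
    for (o, d, period, bucket), n in trips.items():
        factor = zone_population[o] / len(observed[o])
        rows[(o, d, period, bucket)] = {"trips": n, "expanded": round(n * factor, 1)}
    return rows, suppressed


# Constructed sample: 150 subscribers commute inside Z1; 15 of them also travel
# to Z2 (only 1.5% of Z2's population); 10 others travel from Z3, which is
# below the population floor, into Z1 (so Z1 observes 160 distinct users).
SAMPLE_RECORDS: List[Record] = (
    [(f"u{i}", "Z1", "Z1", 1.2, 8) for i in range(150)]
    + [(f"u{i}", "Z1", "Z2", 7.0, 17) for i in range(15)]
    + [(f"v{i}", "Z3", "Z1", 3.0, 9) for i in range(10)]
)

if __name__ == "__main__":
    rows, suppressed = build_zone_matrix(SAMPLE_RECORDS, ZONE_POPULATION, OPERATOR_KEY)
    print("suppressed zones:", sorted(suppressed))
    for k, v in rows.items():
        print(k, v)
```

Only the Z1 to Z1 cell survives: Z2 is dropped by the 2% rule (15 of 1,000 users observed, below the 20-user floor the decision derives) and Z3 by the 1,000-inhabitant floor, and the surviving count is expanded by 6000/160.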
Dispute
Has the mobility study of the Spanish Ministry of Transport been conducted in compliance with the GDPR, in particular as regards the appropriate pseudonymisation of the data and the impossibility of re-using the data for incompatible purposes?
Holding
The Spanish DPA held that the measures put in place by the Spanish Ministry of Transport to conduct the mobility study were sufficient to ensure that the data could not be associated with individual people or re-used for purposes incompatible with the original ones.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure No.: E/03690/2020

RESOLUTION ON THE FILING OF ACTIONS

Of the actions carried out by the Spanish Data Protection Agency, and based on the following

FACTS

FIRST: On April 21, 2020, the Director of the Spanish Data Protection Agency agreed to initiate investigative actions in relation to the tool for the study and analysis of mobility data during the state of alarm, based on a study using Big Data technology carried out by the Ministry of Transport, Mobility and Urban Agenda (MITMA), NIF S2817040E, in order to determine whether those facts gave rise to indications of an infringement within the area of competence of the Spanish Data Protection Agency.

SECOND: The Subdirectorate General for Data Inspection carried out preliminary investigative actions to clarify the facts, from which the following points are known:

MITMA states that "The work entitled 'Analysis of mobility in Spain with big data technology after the application of Royal Decree 463/2020, of March 14, declaring the state of alarm for the management of the health crisis caused by COVID-19' forms part of the set of studies that the Government is developing on the mobility of the population, with the aim of having data on movements throughout the national territory and contributing to decision-making in the current scenario arising from the COVID-19 pandemic.

According to Order SND/297/2020, of March 27, which entrusts the Secretary of State for Digitalization and Artificial Intelligence, of the Ministry of Economic Affairs and Digital Transformation, with the development of various actions for the management of the health crisis caused by COVID-19, in its second point, 'DataCOVID-19: mobility study applied to the health crisis', the Ministry of Health entrusts the Secretary of State for Digitalization and Artificial Intelligence, of the Ministry of Economic Affairs and Digital Transformation, following the model undertaken by the National Institute of Statistics (INE) in its mobility study and through the cross-referencing of data from mobile operators, in aggregated and anonymised form, with the analysis of the mobility of people in the days before and during confinement.

The conclusion reached after all the coordination meetings clearly coincided in that the work carried out by the INE and by MITMA were complementary, to the extent that MITMA provided the general mobility of all citizens, at all hours, by time periods, with distance ranges, and also quantified the population that did not travel. Meanwhile, the INE study was more specific, focusing on daily movements for work or study to nearby areas outside one's own zone, and for a limited period of hours in the day (from 10 a.m. to 4 p.m.).

C/ Jorge Juan, 6, 28001 Madrid. www.aepd.es, sedeagpd.gob.es

On the other hand, mobility and the transport of people and goods are a direct competence of the Ministry of Transport, Mobility and Urban Agenda. In this sense, carrying out this work also responds, within the framework of the COVID-19 pandemic, to the need to know the existing reality and its evolution during the state of alarm in terms of the mobility of citizens: trips made, their radius of action, their origin or destination, the time at which they occur, etc., with the aim of being able to serve and dimension public transport services, dimension the extra-peninsular services with the islands and autonomous cities, avoid crowds in terminals, and maintain social distance on trains, buses, airplanes, vehicles and other means of transport.
The work provides, in short, a tool that allows mobility to be characterised at the national, autonomous community, provincial and local level and which, in addition, makes it possible to support the work of monitoring the evolution of the disease, to evaluate the effectiveness of the mobility restriction measures adopted, and to support decision-making during the de-escalation period."

According to the MITMA press release on the publication of the mobility analysis tool, the mobility analysed starts from March 1 and its evolution is measured throughout the alarm period and the de-escalation of the measures to control the pandemic. It also specifies that, as part of the analysis, daily mobility is compared with that of an equivalent typical week prior to the crisis, for which the week of February 14-20, 2020 was chosen.

MITMA states that the work uses as its main source of data that provided by the positioning of mobile phones in the telephony cells defined by the companies' terrestrial antennas. The work uses the positioning of terminals of the operator *** COMPANY.1. That operator has indicated to the Ministry, in an email sent to it, that it provides this service guaranteeing that the statistical indicators supplied to *** COMPANY.2 have all the appropriate measures in place to prevent the identification of any user, not only by anonymising the information prior to its analysis, but also by applying aggregation rules that prevent any data referring to a single person or to a small group of potentially identifiable people from being displayed as a statistical value.

The information is aggregated, according to the Ministry's specifications, by administrative units (districts, municipalities or groupings of municipalities, depending on the case) with a general population greater than 5,000 inhabitants, and in no case less than 1,000. This already aggregated and anonymous information is post-processed by the consultant *** COMPANY.2 to generate different indicators that are also aggregated and that, in addition, are raised to the total population universe depending on the degree of penetration of the operator by territory, which introduces a new barrier between the original data and the result of the work. These already expanded mobility indicators are the objective results of the work which, finally, are sent to the Ministry in various manageable formats. In other words, the only information received by the Ministry consists of inter-zone mobility indicators that do not allow any personal information to be reconstructed.

Finally, with the mobility results obtained in the work, MITMA has created an ad hoc tool on its website, open to all citizens, that allows the results of the work to be analysed and visualised.

Regarding the guarantees that the data will not be used for purposes other than the object of the study, it is stated that the pseudonymised data initially provided by the operator are processed for aggregation in a secure infrastructure managed by the telephone operator itself. It is an automatic process in which no consultant worker has read access to the records. Once processed to generate the aggregated information, the initial records, which were already pseudonymised, are deleted from the secure infrastructure managed by the operator. That is, the original data never leave the custody of the operator. The consultant can only work with data that are already anonymised and grouped, and the Ministry receives mobility indicators that come from the processing of grouped, anonymised and expanded data. Ultimately, the original data are not known outside, and never leave, the telephone operator, and therefore can hardly be used for purposes other than the object of the study.
Regarding the processes and guarantees of personal data protection applied, in particular in relation to the processes involved in anonymisation (aggregation, summary or hash functions, etc.), the following is set out:

a. The telephone operator pseudonymises the mobile telephone records by eliminating any information that allows the users of the network to be uniquely identified. In this operation it uses a cryptographic hash function of the SHA-2 family, which breaks any association between the original values of the processed fields and those used during the analysis, maintaining only the relationships between records that are relevant to the purpose of the analysis.

b. The pseudonymised records are stored in a secure infrastructure managed by the telephone operator, in which the specialised software developed by *** COMPANY.2 for the processing and anonymisation of the data is installed. During this process, no employee of *** COMPANY.2 has read access to the source records. Once processed to generate the aggregated information, these source records are removed from the secure infrastructure enabled for the analysis. The *** COMPANY.2 software processes these records on a daily basis to generate the aggregated mobility information, which is likewise delivered daily to MITMA. The data analysis and aggregation process lasts approximately 3 days: thus, the mobility information corresponding to day N is delivered to MITMA on day N + 3. Source records are kept in the *** COMPANY.1 secure infrastructure for a maximum of 30 days, in case it is necessary to reprocess them (for example, to correct any errors detected in the output results). After that time, the source records that have already been processed are removed.

c. The result of the processing is information already aggregated according to the specifications made by the Ministry, extrapolated to the total population and completely anonymous.
The information is aggregated by administrative units (districts, municipalities or groupings of municipalities, depending on the case) with a general population greater than 5,000 inhabitants, and in no case less than 1,000. The zones used for the study generally correspond to census tracts, except in the case of census tracts with a population of less than 5,000 inhabitants, which are joined to other adjacent census tracts to build zones that generally have a population equal to or greater than 5,000 inhabitants.

The mobility analysis delivered each day corresponds to the movements and trips produced four days earlier. *** COMPANY.2 delivers to MITMA three master matrices from which, by applying aggregation software, the rest of the planned mobility matrices are produced, obtained by aggregation to municipality, province, autonomous community or national level. The master matrices are as follows:

1. "Maestra1_mitma_district. It is the mobility matrix between the defined zones. Mobility is measured in travellers and traveller-km, and other attributes of the trip are provided, such as the distance (measured in km intervals), the time period of the start of the trip (measured in one-hour intervals), the province of residence (inferred from the observations) and the activity at origin or destination (inferred from continuous stays in the same place at night or during the day). There is also an age field, which does not contain results (NA = not applicable).
According to the sample provided, the fields in this table are: Date (day in "YYYYMMDD" format); Origin (identifier of the zone where the trip originates); Destination (identifier of the zone where the trip ends); Activity at origin (home | work | other); Activity at destination (home | work | other); Residence (province of residence of the travellers); Age (the value recorded in the sample is in every case "NA"); Period (identifier of the hour in which the trip originates, in "HH" format); Distance (distance range of the trip), which can take the following values: 0005-002, for trips between 500 metres and 2 kilometres; 002-005, for trips between 2 and 5 km; 005-010, for trips between 5 and 10 km; 010-050, for trips between 10 and 50 km; 050-100, for trips between 50 and 100 km; 100+, for trips of more than 100 km; Trips (number of trips); Travel_km (number of travellers * kilometres).

2. "Maestra2_mitma_district. It is the matrix of daily movements of citizens by zone. Four blocks of movements are established according to the number of trips (0, 1, 2, +2)". According to the sample provided, the fields in this table are: Date (day in "YYYYMMDD" format); District; Number of trips (0; 1; 2; 2+); People (number of people).

3. "Maestra3_mitma_municipality. It is the matrix of overnight stays. It indicates, by zone, the overnight stays made by residents or non-residents in that zone. The degree of zoning of this matrix is higher than that of the other two, given that the purpose of the fields it contains is linked to residence and overnight stays at a minimum level of municipality".
According to the sample provided, the fields in this table are: Date (day in "YYYYMMDD" format); Municipality; Province of residence; Residence in municipality (SI | NO); People (number of people).

Regarding the possibilities of "re-identification", it is pointed out that "since all the information generated is aggregated information, the only risk identified lies in the possibility that the level of aggregation was insufficient to completely eliminate the risk of re-identification of users. The impact of such re-identification would be the ability to infer some of the trips made by the re-identified person. Given the spatial aggregation used for the study, this impact would be limited to knowing the zones of origin and destination of the trip, and never the specific points of origin and destination. It is considered that the level of aggregation used for the study, with population units always greater than 1,000 inhabitants, completely eliminates any risk of re-identification of individual users."

It is also pointed out in this regard that "The main measure to eliminate the risk of re-identification (…) is to use a zoning made up of zones whose population is generally greater than 5,000 inhabitants, and in no case less than 1,000 inhabitants. The population size of the zones considered is regarded as sufficient for the risk of re-identification to be negligible. With regard to the measure taken by the INE of censoring the result whenever the number of observations is less than ten in a mobility cell for an operator, it should be noted that the MITMA project design de facto incorporates a similar measure: on the one hand, the population size of the zones considered is generally more than 5,000 people (exceptionally 1,000).
On the other hand, when a zone has a sample of users of less than 2% of its population, it is considered that the results may not be reliable enough, and the data of trips with origin and/or destination in that zone are deleted. Also, taking into account this criterion for limiting the sample expansion factors, when for a given zone defined by aggregation, districts accounting for more than 25% of the sampling frame have been discarded, the indicators corresponding to that zone are not provided. The reason for adopting this measure is twofold: on the one hand, the need to avoid sample expansion factors that are too high and may affect the reliability of the results; and on the other, this measure also means that the number of users observed for each study zone is always higher than 2%. This means, in the exceptional case of a zone of 1,000 inhabitants, a minimum lower limit of 20 users, since otherwise the results for that zone will not be provided. In practice, therefore, the measure is equivalent to that adopted by the INE, but setting a threshold of 20 observations instead of 10."

FOUNDATIONS OF LAW

I

In accordance with the investigative and corrective powers that article 58 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants to each supervisory authority, and pursuant to the provisions of article 47 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the guarantee of digital rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to resolve these investigative actions.
II

In accordance with the provisions of article 55 of the RGPD, the Spanish Data Protection Agency is competent to perform the functions assigned to it in article 57, including that of enforcing the Regulation and promoting awareness among controllers and processors of the obligations incumbent upon them, as well as handling claims submitted by a data subject and investigating the reasons for them.

It is also the responsibility of the Spanish Data Protection Agency to exercise the investigative powers regulated in article 58.1 of the same legal text, which include the power to order the controller and the processor to provide any information required for the performance of its duties. Correspondingly, article 31 of the RGPD establishes the obligation of controllers and processors to cooperate with the supervisory authority that so requests in the performance of its duties. Where they have designated a data protection officer, article 39 of the RGPD assigns to that officer the function of cooperating with that authority.

Similarly, the domestic legal system also provides for the possibility of opening a period of information or preliminary actions. In this sense, article 55 of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations, grants this power to the competent body in order to know the circumstances of the specific case and whether or not it is advisable to initiate the procedure.

III

Article 2 of the RGPD, regarding its material scope of application, provides in its first paragraph that "This Regulation applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system."
Article 4 of the RGPD defines, in its point 1, personal data as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".

Recital 26 of the RGPD clarifies in this regard that "The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes."

In the same sense, article 89.1 of the RGPD provides: "Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner."

In the present case, MITMA states that the work uses as its main source of data that provided by the positioning of mobile phones in the telephony cells defined by the companies' terrestrial antennas. The work uses the positioning of terminals of a single operating company. On a daily basis, the mobility analysis corresponding to the movements and trips produced four days earlier is delivered to MITMA.

From the information provided regarding the processing carried out so that the original information becomes anonymous and the data subject is not identifiable, it follows that the operator initially provides pseudonymised data, which are processed to generate aggregated and anonymous information, which in turn are processed to generate different indicators that are also aggregated, noting that, in addition, they are raised to the total population universe depending on the degree of penetration of the operator by territory, which introduces a new barrier between the original data and the result of the work. These already expanded mobility indicators are the objective results of the work which, finally, are sent to MITMA in various manageable formats.
As guarantees that the data will not be used for other purposes, it is set out that the telephone operator pseudonymises the mobile telephone records by eliminating any information that allows the users of the network to be uniquely identified; for this it uses a cryptographic hash function of the SHA-2 family, which breaks any association between the original values of the processed fields and those used during the analysis, maintaining only the relationships between records that are relevant to the purpose of the analysis. The pseudonymised records are stored in a secure infrastructure managed by the telephone operator, in which the specialised software developed by *** COMPANY.2 for the processing and anonymisation of the data is installed. Once processed to generate the aggregated information, these source records are removed from the secure infrastructure enabled by the operator. It specifies that the original data never leave the custody of the operator and are deleted after being processed, without prejudice to the fact that they may be kept for a maximum of 30 days in the operator's secure infrastructure in case it is necessary to reprocess them (for example, to correct any errors that may be detected in the output results).

The result of the processing is information already aggregated according to the specifications made by the Ministry, extrapolated to the total population and completely anonymous. The information is aggregated by administrative units (districts, municipalities or groupings of municipalities, depending on the case) with a general population greater than 5,000 inhabitants, and in no case less than 1,000.
Regarding the possibilities of "re-identification", it is stated that "The main measure to eliminate the risk of re-identification (…) is to use a zoning composed of zones whose population is generally greater than 5,000 inhabitants, and in no case less than 1,000 inhabitants. Regarding the measure adopted by the INE of censoring the result whenever the number of observations is less than ten in a mobility cell for an operator, it should be noted that the MITMA project design de facto incorporates a similar measure: on the one hand, the population size of the zones considered is generally more than 5,000 people (exceptionally 1,000). On the other hand, when a zone has a sample of users of less than 2% of its population, it is considered that the results may not be reliable enough, and the data of trips with origin and/or destination in that zone are deleted. In addition, taking into account this criterion of limiting the sample expansion factors, when for a given zone defined by aggregation, districts representing more than 25% of the sampling frame have been discarded, the indicators corresponding to that zone are not provided. The reason for adopting this measure is twofold: on the one hand, the need to avoid sample expansion factors that are too high and may affect the reliability of the results; and on the other, this measure also means that the number of users observed for each study zone is always greater than 2%. This means, in the exceptional case of a zone of 1,000 inhabitants, a minimum lower limit of 20 users, as otherwise the results corresponding to that zone are not provided."

In accordance with the definition of "personal data" contained in article 4.1 of the RGPD, the information communicated to MITMA, insofar as it has been subjected to a prior anonymisation and aggregation process that does not allow the re-identification of the data subjects in that information, would be outside the scope of the RGPD, in accordance with the provisions of its article 2.
In this sense, the last paragraph of Recital 26 of the RGPD specifies: "The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes."

Therefore, the documentation analysed in the preceding paragraphs does not reveal reasonable indications of an infringement of the data protection regulations by MITMA.

Therefore, in accordance with the above, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO PROCEED WITH THE FILING of these actions.

SECOND: TO NOTIFY this resolution to the MINISTRY OF TRANSPORT, MOBILITY AND URBAN AGENDA.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations, and in accordance with arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month counting from the day after notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the aforementioned Law.

Mar España Martí
Director of the Spanish Data Protection Agency

C/ Jorge Juan, 6, 28001 Madrid. www.aepd.es, sedeagpd.gob.es