By Rubén Cano
The role of data protection in the pandemic with a focus on scientific research
Personal data protection plays a fundamental role in the “data economy” which, now more than ever, constitutes a crucial asset in designing effective pandemic plans and identifying appropriate solutions. In this vein, the dichotomy between public health and data protection, the latter recognized as a fundamental right in Article 8(1) of the Charter of Fundamental Rights of the European Union, becomes today more important than ever. However, the tension between the restrictions to data processing and the need, or convenience, of their processing to achieve certain purposes, is a challenge for authorities and individuals.
Who said data?
At the apex of the pandemic, we all became familiar with data processing activities such as geolocation of individuals, mobile applications for collecting infected persons’ information, infection self-assessments, immunity passports or infrared cameras. In addition to the above, looking to the future, there are also issues such as: (i) the use of biological data collected from infected individuals for the sole purpose of finding the vaccine, excluding ulterior uses of such data; (ii) the use of health data and biological samples that were initially collected for another purpose but could now become relevant to managing the health crisis – e.g., blood analysis data from individuals affected by a regular flu are now used to compare its effects against the particularities of the coronavirus; or (iii) the processing of data for categorization of individuals, so that more vulnerable people are first served with vaccines following a risk-based approach. In this line, many initiatives related to data aggregation were also launched, such as platforms aimed at sharing coronavirus-related data for researchers to upload, access and analyse datasets to accelerate research (see, for instance, Covid-19 Data Portal).
Consider point (iii) as an example. One cannot exclude that, now that the vaccine is a reality, there might be certain restrictions on its purchase and supply due to lack of availability. The latter could induce regulators, again, to prioritize more vulnerable segments of the population, based on, inter alia, the location of the individual, profession, age, previous pathologies and whether the patient already has the antibodies. In this sense, although vaccination criteria are constantly being updated and revisited, some countries or organizations have already issued their respective recommendations or strategies, such as: (i) the recommendations issued by the Centers for Disease Control and Prevention in the United States; (ii) the guidelines issued by the Italian Ministry of Health; or (iii) the Vaccination Strategy issued by the Inter-Territorial Council of the Health System in Spain.
Inevitably, data protection would also play a role in the selection and identification of the appropriate profiles and the supply of the corresponding vaccines.
In this context, monitoring the different applicable regulations together with an assessment of the proportionality, necessity, and adequacy of data processing activities constitutes an obligation for data controllers and processors. This is so given, inter alia, the particularities of health data, which have a special status and protection.
Here, different regulations interact, creating a hieroglyphic ecosystem: (i) Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and the free movement of such data (“GDPR”); (ii) regulations implementing the GDPR at a national level; and (iii) sectorial / special regimes regulating health and uses that make data processing necessary for the management of the crisis.
It goes without saying that, although there is no general prohibition to carry out practices entailing personal data processing in the coronavirus context, data controllers and processors must comply with the above-mentioned legislation, which may include obligations such as (i) having the appropriate legal basis for the data processing; or (ii) informing data subjects about the processing of their personal data.
For a non-expert in data protection law, the above means that, in the current system, there are mechanisms providing flexibility to regulators in order to enable the processing of personal data for health-related purposes. These mechanisms, with greater or lesser effectiveness, make health research or management possible. However, to some extent the practical application of such flexibilities highly depends on regulatory guidance and ad hoc interpretation from local authorities. As a result, a heterogeneous application of such flexibilities may generate doubts and divergences when it comes to their implementation in the different national legislations, which eventually could hinder the achievement of a “pan-European” solution: a heterogeneous answer to a common problem. This could, for instance: (i) pose challenges for data controllers and processors conducting their businesses in different EU countries – they will have to evaluate and adapt to the particularities of every jurisdiction; (ii) result in the inconsistent interpretation and application of data subjects’ rights throughout the EU; or (iii) facilitate the emergence of Private International Law issues such as forum shopping.
The case of data processing and scientific research
Both the above-mentioned flexibilities and the complexities in complying with the applicable legal regime may be illustrated through the example of scientific research, where data is being processed to fight against SARS-CoV-2 and its new strains, in an attempt to return to the new normal. One clear example is the processing of data for clinical trials. Here, many legal issues arise, such as: (i) the definition of “scientific research”; (ii) the legal grounds based on which data processing for scientific research purposes can be conducted; (iii) the proper mechanism to carry out international transfers of data; (iv) the necessity to notify (or not) such processing to the relevant Data Protection Authority; (v) the organizational and security measures the data controller has to put in place; or (vi) the retention period of personal data for this very purpose.
In the area of scientific research, the European Data Protection Board (“EDPB”) recently shed light on the matter, indicating, inter alia, that:
- Countries of the European Union may approve legislation to enable the processing of special categories of personal data (including health data) for research purposes: (i) out of necessity for “reasons of public interest in the field of public health, such as protection against serious cross-border threats to health, or to ensure high standards of quality and safety of health care and medicinal products or medical devices”; or (ii) because it is necessary for “archiving purposes in the public interest, for scientific or historical research or for statistical purposes”;
- Limitations and exceptions to rights in the area of data protection must be interpreted with caution and in a restrictive manner;
- Potentially, there may be a need to conduct a Data Protection Impact Assessment (“DPIA”);
- Calculation of data retention periods has to be carried out in a proportionate manner and periodically revisited;
- Regarding international transfers of personal data, Article 49(1)(a) or 49(1)(d) of the GDPR could be applied when this is necessary for important reasons of public interest or by explicit consent.
Although such guidelines are more than welcome, their development, interpretation and application, currently, greatly depend on the specific characteristics of each case, national Data Protection Authorities’ guidelines, the influence of complementary local legal frameworks and sectorial legislation applying to, for instance, the approval of pharmaceutical products. These create a complex regime that, definitely, affects the ability to adopt a uniform approach compliant with personal data protection regulations which at the same time fosters research within the European Union.
Acta est fabula?
Exceptional situations require exceptional measures. However, while it can be argued that the system must ensure some flexibility for health management and for efficiently and effectively achieving a cure against the virus, minimum standards must be met to prevent or mitigate the risk for individuals connected to the processing of their data. On the other hand, excessively restrictive interpretation could lead to ineffective crisis management and the loss of opportunities to use technology and data to fight the virus.
The circumstances of the specific case will determine issues such as the application of complementary legislation, requirements such as anonymization or pseudonymization, or further obligations determined by the characteristics of the case, for example, if it is a public or private entity.
Moreover, it is worth recalling that data protection is not an end in itself but, as indicated in Recital 4 of the GDPR, “the processing of personal data must be designed to serve humanity”. The development of the pandemic is setting in motion unprecedented mechanisms that, as in many other legal fields, have had a minor impact until now. In the use of such unprecedented flexibility mechanisms, a proportional approach will be necessary to adequately weigh, on the one hand, health and public interests and, on the other, the protection of personal data, providing a cross-jurisdiction solution to a common problem.
As we had the opportunity to explore throughout this text, nature has a devastating capacity to show us that law always follows societal trends, and not the other way around. The pandemic has shown how current EU regimes do not have the answer to all potential scenarios and, as such, legislation has to be flexible enough to bridge societal needs to legal structures, making sure law serves society. The future will show with more accuracy how these flexibility mechanisms were used by regulators and market operators in order to make sure we win the battle against the pandemic. Sadly, this is not finished yet. In the meantime, doubts about the heterogeneous practical implementation of GDPR flexibility provisions, the complex interaction between multi-level legal regimes, and the particularities of the approaches adopted by Data Protection Authorities will continue to emerge.
Rubén Cano currently practices as an Associate at Baker McKenzie in the areas of Intellectual Property and ITC. He studied at the universities of Alicante, Panthéon-Sorbonne and Bocconi. He holds an LL.M. in Intellectual Property and IT (University of Alicante) and an LL.M. in Law of Internet Technology (Bocconi University). He regularly writes academic and business oriented articles, and participates in events and seminars on technology and IP law related issues.
Photo via Unsplash. Image created by Samuel Rodriguez. Submitted for United Nations Global Call Out To Creatives – help stop the spread of COVID-19.