Scientific research has probably never played a more central, time-sensitive role in our society than during the COVID-19 pandemic. Researchers are being pressed to produce results as quickly as possible. And processing health-related data is a key element of this research—which raises significant questions on how to reconcile privacy and public safety. News articles, LinkedIn posts, and Tweets highlight concerns around the tradeoff between, for example, privacy and health, privacy and public interest, and privacy and safety, with privacy regimes being depicted as obstacles to overcome in the fight against COVID-19.
On April 21, 2020, the European Data Protection Board (the "EDPB") issued its "Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak" (the "Guidelines"). The EDPB states that "[d]ata protection rules (such as the GDPR) do not hinder measures taken in the fight against the COVID-19 pandemic." The Guidelines' main objective is to shed some light on this statement. The Guidelines also provide some direction on which provisions of the GDPR (European General Data Protection Regulation) are relevant when conducting scientific research in the context of the COVID-19 pandemic.
Unfortunately, and with the exception of some limited practical examples, the Guidelines are mainly a patchwork of cross-references to, and quotes taken from, GDPR provisions and recitals and previous guidelines published by the EDPB or by its predecessor, the Article 29 Working Party. The EDPB did not take the opportunity (possibly due to lack of time) to provide more detailed thought and insight on processing personal health data for scientific research. [1]
However, there are points from the Guidelines that we think you should know about:
- Broad definition of data concerning health. The EDPB indicates that the concept covers data collected from a wide range of sources, including the data traditionally collected by a doctor from a patient record as well as information that is inferred from a combination of different data. With regard to the latter, the EDPB states that information obtained by cross-referencing data and that reveals information on the state of health or health risks is to be considered personal (health) data. In the same way, information derived from "self-check" surveys or information about travel in regions affected by COVID-19, although not considered health information per se, might become health data if processed in a specific manner (e.g., by a doctor to make a diagnosis).
- COVID-19 research meets the public interest threshold. The EDPB clearly recognizes the processing of special categories of data carried out in the context of the fight against COVID-19 as a "processing serving important grounds of public interest." It does so by referring to Recitals No. 46 and No. 112 GDPR. Indeed, if someone reads the GDPR again in the light of the COVID-19 outbreak, they will probably realize that these recitals are relevant to the situation in which we live today. The recitals refer to the necessities of processing data to "monitor epidemics and their spread or in situations of humanitarian emergencies" (Recital No. 46) and of transferring necessary data "in the case of contact tracing for contagious diseases" (Recital No. 112). COVID-19 scientific researchers could justify their use of personal health data by pointing to Article 9(2)(j)—which states that processing is necessary for archiving purposes in the public interest, scientific or historical research purposes—and to Article 9(2)(i) GDPR—which states that processing is necessary for reasons of public interest in the area of public health.
- GDPR does not preclude international cooperation in the field of research. The EDPB stresses that international cooperation might be critical to dealing with the pandemic and that this might entail international transfers of personal health data to countries outside the European Economic Area ("EEA"). In these cases, data exporters will have to comply with the provisions included in Chapter V of the GDPR, which impose certain restrictions on the transfer of personal data. The EDPB suggests that, when adequacy decisions or other safeguards are not available, the derogations of Article 49(1)(a) GDPR (i.e., explicit consent of the data subject) and 49(1)(d) GDPR (i.e., "transfer necessary for important reasons of public interest") may be relied on. However, one should recall that the derogations should be considered "mainly as a temporary measure due to the urgency of the medical situation globally." So while the derogations might justify the initial transfers of personal health data for the purpose of COVID-19 research needed right now, justification for later data transfers, as part of a longer COVID-19 research project, would need to be based on an appropriate safeguard under Article 46 GDPR.
The Guidelines likely will not end the debate over the right balance between privacy and public health in the current health crisis; however, they are worth reviewing, if only for the clarity they give that the GDPR is not an obstacle to global public health.
[1] However, before year end, the EDPB will come back with broader guidelines (not specific to COVID-19) on the processing of personal data for scientific research, as this is part of the EDPB's work plan for 2020.