Privacy and Health Regulation updates during Covid-19: Must-know updates

The Covid-19 pandemic affected ordinary life in an extraordinary way. Not only it impacted our health, our lifestyle, our economy, but also regulations enforcement. If the governments are still striking to find the right balance between fighting the pandemic and addressing privacy issues, they recognize the urgent need to adapt and are already starting to give updates on existing and forthcoming regulations. Here are the essentials you need to know to navigate the changes (at least for now, we’ll keep you posted!) within regards to managing personal and health data.

*This is a living document that will be updated on a regular basis.

GDPR: remaining within the rules.

The European Data Protection Board (EDPB) says that it is possible to adapt to the situation while remaining within the rules.

Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic,” says EDPB chair Andrea Jelinek.

“However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.”

Consent and Data Collection

Data Protection Authorities all agree: only essential information should be collected

So, only in case that it’s necessary for public health reasons, public health authorities and employers can process personal data without having the consent of the concerned individuals.

If the concept might be simple in theory, it leaves organisations with a lot of questions and challenges to solve. To provide guidance on the subject, International Law Firm White & Case has set out “an overview of some of the key issues for organisations to consider during this crisis, from an EU data protection compliance perspective”.

Mobile location data

« For the processing of electronic communication data, such as mobile location data, additional rules apply. The national laws implementing the ePrivacy Directive provide for the principle that the location data can only be used by the operator when they are made anonymous, or with the consent of the individuals. » 

« When it is not possible to only process anonymous data, Art. 15 of the ePrivacy Directive enables the member states to introduce legislative measures pursuing national security and public security *. This emergency legislation is possible under the condition that it constitutes a necessary, appropriate and proportionate measure within a democratic society. If such measures are introduced, a Member State is obliged to put in place adequate safeguards, such as granting individuals the right to judicial remedy. »

European Commission’s Recommendation on apps for contact tracing, published on 8 April and setting out the process towards a common EU toolbox for the use of technology and data to combat and exit from the COVID-19 crisis

Andrea Jelinek, Chair of the EDPB, said: “The EDPB welcomes the Commission’s initiative to develop a pan-European and coordinated approach as this will help to ensure the same level of data protection for every European citizen, regardless of where he or she lives.

Letter concerning the European Commission’s draft Guidance on apps supporting the fight against the COVID-19 pandemic

In its letter, the EDPB specifically addresses the use of apps for the contact tracing and warning functionality, because this is where increased attention must be paid in order to minimise interferences with private life while still allowing data processing with the goal of preserving public health.

MDR: Postponed. 

Parliament adopted the European Commission proposal, allowing the application of the Medical Devices Regulation to be postponed by one year until 26 May 2021.

«This postponement will take the pressure off national authorities, notified bodies, manufacturers and other actors so they can focus fully on urgent priorities related to the coronavirus crisis.

Vice-President for Promoting our European Way of Life, Margaritis Schinas, said: “Shortages or delays in getting key medical devices certified and on the market are not an option right now. The Commission is therefore taking a pragmatic approach and delaying the entry into application of new EU rules on medical devices, so we can have our medical industries pouring all their energy into what we need them to be doing: helping fight the pandemic. This shows once again that the European Union is leaving no stone unturned in our support to national public health systems in their hour of need.


Switzerland: The principles of the Federal Act on Data Protection, must be respected.

The authorities, in cooperation with health institutions, are doing everything possible to stem the rapid spread of the coronavirus. Insofar as private individuals (in particular employers) process personal data to combat the pandemic, the principles set out in Article 4 of the Federal Act on Data Protection must be respected.


France: CNIL Recalls Data Protection Rules in the Context of the COVID-19 Outbreak

The French Data Protection Authority (the “CNIL”) issued guidance which outlines some of the principles relating to personal data processing. 

The Guidance stresses that employers may not implement measures to fight against the coronavirus pandemic that would infringe on employees’ or visitors’ right to privacy, especially by collecting personal health data that would go beyond what is necessary to determine potential exposure to the virus. 


Germany: A solid framework for privacy and health innovation

German Authorities Issue Guidance Related to Coronavirus.

Germany is among a few countries that have already set-up the scene for effective promotion of remote patient monitoring and digital health adoption. Digital Health Innovators can apply for the DiGA “Fast Track” and have their solutions reimbursed and prescribed by physicians. 

« The Health Innovation Hub, established by Germany’s Ministry of Health, published a list of trusted telemedicine services. Most of these are available for free, towards which citizens can turn during the pandemic. » 


UK: marks a shift in its privacy policy on patient data collection and usage 

The National Health Service in England has sent out a document that marks a shift in its policy on patient data. It mentions the use of data to understand trends in the spread and impact of the virus and “and the management of patients with or at risk of Covid-19 including: locating, contacting, screening, flagging and monitoring such patients”.

In this regard, the UK Information Commissioner’s Office (ICO) also published “a handy guide to what you need to know about data protection during the pandemic” that specifically addresses the concerns of healthcare organisations and professionals.


Globally: A closer look at privacy updates during pandemic, at a glance

The latest guidance and information from The Global Privacy Assembly (GPA members) and observers on data protection and COVID-19 can be find in the source below: