Imagine someone asked you to download a software application that would track your location and share it with others to protect public health. Would you be willing to use it? An intelligent guess would be that five months ago your response, or at least the considerations that went into it, would have been different from today. No doubt protecting our data privacy in general, and our health data privacy in particular, is of significant importance to most of us… or is it? When we use apps and wearable tracking devices to count steps, measure deep sleep, visualize our heartbeats, or keep track of how many times we have been out to eat (imagine it is 5 months ago again) or gone to the gym, we are gathering personal data and sharing it with private companies for our own benefit but, of course, also theirs. Most, or at least many, of us happily hand over these personal data for the sake of convenience, even if we may feel a bit queasy when we really start to think about how much of our personal data is out there.

The domain of health data is changing across the world

Recently, the Dutch government announced that it will consider using a software application to limit the spread of COVID-19. Other European governments and European non-governmental organizations have been working on similar applications for controlling the COVID-19 pandemic, like the Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) toolkit. PEPP-PT provides information to its volunteering users about whether they maintain the required social distance. To do so, the app uses Bluetooth technology embedded in smartphones to monitor distances between phones.

Photo from Clay Banks on Unsplash

On the European side, these efforts came after these types of apps had shown their efficacy in containing the virus in South Korea, China, Taiwan and Singapore. South Korea was hit hard by the Middle East Respiratory Syndrome (MERS) epidemic in 2015 and learned from the experience. The government used an app to contact-trace COVID-19 patients and to warn members of the public when they were within 100 meters of COVID-19 cases. South Korea was able to flatten the infection curve in a very short time. In the EU, the use of this kind of app is subject to a fair number of procedures before it can be made operational. These procedures have delayed a proper response to this time-sensitive crisis. The measures that EU member-state governments took to contain the spread were outdated and, due to tighter data protection regulations, excluded the use of technologies that could have made a difference.

South Korea amended its data privacy regulations after 2015 following the MERS epidemic. Presently, South Korean law provides the health minister with extra authority in times of epidemics to use all kinds of personal data without prior consent. As a result, the South Korean government was able to maximize its use of track-and-trace technologies when the COVID-19 outbreak happened and thus contain the spread. In the EU, the General Data Protection Regulation (GDPR) categorizes health data under a special personal data category. As health care researchers know well, holding and processing health data is a road fraught with obstacles. For example, the European Data Protection Board (EDPB)[1] stated that “the use of contact tracing apps should be voluntary and should not rely on tracing individual movements, but rather on proximity information regarding users” and it issued Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak. Never mind that the EDPB was late in issuing its guidelines; the procedures within the guidelines delay any real-time response to the pandemic and thus decrease the effectiveness of the use of technology aimed at combatting the spread of COVID-19. These hand-tying procedures, together with the absence of a clear framework and strategy, are an obstacle to the best use of data-driven technology for public health.

This is not a call for relinquishing privacy standards altogether or ditching the data protection principles embedded in GDPR, nor is it an attempt to undermine the EU’s efforts to contain the spread. Instead, it’s a plea for a more strategic look forward so as to better contain future epidemics. Modifying EU privacy standards is needed to allow public health care systems in the member states to make optimal use of our technological knowledge. Also, it is time to move from our current ‘patient’ care system to a real ‘health’ care system, so that we are prepared for upcoming outbreaks.

[1] “The European Data Protection Board (EDPB) is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities.” EDPB’s website
