Is GDPR an Obstacle in the European Fight against COVID-19?


I was in my doctor’s office for a post-coronavirus antibody test. As he was taking my blood, I asked him if the government was collecting this data for research on trends in antibody decline.
“No,” he replied. “There are GDPR measures protecting you from that.” My doctor thought he was reassuring me.
“What a pity,” I thought. As a “survivor” of SARS-CoV-2, I would hope that any longitudinal statistical data I could provide the research community would be valuable. Because of my battles with heart disease and a persistent organ infection, I get my blood tested every six months. My annual COVID-19 antibody data, combined with millions of others having routine blood tests, could help researchers trying to understand the evolution of this virus.

European healthcare is the envy of the world and we should be leading the way in the fight against COVID-19. But in our dismal failure to effectively manage the pandemic risks, I need to ask whether the European GDPR (General Data Protection Regulation) is one further policy tool standing in the way of risk management.

Is my personal data worth more than my health? Or my life?

The European GDPR legislation was passed in 2016 to ensure privacy and personal data protection at a time when Google and Facebook knew more about me than Mrs Monger. It was meant to update the pre-Internet 1995 European Data Protection Directive but had suffered a series of orchestrated delays (until Angela Merkel’s phone was hacked). It essentially gives Europeans some measure of control over their personal data and how it is processed and used. But the legislation has important ramifications on research and public safety concerns. This law was not written with the idea of managing a pandemic in mind.

Protecting privacy is sacrosanct in certain countries like Germany where there was a brutal history of authorities using personal information to commit atrocities on their populations. GDPR reflects the values of a generation that had grown up during the Cold War and then believed every stranger on the Internet was a predator. This policy though is being imposed on two subsequent generations that consider these predators as members of their tribes, colleagues and trustworthy information sources. Most people under 35 are not terribly concerned how their personal data is used so long as it provides them with benefits.

As most European countries lock down their populations in a second round of colossal COVID-19 risk management failure, protecting the sanctity of this unwanted legislation may be a tough sell if we realise how GDPR has got in the way of protecting Europeans and controlling the virus.

Tracking Saves Lives

“Test, track and trace” was the mantra back in March when people looked to Asia to learn how to contain the coronavirus. The Chinese introduced a system where I would receive a code on my phone and at every point in my public movement (into shops, onto trains or public facilities) I would have my phone scanned and my body temperature taken. My whereabouts were known not just to the authorities but to others around me who would receive an alert on their phones if a person testing as ‘high-risk’ was near me. If I didn’t like that, I would have to stay indoors.

The South Korean tracking system passed muster when, in May, a super-spreader event occurred in a crowded LGBTQ nightclub district in Seoul potentially infecting thousands. Prejudice and taboo around homosexuality in certain quarters of Korean culture made voluntary tracking well-nigh impossible but the authorities were able to quickly track down and test thousands of individuals, putting them into (monitored) quarantine and successfully containing the spread.

Both China and Korea had controlled the coronavirus spread early on in the outbreak, have suffered far lower infection and mortality rates than in the West and have not strangled their economies. I don’t see much outrage from a public allowed to get back to some degree of normalcy and economic activity.

We have the technology in the West to track people – from CCTV on every street corner to face recognition tools on every smart phone. What we lack is the regulatory permission to use these technologies to protect populations in times of crisis. The British call their COVID-19 strategy: Test and Trace (no tracking) but they rely on voluntary information and self-quarantining. As contracting the coronavirus has become the new social shaming equivalent of venereal disease, should we be surprised (as seen in Adelaide this week) that people lie?

Give me Liberty or Give me COVID!

Does GDPR reflect European culture? Do most Europeans demand privacy and data protection or is this a policy strategy of a small but loud political faction? As they age and millennials assume their roles in governance, will such echoes fade? If authorities were openly collecting data that would help contain COVID-19 and track down those who may have been unknowingly exposed, how many Europeans would object? How many thousands of lives could have been spared if our researchers and governments were not limited by such privacy and data access restrictions?

In the United States the cultural and historical roots of independence and liberty run deeper through the societal narrative. No doubt imposing an Asian style tracking system would have an even harder time in the hyper-litigious US than some untimely regulation coming out of Brussels. Even implementing a basic test and trace system has been proven to be woefully inadequate in the US with only one state barely passing.

But how strong is this cultural value of privacy in the face of widespread death and suffering? Is my personal data worth more than my ability to freely move around or enjoy gainful employment? Is it worth more than my life? In times of war, people readily surrender certain freedoms and privileges. It strikes me as ridiculous that spineless precautionistas readily locked down European populations while preserving the sanctity of GDPR and refusing to allow tracking tools that have been proven successful elsewhere.

Couldn’t certain privacy and data protection measures become more elastic in the face of a crisis? I would suggest imposing a type of reverse data protection: you have a right to not be tracked or informed of a potential virus exposure but you would have to make the effort to have yourself removed from the prevention programme (something like a Google Street View’s option for the Privatollahs).

We basically have the means to track everyone (even before Bill Gates put that chip in our brains) so we could always gather the beneficial data quietly. Researchers could still benefit from virus and antibody data without sharing the information. Would that be such a big deal?

Data is Power

In the 1990s I can recall having rather animated research ethics debates about the American Centers for Disease Control and Prevention’s use of biomonitoring data from their national programme. While the collection was intended to measure environmental exposures to certain toxins across a wide population, they were also quietly testing samples for the presence of HIV (at the time when this viral transmission dominated the narrative in the United States). The goal of this testing was to measure the prevalence of the disease in the population and as the subjects did not request the tests, the HIV positive results were not conveyed to the programme participants (contentiously allowing the virus to further spread undetected in the population).

I would agree with the CDC on this action – such data is essential to understand a disease and determine the resources and strategies needed to fight it. Data today is knowledge, especially in the public health domain, and hence data is power. But European researchers are not allowed to collect such data (without permission) and the cumbersome alternatives have left us with a dearth of vital information on SARS-CoV-2 at a time when informed decisions need to be made.

GDPR is valuable to ensure unscrupulous actors don’t profit from my data for marketing or political ends, but if access to my data will help fight serious diseases and protect individuals, then we should not measure data protection in such absolutist terms. And as the generation born with a Facebook account and a tablet in the crib comes of age, we may have to reconsider how vital such historical concepts are today.


8 Comments

  1. Upfront: I am a passionate follower of the risk monger.
    However in this case I feel the need to straighten a few elementary basics.

    Let’s start with Art. 1 GDPR – Subject-matter and objectives
    1) This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
    2) This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
    3) The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.

    So no, this is not the law that was intended to bring down the business of Facebook, Google, Amazon and the likes. Nor would it provide for any of the more extreme “theories” that can be heard around GDPR.

    No the GDPR is not in the way of risk management. Rather the opposite applies: I doubt any other regulation or directive has a) listed the word “risk” more often or b) has done more to promote a risk based approach than GDPR.

    No the GDPR does not put privacy above your health. In contrast it explicitly calls out in Art 6 Sec 1 Letter d the explicit permission to “processing is necessary in order to protect the vital interests of the data subject or of another natural person”

    I don’t know what the South Korean tracking tool does to make the call whether GDPR would prevent the same doing here – or not. But I do know for sure that neither a CCTV on every street corner nor face recognition on every smart phone would end or even mildly impact the Covid-19 pandemic. As such the headline “Give me Liberty or Give me COVID” is utter rubbish (my apology, it needs to be that frank).

    Speaking of disease control and prevention’s use of biomonitoring data: the GDPR does not generally prevent doing so. What it does require, however, is that anyone intending to do so, do their little homework and ask (and answer) the question why that was only possible with the explicit PII (personal identifiable information). What value add does that single record (say Covid-19 case, male, some overweight, age of 62, generally healthy, started Nov 2002, suchandsuch symptoms) in a big data pool gain when it also holds “Hubert Daubmeier, married to Barbara, address hereandthere, e-mail soandso, telephone suchandsuch”. Anyone’s likely answer is “no this does not add any value in disease control”. Given there is no purpose, there is no justification to shuffle the data all over the planet. If there was a good reason, anyone needed to contact me personally at a later time, then the system could be built in a way that another (independent) table provides the right people with the information to contact me.


    1. RiskMonger says:

      Thank you for your comment Hubert – indeed I am asking more questions than answers in this article.
      The South Koreans managed the outbreak, I understand, first via CCTV and card payment records – I am not sure it applies here, they have also made names of super-spreaders public (a tad too extreme perhaps). That would not be GDPR compliant – in the US that would be reason for a lawsuit (why I played with the title “Give me Liberty…” – that section looked at cultural differences).
      In GDPR, I am always struggling on the difference of gathering data and processing it since most tools automatically process any data collected. It comes down to anonymisation tools but GDPR still would require my informed consent. The CDC HIV data gathering did not seek consent for the added testing nor did they inform the participants. Part of an informed consent process would also need a policy on incidental findings (which the CDC also apparently ignored – the reason for the debates we had in the 90s). There is a lot of good data that is lost in the EU because of the need for non-tacit informed consent (I started by discussing why my antibody blood test was not going to be used to analyse trends. I would have to be informed and provide my active consent).
      I am proposing a tacit consent approach – eg, I would have to give my consent to not be tracked. Belgium had a problem of a severe shortage of transplant organs (people had to sign forms to allow their organs to be harvested upon death) until they changed the process and made it that you were automatically donating your organs upon death unless you fill out forms refusing to donate them. Belgium no longer has an organ shortage. Could that be applied for COVID-19 tracking?
      Recall the key element for me in this article is that, to the best of my knowledge, Europeans (and Americans) are not using the tracking tools – they all apply Test and Trace apps (the Belgian one does not seem to work well as my wife tested positive and I was still considered as risk-free three days later). It is the tracking tool that we need to have to be able to control hotspots. As far as I understand, these mandatory tracking apps go against GDPR – I would have to allow it and I don’t think there is any means for a tracking tool to be mandatory with me having the right to opt out (in the Chinese case, by staying home, eg, lockdown by choice). If people opted out and protected their personal data, maybe the rest of us would not have to have suffered the lockdowns.


      1. Difference on gathering data vs processing: there is none. Everything is defined as processing. This ends clumsy word games of the past.

        Art 6 provides six justifications for data processing
        a) consent
        b) contract (could be an option: a cup of coffee in return for data)
        c) legal obligation – a law demanding data gathering (e.g. in Germany innkeepers are [were] required to gather basic data of their guest)
        d) vital interests – this is where the pandemic comes into play
        e) public interest – uncommon in normal business, very suitable in a pandemic
        f) legitimate interest – CCTV needs this one and a good portion of marketing uses this. Means a bit of effort though.

        So depending on the purpose (and purpose is the central determining factor), there are several options to justify data processing.

        Now, when there are health data in the play then Art 9 kicks in. In short it says: health data only with informed consent (Art 6-1-a).

        The way out of this – may appear as a trap – is to have no personal data and keep the medical data. Anonymization (nobody can ever reconstruct the individual) and pseudonymization (few can or may be able to restore the individual) achieve this. As said before in the other comment: if we are talking processing mass data the individual is no longer of any interest. Hence when there is no reason to know the individual, its purpose is gone (see also above).

        One more thought on consent in the tracking scenario: let’s assume there was an app and it did its tracking secretly, without the data subjects’ knowledge. People realise this sooner or later anyway and then they leave their smartphone at home to take the SIM card out. Voila, good intentions, but …

        On your example of antibody blood test. You cannot change the purpose of processing after the fact. Thank our Marketing friends for common past misuse on this rule. But you can always redefine the purpose and ask the next guy with an updated purpose statement. All that is lost would be the samples of previously gathered blood tests. Or keep the blood samples and take the individual’s name away.

        BTW: on the organ donorship question. This is a question for society to decide. Privacy is neither roadblock, nor enabler. My thought on this question is: if you are not willing to donate, you cannot receive an organ either. Would increase the number of people supporting and lobbying donation.


      2. RiskMonger says:

        If I am not mistaken, GDPR still allows certain data collection but not processing of said data … which still puzzles me as I have seen people quibbling they are merely collecting data (essentially as one click on Qualtrics and collected data is processed … and why would we collect data if not for the value found in the analysis).
        But it gets me back to the absence of tracking tools in the EU to fight COVID-19. With the Chinese model the authorities would not let you into a shop or a train without your phone QR code so it gives the population a choice – a forced consent or a forced personal lockdown – the image I used for the article was of a security guard scanning a phone. With geotagging, technically we would not even need the police to intervene (except to arrest you). You cannot anonymise this data (the point of being able to track down potentially infected individuals). As I notice most EU and US COVID-19 systems are Test and Trace, I can only assume that this is where GDPR comes in. And if it relies on people voluntarily getting involved and voluntarily informing the authorities (we had the phone call from the Belgian Coronalert body), it becomes rather toothless – it is the capacity to track those infected that allows authorities to control hotspots otherwise they get out of control and the only solution is to lock everyone down.
        So we have the technology to track people, it worked to contain the virus spread in China and Korea in the spring but we are not doing it here. As I said, my article is asking more questions than answers but I can only assume there must be a good reason.

        And as for denying an organ transplant to a patient in need, this might work for an epidemiologist, but probably not a surgeon. 😉


  2. 1. on “data collection but not processing”: I would not know how to make such a distinction as the law is simple and clear. Art 4 Sec 2 GDPR defines: ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

    2. On “universal tracking”: let’s assume we had such a universal tracking app (no doubt it would be technically feasible) then the reaction of many people in the west is also clear: they would not install the app. If it was forced on them, they would leave their smartphones at home or remove the SIM card or find other ways out. Sorry to say: even in this example privacy is not getting in the way or would even be a determining factor. True, however, privacy can be easily blamed.

