The General Data Protection Regulation (GDPR), hailed by many EU policymakers since its inception as the global “gold standard” for data protection, has come under renewed scrutiny recently as its regulations have stood in the way of providing relief to European citizens and businesses hit hard by the COVID-19 pandemic. Indeed, if the GDPR were a drug, it would have been recalled by now for all its unintended side effects. As other countries consider whether to follow in the EU’s footsteps with similar legislation, it is worth looking back at where the law has fallen short during the pandemic.
At the beginning of the pandemic, Italy, one of the countries in Europe hit hardest by COVID-19, found that the GDPR prevented businesses from taking basic steps to track and trace potential infections. In early March last year, as Italy was entering an eventual lockdown and cases and deaths from the virus were spiking, the Italian Data Protection Authority (DPA) issued a statement explaining that employers could not collect from workers “information on the presence of any signs of influenza in the worker and his or her closest contacts.” This meant, for example, that employers could not record body temperatures to ensure compliance with safety protocols for essential workers. The French DPA issued similar guidance and noted also that the GDPR banned employers from using thermal cameras to automatically check temperatures of their workers.
As the pandemic progressed, it became clear that the GDPR had also become a barrier to biomedical research—the very research necessary to save lives and reopen the economy. The GDPR creates significant challenges to research organizations in the EU sharing data with researchers located in most countries outside the EU. Indeed, a team of researchers from the United States, Canada, and the EU published an article in Science this fall arguing that “the GDPR’s limitation on data transfers will hamper science globally in general and biomedical science in particular.” These obstacles have only grown during the COVID-19 crisis because last summer the European Court of Justice invalidated the agreement allowing EU-US data flows, a serious blow considering 55 percent of clinical trials taking place in Europe also have at least one site in the United States.
The most recent incident illustrating the flaws in the GDPR occurred when public health officials in Brussels reported in February that nearly three out of four primary care workers did not show up for vaccines, and local officials in charge of vaccinations could not find out who had received vaccination invitations or follow up directly with these individuals because of the GDPR. The GDPR imposes strict rules on how organizations can share data with third parties and organizations that violate these rules face the risk of steep penalties. In this case, local health officials could not obtain the data from the federal health platform, resulting in 8,000 primary care workers missing their first shot and slowing down the vaccine campaign as they could not contact these healthcare workers.
The multitude of problems from the GDPR has created some interest within the EU for reform. Already, some countries have made minor changes. For example, recognizing the constraints of their data protection laws, the Italian government issued a decree creating a special legal framework for public health authorities to collect and share health data for the duration of the state of emergency. Likewise, Germany updated its laws to clarify the rules for processing personal data during an epidemic.
But temporary or incremental changes will not be enough. Axel Voss, one of the authors of the GDPR, has suggested it is time for updates to this law to make it fit for the digital economy, but few other EU policymakers have been willing to publicly embrace this view yet. At some point, the EU will need to reform the GDPR to reduce obstacles to innovation, such as allowing greater use of pseudonymized data and supporting additional legal mechanisms for cross-border data sharing, if it wants to be competitive in the digital economy. Hopefully, it will not take another global crisis to provide the necessary wake up call.
Image credit: Polina Tankilevitch