COVID-19 response and data protection law in the EU and US

Article by Cathy Cosgrove: “Managing the COVID-19 outbreak and stopping its spread is now a global challenge. In addition to the significant health and medical responses underway around the world, governments and public health officials are focused on how to monitor, understand and prevent the spread of the virus. Data protection and privacy laws, including the EU General Data Protection Regulation and various U.S. laws, are informing these responses.

One major response to limiting the spread of infection is contact tracing, which is the practice of identifying and monitoring anyone who may have come into contact with an infected person. Employers and educational institutions are also imposing travel restrictions, instituting self-quarantine policies, limiting visitors, and considering whether to require medical examinations. These responses necessarily involve obtaining and potentially sharing personal information, including data about an individual’s health, travel, personal contacts, and employment. For example, in the U.S., the Centers for Disease Control and Prevention has asked airlines for the name, date of birth, address, phone number and email address for passengers on certain flights. 

As IAPP Editorial Director Jedidiah Bracy, CIPP, explored in his piece on balancing personal privacy with public interest last week, this collection and processing of personal data is creating substantial discussion about what data protection limitations may be required or appropriate. Even China — which is using AI and big data to manage the outbreak — has issued guidance recognizing the need to limit the collection of data and its use during this public health crisis….(More)”.