EACCNY “Digitalization” Series | EU & US Privacy and Security Considerations for Covid-19 Data Processing Activities From Pandemic to Living with Covid

With the help of our members, this thought-leadership series explores the acceleration of “digitalization” due to COVID-19 on both sides of the Atlantic and across various industries. Today, we present Thora Johnson, Partner at Orrick in Washington, D.C., and Douglas McMahon, Partner at McCann FitzGerald in Dublin, Ireland. They will address: “EU & US Privacy and Security Considerations for Covid-19 Data Processing Activities From Pandemic to Living with Covid”.


Test and trace activities have been at the heart of the response to the Covid-19 pandemic in the EU and the United States. On both sides of the Atlantic, both public authorities and the private sector have put in place complex systems to manage these test and trace activities. At the core of these test and trace activities is the processing of personal data of those who are tested and traced, bringing privacy and security to the forefront. Companies collecting Covid test and trace data, therefore, need to consider the various EU and U.S. laws governing the privacy and security of personal health information.

EU Considerations

In the European context Covid-related data processing is primarily governed by obligations under the General Data Protection Regulation (“GDPR”), as supplemented by local Member State laws.

From a GDPR perspective, there is a clear distinction between the processing of personal data in the context of state mandated test and trace services, and the processing of personal data for private Covid testing purposes.  However, in each case the same basic requirements must be met:

  • Core GDPR Principles – All processing of personal data must comply with the core principles set out under Article 5 of the GDPR:
    • Lawful, fair and transparent – personal data should only be processed where there is a lawful basis, where it is fair to do so, and where data subjects have been provided with all the required information
    • Data minimisation – personal data that is processed must be adequate, relevant and limited to what is necessary to achieve the purpose for which it is processed
    • Accuracy – personal data must be accurate and where necessary kept up to date
    • Storage limitation – personal data should be stored for no longer than necessary for the purposes for which it was collected
    • Security – personal data should be stored, processed and transferred securely
  • Legal Basis – Under Article 6 of the GDPR the processing of personal data must take place under one of a number of general lawful bases (e.g. consent, contract, legal obligation, etc.). Where health data is processed, one of the more limited exemptions under Article 9 of the GDPR must additionally apply.
  • Data Subject Rights – Data subjects have various rights under the GDPR, both in relation to transparency (i.e. the provision of information about processing), and in connection with the on-going processing of personal data (e.g. a right to receive a copy of their personal data).
  • Restrictions on Transfer – The GDPR places restrictions on the transfer of personal data outside of the European Economic Area. Recent case law indicates that the mechanisms that are used to permit such transfers are potentially subject to challenge, particularly in the context of transfers to the USA.
  • Personal Data Breach Reporting – In the event of a breach of security that results in a risk to data subjects, a report must be made to the relevant supervisory authorities within 72 hours. Where the breach may result in a high risk to data subjects, the breach must be reported to data subjects without undue delay.

For the purposes of this article, we consider some of the more interesting challenges that the GDPR presents for processing data in the public and private sectors.

State Mandated Testing

Under the GDPR, processing of personal data for the purposes of state mandated test and trace services must have a basis in EU or Member State law.  Whilst certain aspects of processing of Covid related data are harmonised at an EU level (e.g. the EU COVID digital certificate used to enable travel), test and trace services are largely established under Member State law.

Although the pandemic has now been with us for over two years, in an Irish context the processing of personal data to support state mandated testing and tracing is still based on a patchwork of primary (i.e. legislative branch) and secondary (i.e. executive branch) legislation.   For example, the Irish Minister for Health was empowered under the Health (Preservation and Protection and other Emergency Measures in the Public interest) Act 2020 to make regulations which provide for measures necessary for the purpose of preventing, limiting, minimising or slowing the spread of Covid-19.  This power was then used at various points in the pandemic to impose requirements on travellers entering Ireland to provide evidence of test results.

Although the Irish Data Protection Commission has issued guidance highlighting the compatibility of public Covid test and trace measures with the GDPR, it is perhaps reasonable to say that the State has to date been given a fairly significant amount of leeway in demonstrating a GDPR compliant legal basis for the processing of personal data.

Private Testing

Private testing for infectious diseases is not generally a feature of EU health systems, which tend to be nationalised and provided through the state.  However, one of the cornerstones to opening up societies after extensive lockdowns has been the advent of requirements to demonstrate a recent negative Covid test.  This has required the creation or at least significant expansion of private testing services.

In order to provide a private testing service, companies must ensure that any personal data they collect is processed in accordance with the GDPR. In particular, private operators must be mindful of the following:

  • Legal basis for processing – Private testing companies will need to consider whether their processing of personal data in relation to tests should be based on the consent of the data subject, or if it is possible to rely on the exemption under Article 9 of the GDPR in connection with the provision of medical services.
  • Data Subject Rights – Putting in place systems to be able to efficiently respond to requests from data subjects to exercise their data subject rights is essential.
  • Personal Data Breaches – Given the nature of the personal data that is processed, it is highly likely that security breaches will need to be reported to supervisory authorities and data subjects. Testing providers must therefore ensure that their security incident response plans are robust and allow for reporting within the appropriate timeframes.
  • Transfers of Personal Data – The restrictions on the transfer of personal data outside of the EEA, and the current trends in their interpretation, weigh against putting in place systems that rely on such transfers of personal data. If such transfers are unavoidable, an impact assessment must be carried out and a transfer mechanism must be implemented before such transfers can take place.

Looking Ahead

The advent of Covid testing and tracing services was an essential public health response to the pandemic. As we move into the “living with Covid” stage of the pandemic, the associated processing of personal data will increasingly be undertaken by private sector operators. These operators may also consider how to leverage the Covid testing systems to provide other services which are less common in EU markets (e.g. at-home testing services for other infectious diseases). A key part of any plans by such operators should be their GDPR compliance programme, given the well-publicised potential fines and damages claims that may arise in the event of a breach of GDPR obligations.

U.S. Considerations

Unlike the EU, the U.S. does not have one comprehensive federal privacy or cybersecurity law.  Instead, a patchwork of federal and state laws regulates the privacy and security of personal information, including health information.  Additionally, much testing and tracing has been conducted by private companies.  These companies have several U.S. laws to consider.

HIPAA

First, a company collecting Covid testing or tracing data should evaluate whether the federal Health Insurance Portability and Accountability Act (“HIPAA”) applies. HIPAA governs the privacy and security of individually identifiable health information, or “protected health information” (“PHI”), collected by “covered entities” (such as health care providers that engage in certain electronic transactions, mostly related to billing and payment, and health plans) and by “business associates,” the service providers that process PHI on covered entities’ behalf. A covered entity subject to HIPAA must comply with three comprehensive rules:

  • The Privacy Rule, which sets limits and conditions on how a covered entity may use and disclose an individual’s PHI without the individual’s authorization.
  • The Security Rule, which requires a covered entity to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic PHI.
  • The Breach Notification Rule, which, in the event of a breach of unsecured PHI, requires covered entities to notify affected individuals, the U.S. Department of Health and Human Services, and, for larger breaches, the media.

HIPAA violations can carry steep penalties of $100 to upwards of $50,000 per violation, depending on the nature of the violation.  Companies should also keep in mind that many U.S. states have their own state versions of HIPAA, and some, like California’s Confidentiality of Medical Information Act, may apply even more broadly.

Even if HIPAA does not apply, however, a company’s Covid-related data processing could come within the purview of several other U.S. privacy and security legal regimes.

Federal Trade Commission Rules and Regulations

The Federal Trade Commission (“FTC”) is the U.S. federal agency tasked with enforcing antitrust and consumer protection law.  Particularly relevant for companies that collect Covid testing and tracing data are: (i) the FTC’s Health Breach Notification Rule; and (ii) the FTC’s enforcement of unfair or deceptive acts or practices in commerce, generally.

Health Breach Notification Rule

The FTC issued its Health Breach Notification Rule (the “Rule”) in 2009 with the goal of imposing HIPAA-like breach reporting requirements on companies that are not otherwise covered by HIPAA but that still process individually identifiable health information.  The Rule applies to a vendor of personal health records (that is not subject to HIPAA) that maintains an electronic record of individually identifiable health information that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.  While the Rule does not impose freestanding privacy or security obligations, it requires a vendor of personal health records to notify affected individuals and the FTC within 60 days of a breach of security where individually identifiable information in a personal health record has been acquired without the individual’s authorization.

Historically, the FTC had not actively enforced the Rule.  In recent months, however, the FTC has both proclaimed the Rule’s broad application and announced plans to enforce the Rule with renewed vigor.  In its September 15, 2021, Policy Statement[1], the FTC stated that:

  • The Rule applies to health apps and connected devices if they are capable of drawing information from multiple sources, such as consumer inputs and APIs, even if the health information comes from only one source.
  • A “breach” under the Rule is not limited to traditional cybersecurity breaches, such as nefarious intrusions by unauthorized third parties, but also includes disclosure of covered health information without an individual’s authorization.

Violations of the Rule may incur civil penalties of up to $46,517 per violation per day.

Section 5 of the FTC Act

Even if the Health Breach Notification Rule does not apply, the FTC still has general authority to regulate and enforce unfair or deceptive acts or practices under Section 5 of the Federal Trade Commission Act (“FTC Act”).  When conducting Covid testing and tracing data processing activities, companies should consider the FTC’s longstanding privacy and security principles,[2] which include:

  • Notice – Companies should clearly and conspicuously disclose their data practices to consumers in their privacy notices, and the representations should be accurate;
  • Consent – Companies should obtain consent before collecting sensitive information, such as health information, and before using consumer data in a materially different manner than disclosed at the time of collection; and
  • Security – Companies should implement reasonable security safeguards to protect personal information, including health information.

Medical Devices / Food & Drug Administration

The Food & Drug Administration (“FDA”) regulates the sale of medical devices in the U.S., including potentially those collecting Covid test results, and has issued its own cybersecurity guidance that device manufacturers need to consider. The FDA has issued both “premarket”[3] and “postmarket”[4] cybersecurity guidance.

The FDA’s premarket guidance provides cybersecurity recommendations for device design and development prior to FDA approval.  The FDA emphasizes that cybersecurity should be addressed throughout the device’s lifecycle, including by identifying cybersecurity threats and vulnerabilities, assessing the impact of those threats and vulnerabilities on device functionality and end users/patients, assessing the likelihood of exploitation, determining mitigation strategies, and assessing residual risk.

The FDA’s postmarket guidance provides recommendations for managing cybersecurity vulnerabilities for medical devices that are marketed and distributed to consumers.  The FDA recommends implementing a comprehensive cybersecurity risk management program that enables a company to address vulnerabilities which may permit the unauthorized access or use of information that is stored, accessed, or transferred from a medical device to an external recipient, and may result in patient harm.

Other U.S. State Laws

Last, but certainly not least, Covid testing and tracing data may yet be subject to other U.S. state privacy and cybersecurity laws, including:

State Privacy Laws

In the absence of one comprehensive federal privacy law, states like California, Virginia, Colorado, Utah, and Connecticut have enacted their own state privacy laws.  Under these laws, “health information” is considered “personal information” subject to privacy notice and consumer rights obligations, such as rights to access and deletion.  The laws also generally treat health data as “sensitive personal data” that requires either opt-in consent before collection or an opt-out to limit certain uses/disclosures, depending on the law.  There are also complicated rules regarding how they interact with HIPAA and state medical privacy laws, such as the California Confidentiality of Medical Information Act.

Data Breach Notification Laws

Just about every U.S. state has its own data breach notification law.  If a company’s COVID-testing data is subject to unauthorized access or acquisition by a third party, the company may need to provide notice to consumers, and, if certain thresholds are met, state attorneys general.

Data Security Laws

Many U.S. state laws require companies to implement “reasonable” security measures to protect personal information, including health information.

Conclusion

Over the course of the Covid-19 pandemic, from its early days to the current “living with Covid” days, consumers and regulators alike have increasingly scrutinized the privacy and security practices of companies that collect personal health information. As companies continue to engage in Covid-related testing and data collection, therefore, they should consider the privacy and security principles and legal frameworks established in both the EU and the U.S., and monitor for updated guidance.

Authors:

  • Thora Johnson, Partner, Orrick Herrington & Sutcliffe LLP
  • Douglas McMahon, Partner, McCann FitzGerald LLP

Stay tuned for more on this series! We hope you enjoy these Thought-Leadership pieces written by our members: Orrick Herrington & Sutcliffe LLP & McCann FitzGerald LLP.

Footnotes:
[1] See Statement of the Commission On Breaches by Health Apps and Other Connected Devices, Fed. Trade Cm’n, Sept. 15, 2021, available at https://www.ftc.gov/system/files/documents/rules/health-breach-notification-rule/statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf.
[2] See Protecting Consumer Privacy in an Era of Rapid Change, Recommendations for Businesses and Policymakers, FTC Report, March 2021, available at https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf; see also What the pandemic has taught businesses about the collection of health information, Fed. Trade Cm’n, April 25, 2022, available at https://www.ftc.gov/business-guidance/blog/2022/04/what-pandemic-has-taught-businesses-about-collection-health-information.
[3] See Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, Oct. 2, 2013, available at https://www.fda.gov/media/86174/download.
[4] See Postmarket Management of Cybersecurity in Medical Devices, Dec. 28, 2015, available at https://www.fda.gov/media/95862/download.