Data Protection and the Pandemic: What We Can Learn For Future Policy

Jennifer Huddleston


The ongoing COVID-19 pandemic provides a useful case study of the impact of privacy regulations. U.S. policymakers have for some time been considering federal data protection legislation and whether the current, less regulatory approach remains appropriate. The European Union’s (EU) General Data Protection Regulation (GDPR) provides an example of a sweeping and highly regulatory approach to data privacy and security, while the less stringent approach in the United States leaves more room for innovation, flexibility, and choice. The COVID-19 pandemic illustrates the tradeoffs associated with stringent policies and the different choices individuals may make when it comes to their data privacy, highlighting the value of a flexible and less prescriptive approach to privacy regulation.

The Impact of Data Protection Regulations on Pandemic Responses: Distinctions in the European and American Approaches 

The COVID-19 pandemic has illustrated some of the unintended consequences that stringent data protection laws can have. Such policies prioritize strong data privacy and security over other concerns and potential benefits. But the social and business situations arising from the pandemic have shown that the risks associated with in-person meetings or the limitations of analog technologies may outweigh the risks of using technology or data in ways that heavy-handed regulations would render difficult or impossible.

While officials claim the GDPR should not hinder the response to COVID-19, there has been an impact on certain technologically enabled responses as a result of the requirements and restrictions regarding individuals’ data. EU guidance on GDPR and the pandemic requires member countries to pass legislative exceptions to allow responses using location information or employment information, exceptions that would not be necessary in other countries, including the United States. Stringent data privacy regulations can also place burdens on businesses transitioning to remote work, which must consider GDPR compliance for data and document transfers and the risk of security breaches. The regulations are also increasing burdens on innovative and charitable responses. For example, in the United Kingdom, grocery stores seeking to deliver food boxes to 1.5 million vulnerable individuals were unable to receive the needed information due to GDPR “protections” against the mass sharing of personal information such as individuals’ names, addresses, and emails. GDPR’s limitations on such data sharing also make it more difficult for developers seeking to create an app that could help with contact tracing of individuals with COVID-19.

In general, the United States already had a less regulatory approach to data protection than the EU, and this distinction has become even more apparent in the decision to lift certain data protection restrictions during the pandemic. Loosening certain requirements around the Health Insurance Portability and Accountability Act (HIPAA) has enabled the broader use of telemedicine via publicly available messaging and videoconferencing services such as FaceTime and WhatsApp. Telemedicine is playing an important role in preserving limited health resources, enabling triage, and allowing continued social distancing for certain needed visits. As with other regulations removed during the pandemic, policymakers should carefully reexamine whether such restrictions were truly needed before reinstating them.

Policymakers should consider that the consequences of stringent data protection regulation might prevent other benefits, including potential innovative responses to emergencies like COVID-19. While at times regulation may be necessary to prevent harm, such regulations presume that minimizing data privacy and security risks should always be the priority. The pandemic has illustrated that such an approach has its own risks and harms, and individuals and private institutions are often in a better position to weigh the risks and make decisions that fit their own circumstances.

Data Protection Preferences and Tradeoffs: Considering Concerns About Zoom, Privacy, and Security 

Videoconferencing services have become increasingly popular, particularly for individuals who have to work or attend school from home. While a variety of options are available, Zoom has quickly risen to become a household name. But along with its meteoric rise, Zoom is facing new questions about its privacy policy and the data security risk it may pose. A class action lawsuit was filed against Zoom in California alleging it improperly shares user data with Facebook, and the New York Attorney General is investigating the company’s privacy practices as well. Senator Sherrod Brown has requested that the Federal Trade Commission (FTC) investigate whether the company’s claims regarding the encryption of its services were deceptive. Some headlines have even gone so far as to refer to Zoom as malware.

Click here to read more of this American Action Forum post by Jennifer Huddleston.