Medicina de precisão do Hospital Israelita Albert Einstein

The importance of GDPR during Covid-19


Nothing will be as it was before! The “new coronavirus” (COVID-19), a disease caused by the SARS-CoV-2 virus, has impacted the world in unprecedented ways in history. Little is known about it, however, since its outbreak, discussions about the immune system have gained relevance. While the cure for this disease is ceaselessly sought, doctors recommend that we have a strengthened and balanced immune system.

I dare say that we must do the same with our democracy. We are experiencing an exception state due to a public health emergency, caused by the disease, considered to be a state of abnormality and collective risk. This impacts the public institutions regular functioning and social economic life, characterized by the temporary rights and guarantees suspension, being of paramount importance to take actions in order not to undermine citizens’ rights.

By analogy, it can be said that just as we must take precautions to strengthen our immune system, steps must be taken to strengthen our democratic rule of law. Therefore, it is exactly at this moment, so delicate for society, that we must talk about the need to protect the personal data of both those infected by COVID-19 and those not infected.

Why should we be concerned with protecting personal data during the COVID-19 era?

Covid-19 created a number of issues not necessarily related to medicine. In pandemic times, many measures are taken in order to preserve life, and the protection of personal data has never been more in evidence than now. Since the start of the pandemic, governments and stakeholders involved in the fight against the virus, such as the scientific research community, have been relying on data analytics and digital technologies to face the disease. Some examples are the use of telemedicine and monitoring, that can share data about infected and non-infected people. 

We live in a technological age where technologies are replaced in a short amount of time.  Because of this, our data is shared and stored at speed and size never seen before. Furthermore, those tools, which rely on the processing of personal data, have an impact on privacy and data protection and other fundamental rights and individual freedom. Therefore, it is crucial to ensure that measures and related data processing are provided to entities with a legitimate objective, generating a fair balance between all the interests involved without putting rights and freedoms at stake.

Does this mean that we cannot use telemedicine and other technological resources to fight the epidemic?

Technology and the use of data are the perfect combination for governments and private entities to understand the disease progresses and to anticipate actions more efficiently. Governments around the world have created legislation to fight COVID-19 which includes several measures, including sharing personal data from people who are infected or suspected of being infected. For example, in Brazil, the Law number 13.975/2020, known as the “Quarantine Law”, determined, among other limitations to our basic constitutional rights, the compulsory conduct of: clinical samples collection; vaccination and other prophylactic measures; specific medical treatments and epidemiological study or investigation. All that for the public health promotion and preservation, respecting human rights and fundamental freedoms through Decree law number 10.212 / 2020 that promulgates the International Health Regulations revised text produced by the World Health Organization – WHO.

It would be terrible to say that in pandemic times we cannot use technology to preserve public health and eradicate the disease. The intention here is to reflect on how data should be treated in this scenario. In the eagerness to seek more efficient ways to fight the disease, fundamental rights and freedoms, foreseen in the Brazilian Federal Constitution and in the infraconstitutional legislation, can be limited during the pandemic but can never be violated.

But what about Europe, are they concerned with data protection in the COVID-19 era?

In Europe, the General Data Protection Regulation – GDPR is already in force and, therefore, studies and measures adopted to combat the disease are always in line with European data protection law. As an example, in April 2020, the Belgian authority published an article with principles that must be followed by Health Applications during the pandemic. Thus, the European Data Protection Board – EPDB adopted guidelines on the personal data treatment for the use of geolocation data and contact tracing tools on COVID-19 pandemic context.

Do we have a data protection law in Brazil?

The General Data Protection law – GDPR– n.13.709 / 2018, was published in August 2018 with a term of “vacatio legis” and should have come into force in August 2020. However, there are several obstacles. Some proposed bills were created to postpone its entry into force and, now with the pandemic, when we need it the most, new bills are being passed in Congress for a new postponement, not to mention the Provisional Measure published on April 30 postponing it to May 3rd, 2021.

The fact is that even before COVID-19 appeared, the subject of data protection was already taking shape in Brazil, with a certain shyness and concern from some sectors, because they still believe that this issue imposes barriers to economic, technological and free development competition. However, this is not true.

And what is the truth of GDPR?

GDPR is a window of opportunity that goes far beyond data privacy. In addition to protect citizens’ fundamental rights and freedoms, it encourages the promotion of technological and economic development, providing a logical system to create an auditable trail of data through which citizens and other economic agents can see their entire life cycle and its repercussions on the economic activities and social relations to which they belong. This way, it brings innovation to rethink business models, adding value to the field.

In short, what is this law like?

As stated earlier, the law is not intended to stop anything. It only aims to protect the citizens as owners of their personal data, by giving them tools to determine and control the use of it, in order to be less vulnerable at the face of this immense market that is the processing of personal data. For that, it brings data “governance” rules so that confidentiality is guaranteed and that the risks concerning the invasion of privacy, the manipulation of our data and the bias are mitigated or null.

What needs to be done?

The postponement of the law is counterproductive now. We must be careful with the state of exception, due to the public health emergency, which will not last forever, therefore, it is necessary for GDPR to be enforced immediately. The penalties provided must be postponed, but its applicability becomes urgent in this new scenario. Another point of paramount importance is the urgent creation of the National Data Protection Authority – ANPD, also provided in GDPR but, preferably, independent. I dare say that the ANPD should be created even before the law is enforced.

In summary, we can say that, like COVID-19, it is necessary to increase our immunity to prevent disease, but it is also necessary to increase the strengths of our democracy during the state of exception, due to public health risks, so that we do not have a sick post-pandemic state.

About the author:

Sandra Ramirez is a professional with work experience in multinational companies, who has also worked as a university professor, wrote an article published in a book about the importance of mediation and reconciliation in multicultural societies and assumed the position of Legal Manager of an English multinational. She currently works in the area of Data Protection and Privacy, helping Brazilian and multinational companies to be compliant with the GDPR.


[1] BIONI, Bruno; ZANATTA, Rafael; MONTEIRO, Renato; RIELLI, Mariana. Privacidade e pandemia: recomendações para o uso legítimo de dados no combate à COVID-19. Conciliando o combate à COVID-19 com o uso legítimo de dados pessoais e o respeito aos direitos fundamentais. São Paulo: Data Privacy Brasil, 2020.

[2] Coronavírus, ‘estado de exceção sanitária’ e restrições a direitos fundamentais:   visited on 04/30/2020                         

[3] Joint Statement on Digital Contact Tracing, visited on 04/28/2020

[4]  visited on 04/27/2020

[5]  visited on 04/27/2020

[6]   visited on 04/28/2020

[7] visited on 04/28/2020

[8] visited on 04/28/2020

[9] visited on 04/28/2020

[10]  visited on 04/28/2020

[11] visited on 04/28/2020

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts