By Ricardo Barretto, Lorena Pretti Serraglio, Isabella Aragão, Camilla Chicaroni and Bruna Toniolo
First reported to the World Health Organization - WHO due to pneumonia of unknown cause detected in the city of Wuhan, China, on December 31, 2019, the new coronavirus SARS-CoV-2 is a virus that causes mild to moderate respiratory infections in humans and animals, called “coronavirus diseases 2019” (COVID-19 for short). Up to the morning of March 3 this year, 90,893 cases were confirmed in 73 countries, with 3,111 deaths recorded. With the continuous increase in the number of cases of the disease and the number of countries affected, WHO has increased the assessment of the spread risk and impact of COVID-19, classifying it as a “very high” international threat.
In the Brazilian scenario, after suspicion of infection, the first confirmed case of the disease occurred last week, in São Paulo, in a 61 (sixty-one) year old man who was in Italy in early February, coinciding with the period in which there was an “explosion” of infection cases in the European country. Earlier this week, the second confirmed case of the disease in São Paulo was diagnosed and reported, and the patient remained in isolation at home, even though without symptoms.
However, even before these events, Brazil was already adopting actions to combat and prevent the coronavirus - including legislative measures. In this sense, Bill nº 23/2020 (“Bill”) was presented by the Chamber of Deputies, in order to provide for sanitary measures to deal with the public health emergency of international importance arising from the coronavirus. The Bill also gave rise to Law nº 13.979/2020, sanctioned by the President of the Republic, which defined concepts such as “isolation” and “quarantine”, in addition to establishing the measures that could be adopted to guarantee the protection of the community.
From this perspective, a major point of attention in the middle of the coronavirus crisis is the massive use of personal data of those who are under investigation of the disease or with a confirmed diagnosis. In the case of personal health data, the issue becomes even more sensitive, mainly due to the possible discrimination that infected patients could suffer in case of unauthorized disclosure of their personal information. The existence of the aforementioned legal obligation, however, constitutes an express legal authorization for the sharing of such personal data.
Still in this sense, even if the Brazilian General Data Protection Act - LGPD (Law nº 13.709/18) only comes into force in August this year, it is interesting to note that its application would be extremely relevant in the event of sharing sensitive health data about those infected or suspected of coronavirus infection.
This is because, according to article 11 of the LGPD, the processing of sensitive personal data may occur when it is indispensable for the protection of the life or physical safety of the holder or third party - which, given the threat posed by the coronavirus, occurs in the specific case. Furthermore, the recommendation of a specific purpose for the processing of this information (that is, to prevent the spread of the disease) is consistent with the principle of purpose, provided for in article 6, item I, of the statute.
Internationally, in the fight against the outbreak of this new coronavirus, many countries, in addition to providing emergency medical support to people affected by the virus, have imposed quarantines and restricted travel and outdoor activities to their citizens. To control the outbreak and track the spread of the virus, health officials and other stakeholders - ranging from airlines and railway operators, to property management companies, for example - have collected a large amount of personal data, including information from individuals who recently traveled to Wuhan or were in contact with those who developed symptoms of infection. As a result, concerns about privacy and possible discrimination against infected people began to arise.
In addition to massive data collection, technology is being widely used to monitor disease progress and identify infected patients. Chinese private companies have contributed to the mapping of cases of the disease through the use of Big Data. Chinese search giant Baidu, for example, released an epidemic map that shows the location of infected and suspected people in real time so people can avoid these places. Qihoo 360, Chinas largest cybersecurity company, is offering an app that allows users to check whether they’ve been on a train or plane with someone who contracted the virus.
Still in China, the cities most affected by the coronavirus are using drones to spray disinfectants over certain areas, disperse public meetings and issue notices, warning people to wear masks. In the same logic, the city of Moscow, Russia, is using face recognition technologies to monitor and ensure that coronavirus patients remain in quarantine, allowing authorities to track any offenders.
Recently, China also started a mass experiment, using an app for monitoring the health of its citizens on their cell phones, which classifies the need (or not) of isolation of each individual due to the coronavirus, through QR codes and green, yellow or red colored flags. The software, created by the company Ant, linked to the Chinese giant Alibaba, compares "personal integrity reports" and information from the Chinese health system to combat the spread of the coronavirus, but also supplies the Chinese police with personal information of citizens.
In response to concerns that the mapping of infected or suspected cases of coronavirus infection has caused regarding the privacy and protection of personal data of the world population against the disease, some initial measures have been taken by the authorities of nations facing this challenge.
In this sense, in addition to Brazilian law itself, it is also possible to mention the initiatives of the National Health Commission of China, for example, which issued a notice describing the requirements for the protection of personal data in the context of prevention and control of the coronavirus. Furthermore, the Cyberspace Administration of China (CAC), the main Chinese regulator in cybersecurity and data privacy, has issued a “Circular on Ensuring Effective Personal Information Protection and Utilization of Big Data to Support Joint Efforts for Epidemic Prevention and Control” (CAC Circular), to provide detailed guidance on the protection of personal data under current circumstances.
The challenges remain clear regarding the collection, use and indiscriminate sharing of citizens personal data based on the justification for combating the spread of the coronavirus. For the present, it is expected that the authorities, and private and public, national and international entities will start to consider guidelines for the protection of personal data in their processing for monitoring the coronavirus, guaranteeing an adequate level of protection for the privacy of citizens, even in the midst of a global epidemic.
In the future, in addition to the recommendation to adopt good practices for the processing of personal data when the genesis of technological innovations - such as the creation of privacy by design technologies, which consider the protection of personal data from the conception of products - the following question is expected to be answered: what will happen to the gigantic personal database collected during the coronavirus outbreak after the end of this crisis?
To receive the main news related to privacy and data protection, nationally and internationally, follow the Technology, Media and Telecommunications team of Azevedo Sette Advogados.