In March 2021, the European Commission released a proposal for the creation of a “Digital Green Certificate,” which will allow EU citizens to travel easier throughout the EU during the COVID-19 pandemic. Last week, the EU Member States agreed on some proposed changes to the proposal, including strengthening of the data privacy provisions. According to the proposal, in order to obtain a Digital Green Certificate, individuals must prove that they have been vaccinated, present a negative test result, or have recently recovered from COVID-19. The proposal allows the issuance of a certificate for all COVID-19 vaccines, which have received an EU-wide marketing authorisation, however only the results of certain in vitro diagnostic tests will be considered valid.
With the roll-out of the COVID-19 vaccine and the start of easing of social distancing measures, the latest initiative being considered at a national as well as an international level is the introduction of so-called “digital health passports” or “immunity passports,” i.e., a tool to record and share the immune status of an individual whether by virtue of a COVID-19 test result or vaccination record – indeed, it is estimated there are currently more than 70 digital health passports and 14 vaccine passport apps in operation globally. However, the privacy concerns (and indeed the broader ethical implications) of introducing such measures, without the implementation of appropriate safeguards are significant and a current topic of intense debate.
On February 12, 2021, the European Commission (Commission) published an “Assessment of the EU Member States’ rules on health data in the light of GDPR” (the Assessment). The Assessment concludes, amongst other things, that there are variations in the implementation of the EU General Data Protection Regulation (GDPR) at a national level with regards to the processing of health data. In turn, this has led to a fragmented approach to the processing of health data for health and research purposes across the EU. To avoid further fragmentation, the Assessment proposes various future EU-level actions, including stakeholder-driven Codes of Conduct as well as new targeted and sector-specific legislation.
For over two and a half years, California has enjoyed the spotlight of having the most comprehensive data privacy law in the United States. On March 2, 2021, Virginia forced California to share the honors, when Democratic Gov. Ralph Northam signed into law the Virginia Consumer Data Protection Act (VCDPA).
The VCDPA, which will not enter into effect until January 1, 2023, borrows heavily from the California Consumer Privacy Act (CCPA) and the European Union (EU) General Data Protection Regulation (GDPR). Perhaps because Virginia was able to benefit from the experience of businesses that have spent the better part of the last five years implementing the GDPR or the CCPA, the Virginia law is less prescriptive and more straightforward than its predecessors, with (one would hope) a correspondingly lighter implementation burden on companies. Nonetheless, there is just enough different in the VCDPA that businesses with a connection to Virginia will need to evaluate whether the law applies to them and how they will comply.
While an exegesis of the VCDPA is beyond the scope of today’s Data Matters post, this alert is designed to assist such efforts in three ways. First, we lay out the VCDPA’s scope, providing preliminary insight into which businesses the law will cover. Second, we highlight the key ways the VCDPA differs from — and, more important, extends beyond — the CCPA and GDPR so that businesses will have an initial sense of what, if any, unique obligations the VCDPA will place on them. Finally, for completeness’s sake, the post briefly summarizes the law’s key elements.
On February 17, 2021 the European Medicines Agency (EMA) published an updated version of its good clinical practice questions and answers (GCP Q&A). The updated section relates to access to patient medical records by GCP inspectors from European Economic Area (EEA) Member States. It stresses the importance of sponsors conducting studies in countries outside the EEA obtaining the prior explicit consent of a clinical trial participant for the review of their medical records by EEA GCP inspectors.
Taking a step into the digital age, the European Commission announced that the 2020s shall become the EU’s Digital Decade. The EU’s digitalization, including in the area of health, is one of the Commission’s key priorities and covers a wide range of actions and related initiatives.
Building on prior initiatives, in 2019 the Commission announced six key priorities (since supplemented by the COVID-19 recovery plan) that would shape the coming five years of policy making. One of these six key priorities is to create a Europe fit for the digital age and work on a digital strategy that will empower people with a new generation of technologies.
On December 10, 2020, the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) released a proposed rule (the Proposed Rule) that would make a number of key changes to the Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act of 2009 (collectively, HIPAA). HHS stated that the Proposed Rule is intended to reduce burdens that may limit or discourage care coordination and case management communications among individuals and HIPAA-covered entities while continuing to protect the privacy of individuals. The proposed changes are designed to lead to increased data access, sharing, and portability and to further HHS’s emphasis on patients’ right of information access, which has been highlighted through a series of enforcement actions in 2020. If enacted as proposed, the amendments would require healthcare providers and electronic health records (EHR) vendors to update policies and disclosures related to information access and perhaps even to redesign certain EHR processes. Comments are due 60 days after publication in the Federal Register.
Sidley associate Michael R. Roberts is the author of “Mobile Technologies and COVID-19: A Primer on Fighting the Virus with Cell Phones,” an article published in the Fall 2020 issue of Infrastructure, a quarterly publication of the American Bar Association’s Infrastructure and Regulated Industries Section. The article was also featured on the American Bar Association’s website homepage.
The article provides a primer on key privacy considerations and issues in order to assist businesses considering whether to develop or use mobile technologies to fight COVID-19. It first outlines the main ways governments and businesses might use mobile technologies to fight the virus and the potential applicability of current laws to these uses. The article then details how those laws might change as legislatures and regulators address the novel privacy and civil liberties issues raised by COVID-19. Finally, the article offers a checklist to capture important data privacy and security legal considerations relevant to the use of mobile technologies to combat COVID-19.
California’s Governor Gavin Newsom recently signed into law two bills to amend the California Consumer Privacy Act (“CCPA”). He also vetoed two other consumer privacy bills based on concerns about potential conflicts with existing state and federal law. Collectively, these four bills represented the most significant privacy legislation that came out of the California Legislature’s 2019-20 term, which came to a close on September 30th.
Only one of the two new CCPA amendments, AB713, includes substantive changes to the law. It streamlines the CCPA’s health information exception and imposes new obligations on CCPA businesses and others that handle deidentified patient information.
The other CCPA amendment, AB1281, simply extends the CCPA’s employee and B2B exemptions to January 1, 2022 if voters fail to pass Proposition 24 (CPRA or CCPA 2.0) in November. Those exemptions are currently set to expire on December 31st of this year.
Newsom also vetoed two consumer privacy bills despite expressing support for the goals of each. SB980 would have expanded consumer rights with respect to genetic information collected by direct-to-consumer genetic testing companies. Newsom’s veto was motivated by concerns that the law could have “unintended consequences” for the operation of the state’s communicable disease reporting requirements, including those applicable to COVID-19. The other bill, AB1138, would have imposed additional parental consent requirements on social media network operators. Newsom vetoed it to avoid potentially overlapping state and federal compliance obligations, citing parallels between the bill and federal regulations under the Children’s Online Privacy Protection Act (“COPPA”).
Here we outline the significant features of each of the new CCPA amendments.
*This article was adapted from “Global Overview,” appearing in The Privacy, Data Protection and Cybersecurity Law Review (7th Ed. 2020)(Editor Alan Charles Raul), published by Law Business Research Ltd., and first published by the International Association of Privacy Professionals Privacy Perspectives series on September 28, 2020.
Privacy, like everything else in 2020, was dominated by the COVID-19 pandemic. Employers and governments have been required to consider privacy in adjusting workplace practices to account for who has a fever and other symptoms, who has traveled where, who has come into contact with whom, and what community members have tested positive or been exposed.
As a result of all this need for tracking and tracing, governments and citizens alike have recognized the inevitable trade-offs between exclusive focus on privacy versus exclusive focus on public health and safety.