COVID-19 Crisis Shows Limits of EU Data Protection Rules And AI Readiness – Center for Data Innovation
The COVID-19 crisis is exposing many hidden weaknesses in society—the limitations of healthcare systems in advanced countries, the disproportionate impact unexpected emergencies have on those living on the margins of society, and the tendency by some to embrace xenophobia and nationalism in times of fear. The crisis also shows that despite all of its efforts the EU is not yet ready to make full use of AI because its stringent data protection rules, by restricting the collection, use, and sharing of data, are slowing down the bloc’s ability to address the spread of the disease. Given the significant role AI can play in responding to this crisis, this is an urgent problem for policymakers to address.
Communities of AI researchers around the world are coming together to address the COVID-19 crisis. But developing AI solutions requires data, and unfortunately, the EU’s stringent data protection rules restrict organizations from collecting, sharing, and using data. This has been a long-standing issue, but the COVID-19 outbreak suggests that if the EU wants to leverage AI to address the pandemic, it should address this problem now by requiring government authorities to collect and share public health data, revising European data protection rules, and accelerating investments in AI.
First, the Commission should issue an EU-wide data sharing mandate for public health authorities to collect and share data across the EU with researchers, healthcare providers, and companies developing AI solutions to address the crisis. Some European countries are already taking these steps. For example, Italy, one of the countries hardest hit so far by COVID-19, has issued a temporary decree granting its government broad powers to collect and use sensitive public health data. Other member states need to follow suit, and the EU should lead the way. Access to personal medical data such as temperature, blood oxygenation levels, and blood pressure can help public health authorities track the diffusion of the pandemic and its impact on at-risk populations. This data could also be helpful to speed up research, as well as to detect when individuals’ symptoms qualify for additional care or intensive care, thereby ensuring efficient allocation of treatment and healthcare resources.
Second, the Commission should promote a policy of requiring not just patients infected with the virus, but also individuals who are at high-risk of infection because of recent travel or contact with infected individuals, to notify public authorities. The EU’s data protection rules focus heavily on protecting individual rights, but it is important, especially in the face of a global pandemic, to also consider the needs of the community. For example, Italy’s ordinance requires individuals to notify authorities if they recently were in an at-risk area. Public health officials expect that rapid contact tracing of infected individuals will be key to reducing future waves of infections but this is only possible with better data, including data from the private sector such as mobile location data and credit card payment information. This data should only be allowed to be used for specific public health purposes, such as contact tracing, and governments should be required to delete it at regular intervals.
Third, the EU should also consider its longer-term needs. China’s ability to respond to the coronavirus crisis has much to do with access to personal data, something EU researchers and companies working on AI healthcare solutions lack because of the GDPR. Creating special legal frameworks as an ad-hoc emergency measure, as Italy did, amounts to sticking plaster on a wooden leg. It will remain difficult for data controllers and processors, already confronted with burdensome requirements and inconsistent guidance, to navigate through such exceptions. The Commission should amend the GDPR to accommodate for needed flexibility, to ensure data is consistently collected and interoperable across the EU to address this crisis in the long term, and for researchers to be able to use readily available data in case similar events occur in the future.
Finally, the Commission should provide financial backing to public and private sector efforts to use AI to address the risks from the pandemic. The Commission’s urgent call for funding applications for tech SMEs and startups developing solutions which could tackle the COVID-19 pandemic is an encouraging step in the right direction. AI can clearly play a critical role in addressing the coronavirus, such as analyzing compounds used to develop tests and vaccines, monitoring individuals’ health with medical devices that track blood oxygen levels or body temperature, and providing information to the public via chatbots. Now is not the time for the EU to hit the pause button on its ambitious plans to pursue AI.
Healthcare remains a primary competence of member states, but the EU can still use its supranational prerogatives, as it did for border measures, to create consistent methods for collecting and sharing public health data throughout the EU and accelerate its investment in AI. Without an EU-led initiative, country-specific measures will remain patchy efforts that are unlikely to allow emerging technologies to be used to their full potential. The EU has an opportunity to fast-forward the development of critical systems that could help save lives now and in the future, and to reach its ambitious objectives to catch up in the data economy.