24. Data Privacy and Protection Relating to Healthcare in Europe, the United States and Brazil
This is an Insight article, written by a selected partner as part of Latin Lawyer's co-published content.
We are currently experiencing the third major global economic wave, dubbed the Information Age by the writer Alvin Toffler, in which information, knowledge and high-end technology are essential for the development and success of companies. We live in a completely digital world that allows instant and fluid communication; information is an extremely valuable asset in today’s highly globalised market.
Owing to the fluidity with which information is transmitted today, individuals have begun to lose control over their privacy and intimacy and, to some extent, may become victims of social networks, public databases, information migration and big data, among others. In this context, the question of how to implement an effective system for protecting individuals’ data in the digital era is critical.
In our rapidly evolving digital world, technologies are advancing by the minute. In healthcare, in particular, rapid digitisation and innovation are taking place through the use of the latest and most advanced technologies. Further, outside the medical context, people use all sorts of modern technologies to track and measure their health and fitness, get into shape, keep fit, lose weight and reduce stress. With the covid-19 pandemic, this issue has gained notoriety around the world, given the several measures adopted for monitoring and processing personal information.
In this sense, individuals’ privacy has become a particularly important issue. On the one hand, data protection is based on respect for privacy, inviolability of intimacy and on the preservation and free development of personality. On the other hand, one cannot forget other essential foundations for this new discipline, such as the need for economic, social and technological development, as well as the importance more generally of innovation.
Privacy background in the European Union, United States and Brazil
The United States privacy experience
In 1890, Samuel Warren and Louis Brandeis published ‘The Right to Privacy’ in the Harvard Law Review, which structured the concept of privacy as ‘the right to be let alone’. In the United States, the definition of privacy consists of ‘the desire of people to freely choose the circumstances and the degree to which individuals will expose their attitude and behavior to others’.
Based on this notion, the United States has divided its privacy concept into four categories: information privacy, focused on establishing rules that govern the collection and handling of personal information; bodily privacy, focused on an individual’s physical being and any invasion thereof; territorial privacy, focused on placing limits on the ability to intrude into another individual’s environment; and communication privacy, encompassing the protection of the means of correspondence.
As the US legal framework is structured on the federal system, each state has its own set of laws, rules and regulations regarding privacy issues. Typically, these localised laws, rules and regulations aim to provide the requirements for safeguarding data, disposal of data, data breach notifications and privacy policies.
As an exception, in the healthcare sector, the US Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, is a federal act that governs the privacy and security of healthcare information. This is analysed further later in this chapter.
The European experience
In 1970, within individual states’ legal frameworks in Europe, there were already some rules aimed at protecting individuals’ personal information, such as laws on privacy, tort, secrecy and confidentiality. However, owing to the increase in the use of computers to process information about individuals and to transborder trade, facilitated by the formation of the European Economic Community (EEC), there was a need for new standards that allowed individuals to exercise control over their personal information.
In the European Union, the right to a private life and associated freedoms are considered fundamental rights. Containing specific provisions related to the right to privacy and family life and freedom of expression, the Universal Declaration of Human Rights was a starting point for framing standards for the protection of individuals. The principles set forth therein have provided the basis for subsequent European data protection law and standards.
In 1995, Directive 95/46/EC was enacted by the EU with the purpose of creating a set of rules for its member states on the protection of individuals with regard to the processing of personal data and on the free movement of such data between member states.
From 1995 to 2016, a series of regulations and rules were issued by the European Union regarding privacy and data protection matters. In 2016, the General Data Protection Regulation (GDPR), a more rigid regulation on data protection, was enacted.
The Brazilian experience
Prior to Law No. 13,709/2018 (LGPD), Brazil did not have consolidated legislation related to data protection, but a series of sparse laws to deal with privacy.
The LGPD was only enacted on 14 August 2018. In recent years, other rules related to privacy have also been approved in Brazil, including Decree No. 9,637/2018, which set forth the National Information Security Policy, and Law No. 13,787/2018, related to computerised systems for the storage of patient records.
The definition of data is, and should be, generic. In some cases, it is difficult to define, mainly owing to constant technological advances and the dynamic pace at which the digital world evolves daily.
Raymond Wacks defines data as ‘acts or signs that require interpretation before they acquire any meaning, remaining in the state of pre-information until they can be understood by someone’.
Based on the above, it is possible to conclude that data is information, for example, numbers, images, texts and documents, including in electronic, analogue, digital or non-electronic format, which, after scrutiny, have some meaning.
Article 4(1) of the GDPR defines personal data as ‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier’.
In Brazil, the LGPD maintained the broad criteria when setting forth the definition of personal data. For the LGPD, personal data is ‘any information related to an identified or identifiable natural person’.
In the United States, the definition of personal information or personally identifiable information (PII) consists of any information that makes it possible to identify an individual, which includes Social Security numbers or passport numbers, address, telephone number and e-mail address. The definition generally applies to both electronic and paper records.
‘Sensitive personal data’ is a type of personal data, as such data must be connected to an identified or identifiable natural person. This type of data is subject to extraordinary protection, as it may expose the individual to discrimination or disregard. This means that this type of data has a greater potential to cause offence to the individual’s fundamental rights.
According to Article 9(1) of the GDPR, the personal data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, union membership, as well as the processing of personal data related to health and sexual preferences require specific protections. LGPD followed the concept introduced by the GDPR.
In the United States, ‘sensitive personal information’ is also an important subset of personal information. The definition of what is considered sensitive data varies depending on the jurisdiction and on particular regulations. For example, Social Security numbers, driver’s licence numbers, and financial, medical and health information are usually treated as sensitive personal information. Sensitive personal information requires additional privacy and security limitations to safeguard its processing (collection, use and disclosure).
Data protection in the pharmaceutical sector
Special privacy protections for healthcare date back thousands of years. The modern Hippocratic Oath states: ‘I will respect the privacy of my patients, for their problems are not disclosed to me that the world may know.’
There are many reasons why privacy rules are generally stricter when related to health and healthcare issues. First, medical information relates to the inner workings of an individual’s body or mind. The individual’s sense of intimacy may be violated if others have unlimited access to this type of information. Second, it is believed that patients will be more open about their medical conditions if they are certain that their medical facts or information will not be revealed to unauthorised third parties. Third, medical privacy protections avoid discriminatory situations.
Even though there are strict laws protecting health and medical information in the industry, modern insurance and pharmaceutical companies and medical practices often use patient information extensively. For instance, researchers may use medical information, such as that processed during a clinical trial, to discover new patterns as they seek to develop cures for illnesses and promote public health. Healthcare providers may also use patient records to evaluate their overall quality of care.
As mentioned previously, the data protection principles intend to protect one’s privacy, intimacy and free development of personality. However, one cannot focus exclusively on the individual’s privacy and forget the need to promote innovation and social and technological development, in particular, those related to developing cures for illnesses and promoting public health.
Overview of the impacts caused by covid-19 regarding data protection
For the past year, mankind has been fighting an invisible enemy – covid-19. In order to identify and halt the proliferation of the disease and avoid the overload of public health systems, governments have been forced to put in place measures such as social distancing, quarantine and lockdowns, and even adopt the surveillance of citizens through smartphones.
Some governments have chosen to monitor their citizens through the mass collection of non-anonymised mobile phone location data, allowing authorities to see individuals’ physical locations without consent. Other governments have chosen to collect non-anonymised data regarding individuals’ health or immunity status.
The Chinese authorities, for example, have requested that individuals download onto their smartphones the app Alipay Health Code to track and identify suspected coronavirus carriers, follow their movements and identify anyone with whom they might have come into contact. In Hong Kong, it was mandatory for individuals to use a smartwatch that notified the authorities if the individual broke quarantine or did not respect curfews and other sanitary measures.
In Japan, the government put in place the ‘Covid-19 Contact Confirming Application’ (COCOA), which uses Bluetooth on smartphones to detect proximity to other smartphones. COCOA is also used to monitor those who have tested positive for covid-19. Registration on COCOA is voluntary, and it does not disclose where, when and with whom there has been contact.
In Russia, authorities are using facial recognition technology to locate and identify suspected coronavirus carriers, and, in South Korea, the government has used credit card transactions, mobile phone location and even security cameras to track suspected coronavirus carriers.
The global pandemic intensified governments’ interest in collecting data on a massive scale and, owing to the large number of deaths along with the economic and social losses caused by covid-19, many citizens have come to accept the processing of their personal data in the expectation that the data collected and processed will assist in the fight against covid-19.
Laws and regulations regarding the protection of personal data and privacy have gone from being fundamental to preventing the pandemic to becoming a basis for governments to justify expanding their surveillance and data collection.
Data protection specific to the healthcare sector in the United States
Currently, in the United States, there is no single principal federal data protection legislation. This means that the US data protection and privacy legal framework encompasses hundreds of laws enacted at both federal and state level that intend to protect personal data. Federal data protection laws are either sector-specific, such as the Health Insurance Portability and Accountability Act (HIPAA) of 1996, or focused on a particular type of data.
HIPAA is the federal act that governs the privacy and security of healthcare information concerning health status held by covered entities, such as healthcare providers, doctors’ offices and hospitals, health plans or health insurers, healthcare clearing houses and any other third-party organisations that host, handle or process medical information. Even though HIPAA is a federal law, there are several other state laws dealing with privacy in the health sector across the United States.
HIPAA provides two important definitions related to healthcare information: (1) protected health information (PHI), which is any individually identifiable health information that is transmitted or maintained in any form or way; is held by a covered entity or its business associate; identifies the individual or offers a reasonable basis for identification; is created or received by a covered entity or an employer; and relates to a past, present or future physical or mental condition, provision of health care or payment for health care to an individual; and (2) electronic protected health information (ePHI), which is any PHI that is transmitted or maintained in electronic media, for example, computers, hard drives, magnetic tapes or disks, or digital memory cards. Paper records and paper-to-paper fax transmissions are not considered transmissions via electronic media.
Compared with other US privacy laws, HIPAA provides perhaps the most detailed implementation of the Fair Information Privacy Practice, as it includes requirements concerning privacy notices, authorisations for use and disclosure of PHI, limits on use and disclosure to the minimum necessary, individual access and accounting rights, security safeguards and accountability through administrative requirements and enforcement.
As the objective of the PHI is to improve the efficiency of the healthcare system, HIPAA does not require covered entities to obtain authorisations granted by individuals for certain categories of medical treatment, payment and healthcare surgeries. Also, it does not apply to medical research and de-identified information, which means that, if the information does not actually identify an individual and there is no reasonable basis to believe that the information can be used to identify an individual, HIPAA does not apply.
Additionally, compared with other legislation, HIPAA also provides minimum security requirements for PHI, with the objective of ensuring that covered entities adopt procedures to prevent, detect and correct security violations, such as: ensuring the confidentiality, integrity and availability of all ePHI a covered entity creates, receives, maintains or transmits; protecting against any reasonably anticipated threats or hazards to the security or integrity of the ePHI; protecting against any reasonably anticipated uses or disclosures of such information that are not permitted or required under privacy rules; and ensuring compliance with the security rules by its workforce.
During the development of its security programme, each covered entity must observe:
- the size, complexity and capabilities of the covered entity;
- the covered entity’s technical infrastructure, hardware and software security capabilities;
- the costs of security measures;
- the probability of potential risks to electronic protected health information;
- an individual for each covered entity who is responsible for the implementation and oversight of the compliance programme;
- initial and ongoing risk assessments, in order to identify potential risks and vulnerabilities, each of which must be addressed; and
- implementation of a security awareness and training programme for its workforce.
It is important to point out that HIPAA does not pre-empt state laws that provide more protection than the federal law.
This may be one of the most sensitive issues in relation to the processing of individuals’ data in the United States. Each state may enact different rules, some being more rigid than others. This situation may allow certain covered entities to move from one state to another, pursuing more flexible rules that may benefit their activities and business. Also, considering the fluidity of data between entities across the states and the world, this scenario may create an insecure environment for those parties who process data in the United States, whether in the pharmaceutical sector or not.
Alongside HIPAA, the US health legal framework also contemplates:
- the Health Information Technology for Economic and Clinical Health Act (HITECH), which governs the adoption and meaningful use of health information technology and strengthened HIPAA to address the privacy impacts of the expanded use of electronic health records;
- the Genetic Information Nondiscrimination Act of 2008 (GINA), which sets forth limits on the use of genetic information in health insurance and employment;
- the 21st Century Cures Act of 2016 (the Cures Act), which has the purpose of expediting the research process for new medical devices and prescription drugs, quickening the process for drug approval and reforming mental health treatment; and
- the Americans with Disabilities Act (ADA).
GINA prohibits health insurance companies from discriminating based on genetic predispositions in the absence of manifest symptoms or from requesting that applicants receive genetic testing and prohibits employers from using genetic information in making employment decisions.
The Cures Act provides the following privacy provisions: certain individual biomedical research information is exempted from disclosure under the Freedom of Information Act; researchers are permitted to remotely review PHI; certificates of confidentiality are available for researchers; and mental health or substance abuse information may be shared compassionately with family or caregivers.
The impact of covid-19 on the US data protection and privacy landscape
Owing to the pandemic, the US Department of Health and Human Services (HHS) issued a bulletin to ensure that covered entities and their business associates are aware of the ways in which patient information may be shared under HIPAA. HIPAA aims to ensure that appropriate uses and disclosures of information may still be made when necessary to treat a patient, to protect the nation’s public health and for other critical purposes.
Despite HIPAA, in response to the pandemic, HHS released enforcement guidance related to telehealth. According to HHS, health care providers interested in providing telehealth services, which consist of using electronic information and telecommunications technologies to support and promote long-distance clinical healthcare, will not be subject to penalties for violations of the HIPAA privacy, security and breach notification rules that occur in the good-faith provision of telehealth during the covid-19 pandemic.
Considering the pandemic and the increase in patients interested in receiving health care, the HHS ruling benefits consumers, as well as healthcare systems. However, in the long term, data subjects will be subject to greater risks as the information shared with these healthcare providers through telehealth will not be subject to the penalties for violations of HIPAA privacy, security and breach notification rules.
Another issue involving HIPAA is that employee information is not encompassed. This means that for these individuals there may be no generally applicable privacy law in the United States and that the health data collected from these individuals during the rendering of their services may not be protected or have any safeguards.
In addition to HIPAA, US authorities also issued pandemic-related guidance, including:
- the Equal Employment Opportunity Commission (EEOC) Guidance (19 March 2020), which established that it is not a violation to ask employees whether they are experiencing covid-19 symptoms or to measure employees’ body temperatures;
- the Federal Trade Commission (FTC) Guidance (9 April 2020), which reinforced the obligation to protect the confidentiality of personal information collected from children as education moves online under the Children’s Online Privacy Protection Act (COPPA);
- the Department of Education (DOE) FAQ (March 2020) related to student privacy obligations; and
- the Cybersecurity and Infrastructure Security Agency (CISA) Guidance (13 March 2020), which recommended that organisations adopt stronger levels of cybersecurity.
In light of the pandemic, important issues and challenges related to privacy and health privacy law have been raised in the United States, such as how federal, state and local governments can respond faster to public health crises while at the same time protecting their citizens’ privacy. Also raised is the question of whether governments should create databases to monitor such data. If the answer is yes, a further question arises as to whether such a database should be created at federal or state level. Even though these issues are not new, the focus on implementing measures that will halt the advance of covid-19 has made the need for their discussion and resolution even more critical.
Data protection specific to the healthcare sector in the European Union
The GDPR presents challenges for all industries and sectors of the economy, in particular for the pharmaceutical sector, as it considers data concerning health as a special category of data and provides a specific definition for health data.
As set forth in the GDPR:
- ‘data concerning health’ is defined as ‘personal data related to the physical or mental health of a natural person, which reveal information about his or her health status’;
- ‘genetic data’ is understood as ‘personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question’; and
- ‘biometric data’ is ‘personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person’.
The GDPR aims to ensure that the data subject has the fundamental right to the protection of their health data in numerous situations, such as the cross-border healthcare context and in medical research, such as clinical trials, clinical investigations, epidemiological research and patient registries.
Consequently, healthcare organisations, such as hospitals and medical practices that typically manage health data, have an added burden to maintain ‘data concerning health’, ‘genetic data’ and ‘biometric data’ on a higher standard of protection than personal data in general.
Additionally, processes that foster innovation and better-quality healthcare, such as clinical trials or mobile health, need robust data protection safeguards in order to maintain the trust and confidence of individuals in the rules designed to protect their data.
The impact of covid-19 on the European data protection and privacy landscape
Following the outbreak of the pandemic, the European Data Protection Board (EDPB) was quick to instruct governments and public and private organisations throughout Europe. The GDPR provides legal grounds to enable employers and competent public health authorities to process personal data in view of the pandemic (articles 6 and 9). However, the data controller must always ensure the protection of the data subject’s personal data.
Furthermore, for the processing of electronic communication data, such as mobile location data, additional rules apply, in accordance with the ePrivacy Directive (Directive 2002/58/EC). Location data may only be used by the operator when it has been anonymised or with the consent of the data subject.
The EDPB also released specific guidelines regarding the processing of data concerning health for the purpose of scientific research in the context of covid-19, and guidelines regarding the use of location data and contact tracing tools in the context of covid-19.
To provide safeguards for citizens’ fundamental rights to liberty and privacy during the pandemic, in April 2020, the European Commission (EC) published data protection guidelines for the use of mobile applications developed specifically to assist in the fight against the covid-19 pandemic. The EC guidelines attempt to limit the use of these technologies in order to ensure the fundamental rights of their users.
The EC recommends that these applications focus on functionalities such as:
- providing accurate information to individuals about the coronavirus pandemic;
- providing questionnaires for self-assessment and for individuals to report their symptoms;
- alerting individuals who have had contact or have been in proximity to an infected person, in order to recommend self-quarantine and testing locations (as well as contact tracing and warning functionality); and
- providing communication forums between patients in self-isolation and doctors including cases in which further diagnosis and treatment advice may be provided, such as telemedicine.
These applications must also be deactivated at the latest when the pandemic is declared under control and must implement, while in operation, information security protections more advanced than usual.
Further to the EDPB and EC guidelines, Member States also published specific guidelines on data privacy matters adjusted to their realities and the spread of the coronavirus. For example, the French Data Protection Authority (CNIL) put in place guidelines on IT security when teleworking, researching covid-19 and sending messages to citizens. The UK government determined, through regulations made under the Health Service Control of Patient Information Regulations 2002, that data must be shared with health organisations and local authorities for the purpose of fighting the spread of covid-19 and assisting the healthcare system. The processing of data must still comply with relevant and appropriate data protection standards.
Data protection specific to the healthcare sector in Brazil
In Brazil, health is a fundamental right established in the Federal Constitution and regulated by Law No. 8080/1990. Law No. 8080/1990 set forth principles related to the rendering of public and private healthcare services, such as:
- universal access to health services at all levels of assistance;
- comprehensive care, understood as an articulated and continuous set of preventive actions and services;
- preservation of people’s autonomy in the defence of their physical and moral integrity;
- equality of healthcare, without prejudice or privileges of any kind;
- the right to information regarding your healthcare; and
- disclosure of information regarding healthcare services.
In the past few months, the Brazilian legal framework for privacy and data protection has changed significantly, as the LGPD partially came into force on 18 September 2020, and, in December 2020, the members of the National Supervisory Authority (ANPD) were appointed and started to prepare guidelines and opinions.
Currently, there is no specific data protection legislation or opinion regarding the processing of health data. To date, it is also not clear what kind of activities or situations would fall within the hypotheses of ‘protection of life’ or of ‘the physical safety of the data subject or of third parties and for the protection of health’ set forth by the LGPD, in a procedure performed by healthcare professionals or by healthcare entities. In other words, it is not clear what the extent of these definitions is for the LGPD and for the ANPD.
Despite the absence of a specific legal framework for data protection and privacy matters related to health data, there are legal provisions scattered across the Brazilian legal framework that address confidentiality issues related to healthcare information, which includes personal information, for example, the Charter of Rights of Health Users, the Code of Medical Ethics, Good Pharmacy Practices and ANVISA Resolution No. 9/2015 on Clinical Trials.
From a Brazilian law perspective, the concept of confidentiality is different from privacy. Confidentiality means that the information disclosed by one party to another shall not be made publicly available to any third party. Confidentiality provisions usually do not provide the necessary safeguards or protections when it comes to the processing of data.
Even though the LGPD has come partially into force, these legal provisions also remain in force. Bearing in mind that there is a complex and intense flow of data when it comes to health (for example, in clinical trials there are various parties, such as the sponsor, the researcher and their medical team, and the research facility, and each party has access to different levels of personal and sensitive personal data), it will be necessary, in particular for health information, to perform case-by-case analyses and assessments when it comes to privacy and data protection matters.
The protection of life and the physical safety of the data subject or of third parties and the protection of health are, in theory, not applicable to the main activities performed by the pharmaceutical industry, which generally consist of manufacturing and distributing drugs and medical devices. This does not mean, however, that the support activities developed by the industry, such as patient support programmes, do not fall into this category. Therefore, the challenge for Brazilian data protection professionals is to analyse and assess these activities on a case-by-case basis and check whether they fall within these hypotheses of the LGPD.
Once the law comes fully into force, data breaches shall be subject to penalties that range from warnings issued by the ANPD, with a deadline for the adoption of corrective measures; to a fine of up to 2 per cent of the sales revenue of the legal entity, group or conglomerate in Brazil in its last fiscal year, excluding taxes, limited to 50 million reais per infraction; to partial or total prohibition of the processing of personal data and all related processing activities.
The impact of covid-19 on the Brazilian data protection and privacy landscape
Similar to the Chinese model, in April 2020, Brazil’s President Jair Bolsonaro enacted Provisional Measure No. 954 (MP 954), which required all telecommunication companies that provide Telephone Services and Personal Mobile Services to share data, for example, names, phone numbers and addresses of their users, with the Brazilian Institute of Geography and Statistics (IBGE) in order to allow IBGE to perform long-distance interviews with Brazilian citizens and to improve the accuracy of the official statistics during the covid-19 public health emergency.
Even though the LGPD had not entered into force yet, immediately after the enactment of MP 954, the Council of the Brazilian Federal Bar Association (CFOAB) and some political parties filed a motion claiming unconstitutionality (judicial review), with a request for enjoining MP 954 before the president of the Federal Supreme Court of Brazil (STF).
The main argument presented by the claimants was that MP 954 violated the personal rights set forth in the Brazilian Federal Constitution of personal human dignity, people’s intimacy, private life, honour and image inviolability, data secrecy and informational self-determination.
The claimants also argued that:
- MP 954 has a generic scope and an imprecise purpose, which does not comply with the purpose principle provided in article 6, I of the LGPD;
- when the telephone company collected the personal data, that data was provided for the provision of telephone services and not for statistical research;
- MP 954 does not provide for what purposes the statistical research will be used;
- MP 954 does not describe security measures applicable to the processing of personal data and data sharing, which is inconsistent with the data quality and security principles provided in LGPD article 6, V and VII; and
- MP 954 does not provide measures to prevent damage, so the personal data processing does not comply with the prevention principle provided in article 6, VIII of the LGPD.
After the filing of the motion, a preliminary injunction was granted, aimed at preventing irreparable damage to citizens’ private lives and stopping IBGE from requesting any of the data provided for in MP 954. If such data had already been requested, the request was to be suspended, and the telecommunication companies were to be informed immediately.
Despite the preliminary injunction, the judicial review was still subject to analysis and ruling by the STF’s plenary. Once the STF’s plenary analysed the judicial review, the ministers issued a historic decision, which suspended the effects of MP 954 and acknowledged data protection as an independent fundamental right in Brazil. This means that personal data in Brazil is protected by the courts as a fundamental right and shall be protected alongside the other fundamental rights provided in article 5 of the Brazilian Federal Constitution.
The STF’s main concerns related to the dangers of surveillance. The ministers of the STF agreed that, owing to the covid-19 pandemic, the processing of personal data may be justified for specific reasons; however, this processing may end up expanding and thereby inevitably limit or override other fundamental rights.
Another aspect that concerned the STF was the use of the mass amounts of data collected by governments and companies to promote discriminatory classifications and affect individuals’ social lives, for example, in the allocation of opportunities, access to jobs, businesses and other social assets.
As data protection is understood as an independent fundamental right, the STF’s ministers held that the right to data protection aims to protect a different scope than the right to intimacy and privacy and, therefore, must be protected in its own right.
Today, we live in a digital environment filled with several types of artificial intelligence and highly sophisticated electronic devices, assisting society worldwide in its development. This brings enormous advantages, particularly in the health sector with the development of treatments, exams and new drugs that improve our quality of life and increase life expectancy, among others.
In this sense, the first challenge is to balance preserving individuals’ privacy, inviolability of intimacy and free development of personality with not disabling the development of new technologies and innovative initiatives.
As data is fluid and abstract and can easily be transferred from one side of the world to the other, another challenge, in particular for the pharmaceutical industry, involves guaranteeing that all the parties in the same data chain are processing data in accordance with all applicable data protection laws, which may involve more than one jurisdiction. It seems that the security measures available and the structures for the protection of data are insufficient for the nature of the activities developed by mankind. It is important to consider the possibility of creating new tools that enable data subjects to control the processing of their own data by third parties, controllers and processors.
Taking into account the enormous amount of data that is transferred between different countries, we also face the challenge of harmonising the understanding of privacy and data protection matters in order to maintain appropriate data protection programmes. Further, it is fundamental to create a standard understanding of privacy and data protection for controllers and processors headquartered in multiple jurisdictions. In this respect, the federalist system of the United States and the derogation mechanism set forth by the GDPR may create conflict or legal uncertainty in connection with this matter.
It is clear that the world has advanced considerably when it comes to data protection, but it cannot stop and assume that individuals’ privacy will always be safe and protected. Indeed, the difficulties presented by the pandemic have challenged governments and organisations and will not disappear when the pandemic ends. Once the pandemic recedes, it will be necessary to address these issues and to balance the processing of health data by governments and organisations against data subjects’ privacy protections.
 Fabio Alonso Vieira is a founding partner and Carolina Barbosa Cunha Costa is an associate at Kestener, Granja & Vieira Advogados.
The provisions regarding administrative sanctions (articles 52, 53 and 54 of the LGPD) are expected to come into force on 1 August 2021.