1 Sadly, in many other areas of the world, such as the USA, India and many African countries, the number of reported cases is still increasing, and a second wave is thought to be starting in others, such as South Korea and China.

2 For example, see B Keogh, “Coronavirus Weekly: Balancing a ‘new normal’ While Keeping COVID-19 in Check” (The Conversation, 18 May 2020) <https://theconversation.com/coronavirus-weekly-balancing-a-new-normal-while-keeping-covid-19-in-check-138577> (last accessed 3 July 2020).

3 For a general overview, see Eurostat, “Economy” <https://ec.europa.eu/eurostat/web/covid-19/economy> (last accessed 3 July 2020); on employment, see European Commission, “Jobs and Economy during the Coronavirus Pandemic” <https://ec.europa.eu/info/live-work-travel-eu/health/coronavirus-response/jobs-and-economy-during-coronavirus-pandemic_en> (last accessed 3 July 2020).

4 For example, see KPMG, “Airlines – Financial Reporting Implications of COVID-19” (April 2020) <https://assets.kpmg/content/dam/kpmg/xx/pdf/2020/04/airlines-financial-reporting-implications-of-covid-19.pdf> (last accessed 3 July 2020) (on the aviation industry); European Cultural Foundation, “Future of Culture and Creative Sectors in post COVID-19 Europe” (30 April 2020) <https://www.culturalfoundation.eu/library/future-of-culture-and-creative-sectors-in-post-covid-19-europe> (last accessed 3 July 2020) (on the cultural sector).

5 See KP Purnhagen, A de Ruijter, ML Flear, TK Hervey and A Herwig, “More Competences than You Knew? The Web of Health Competences for Union Action in Response to the COVID-19 Outbreak” (2020) 11(2) European Journal of Risk Regulation 297.

6 J van Zeben and A Bobić, Polycentricity in the European Union (Cambridge, Cambridge University Press 2019) pp 1–6.

7 European Commission, Guidelines on EU Emergency Assistance on Cross-Border Cooperation in Healthcare related to the COVID-19 crisis COM (2020) 2153 OJ C111I/1, 3 April 2020.

8 A Alemanno, “The European Response to COVID-19: From Regulatory Emulation to Regulatory Coordination?” (2020) 11(2) European Journal of Risk Regulation 307.

9 A de Ruijter, EU Health Law & Policy: The Expansion of EU Power in Public Health and Health Care (Oxford, Oxford University Press 2019) p 190.

10 We will focus primarily on privacy-related regulation. With respect to health, most national and international rights systems now recognise a “right to health”, which encompasses elements of public health protection and access to healthcare in order to ensure individual health. For example, see International Covenant on Economic, Social and Cultural Rights (adopted 16 December 1966, entered into force 3 January 1976) OHCHR Art 12; Convention on the Elimination of All Forms of Discrimination Against Women (ratified on 18 December 1979, entered into force 3 September 1981) UNGA Art 12; Convention on the Rights of the Child (adopted 20 November 1989, entered into force 2 September 1990) OHCHR Art 12. Many consider a high standard of health to be a prerequisite to attaining a good quality of life; see, for example, A Sen, “Why Health Equity” in S Anand et al (eds), Public Health, Ethics, and Equity (Oxford, Oxford University Press 2004) pp 21–33.

11 Many SARS-CoV-2-related measures also have important implications for the free movement rights of EU citizens. Although very important, these cannot all be discussed within the scope of this short contribution. For further reading, see G Di Federico, “COVID-19 and Labour Law: Free Movement of Healthcare Personnel within the EU” (2020) 13(1) ILL E-Journal <https://illej.unibo.it/article/view/10789/10725> (last accessed 3 July 2020); A Renda and R Castro, “Towards Stronger EU Governance of Health Threats after the COVID-19 Pandemic” (2020) 11(2) European Journal of Risk Regulation 273; Recommendation 2020/C 156/01 of 8 May 2020 Communication from the Commission Guidance on free movement of health professionals and minimum harmonisation of training in relation to COVID-19 emergency measures regarding Directive 2005/36/EC; J Brunsden, “Brussels tells UK it must honour EU free-movement rules” (Financial Times, 14 May 2020) <https://www.ft.com/content/c33730c8-8499-4ade-93bd-ec42411cc5f8> (last accessed 3 July 2020).

12 PWC Slovenskia, “What Does Lex Corona Bring?” (31 March 2020) <https://www.pwc.com/sk/en/tax-news/lex-corona.html> (last accessed 15 July 2020).

13 Project de Loi (Sénat commission des Lois) Fair face à l’épidémie de COVID-19 – PJL N-Com 57 Amendement Rejeté (19 March 2020) <http://www.senat.fr/amendements/commissions/2019-2020/376/Amdt_COM-57.html> (last accessed 15 July 2020).

14 BJ Fogg, Persuasive Technology: Using Computers to Change What We Think and Do (Burlington, MA, Morgan Kaufman Publishers 2003).

15 M Quigley, “Nudging for Health: on Public Policy and Designing Choice Architecture” (2013) 21(4) Medical Law Review 588.

16 Another contribution to the current volume by Simonelli and Iacob also focuses on data-driven health services and the role that the EHU may play in achieving a European Health Data ecosystem; M Iacob and F Simonelli, “Towards a European Health Data Ecosystem” (2020) European Journal of Risk Regulation 10.1017/err.2020.88.

17 P Ganley, “Access to the Individual: Digital Rights Management Systems and the Intersection of Informational and Decisional Privacy Interests” (2002) 11(3) International Journal of Law and Information Technology 241, at 264. See also Electronic Privacy Information Center, International, Privacy and Human Rights 2006: An International Survey of Privacy Laws and Developments (Washington, DC, Electronic Privacy Information Center 2006) p 5.

18 See, in detail, M Friedewald, “A New Concept for Privacy in the Light of Emerging Sciences and Technologies” (2010) 19(1) TATuP Zeitschrift für Technikfolgenabschätzung in Theorie und Praxis 71.

19 For example, see O Rene and J Polentsky, “Privacy in the Age of Big Data: A Time for Big Decisions” (2012) 64 Stanford Law Review Online 63.

20 A Westin, Privacy and Freedom (New York, Ig Publishing 1967) p 7.

21 For example, see Universal Declaration of Human Rights (proclaimed 10 December 1948) UNGA Art 12; European Convention on Human Rights (adopted 4 November 1950, entered into force 3 September 1953) CE Art 8; Charter of Fundamental Rights of the European Union (adopted 2 October 2000, ratified 7 December 2000) OJ 2012/C 326/02 Art 8. See also C Veghes et al, “European Union Consumers’ Views on the Protection of Their Personal Data: An Exploratory Assessment” (2009) 11(2) Annales Universitatis Apulensis Series Oeconomica 988.

22 Regulation (EU) 2016/679 of 4 May 2016 General Data Protection Regulation OJ L119, replacing Data Protection Directive 95/46/EC. See, in detail, Council of Europe and FRA, Handbook on European Data Protection Law (2018) <https://fra.europa.eu/en/publication/2018/handbook-european-data-protection-law-2018-edition> (last accessed 15 July 2020); PGanley, supra, note 17, at 253.

23 This is not to say that its adoption has not met considerable resistance and controversy, nor that each of the Regulation’s provisions were entirely new. See, in detail, C Hoofnagle, B van der Sloot and F Zuiderveen, “The European Union general data protection regulation: what it is and what it means” (2010) 28(1) Information & Communications Technology Law 65; Recommendation 2020/C 156/01 of 8 May 2020 Communication from the Commission Guidance on free movement of health professionals and minimum harmonisation of training in relation to COVID-19 emergency measures regarding Directive 2005/36/EC.

24 The EU has also imposed data protection rules on the EU institutions: see Regulation (EU) 2018/1725 of 23 October 2018. The European Data Protection Supervisor (EDPS) and the Member State-based Data Protection Authorities (DPAs) are important actors in ensuring a high level of data protection in the EU, and their independence is safeguarded within primary EU law: see Treaty on the Functioning of the European Union (2012) OJ C 326/1 Art 16(2) and [29] CFREU Art 8.2.

25 Regulations (EU) 2016/679 of 27 April 2016 on the Protection of Natural Persons with the Regard of Processing of Personal Data and on the Free Movement of Such Data and Repealing Directive 95/46/EC, Art 3.2.

26 For example, the California Consumer Privacy Act (adopted on 28 June, 2018) CSL.

27 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1 (‘GDPR’), Art 12.

28 ibid, Art 15.

29 ibid, Arts 17 and 20, respectively.

30 ibid, Art 21.

31 ibid, Recital 28.

32 ibid, Arts 33 and 34.

33 ibid, Art 37

34 See Case C-399/11 and Case C-411/10.

35 See, in detail, Section III.

36 For example, see: Formal comments of the EDPS on two proposals to establish the conditions for accessing other EU information systems for ETIAS purposes <https://edps.europa.eu/sites/edp/files/publication/19_03_13_formal_comments_2_proposals_conditions_for_accessing_information_systems_for_etias_purposes_en_0.pdf> (last accessed 27 October 2020).

37 B Roessler, Value of Privacy (Cambridge, Polity Press 2005).

38 See B Roessler, “X – Privacy as a Human Right” (2017) 117(2) Proceedings of the Aristotelian Society 187; and B van der Sloot, “Decisional privacy 2.0: the procedural requirements implicit in Article 8 ECHR and its potential impact on profiling” (2017) 7(3) International Data Privacy Law 190.

39 X v Iceland App no 6825/74 (18 May 1976).

40 Köpke v Germany App no 420/08 (5 October 2010).

41 Hristozov and others v Bulgaria App nos 47039/11 and 358/12 (13 November 2012).

42 See also B van der Sloot, “Privacy as Human Flourishing: Could a Shift towards Virtue Ethics Strengthen Privacy Protection in the Age of Big Data?” (2014) 5(3) Journal of Intellectual Property, Information Technology and Electronic Commerce Law 230.

43 Van der Sloot, supra, note 38, at 201.

44 R Thaler and C Sunstein, Nudge: Improving Decisions about Health, Wealth and Happiness (New Haven, CT, Yale University Press 2008).

45 The Behavioural Insights Team, “Covid-19 – A Behavioural Perspective” <https://www.bi.team> (last accessed 15 July 2020).

46 R Thaler, “The power of nudges, for good and bad” (The New York Times, 31 October 2015) <https://www.nytimes.com/2015/11/01/upshot/the-power-of-nudges-for-good-and-bad.html?_r=0> (last accessed 6 July 2020).

47 For example, see M Wilkinson, “Nudging and manipulation” (2013) 61(2) Political Studies 341.

48 C Evers, D Marchiori, A Junghans, J Cremers and D de Ridder, “Citizen approval of nudging interventions promoting healthy eating: the role of intrusiveness and trustworthiness” (2018) 18(1) BMC Public Health 1182.

49 Notice the difference from the various arrows and lines that have been added to floors in stores and public spaces during the pandemic. These are not nudges in Thaler and Sunstein’s sense, as they typically have a signalling function in service of strict norms that people have to abide by, such as keeping to a required route or maintaining the required social distance.

50 For a taxonomy of behaviour change techniques that can be used in behaviour change interventions, see C Abraha and S Michie, “A taxonomy of behavior change techniques used in interventions” (2008) 27(3) Health Psychology 379.

51 K Yeung, “‘Hypernudge’: Big Data as a mode of regulation by design” (2017) 20(1) Information, Communication & Society 118.

52 M Lanzing, “‘Strongly Recommended’ Revisiting Decisional Privacy to Judge Hypernudging in Self-Tracking Technologies” (2019) 32 Philosophy & Technology 549.

53 An exhaustive overview of measures taken by all 27 Member States goes beyond the scope of this short piece. For a comprehensive overview of global governmental responses to the pandemic, see the Oxford COVID-19 Government Response Tracker <https://covidtracker.bsg.ox.ac.uk/> (last accessed 3 July 2020).

54 Dutch Data Protection Authority (20 April 2020), Onderzoeksrapportage bron-en contactopsporingsapps <https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/onderzoeksrapportage_bron-_en_contactopsporingsapps.pdf> (last accessed 15 October 2020). The Ministry has since continued the development of their contact tracing app in close collaboration with the Dutch DPA and external partners. The resulting “CoronaMelder” app was released to the general public on 10 October 2020, after legislation was adopted on 6 October 2020.

55 Commission Recommendation (EU) 2020/518 of 8 April 2020 on a common Union toolbox for the use of technology and data to combat and exit from the COVID-19 crisis, in particular concerning mobile applications and the use of anonymised mobility data, C/2020/3300, OJ L 114, 14.4.2020, 7–15.

56 Gobierno de España, “La aplicación oficial de autodiagnóstico, Asistencia COVID-19, disponible ya en cinco nuevas comunidades autónomas” (6 April 2020) <https://www.mineco.gob.es/portal/site/mineco/menuitem.ac30f9268750bd56a0b0240e026041a0/> (last accessed 3 July 2020); R Muñoz, “Spain’s new Coronavirus App Could Detect Violators of Lockdown Rules” (El País, 6 April 2020) <https://english.elpais.com/science_tech/2020-04-06/spains-new-coronavirus-app-could-check-whether-a-person-is-breaking-the-lockdown-rules.html> (last accessed 3 July 2020).

57 Slovakia followed Poland’s early example with its own “Smart Quarantine” app that also relies on GPS data: see Office of the Deputy Prime Minister of Slovac Republic for Investments and Informatization, “Smart-Quarantine – Self-isolation as an Alternative to Institutional Quarantine” (24 March 2020) <https://korona.gov.sk/en/smart-quarantine-self-isolation-as-an-alternative-to-institutional-quarantine/> (last accessed 15 July 2020).

58 M Scott and Z Wanat, “Poland’s Coronavirus app Offers Playbook for Other Governments” (Politico, 4 February 2020) <https://www.politico.eu/article/poland-coronavirus-app-offers-playbook-for-other-governments/> (last accessed 3 July 2020).

59 <https://www.gov.pl/web/cyfryzacja/aplikacja-kwarantanna-domowa--to-musisz-wiedziec> (last accessed 15 July 2020).

60 W Mariner, “Mission Creep: Public Health Surveillance and Medical Privacy” (2007) 87 Boston University Law Review 347.

61 Van der Sloot, supra, note 38, at 192.

62 Notice that we do not claim that infringements on decisional privacy through the use of nudging and hypernudging, particularly towards behaviours that are deemed beneficial to public health under the conditions of a pandemic, can never be justified. Preventing loss of life, protecting vulnerable populations and ensuring the continued viability of public healthcare systems are policy goals that can legitimate certain restrictions on privacy and personal freedom. Rather, the point is that this balancing act should be undertaken in a principled way, underwritten by legal remedies in case of shortcomings in process or outcome.

63 See Section III.1.

64 H van Kolfschooten and A de Ruijter, “COVID-19 and Privacy in the European Union: A Legal Perspective on Contract Tracing” (2020) 41(3) Contemporary Security Policy 478; G Fortuna, “EU Stands by its Data Privacy Rules in Response to COVID-19” (EURACTIV, 28 April 2020) <https://www.euractiv.com/section/coronavirus/news/eu-stands-by-its-data-privacy-rules-in-response-to-covid-19/> (last accessed 4 July 2020). See generally, Alemanno, supra, note 8.

65 Press Release (EC), “Coronavirus: Member States agree on an interoperability solution for mobile tracing and warning apps” (European Commission, 16 June 2020) <https://ec.europa.eu/digital-single-market/en/news/coronavirus-member-states-agree-interoperability-solution-mobile-tracing-and-warning-apps> (last accessed 3 July 2020).

66 See, generally, H Leino-Kilpi, Patient’s Autonomy, Privacy and Informed Consent (Amsterdam, IOS Press 2000) ch 3.2.2.

67 It is worth noting that there are also important questions about fundamental rights as relating to individual healthcare, most of which are discussed through patients’ rights. Consider, for example, the confinement of persons with mental disabilities or, more generally, an individual’s choice to receive, reject or be denied medical treatment. Medical ethics and bioethics provide rich debates on these questions. See, for example, S Anand et al (eds), Public Health, Ethics, and Equity (Oxford, Oxford University Press 2004); and J Mason and G Laurie, Law and Medical Ethics (Oxford, Oxford University Press 2006).