Congress to Consider Competing COVID-19 Privacy BillsDemocrats and Republicans Introduce 2 Versions of Legislation With Similar Goals
As COVID-19 rages and technology firms race to develop contact-tracing apps and other digital tools to help contain the spread, congressional Democrats have followed Republicans in introducing privacy legislation aimed at protecting consumer data collected during public health emergencies.
In a Thursday statement, the sponsors of the Democratic legislation - Representatives Anna G. Eshoo, D-Calif., Jan Schakowsky D-Ill., Suzan DelBene, D-Wash., and U.S. Senators Richard Blumenthal D-Conn., and Mark Warner D-Va. said their Public Health Emergency Privacy Act would set “strong and enforceable privacy and data security rights for health information” collected during public health emergencies.
The proposed legislation from Democrats comes nearly a month after Republican senators Roger Wicker, R-Miss., John Thune, R-S.D., Jerry Moran, R-Kan., and Marsha Blackburn, R-Tenn., unveiled the COVID-19 Consumer Data Protection Act.
In an April 20 statement, the GOP senators said their legislation “would provide all Americans with more transparency, choice and control over the collection and use of their personal health, geolocation and proximity data. The bill would also hold businesses accountable to consumers if they use personal data to fight the COVID-19 pandemic.”
The Democrats sponsoring the Public Health Emergency Privacy Act say their proposal aims to address the privacy concerns of American consumers.
”After decades of data misuse, breaches and privacy intrusions, Americans are reluctant to trust tech firms to protect their sensitive health information,” the statement says. They pointed out that a recent poll found that “more than half of Americans would not use a contact-tracing app and similar tools from Google and Apple over privacy concerns.”
The Democrats say their legislation would:
- Ensure that data collected for public health is strictly limited for use in public health;
- Explicitly prohibit the use of health data for discriminatory, unrelated or intrusive purposes, including commercial advertising, e-commerce or efforts to gate access to employment, finance, insurance, housing or education opportunities;
- Prevent the potential misuse of health data by government agencies with no role in public health;
- Require meaningful data security and data integrity protections – including data minimization and accuracy – and mandate deletion by tech firms after the public health emergency;
- Protect voting rights by prohibiting conditioning the right to vote based on a medical condition or use of contact tracing apps;
- Give the public control over their participation in these efforts by mandating meaningful transparency and requiring opt-in consent;
- Provide for robust private and public enforcement, with rulemaking from an expert agency while recognizing the continuing role of states in legislation and enforcement.
Meanwhile, the sponsors of the GOP legislation say their proposal addresses similar concerns.
“While the severity of the COVID-19 health crisis cannot be overstated, individual privacy, even during times of crisis, remains critically important,” Thune said in a statement.
“This bill strikes the right balance between innovation – allowing technology companies to continue their work toward developing platforms that could trace the virus and help flatten the curve and stop the spread – and maintaining privacy protections for U.S. citizens.”
The Republicans say their proposal would:
- Require companies under the jurisdiction of the Federal Trade Commission to obtain affirmative express consent from individuals to collect, process, or transfer their personal health, geolocation or proximity information for the purposes of tracking the spread of COVID-19;
- Direct companies to disclose to consumers at the point of collection how their data will be handled, to whom it will be transferred and how long it will be retained;
- Establish clear definitions about what constitutes aggregate and de-identified data to ensure companies adopt certain technical and legal safeguards to protect consumer data from being re-identified;
- Require companies to allow individuals to opt out of the collection, processing, or transfer of their personal health, geolocation or proximity information;
- Direct companies to provide transparency reports to the public describing their data collection activities related to COVID-19;
- Establish data minimization and data security requirements for any personally identifiable information collected by a covered entity;
- Require companies to delete or de-identify all personally identifiable information when it is no longer being used for the COVID-19 public health emergency;
Prospects for Passage
Some observers say Congress might be able to reach a consensus on privacy legislation related to COVID-19.
”I think that a bill has a pretty good chance of getting passed. … So the end result may be a compromise of the two,” says privacy attorney Adam Greene of the law firm David Wright Tremaine. “That being said, I have been wrong plenty of times when betting on the side of Congress getting something done.”
Privacy attorney Kirk Nahra of the law firm WilmerHale says that the level of concern around the privacy of COVID-19 data, including contact-tracing apps, makes passage of some kind of compromise legislation possible.
”There seems to be a reasonable amount of interest in ‘doing something’ to address these kinds of concerns about how data is being collected and used in this overall context,” he says. “These are challenging and important issues. So, that increases the likelihood of something emerging - but also highlights the differences in approach so far.”
These bills target some of the gaps in current US privacy law, because some health data is not covered under HIPAA, Nahra says.
”At the same time, these bills purport to be temporary - even though they are designed to fill in existing gaps in privacy law,” he notes. “So it will be really interesting to watch how these temporary measures, designed to deal with pandemic emergency issues, impact the ongoing debate over a broader national privacy law.”
Twila Brase, president and co-founder of privacy advocacy group Citizens’ Council for Health Freedom, says the Democratic proposal’s provisions about consent come up short.
The consent provision in the Democratic bill “sounds good until you look further into the bill, where there are exclusions and limitations on that consent,” she notes.
Meanwhile, the U.S. is not alone in attempting to craft legislation to tackle sticky COVID-19 privacy issues. On Thursday, Australia's Parliament passed a law to deal with a range of legal and privacy concerns arising from its quickly developed contact-tracing app, COVIDSafe (see: Australia Passes Privacy Law for Contact Tracing App).