How Badly Will COVID-19 Hurt the Data Privacy Movement?
Before COVID-19 swept into our lives, citizens of the United States were grappling with another major issue: coming to grips with our data rights. The California Consumer Privacy Act (CCPA) went into effect, and similar laws were expected to follow. But ever since, the data rights movement has taken a back seat in the life-and-death battle against the novel coronavirus, the question becomes whether the setback is temporary or permanent.
Modeled broadly after the European Union’s GDPR initiative, the CCPA puts citizens in control of their data destinies (or at least more so than they previously were). Large companies must collect the permission of California residents (citizens and non-citizens alike) to collect and analyze their personal data, and the permission can be revoked at any time.
CCPA went into effect on January 1, 2020, and the California Attorney General was set to begin enforcement on July 1. That six-month grace period was intended to help companies come up-to-speed with their CCPA compliance efforts and data governance projects in general. But since the beginning of March, the COVID-19 epidemic has upended life as we know it, including preparations for CCPA.
“It’s hard to believe that just a few weeks ago, my mind was focused on things such as FedRamp and the California Privacy Act (CCPA),” writes George Gerchow, the chief security officer (CSO) for Sumo Logic, in a blog post. “Now the majority of my time is focused on ensuring our employees safety and productivity, so they can continue to deliver products and support our customers and partners.”
Instead of architecting new frameworks to ensure the proper handling of sensitive data across multiple databases and applications, enterprises have been forced to deal with more pressing issues, such as setting up remote workstations for employees to work from home. On a practical level, security experts are spending more time ensuring that intruders can’t ”Zoom bomb” their video calls than coming to grips with CCPA and its requirements.
Last month, dozens of businesses signed a letter sent to the California Attorney General Xavier Becerra to postpone enforcement of CCPA. The companies, including the California Chamber of Commerce, UPS and the Association of National Advertisers, cited compliance challenges raised by the rapid spread of the novel coronavirus, as well as the fact that CCPA regulations have not been completely finalized. Becerra declined to delay enforcement, raising the possibility that his office will begin handing out fines starting this summer.
With the lockdown in place and the Internet more critical for work and education, it’s even more important to enforce digital rights, says Maureen Mahoney, a policy analyst at Consumer Reports. “Now that more consumers are working from home and relying on tech companies for crucial communications, the Attorney General needs to ensure that appropriate safeguards are in place,” Mahoney told Law360. “Consumers shouldn’t have to give up their constitutional rights to engage in essential activities.”
But the battle against privacy continues elsewhere. Data has emerged as important materiel in the war against COVID-19, including sensitive data that would normally be protected. In some parts of China and South Korea, the government is requiring citizens to download an app to their phones that tracks their movement. Governments in Europe are building similar apps that use Bluetooth radio technology to determine who you’ve come in close physical proximity to.
Now we’re seeing Apple and Google partnering to build a contact tracing app for Americans to use with their iPhone and Android phones. Like the apps in Europe and Asia, the Google and Apple apps use Bluetooth to collect information about who users have been around. In the event that a user tests positive for COVID-19, they would tell the app, and the app would then notify everybody whose smartphones came near the infected person’s phone in the prior 14 days.
Like the Europeans’ apps, the Apple and Google apps are voluntary. And unlike the Asian contact-tracing apps, the Apple and Google apps don’t violate the privacy of the users, the companies claim. “Privacy, transparency, and consent are of utmost importance in this effort,” the companies said in a joint statement.
But the COVID-19 response raises other concerns about the privacy of data. While medical data, ostensibly, is already protected in the U.S. through laws like HIPAA, the novel coronavirus is creating a surge in demand for detailed medical data to help researchers and decision-makers get in front of the virus.
Public health officials can make some decisions based on aggregate or population-level data. But the natural tension between the desire to protect data to preserve privacy on the one hand, and the desire to share important data to ensure good policy decisions on the other hand, puts a mortal twist in the public debate over data privacy.
The Federal Government has come down on the side of sharing data for the benefit of public health at the expense of individual’s data rights. The Department of Health and Human Services (HHS) recently issued a notification that relaxes enforcement of HIPAA.
“As a matter of enforcement discretion, effective immediately, the HHS Office for Civil Rights (OCR) will exercise its enforcement discretion and will not impose potential penalties for violations of certain provisions of the HIPAA Privacy Rule…” the agency stated in a memo.
But some data firms are warning against relaxing or bypassing data regulations, including the digital twin company Iotics. “While it is paramount to have access to all relevant data to make informed decisions and support first-responders, healthcare services and businesses, Iotics raises concerns that uncontrolled data mining could compromise security,” the firm says.
As the states and the feds ramp up COVID-19 testing and other data-gathering activities as a precondition for the lifting of stay-at-home restrictions, the potential for abuse of private data increases. While this data will be vital in the battle against COVID-19, Iotics noted, is doesn’t remove the fact that it’s real challenge to manage the data effectively and securely.
“This is probably the first pandemic of the 21st century in which the full power of information technology, social media, artificial intelligence is being applied to almost every aspect of this response,” said Michael Ryan, the executive director of the World Health Organization (WHO) Health Emergencies Programme, during a COVID-19 virtual press conference on March 25th, according to a Dataguise blog.
We don’t have to trade data privacy for health security, says JT Sison, the VP of marketing and biz dev at Dataguise. “Yes, data belongs to people who have a right to their privacy. Yes, using that data to stop a pandemic is the right thing to do,” he writes. “However, we don’t have to throw data privacy out the window to achieve our goals.”
Let’s hope so.