Contact Tracing Prompts U.S. Data Privacy Bills
A flurry of data privacy proposals introduced in Congress as COVID-19 contact tracing efforts ramp up look to create safeguards for handling sensitive medical and other consumer information collected by smartphone apps.
Some observers predict the data privacy challenges associated with using contact tracing apps to detect coronavirus exposure could usher in sweeping federal data privacy protections similar to the EU General Data Protection Regulation (GDPR).
A group of Republican senators introduced the first of several data privacy proposals in response to COVID-19 in late April. The COVID-19 Consumer Data Protection Act aims to control the collection and use of personal health, geolocation and proximity data. Those data could be collected by proposed Bluetooth-enabled smartphone apps being developed by Apple and Google. The apps could also be upgraded to use GPS location services as part of a contact tracing framework.
“It is paramount that as tech companies utilize data to track the spread of COVID-19, Americans’ privacy and security are not put at risk,” said co-sponsor Sen. Marsha Blackburn (R-Tenn.). “Health and location data can reveal sensitive and personal information, and these companies must be transparent with their users.”
Initial data science efforts aimed at gauging metrics like pandemic travel patterns while stay-at-home orders were in effect used aggregated but anonymized location data generated by mobile apps. The Senate proposal would define what constitutes aggregated and “de-identified” data, with the aim of forging technical and legal safeguards to prevent consumer data from being “re-identified.”
The proposed Senate legislation also would require companies to obtain consumers’ consent to gather personal health, geolocation or proximity data for the purposes of tracking the spread of COVID-19. A consensus is emerging among public health experts that a U.S. contact tracing framework should be voluntary, with the ability to opt in or out in order to promote buy-in.
Decentralized data storage on individual devices is also seen as a means of ensuring consumers retain control over health and location data. A French government proposal for centralized databases for coronavirus tracking has met with stiff resistance.
Asian nations such as South Korea, according to some observers, were more heavy-handed in their use of contact tracing data, prompting fears of a permanent surveillance capability even after the pandemic wanes.
Still, privacy advocates said the Senate proposal offered little protection. “Companies may still profit from selling health information or geolocation data, and are allowed to infer who has been diagnosed with the novel coronavirus,” said Sara Collins, policy counsel at Public Knowledge.
The advocacy group said the proposed Senate legislation only applies to coronavirus contact tracing data and provides no guidance or funding for enforcement.
In response to those shortcomings, competing bills in the House and Senate have emerged over the last two weeks. For example, the Public Health Emergency Privacy Act introduced by Democrats in the House and Senate on May 14 would create temporary rules for the collection and disclosure of health data used to slow the spread of COVID-19. The proposal would require government agencies to secure data collected via contact tracing.
“Emergency” health data could no longer be stored or used 60 days after the declared end of the public health emergency. The Democratic bill also includes an enforcement mechanism.
Along with establishing data privacy guidelines for COVID-19 contact tracing, observers said the legislative response to the pandemic could propel efforts towards national data privacy rules akin to GDPR, which took effect in May 2018. So far, states have taken the lead in forging a patchwork of privacy protections, including the California Consumer Privacy Act, which took effect in January 2020.
“While yet to become a law, [the legislative proposals] could pave the way toward future privacy protection laws similar to the California Consumer Privacy Act and the EU General Data Protection Regulation,” said Jerrold Wang, an analyst with Lux Research.