Tuesday, May 12, 2020

Senate Commerce Committee Members Introduce COVID-19 Privacy Bill

Contact tracing, which involves identifying those who have tested positive for COVID-19 and the people with whom they have interacted, may prove effective in minimizing the spread of the virus and enabling the safe reopening of America. It typically is a labor-intensive effort, but digital tools, such as mobile apps, seek to automate at least part of the process. Such efforts have achieved qualified success in other parts of the world, such as Singapore and South Korea. But the monitoring of citizen movement inevitably implicates personal privacy. Businesses developing contact-tracing technology, and now lawmakers, seek to mitigate that impact.

A number of companies are active in this space, both domestically and internationally. The most high-profile effort involves Apple and Google, rivals that provide the operating system software (iOS and Android, respectively) running on virtually all smartphones. Working together to make available Application Programming Interfaces (APIs) that leverage Bluetooth technology, they have indicated that privacy is a “primary goal.” To that end they recently announced measures, such as prohibiting the collection of GPS location data and allowing only public health officials to deploy apps that utilize those APIs, in response to privacy concerns that have been raised.

In addition, on May 7, five Republican members of the Senate Committee on Commerce, Science, and Transportation – Chairman Roger Wicker (MS), John Thune (SD), Deb Fischer (NE), Jerry Moran (KS), and Marsha Blackburn (TN) – introduced legislation that, according to the Press Release, is designed to “provide all Americans with more transparency, choice, and control over the collection and use of their personal health, device, geolocation, and proximity data” and “hold businesses accountable to consumers if they use personal data to fight the COVID-19 pandemic.”

Specifically, the COVID-19 Consumer Data Protection Act of 2020 (CCDPA) would regulate “covered data” collected and used to:
  • Track the spread, signs, or symptoms of COVID-19;
  • Measure compliance with social distancing guidelines and other requirements; and
  • Conduct contact tracing.
Covered data includes:
  • Precise geolocation data;
  • Proximity data;
  • A persistent identifier; and
  • Personal health information.
It does not include:
  • Aggregated data;
  • Business contact information;
  • De-identified data;
  • Employee screening data; and
  • Publicly available information.
Should the CCDPA become law, “covered entities,” among other things, would be required to:
  • Provide individuals with clear and transparent notice regarding how their data will be handled, to whom it will be transferred, and how long it will be retained;
  • Obtain “opt-in” consent before collecting or using that data;
  • Limit that collection to what reasonably is necessary;
  • Ensure that the data is accurate (and allow individuals to correct inaccurate data);
  • Implement appropriate data security policies and practices; and
  • Provide a means for those who do “opt-in” to “opt-out” at a later date.
Covered entities include those that collect, process, or transfer covered data and are:
  • Subject to the FTC's jurisdiction;
  • Common carriers (which would be exempt from Communications Act provisions and FCC rules, other than those relating to 911, in connection with activities covered by the CCDPA); and
  • Nonprofit organizations.
Covered entities would be required to issue public transparency reports within 30 days of enactment and no less than every 60 days thereafter providing information on the number of individuals from whom data has been collected, the categories into which it falls, how it is used, and to whom it has been transferred.

The CCDPA would preempt state and local laws “related to the collection, processing, or transfer of covered data for a purpose described” therein and empower the FTC and state attorneys general to enforce its provisions.

The CCDPA would remain in effect only until the Secretary of Health and Human Services declares an end to this public health emergency. Covered entities would be required to delete or de-identify all covered data at the end of the current crisis.