This is the property of the Daily Journal Corporation and fully protected by copyright. It is made available only to Daily Journal subscribers for personal or collaborative purposes and may not be distributed, reproduced, modified, stored or transferred without written permission.


May 14, 2020

COVID-19 data privacy could be a Pandora’s box


Gerald L. Sauer

Partner, Sauer & Wagner LLP


Gerald Sauer is a founding partner at Sauer & Wagner LLP in Los Angeles. He has been litigating for 34 years, and specializes in intellectual property and business law. He can be reached at (310) 712-8102 or by email at gsauer@swattys.com.

It has taken a global pandemic to finally move legislators in DC toward progress on consumer privacy issues. Despite an urgent need for a comprehensive legal framework to protect personal data, more than a year after it first began looking at a federal scheme, Congress has not managed to reach consensus on a framework such as the European Union's GDPR or the California Consumer Privacy Act (CCPA). Now, calls from public health experts to implement a system of contact tracing of individuals infected with COVID-19, and a seat-of-the-pants Senate proposal, have put data protection into hyperdrive.

We're at a critical juncture, with the health crisis driving us toward a quick fix that could jeopardize the broader public interest. It's the perfect moment for Congress to put differences aside and enact comprehensive federal data privacy laws, while also addressing the unique challenges of data collection during the coronavirus pandemic. A powerful cure is needed for the country's data privacy disease, not simply an interim coronavirus relief patch that could, as explained below, open a Pandora's box of problems.

On April 30, U.S. Sens. Roger Wicker (R-Miss.), John Thune (R-S.D.), Jerry Moran (R-Kan.) and Marsha Blackburn (R-Tenn.) announced plans to introduce the COVID-19 Consumer Data Protection Act (CCDPA). The act, according to a Senate press release, "would provide all Americans with more transparency, choice, and control over the collection and use of their personal health, geolocation, and proximity data."

According to Sen. Blackburn, "It is paramount that as tech companies utilize data to track the spread of COVID-19, Americans' privacy and security are not put at risk. Health and location data can reveal sensitive and personal information, and these companies must be transparent with their users."

Among its key provisions, the act would require covered companies -- those subject to FTC jurisdiction, as well as nonprofit entities and common carriers -- to obtain express consent from individuals to collect, process, or transfer their personal health, geolocation or proximity information for the purposes of tracking the spread of COVID-19. Companies would be obligated to disclose to consumers at the point of collection how their data will be handled, to whom it will be transferred, and how long it will be retained. They would also be required to publish transparency reports every 30 days describing their data collection activities related to COVID-19 and to delete or de-identify all personally identifiable information when it is no longer being used for the COVID-19 public health emergency.

Covered data under the CCDPA includes "precise location data" and "proximity data," which are defined as a person's past or present physical location; as well as "personal health information," which consists of information that identifies or is "reasonably linkable" to an individual and is "genetic information" or "information relating to the diagnosis or treatment of past, present or future physical, mental health or disability" of the individual. Health information already subject to the Health Insurance Portability and Accountability Act (HIPAA) would be exempt from the act. Information that is aggregated, de-identified or publicly available is not considered "covered data" under the proposed law. Covered companies would be required to have an effective opt-out mechanism for individuals to revoke their consent for the collection, processing and transfer of personal health, geolocation or proximity information, and they would need to adhere to prescribed data minimization and data security requirements for all personally identifiable information they collected.

At first blush, the CCDPA seems consumer-friendly and unobjectionable. As with all new programs, however, the devil will be in the details. How will individuals opt in or out? What will happen to their data once the crisis is over? Who will ensure that their data isn't shared with others or used for non-COVID-related purposes? How will HIPAA compliance work when personal health information is being shared for tracing purposes? The bill provides no private right of action but authorizes state attorneys general to enforce its provisions, leaving consumers with no mechanism to obtain relief or hold businesses accountable.

What could be more personal than individuals' health and location information? This is the material of scary sci-fi novels, and the public should be concerned, if not outright paranoid. Without clearly defined processes for managing data from the point of collection through its destruction, and absent meaningful penalties for failure to comply, including a private right of action, the proposed bill doesn't do enough to protect consumers. Just like the coronavirus itself, data collection and use can very quickly morph beyond their intended scope. Any data privacy law must anticipate and address these changes.

The CCDPA is intended to preempt state and local privacy laws, such as the CCPA, with respect to COVID-19-related data. Because contact tracing identifies individuals with whom a person who tests positive for COVID-19 may have been in contact, such tracing necessarily implicates information of more than one person. Under California law, both parties to a communication must consent to being recorded. If communications encompass geolocation and proximity data, the federal law could effectively override the state's more protective law.

Given the urgency of reopening the economy, contact tracing has become a top priority. Traditional tracing methods, which involve manually recording who has tested positive and everyone they've been in contact with in recent weeks, are time-consuming and cumbersome. Google and Apple recently announced they would work together to help governments track the spread of COVID-19 using Bluetooth technology. Such technology, they claim, would provide a more effective way to track exposure while protecting user privacy. Guidelines published by these companies state that the system will not collect any location data; will be used only by health authorities without being monetized; will require explicit user consent; and will be disabled once contact tracing is no longer needed.

The CCDPA is intended to expire at the conclusion of the pandemic, but it could outlast the pandemic. If we're not careful, the COVID-19 response could become the de facto law on data protection, so we need to get it right. Legislators are trying to reverse well-considered state laws on data privacy in the name of a national emergency, using the lack of federal laws to do an end-run around existing laws.

It's a dangerous path to take, using the crisis to collect data for a noble purpose -- public health -- but addressing it through laws with no real teeth and no penalties for potential misuse. When the public health crisis eventually dies down, data collection for any purpose could become a privacy minefield. We do need a comprehensive federal privacy act, but it cannot be built around the COVID-19 crisis. It must be strong enough to protect us in a post-pandemic world. 
