Senate Republicans introduced a new bill during the tail end of last week that seeks to increase transparency and ownership of personal health, geolocation, proximity and other related data collected by digital devices or systems during the COVID-19 public health emergency.
The so-called COVID-19 Consumer Data Protection Act was introduced by Sen. Roger Wicker R-Miss.; Sen. John Thune, R-S.D.; Sen. Deb Fischer, R-Neb.; Sen. Jerry Moran, R-Kan.; and Sen. Marsha Blackburn, R-Tenn. – the majority of whom serve as the chairman of a Senate committee or subcommittee. No Democrats have backed the new bill.
“As the coronavirus continues to take a heavy toll on our economy and American life, government officials and health-care professionals have rightly turned to data to help fight this global pandemic,” said Wicker, who heads the bill. “This data has great potential to help us contain the virus and limit future outbreaks, but we need to ensure that individuals’ personal information is safe from misuse."
As written, the law would be enforced by the Federal Trade Commission (FTC) and state attorneys. The bill requires companies under the FTC's purview to obtain "affirmative express consent" prior to collecting this data for COVID-19 tracking. These companies would also need to inform consumers of the ways their data will be handled, transferred and retained at the point of collection, and to allow consumers an avenue to opt out of the data collection.
The proposed law outlines definitions for data aggregation and de-identification, while setting data minimization and security requirements. Companies collecting this data would be required to release data-use-transparency reports to the public, and would have to either delete or de-identify all data that could be used to identify an individual at the end of the COVID-19 emergency.
WHY IT MATTERS
Jena Valdetero, a data security and privacy lawyer at Bryan Cave Leighton Paisner, told MobiHealthNews that the proposed act covers several of the "universally accepted" privacy principles for programs that impact personal information. She also noted that this COVID-19 bill is just the latest in a line of short-lived federal data privacy efforts out of Congress.
"The sticking points on prior proposed laws generally fall into two categories: (1) whether the federal law would preempt, or 'trump' similar state laws regulating privacy; and (2) whether to provide a private right of action for individuals to sue for violations of their rights," she wrote in an email comment. "This bill errs on the business-friendly side on both issues. It would preempt state laws and would leave enforcement to the [FTC] and state Attorneys General, and not to individuals. But, it remains to be seen if this crisis will be enough to get this privacy bill over the finish line when prior bills have failed."
The bill's early prospects look grim. Recent reports from Politico citing anonymous senior Democratic aides suggest that liberal lawmakers have major reservations about these same two concerns, and also would prefer that the act protect a broader range of personal information.
Although this particular act is solely focused on personal consumer data related to the COVID-19 emergency, any privacy safeguards put into place by Congress could serve as a precedent to federal-level requirements down the road – something that every digital health company relying on personal data will need to be mindful of.
Leslie Krigstein, Livongo's VP of government affairs, told MobiHealthNews that her company has been in "active communication with government officials" on health-data-privacy proposals such as these, and has been primarily concerned with the balancing act of data collection and user trust necessary for its service to be effective.
"As [is] the case with COVID-19 contact tracing, the consumer trust that’s required to advance data science and aid with keeping individuals safe can be easily undermined if the data is misused or the individual feels threatened by its use," Krigstein told MobiHealthNews in an email statement on the proposed bill. "It’s going to be critical that policymakers look to address these concerns in a way that protects privacy without hindering innovation, yet recognizes the responsibility that must fall on organizations collecting and leveraging personal data."
THE LARGER TREND
Big data and privacy protections during COVID-19 were the focus of a "paper hearing" conducted a few weeks ago by the Senate Committee on Commerce, Science and Transportation. Here, a handful of witnesses from industry associations and academic institutes said that it's possible to have a balance between effective technology and individual privacy, but that companies and governments will have to be careful when deploying their COVID-19 responses.
“As one can see, there are a number of ways big data processing can advance the coronavirus response without unduly risking individual privacy,” Michelle Richardson, director of the Privacy and Data Project at the Center for Democracy and Technology, said. “Some of this data does not reflect personal information at all – such as state level statistics that are aggregated and cannot be associated with specific individuals. But there are also uses of data that are riskier. For example, if heat maps or case reporting become too granular, it may be easy to associate a positive coronavirus status with identifiable people. Symptom trackers may also pose privacy risks if they collect personal information.”
Perhaps the standout mobile tools being discussed over the past few months have been apps and services designed to support contact tracing efforts. Designs are being developed by researchers, tech giants and governments alike. Similarly, a number of technology companies and, most recently, the World Health Organization have focused on COVID-19 screening or symptom-checking apps that ask users to input their information before providing care recommendations.