
Congressional Bills Target COVID-19 Contact Tracing App Privacy

Two separate bills from Republicans and Democrats aim to secure data generated by proposed COVID-19 contact tracing apps but differ on just how to provide transparency and ensure privacy.

A group of Congressional Democrats proposed privacy legislation designed to ensure the privacy and security of proposed COVID-19 contact tracing apps. Senate Republicans released a competing privacy bill earlier in May, which will open the debate on how lawmakers will secure the privacy of users.

Unveiled on May 14, the Public Health Emergency Privacy Act is spearheaded by Sens. Mark Warner, D-Virginia, and Richard Blumenthal, D-Connecticut. Warner co-founded the Senate Cybersecurity Caucus in 2016, while both have actively pushed for tighter privacy restrictions. Most recently, Blumenthal and Warner pressed the Department of Homeland Security to issue COVID-19 cyber threat guidance for healthcare.

Reps. Anna G. Eshoo (D-CA), Jan Schakowsky (D-IL), and Suzan DelBene (D-WA) are the bill’s co-sponsors. Driven by a wide range of privacy misuse, intrusions, and breaches, the bill aims to restore individuals’ trust in technology – especially platforms used amid the pandemic.

For Warner, technology has proved invaluable during the crisis. However, privacy laws have failed to keep pace with modern technologies. The hope is that the legislation would strengthen public trust, which would encourage use of these platforms and, thus, increase the apps’ effectiveness in the fight against COVID-19.

“Americans are rightly skeptical that their sensitive health data will be kept safe and secure, and as a result, they’re reluctant to participate in contact tracing programs essential to halt the spread of this disease,” Blumenthal said in a statement.

“This measure sets strict and straightforward privacy protections and promises: Your information will be used to stop the spread of this disease, and no more,” he added. “Legal safeguards protecting consumer privacy failed to keep pace with technology, and that lapse is costing us in the fight against COVID-19.”

To encourage user participation, the bill would give individuals control over participation, requiring tech companies to provide opt-in consent and meaningful transparency into privacy and security practices. The proposal also empowers private and public enforcement, including rulemaking from an “expert agency,” while recognizing state legislation and enforcement.

The proposed legislation would mandate that all data collected through contact tracing apps would be limited to public health use and prohibit the use of health data for any discriminatory, unrelated, or intrusive purposes, such as commercial advertising or efforts to bar access to employment, insurance, and the like.

Further, the bill would prevent potential misuse of health data by government agencies with no public health role. The apps would also be required to provide regular reports on the impact of digital collection tools on civil rights.

If the bill is passed, the apps would be required to employ strengthened data security and integrity protections, including data minimization and accuracy, while tech firms would be required to delete the data once the public health emergency has ended.

The bill would also ensure the protection of voting rights by “prohibiting conditioning the right to vote based on a medical condition or use of contact tracing apps.”

A host of privacy stakeholders have endorsed the Public Health Emergency Privacy Act, including Public Knowledge, New America’s Open Technology Institute, Consumer Reports, and Public Citizen.

“This bill establishes critical protections for patients whose health data is released in the context of the public health emergency,” Frank Pasquale, Piper & Marbury professor of law at University of Maryland Carey School of Law, said in a statement. “To build a trusted data infrastructure, the US needs to ensure that any entity which accesses such data is held accountable and does not abuse the public trust.”

“Importantly, the bill ensures an individual's right to seek redress for violations, and it bars against the use of pre-dispute arbitration agreements,” Justin Brookman, director of Consumer Privacy and Technology Policy for Consumer Reports, said in a statement. “These measures will help individuals trust contact-tracing or proximity-tracing programs, and they can serve as a model for more comprehensive protections down the road.”

From the other side of the aisle, Sens. Roger Wicker, R-Mississippi, John Thune, R-South Dakota, Deb Fischer, R-Nebraska, Jerry Moran, R-Kansas, and Marsha Blackburn, R-Tennessee, proposed the COVID-19 Consumer Data Protection Act designed to provide individuals with greater transparency, choice, and control over data collected by these contact tracing apps.

The proposal is designed to ensure businesses are held accountable for any misuse of data collected to fight the COVID-19 pandemic and would require companies under Federal Trade Commission jurisdiction to obtain explicit consent from users to collect, process, or transfer personal health, geolocation, proximity, or device data for contact tracing.

The bill mandates strict privacy disclosures at the point of collection into how data will be handled, to which companies it will be transferred, and how long it would be retained. Companies will be required to establish clear definitions around aggregate and de-identified data and to adopt technical and legal safeguards to protect consumer data from being reidentified.

Further, companies would be mandated to allow users to opt-out of the collection, processing, or transfer of their personal health data and other personal information collected by the apps. The platforms would need to provide transparency reports to the public that detail data collection activities related to the pandemic.

The proposal would also establish data minimization and security requirements for any personally identifiable information collected by a covered entity, while requiring companies to delete or de-identify all personally identifiable information at the end of the COVID-19 public health emergency.

If passed, the bill would also give state attorneys general the power to enforce the act.

“While the severity of the COVID-19 health crisis cannot be overstated, individual privacy, even during times of crisis, remains critically important,” said Thune, in a statement. “This bill strikes the right balance between innovation – allowing technology companies to continue their work toward developing platforms that could trace the virus and help flatten the curve and stop the spread – and maintaining privacy protections for U.S. citizens.”

“It is paramount that as tech companies utilize data to track the spread of COVID-19, Americans’ privacy and security are not put at risk,” Blackburn said in a statement. “Health and location data can reveal sensitive and personal information, and these companies must be transparent with their users.”

As Google and Apple are set to release their contact tracing API by the end of the month, it will be imperative for Republicans and Democrats to find a middle ground to ensure user privacy protections. As noted in earlier Congressional debates around the creation of a federal privacy law, both groups recognize that bipartisanship is the clear path to enacting any privacy legislation.
