A large group of Democratic congressional lawmakers has introduced a new bill to protect people’s privacy and secure personal health data collected during the COVID-19 pandemic.
The bicameral Public Health Emergency Privacy Act would ensure that data collected is limited to public health use, prevent the potential misuse of health data by government agencies with no role in public health and require full transparency, among other measures.
Representatives Suzan DelBene (WA), Anna Eshoo (CA) and Jan Schakowsky (IL) and Senators Richard Blumenthal (CT) and Mark Warner (VA) sponsored the bicameral legislation. In the Senate, 10 members co-sponsored the bill as did 18 in the House.
The legislation’s genesis came from the sponsors’ contention that Americans don’t trust IT companies such as Apple and Google to safeguard their data and protect their civil liberties. Its sponsors pointed to polling data that indicated more than 50 percent would not use a contact tracing application or similar tools from either company. Strengthening the public’s trust that their personal data is protected from misuse will enable health authorities to use new information and applications to fight the contagion, the bill’s backers said.
The Public Health Emergency Privacy Act would:
- Ensure that data collected for public health is strictly limited for use in public health.
- Explicitly prohibit the use of health data for discriminatory, unrelated, or intrusive purposes, including commercial advertising, e-commerce, or efforts to gate access to employment, finance, insurance, housing, or education opportunities.
- Prevent the potential misuse of health data by government agencies with no role in public health.
- Require meaningful data security and data integrity protections, including data minimization and accuracy, and mandate deletion by tech firms after the public health emergency.
- Protect voting rights by prohibiting conditioning the right to vote based on a medical condition or use of contact tracing apps.
- Require regular reports on the impact of digital collection tools on civil rights.
- Give the public control over their participation in these efforts by mandating meaningful transparency and requiring opt-in consent.
- Provide for robust private and public enforcement, with rule making from an expert agency while recognizing the continuing role of states in legislation and enforcement.
Civil liberty organizations endorsing the measure include Access Now, Electronic Privacy and Information Center (EPIC), the Center for Digital Democracy, Color of Change, Common Sense Media, New America’s Open Technology Institute and Public Knowledge.
“Americans need to be certain their sensitive personal information will be protected when using tracing apps and other COVID-19 response technology and this pandemic-specific privacy legislation will help build that trust,” said DelBene. “Data privacy should not end with the pandemic. We need comprehensive privacy reform to protect Americans at all times, including state preemption to create a strong, uniform national standard.”
That laws protecting consumer privacy aren’t in lockstep with evolving data capture technology has hampered the fight against COVID-19, Blumenthal said. “This measure sets strict and straightforward privacy protections and promises: Your information will be used to stop the spread of this disease, and no more. The Public Health Emergency Privacy Act’s commitment to civil liberties is an investment in our public health,” he said.
Warner said he feared that without strict legal protections “creeping privacy violations and discriminatory uses of health data” could become standard in healthcare and public health. “Strong privacy protections for COVID health data will only be more vital as we move forward with vaccination efforts and companies begin experimenting with things like ‘immunity passports’ to gate access to facilities and services,” he said.
At this point, there is still no federal data privacy law, as lawmakers have repeatedly scuffled over it for years. Companies have already taken steps to comply with California’s Consumer Privacy Act, which resembles the European Union’s General Data Protection Regulation. It gives the state’s 40 million residents the right to require a business to disclose the types of personal information it collects on the consumer, where that information is collected and whether it’s being sold or shared. Violators could be docked up to $7,500 for each infraction.
It is the first and the only such data privacy law in the country and extends to businesses headquartered outside the state but conducting business within its borders. That it provides a template for follow-on federal legislation has yet to prod lawmakers to untangle their differences on the issue.