Laboratory equipment on table showing the concerns raised by privacy advocates on potential misuse of coronavirus data that may lead to a federal privacy law

Worried About Misuse of Coronavirus Data, Privacy Advocates Rally for Federal Privacy Laws

As compared to most of the world’s major democratic powers, the United States has been slow to adopt a comprehensive and universal federal privacy law. The need to collect potentially invasive coronavirus data for public health reasons might end up being the catalyst. It has certainly galvanized privacy advocates, some of whom addressed Congress on the subject in an April hearing convened primarily to determine the role of “big data” in the abatement of the Covid-19 crisis.

While this particular hearing was not meant to establish any clear signs toward the ultimate composition of or potential schedule for a federal privacy law, it did see some leading industry figures and privacy advocates promote established best practices and legal frameworks that already enjoy strong support.

Safe handling of Coronavirus data

The hearing, called “Enlisting Big Data in the Fight Against Coronavirus,” was unique in that it was held almost entirely offline. Dubbed a “paper hearing,” the creation of this novel format was prompted by the current social distancing measures. These hearings consist of a series of publicly posted documents rather than the usual live Q&A sessions in which experts testify.

Seven experts testified before the Senate Committee on Commerce, Science, and Transportation, representing a variety of interests and fields including data privacy, marketing, smart device manufacture and app development. The purpose of the hearing was to gather information on the use of anonymized consumer data to fight the spread of Covid-19 while also hearing the concerns of privacy advocates.

The majority statement of the hearing, drafted by chairman Roger Wicker, specifically mentions the EU’s strategies for tracking coronavirus data and that a plan is in place to delete it even though the GDPR does not specifically require it. It also made clear that witnesses were being asked to describe how collected data is to be anonymized to remove all personally identifiable information and how consumers were to be notified and provided with opt-out rights.  The questions asked by the senators reflected this focus on the concerns expressed by privacy advocates and may well represent the beginning of a renewed push to develop a federal privacy law.

General agreement among privacy advocates, but with some reservations

The witnesses were in general agreement that coronavirus data tracking was a necessary measure in fighting the pandemic, but that protection of user privacy was a key element and that data needed to be anonymized. Stacey Gray, senior counsel for the Future of Privacy Forum, summed up the essential position of most privacy advocates: “Aggregated location data, when it does not reveal device-level information about individual behavior, can almost certainly be used safely and effectively to support public health officials.”

The hearing on big data concluded with what appeared to be a general agreement that an anonymized program was going to be a requisite in collecting vital coronavirus data, a very promising sign for privacy advocates. The only question left unsettled is the exact method. Gray indicated that the Future of Privacy Forum formally supports a decentralized Bluetooth-based program, similar to the ones proposed in the EU and by the joint app development partnership between Google and Apple, as did Graham Dufault of the App Association. Washington University law professor Ryan Calo also specifically lauded the Google COVID-19 Community Mobility Report, an independent effort by the search giant that is already tracking aggregate movement trends in terms of certain industry categories and types of destination.

However, some of these same figures pointed out potential vulnerabilities in such a system that need to be addressed. Calo envisioned a scenario in which threat actors reported false coronavirus cases in an attempt to drive people away from the polls during the election. And Gray foresaw a breakdown of communications and confusion over ethical requirements among the private companies involved if a federal privacy law is not in place to guide the efforts to track the coronavirus. Gray also warned against the collection of coronavirus data that might be abused after the pandemic is over, citing the theoretical example of apps that require selfies to be taken feeding that data into unrelated machine learning algorithms as training material.

Michelle Richardson, Director of the Data and Privacy Project at the Center for Democracy and Technology, also noted that a number of tech companies that collect and process health data but are not covered by existing industry-specific federal privacy laws (such as HIPAA) are already using this information in ways that could be considered exploitive. Richardson pointed out that health apps (such as fitness trackers), self-diagnosis websites, prescription drug discount search sites and apps, and pregnancy apps (among other examples) are already collecting and selling sensitive personal data to advertisers in a way that manages to skirt existing regulations.

Several of the privacy advocates also noted that the best successes with app-based contact tracing have thus far mostly come from countries in which compliance can be forced to a greater degree than would be possible (or at least politically acceptable) in the United States.

Is a federal privacy law on the horizon?

Various proposals for a federal privacy law have been kicked around for over a year now, but none have reached a significant stage in the legislative process as of yet. The most recent effort took place in the Commerce Committee earlier in the year, with both Senator Wicker and ranking member Maria Cantwell proposing bills that their respective parties seemed to rally behind. Negotiations over a unified bill tailed off when the coronavirus shutdown measures began in March, however.

Tech companies that collect and process coronavirus data may not be covered by existing industry-specific federal #privacy laws such as HIPAA. #respectdata Click to Tweet

The fact that these bills have a great degree of overlap is promising; perhaps the biggest development in all this is the establishment of a workable process for getting Congressional work done while pandemic safety measures are in place. In addition to providing vital structure and guidelines, a federal privacy law would address the most important factor in a coronavirus data gathering program; the need for public confidence and buy-in to make it work.

 

Senior Correspondent at CPO Magazine