COVID-19, and containment efforts that rely on personal data, are shining a spotlight on a longstanding problem: our nation’s lack of sufficient laws to protect data privacy. Two bills before Congress attempt to solve this problem as to COVID-19 data. One is a good start that needs improvements. The other is a misstep that EFF strongly opposes.

The Public Health Emergency Privacy Act (PHEPA) was introduced by U.S. Senators Richard Blumenthal and Mark Warner, and U.S. Representatives Anna Eshoo, Jan Schakowsky and Suzan DelBene. It has some major elements that privacy advocates have called for. It requires opt-in consent and data minimization, and limits data disclosures to government. It has a strong private right of action and does not preempt state laws. And it bars denial of voting rights to people who decline to opt-in to tracking programs. But it does not protect such people from discrimination in access to employment, public accommodations, or government benefits. Also, it has overly broad exemptions for manual contact tracing, public health research, public health authorities, and entities regulated by the federal Health Insurance Portability and Accountability Act (HIPAA).

The COVID-19 Consumer Data Protection Act (CCDPA) was introduced by U.S. Senators Roger Wicker, Jim Thune, Jerry Moran, and Marsha Blackburn. It preempts state laws, has no private right of action, and exempts a broad set of surveillance by employers. It is a non-starter.

Responses to COVID-19 Burden Our Data Privacy

The ways companies and governments are using our data to respond to the COVID-19 crisis illustrate our lack of data privacy laws. Governments are partnering with businesses to create websites where we provide our health and other information to obtain screening for COVID-19 testing and treatment. States are conducting manual contact tracing, often by contracting with businesses to build new data management systems. Public health authorities are encouraging us to download proximity tracking apps. Some of these apps also track our location, which EFF opposes.

There are many ways to misuse our COVID-related data. Some restaurants are collecting contact information from patrons to notify them later of any infection risk; disturbingly but not surprisingly, a restaurant employee used one patron’s information to send them multiple harassing messages. Companies might divert our COVID data to advertising. Public health agencies might share our COVID data with police or other agencies. All this data might be stolen by identity thieves, stalkers, and foreign nations.

We Need a Comprehensive Privacy Law …

Existing U.S. laws do not sufficiently protect us from misuse of COVID-related data. For example, HIPAA protections of health data apply only to narrowly defined healthcare providers and their business associates. The strongest state data privacy laws only apply to certain kinds of data (like Illinois’ biometric privacy law), data processors (like Vermont’s data broker registration law), or data protections (like California’s rights to access, delete, and opt-out of the sale of data).

So, we need a strong, comprehensive federal consumer data privacy law. EFF has three top priorities for a federal privacy law: no federal preemption of state data privacy laws; strong enforcement by giving consumers a private right of action against companies that violate the privacy rules; and a ban on discrimination against consumers who exercise their privacy rights. Such legislation also must require opt-in consent before data processing, and minimization of data processing to what is necessary for a business to give a consumer what they asked for.

Thus, there is a lot to like about the Consumer Online Privacy Rights Act introduced last year by U.S. Senators Maria Cantwell, Brian Schatz, Amy Klobuchar, and Edward Markey. While that bill needs strengthening amendments, such a law would do a great deal to protect our COVID-related data.

… Or At Least a COVID-19 Privacy Law

If our nation currently lacks the political will to enact a comprehensive consumer data privacy law, then we at least need a COVID-specific law. For the reasons above, it would need opt-in consent, data minimization, a private right of action, no preemption, and protections to prevent discrimination against people who don’t consent.

Non-discrimination has particular urgency here. There is not just a risk that a government or business entity will process a person’s data, or make them use a tracking app, without their consent. There also is risk of denial of benefits and access to people who refuse to share their data or use an app. For example, if a person declines to download a tracking app, an employer might deny workplace access, a restaurant might deny table service, or a government agency might deny a benefit. But any use of such apps must be truly voluntary.

It is also important to restrain the flow of personal data to the government. The outbreak has prompted demands for new institutions and new technologies to gather new kinds of data about us. History shows that governments generally don’t give back emergency powers.

PHEPA is a Good Start …

PHEPA broadly applies to data that is reasonably linkable to a person or device and that concerns COVID-19. It expressly includes health data (such as medical test results), and outbreak tracking data (such as location, proximity, or any data collected by a personal device). The bill extends to government and private entities that electronically process covered data, or that develop websites or mobile apps for COVID-19 purposes.

The bill provides important COVID-19 privacy protections. A covered entity:

  • Shall not process covered data absent the subject’s opt-in consent (with certain exceptions).
  • Shall practice data minimization, by only processing data as “necessary, proportionate, and limited for a good faith public health purpose.”
  • Shall not disclose covered data to the government, except to a public health authority, and only with a good faith public health purpose.
  • Shall not use covered data for commercial ads.
  • Shall let people correct inaccurate data about them.
  • Shall publish a privacy policy, and (for larger entities) quarterly reports.
  • Shall take reasonable steps to secure covered data.

The bill bars denial of the right to vote on the grounds of a person’s covered data, medical condition, or non-participation in a program that collects covered data. This would give some protection to people who refuse to download a tracking app. It provides a strong private right of action, in addition to enforcement by the Federal Trade Commission (FTC) and the State Attorney Generals. It explicitly provides that state laws are not preempted.

In short, there is a lot to like here, including opt-in consent, data minimization, a private right of action, no preemption, no discrimination in voting rights, and more. We appreciate the leadership of Sens. Blumenthal and Warner, and Reps. Schakowsky and DelBene.

… And It Has Room For Improvement

We respectfully suggest the following strengthening amendments to PHEPA.

First, it should ban discrimination against people who decline to use a COVID-19 tracking app, including by denying them employment, education, public accommodations, or government benefits. Such discrimination—and the resulting pressure to download a tracking app—is an urgent privacy threat. The bill makes a good start: it would ban denial of voting rights to someone who won’t participate in a COVID-19 tracking program. But more protections are needed.

Second, the bill has broad exemptions that should be removed or sharply limited:

  • It exempts manual contact tracing programs. But these will amass vast troves of personal data. And this data will be held by the private corporations that contract with states to undertake contact tracing.
  • It exempts public health research about COVID-19. But people should be able to use COVID resources, such as tracking apps or screening websites, without having to become research subjects.
  • It exempts public health authorities. But these government officials should have to follow the bill’s rules on, for example, subject consent, data minimization, confidentiality, and non-disclosure to other units of government.
  • It exempts entities covered by HIPAA, including the business associates of healthcare providers. But such entities should be required to follow the bill’s important new privacy rules, unless those rules conflict with HIPAA.

Third, the bill says that if a person revokes consent to data processing, then a covered entity shall stop processing “as soon as practicable, but in no case later than 15 days,” and shall destroy or de-identify data already collected. But if someone revokes their consent, that should be respected immediately. An entity that wants to process covered data must be prepared to stop processing it as soon as someone revokes consent. Also, the covered data should be destroyed, without an option to retain it in de-identified form. There is inherent risk that de-identified data can be re-identified.

Fourth, the bill provides that a covered entity shall destroy or de-identify covered data within 60 days of the end of the outbreak, as defined by federal and state government. But management of the COVID-19 outbreak could last for years, while much COVID-related data will be stale within weeks. For example, the COVID-19 incubation period is 14 days, so there is no need for lengthier retention of data collected by proximity tracking apps. Also, stale data must be destroyed and not merely de-identified, as just explained. We urge the authors to take these critical steps to strengthen their bill.

The CCDPA is a Misstep

The CCDPA is a nonstarter for EFF.

First, it would preempt state laws “related to” the processing of covered data (location, proximity, persistent identifiers, and health information) for a covered purpose (tracking COVID-19, measuring social distancing, and contact tracing). This would cut back existing legal rights of Californians to access, delete, or opt-out of the sale of data collected for COVID purposes, and of Illinoisans to be free from unconsented biometric surveillance for COVID purposes. Where COVID-19 data is involved, the CCDPA would also cut back existing state laws that address medical privacy, information security, data breach notification, and unfair trade practices. Even worse, the CCDPA would end the power of state legislatures, acting as “laboratories of democracy,” to innovate new ways to protect COVID-related privacy. And preemption under the CCDPA would be permanent—even after the outbreak ends.

Second, the CCDPA lacks a private right of action, and allows enforcement only by the FTC and State Attorney Generals. But the task of enforcement is too big just for these agencies, which have finite budgets and many competing obligations. Also, many agencies suffer regulatory capture, meaning regulated businesses have undue influence over agency enforcement decisions.

Third, the CCDPA exempts COVID-related data that employers use to screen entry to workplaces. This is a green light to businesses to fire employees unless they submit to surveillance of their movements, associations, and health—so long as the businesses say they are trying to prevent a workplace outbreak.

Conclusion

Governments and businesses are collecting vast troves of COVID-related data, including our health, locations, associations with others, and much more. This further shows that a comprehensive data privacy law is long overdue. At a minimum, we need a COVID-19 privacy law. PHEPA is a good start. We hope Congress will build on it.

Correction: An earlier version of this post inadvertently omitted Rep. Anna Eshoo from the list of sponsors for the Public Health Emergency Privacy Act. This version has been corrected.