Congress Considers Three Bills Addressing Privacy Protections During COVID-19 Crisis
July 14, 2020
Policymakers and public health authorities are turning to digital tools as key elements of their strategies for reopening the United States during the COVID-19 pandemic. Such tools raise important equity, privacy, and civil liberties concerns. Without strong guardrails, these tools threaten to cause a variety of privacy harms, and communities of color are at greater risk of being disadvantaged by them, just as these communities have been disproportionately impacted by the pandemic itself.
In response to these concerns, OTI, the Leadership Conference on Civil and Human Rights, the Lawyers’ Committee for Civil Rights Under Law, and 83 civil rights, civil liberties, labor, and consumer protection organizations released principles to guide decisions about whether and when the use of such technologies is appropriate. Members of Congress have introduced three bills to mitigate COVID-19 privacy risks, but only one of the three bills fulfills all the principles.
Digital tools should augment, but not replace, traditional manual contact tracing. Neither manual tracing nor digital tools will be effective without widely available COVID-19 testing, supported isolation, partnerships with vulnerable communities, and other supportive public health measures, such as equitable access to healthcare. The principles state that a digital tool should not be deployed unless it is:
- Non-Discriminatory
- Used exclusively for public health purposes
- Effective
- Voluntary
- Secure
- Accountable
Since the onset of the pandemic, Congressional leaders have introduced three measures designed to provide safeguards for deployment of technological tools aimed at fighting COVID-19. In general, these measures focus on crafting guidelines around what types of data can be collected, who has access to the data, and how long the data can be retained. As Congress considers three different bills intended to address privacy issues with COVID-19 digital tools, OTI urges members to consider how the different proposals align with the principles set forth by civil rights, consumer protection, and civil liberties organizations. All three proposals include provisions on effectiveness, voluntariness, security, and accountability. The proposals differ most significantly on how they address non-discrimination and how they constrain the uses of data for purposes other than public health.
The Public Health Emergency Privacy Act (PHEPA) is strong and comprehensive.
OTI supported the introduction of the Public Health Emergency Privacy Act (S. 3749 and H.R. 6866), sponsored by Sens. Richard Blumenthal (D-Conn.) and Mark Warner (D-Va.), and Reps. Anna Eshoo (D-Calif.), Jan Schakowsky (D-Ill.), and Suzan DelBene (D-Wash.). The bill satisfies all six of the above principles. The bill would apply to all digital tools used in a pandemic response, and states that an organization should only collect data when “necessary, proportionate, and limited for a good faith public health purpose.” This data minimization provision would prevent companies and governments from using COVID-19 digital contact tracing efforts as a pretense for collecting as much data as possible. Further, the bill’s prohibition on using data for non-health related purposes will help establish public trust and promote widespread use of these tools, particularly among minority communities concerned that the government will use this data against them.
The bill also states that organizations should “adopt reasonable safeguards to prevent unlawful discrimination” based on emergency health data. This provision would prohibit emergency health data from being used to discriminate against a person for employment, housing or voting purposes. For example, a person’s ability to vote could not be restricted based on their COVID status, nor could landlords refuse to rent to tenants based on their COVID status. If a company or organization were to violate the act, the bill creates a private right of action to empower individuals to bring a lawsuit to enforce their civil rights. The other bills do not include similarly strong enforcement mechanisms.
The Exposure Notification Privacy Act (ENPA) is strong, but has a limited scope.
OTI also welcomed the introduction of the Exposure Notification Privacy Act (S. 3861), sponsored by Senators Maria Cantwell (D-Wash.) and Bill Cassidy (R-La.). The bill satisfies five of the six principles laid out in the coalition letter. It makes voluntary participation the basis for any digital contact tracing system and allows users to withdraw consent later if they choose. The bill only permits the use and disclosure of collected data when necessary to implement an exposure notification service for public health purposes. This would prevent the data from being used for law enforcement or other purposes unrelated to public health.
However, the bill does not satisfy the accountability principle because it lacks a private right of action that would empower individuals to enforce their rights. The bill prevents organizations from discriminating against individuals based on the data collected by exposure notification apps for public services and accommodations, but the bill lacks provisions extending similar protections to employment or voting. Further, the bill only applies to exposure notification systems, rather than to all digital tools that may be used in pandemic responses. Given the range of digital COVID-19 response tools under development in the U.S. and already deployed in other countries, such as “immunity passports” and QR codes to track people’s movements, the bill’s exclusive focus on exposure notification tools is relatively narrow.
The COVID-19 Consumer Data Protection Act (CCDPA) provides some safeguards, but fails to protect vulnerable communities.
The COVID-19 Consumer Data Protection Act (S. 3663), introduced by Senators Roger Wicker (R-Miss.), Jim Thune (R-S.D.), Jerry Moran (R-Kan.), and Marsha Blackburn (R-Tenn.), only satisfies two principles laid out in the coalition letter: voluntariness and security. The bill would require entities collecting personal data in connection with pandemic response plans to first obtain the affirmative express consent of the individual, and to allow the individual to withdraw their consent at any point. It also contains a data minimization provision stating that covered entities “shall not collect, process, or transfer covered data beyond what is reasonably necessary, proportionate, and limited to carry out such purpose.”
Although the consent and security provisions would be improvements over the status quo, overall the bill would not protect individuals from privacy violations. The bill provides no safeguards against potential discrimination and fails to include guardrails against mission creep. For example, the bill would enable data to be collected for the purposes of measuring compliance with social distancing guidelines. This will have a disparate impact on certain communities because social distancing guidelines do not affect all communities the same way. The bill does not restrict how law enforcement or other government entities can access or use data collected for contact tracing purposes, enabling that data to be used in inappropriate ways. Most importantly, the bill contains no prohibition on discriminatory uses of data collected for contact tracing purposes. This allows for the possibility that sensitive data—both about an individual’s COVID-19 status and about a protected class like race or gender—could be used to make adverse decisions about individuals’ access to housing, employment, voting, and public accommodations.
Congress Should Pass COVID-19 Privacy Legislation That Recognizes Disparate Impacts of Digital Tools on Communities of Color
As Congress considers proposals addressing the privacy, equity, and civil liberties implications of the digital tools being deployed to help reopen American society, legislators must work to prevent further harm to communities already suffering disproportionately from the virus and economic hardships. Any reopening strategy must avoid improperly deploying information technologies designed specifically to monitor, track, or trace individuals in order to mitigate or respond to the COVID-19 public health crisis. The principles set forth by civil rights, consumer protection, and civil liberties organizations provide a roadmap for equitable deployment of COVID-19 response technologies, and only PHEPA would fully follow that roadmap.