INSIGHT: Covid-19 Privacy Bills—Is There Room for Compromise?

June 15, 2020, 8:01 AM UTC

As the Covid-19 pandemic continues to wreak havoc with our health system and economy, stakeholders are turning to apps and other technology to help stem the spread of virus and to help reopen the nation. But many people are wary of using these technologies due to privacy concerns.

From apps that provide virus exposure notifications to individuals to those that analyze and help screen employees for their readiness to go back to work, these IT solutions hold much promise. But people's wariness is understandable, as much of the personal data that would be collected by these apps could fall outside the protections of current federal privacy laws.

In an attempt to fill some of these gaps, Republican and Democratic leaders have separately introduced bills that specifically focus on protecting the privacy of personal information collected for mitigating the Covid-19 pandemic: The Republican-sponsored COVID-19 Consumer Data Protection Act (CCDPA) and the Democratic-sponsored Public Health Emergency Privacy Act (PHEPA) take different approaches to protecting privacy but there are enough similarities that there might be room for a compromise effort.

Similarities: Protecting Data Falling Between the Cracks of Current Laws

Both the Republican and Democratic-sponsored bills would protect data that generally falls between the cracks of our sector-specific privacy laws, including: geolocation data, proximity data (how close a person is in contact with another person), and health information not covered by the HIPAA Privacy Rule.

Both bills apply to commercial and nonprofit website and app developers and operators and require them to comply with many best practice privacy principles.

Among other things, the bills essentially require covered entities to:

  • Provide individuals notice about their data practices;
  • Obtain affirmative, express consent for the collection, use and disclosure of personal data to third parties. To give this type of consent would require the individual to take some action. Inaction would not be construed as consent;
  • Minimize data collected, used, or disclosed to that necessary for this public health emergency;
  • Implement security measures; and
  • Generally delete or de-identify personal data once the public health emergency is over (limited data retention).

In addition, both the CCDPA and the PHEPA primarily rely on the Federal Trade Commission for enforcement. While the particulars of these provisions may vary, these privacy provisions seem aligned enough for the parties to potentially reach a consensus on their approaches to these issues.

Major Differences: Anti-Discrimination Practices, Private Right of Action, and Preemption

However, the bills have some other major differences, some of which may be more amenable to compromise than others.

Anti-Discrimination Practices

One of the major concerns people have about public surveillance activities is that their data will inappropriately be used against them. The PHEPA addresses this issue by prohibiting the use of covered data as the basis for denying employment, finance, insurance, housing, or education opportunities. There is no similar provision in the CCDPA.

However, there is some evidence that the Republicans would be open to considering anti-discrimination provisions in a Covid-19 focused bill. One of the prime sponsors of the CCDPA, Sen. Roger Wicker (R-Miss.), released a staff draft of a comprehensive federal privacy bill, the United States Consumer Data Privacy Act of 2019, last winter, which included some anti-discrimination provisions. While the approach of the staff draft and the PHEPA vary, there may be some room for compromise on this issue.

Private Right of Action, Preemption of State Law

Not surprisingly to those who work on privacy policy, whether individuals should have the right to sue for violations of the privacy law (private right of action) and whether the law should preempt state law pose two of the most significant hurdles to passing a Covid-19 privacy law. Given that the Covid-19 bills are very limited in scope and duration, it seems that the parties should be able to reach some sort of compromise—at least in the short term.

The goal in enforcement of a Covid-19 privacy law should be to ensure that bad actors do not take advantage of desperate times in a manner that is not so drastic as to deter innovation. Relying solely on FTC enforcement actions, which can take years of investigation, is probably not enough to deter bad actors.

With a private right of action, individuals could probably sue for violations in a more timely fashion, which would serve as a good deterrent. One compromise approach to enforcement would be to provide an individual right of action but limit such actions to reckless, willful, or intentional violations of the law, which seems to strike the right balance between deterrence of bad actors and recognizing that innovators moving quickly may need a little room for error.

One of the major factors driving the push for federal preemption of state law is to impose some sense of uniformity in the law to make it easier for companies to comply with their legal obligations. However, this goal is not served by temporarily preempting a state law, which will once again be enforceable after the Covid-19 law sunsets.

One possible compromise approach would be for a bill to leave in place state laws that already exist (and with which developers are already complying) and to preempt new state privacy laws that would apply to Covid-19 data for the duration of the crisis.

Experts continue to predict that there will be a second wave of Covid-19 cases in the fall, which will require collecting personal data for contact tracing and other purposes. There is still time for the passage of a compromise bill that would protect data and build trust for these applications.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author Information

Joy Pritts is a privacy lawyer helping IT companies develop and implement innovative strategies, policies, and practices on health information privacy, security, and individual access and is a fellow with the Innovators Network Foundation. She previously served as the first chief privacy officer at the Office of the National Coordinator for Health Information Technology, Department of Health and Human Services.
