When talking about data privacy, the conversation always comes back to the same place: There needs to be a federal law.
While a strong federal data privacy law would represent a big leap in protecting people’s personally identifiable information, there’s another area where it could have an immediate impact: handling the coronavirus pandemic.
In previous outbreaks, contact tracing has proven vital in stemming the spread of infection. New technology could augment the traditional contact tracing method used by health authorities, which is to call infected patients, ask for the names and numbers of people they have been in contact with, and ask that those people get tested and self-isolate.
With a contact tracing app on people’s smartphones, health authorities could effectively monitor large populations for potential coronavirus infection hotspots. They could use the data to safely reopen communities or implement shut-down measures to control the virus’ spread.
But the effort to create contact tracing apps has been hampered by the lack of a federal data privacy law. Congress’ failure to act is causing America to fall behind Europe and the rest of the world in creating contact tracing apps that could, in theory, allow health officials to monitor and react to coronavirus hotspots in real time.
While countries like South Korea, India, the United Kingdom, France, Germany, Italy, and Norway have begun testing and rolling out contact tracing apps, U.S. development of contact tracing apps remains stuck in neutral. There is no movement afoot to develop a federal contact tracing app; in fact, only a handful of states have even expressed interest in developing their own.
“My sense of the difference between the EU and the U.S. is that U.S. citizens have a stronger distrust for their government than EU citizens do of their governments—which is ironic since the U.S. has stronger checks on government conduct (independent judiciary and active legislative oversight) than do European nations, and of course European citizens have historically suffered far greater damage from government overreach than U.S. citizens have,” said David Shonka, a partner at the Washington, D.C.-based law firm Redgrave, who served three terms as acting general counsel at the Federal Trade Commission. “Moreover, in the current environment, the U.S. lacks the strong moral leadership (and I mean leadership, not authoritarianism) that the country needs to work through the political conflicts and mistrust.”
Competing contact tracing bills introduced to Congress have exposed the fault lines between the Republican and Democratic views on regulating data privacy.
The first issue is pre-emption—that is, whether the federal privacy law should supersede any and all state laws on the subject.
Senate Republicans favor pre-emption. A bill, S.3663, introduced by Senate Republicans that would be pre-emptive now awaits action before the Senate Committee on Commerce, Science, and Transportation. Democrats favor a competing bill (S.3749) that would allow states to pass laws with stronger data privacy protections than the federal statute. That bill is similarly waiting in the queue in the Senate Committee on Health, Education, Labor, and Pensions. A third bill, one with bipartisan support that focuses narrowly on privacy concerns regarding contact tracing apps, has yet to be assigned a committee.
The Republican and Democratic bills also diverge on another key point: whether to allow victims of data breaches to sue companies that lose control of their personal data. The Democratic bill would allow for class-action lawsuits; the Republican bill would deny that right.
The first state data privacy law, the California Consumer Privacy Act (CCPA), gives consumers the right to sue companies that mishandle their data. Republicans would like to see their version of a federal data privacy law defang this and other provisions of the CCPA.
“That’s going to be a significant battle line,” Shonka said.
Types of apps
There are two basic kinds of contact tracing apps. The kind favored by governments uses geolocation and health data to track infections, create alerts, and monitor evolving hotspots. Information is collected and stored in a government database, used to help inform and guide the public health response.
But development of this type of app in the United States has been hobbled by privacy concerns. If the government knows where you are, whether you’ve been infected, and whether you’ve come in contact with other sick people, what else could it be used for? The possibilities are endless, and ominous.
The second kind of contact tracing app is less intrusive to privacy and all but useless for governments for use in contact tracing. It uses a phone’s Bluetooth signal to alert a user when he or she has come within six feet of a person infected with coronavirus. Users who test positive for coronavirus would get a code from the government that they plug into the app; then other app users who came into contact with the infected person would receive an alert, as well as information on getting tested and self-isolating. The app would create anonymized Bluetooth tags for users that would be unidentifiable to other users. Movement history would not be stored anywhere other than on the individual user’s phone.
Contact tracing apps are not a silver bullet for tamping down coronavirus infections, says Paul Breitbarth, director, EU policy and strategy at TrustArc, a privacy compliance and risk management consultant that provides its customers with daily updates on all COVID-19 related privacy developments from around the world.
“They are not the solution, they are part of the solution,” he said of contact tracing apps. Contact tracing is a mostly manual process that involves health agents talking with infected patients about whom they have come in contact with, then calling each one and advising them to be tested and self-isolate.
To be effective, a contact tracing app needs to be downloaded by at least 60 percent of a targeted population, Breitbarth said.
Left without a workable contact tracing app, state and local governments are seeking other ways to monitor potential hotspots. Some states are contracting with private tech companies to access their geolocation data as a means to track the public’s movements, according to this Wall Street Journal story.
There has never been a more important time for Congress to set aside ideological differences and hammer out a data privacy law. Sadly, though, that outcome seems unlikely.
“With this Congress, I don’t know that they can pass anything,” Shonka said.