U.S. and Other Governments Respond To Privacy and Data Implications of COVID-19

Federal agencies have continued to respond to the changing conditions presented by the increased number of COVID-19 cases. However, while the U.S. government has not weighed in officially on the legality and appropriateness of using people’s location data from phones in order to combat the spread of the virus, European authorities have.

Last week, the Federal Trade Commission (FTC) sought to assure businesses and other regulated entities that the agency would look kindly on some activities that might otherwise be anti-competitive if the ultimate goal is to help consumers get by and survive COVID-19. Yet, the agency made clear that it would continue to police unfair and deceptive practices.

FTC Chair Joe Simons issued a statement explaining that “FTC staff in the Bureau of Consumer Protection remain hard at work protecting consumers from deceptive and unfair commercial practices” but “the FTC will remain flexible and reasonable in enforcing compliance requirements that may hinder the provision of important goods and services to consumers.” Simons added “[t]o be clear, by being flexible and reasonable, I am not suggesting that we will tolerate companies deceiving consumers, using tactics that violate well-established consumer protections, or taking unfair advantage of these uniquely challenging times…[and] [a]t all times, good faith efforts undertaken to provide needed goods and services to consumers will be taken into account in making enforcement decisions.” He stated “[t]he FTC is ready to assist businesses that may seek guidance about compliance obligations on consumer protection issues during this unprecedented time.”

On April 3, the FTC and the Federal Communications Commission (FCC) transmitted letters “to three companies providing Voice over Internet Protocol (VoIP) services, warning them that routing and transmitting illegal robocalls, including Coronavirus-related scam calls, is illegal and may lead to federal law enforcement against them” per the agencies’ press release.

The FTC and FCC noted “a separate letter to USTelecom – The Broadband Association (USTelecom), a trade association that represents U.S.-based telecommunications-related businesses…thanks USTelecom for identifying and mitigating fraudulent robocalls that are taking advantage of the Coronavirus national health crisis, and notes that the USTelecom Industry Traceback Group has helped identify various entities that appear to be responsible for originating or transmitting Coronavirus-related scam robocalls.” The agencies stated:

The letter further notifies USTelecom that if, after 48 hours of the release of the letter, any of the specified gateway or originating providers continue to route or transmit the specified originators’ robocalls on its network, the FCC will: 1) authorize other U.S. providers to block all calls coming from that gateway or originating provider; and 2) authorize other U.S. providers to take any other steps as needed to prevent further transmission of unlawful calls originating from the originator.

Last week, FTC staff sent “letters to nine Voice over Internet Protocol (VoIP) service providers and other companies warning them that “assisting and facilitating” illegal telemarketing or robocalls related to the coronavirus or COVID-19 pandemic is against the law” according to the agency’s press release. The FTC argued that “[m]any of these calls prey upon consumers’ fear of the virus to perpetrate scams or sow disinformation.”

Earlier in March, according to the agencies’ press release, the FTC and Food and Drug Administration (FDA) “sent warning letters to seven companies allegedly selling unapproved products that may violate federal law by making deceptive or scientifically unsupported claims about their ability to treat coronavirus (COVID-19) [that]…are the first issued by the agencies alleging unapproved and/or unsupported claims that products can treat or prevent coronavirus: 1) Vital Silver, 2) Quinessence Aromatherapy Ltd., 3) N-ergetics, 4) GuruNanda, LLC, 5) Vivify Holistic Clinic, 6) Herbal Amy LLC, and 7) The Jim Bakker Show.” The agencies alleged “[t]he recipients are companies that advertise products—including teas, essential oils, and colloidal silver—as able to treat or prevent coronavirus…[but] [a]ccording to the FDA, however, there are no approved vaccines, drugs, or investigational products currently available to treat or prevent the virus.”

The FTC also joined the Department of Justice (DOJ) in a statement “to make clear to the public that there are many ways firms, including competitors, can engage in procompetitive collaboration that does not violate the antitrust laws.”

Internationally, agencies with data protection and privacy responsibilities have also moved to remind public and private sector entities of how much latitude they have under national law to use personal data to fight COVID-19. The European Data Protection Supervisor (EDPS) Wiewiórowski responded to a request from the European Union’s Directorate‑General for Communications Networks, Content and Technology “on the monitoring of the spread of the COVID-19 outbreak,” presumably through the use of location data and metadata to track EU citizens to monitor health and compliance. One of the EDPS’ primary duties is to enforce data protection laws on EU agencies.

Wiewiórowski explained:

  • Firstly, let me underline that data protection rules currently in force in Europe are flexible enough to allow for various measures taken in the fight against pandemics. I am aware of the discussions taking place in some Member States with telecommunications providers with the objective of using such data to track the spread of the COVID-19 outbreak.
  • I share and support your call for an urgent establishment of a coordinated European approach to handle the emergency in the most efficient, effective and compliant way possible.
  • There is a clear need to act at the European level now.

Wiewiórowski stated that “[o]n the basis of the information provided in your letter and in absence of a more specific data model, please find below some elements for your consideration:

  • Data anonymization
    • It is clear from your letter that you intend to use only anonymous data to map movements of people with the objective of ensuring the stability of the internal market and coordinating crisis response. Effectively anonymised data fall outside of the scope of data protection rules.
    • At the same time, effective anonymisation requires more than simply removing obvious identifiers such as phone numbers and IMEI numbers. In your letter, you also mention that data would be aggregated, which can provide an additional safeguard.
    • I understand that the Health Security Committee established by Decision (EU) 1082/2013 you make explicit reference to would be the relevant forum for exchanges with the Member States in this case. The Commission should ensure that the data model would enable it to respond to the needs of the users of these analyses. Moreover, the Commission should clearly define the dataset it wants to obtain and ensure transparency towards the public, to avoid any possible misunderstandings. I would appreciate if you could share with me a copy of the data model, once defined, for information.
  • Data security and data access
    • As mentioned above, to the extent the data obtained by the Commission would be anonymous, it falls outside the scope of data protection rules. Nonetheless, information security obligations under Commission Decision 2017/464 still apply, as do confidentiality obligations under the Staff Regulations for any Commission staff processing the information. Should the Commission rely on third parties to process the information, these third parties have to apply equivalent security measures and be bound by strict confidentiality obligations and prohibitions on further use as well. I would also like to stress the importance of applying adequate measures to ensure the secure transmission of data from the telecom providers. It would also be preferable to limit access to the data to authorised experts in spatial epidemiology, data protection and data science.
  • Data retention
    • I also welcome that the data obtained from mobile operators would be deleted as soon as the current emergency comes to an end. It should be also clear that these special services are deployed because of this specific crisis and are of temporary character. The EDPS often stresses that such developments usually do not contain the possibility to step back when the emergency is gone. I would like to stress that such solution should be still recognised as extraordinary.

Wiewiórowski added that he wanted “to recall the importance of full transparency to the public on the purpose and procedure of the measures to be enacted…[and] I would also encourage you to keep your Data Protection Officer involved throughout the entire process to provide assurance that the data processed had indeed been effectively anonymised.” Wiewiórowski stressed that “should the Commission feel compelled at any point in the future to change the envisaged modalities for processing, a new consultation of the EDPS would be necessary…[and] [t]he EDPS is ready not only to consult the plans but also to actively involve its resources in the process of development of products and services that may have significant value to the public.”

The Office of the Privacy Commissioner of Canada (OPC) issued guidance “to help organizations subject to federal privacy laws understand their privacy-related obligations during the COVID-19 outbreak” according to the agency’s press release. OPC explained that “[d]uring a public health crisis, privacy laws still apply, but they are not a barrier to appropriate information sharing.” OPC stated that “[t]he new document provides general guidance on applying the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private-sector privacy law, in the context of the current outbreak.” OPC added that “[a]ll organizations must continue to operate with lawful authority and exercise good judgment…[and] [g]overnment institutions will need to apply the principles of necessity and proportionality, whether in applying existing measures or in deciding on new actions to address the current crisis.” OPC declared it “will continue to protect the privacy of Canadians, while adopting a flexible and contextual approach in its application of the law.”

On April 1, the Office of the Australian Information Commissioner (OAIC) issued a press release announcing “privacy guidance for agencies and private sector employers to help keep workplaces safe and handle personal information appropriately as part of the COVID-19 response. This includes:

  • Using and disclosing individuals’ personal information, including sensitive health information, on a ‘need-to-know’ basis
  • Only collecting, using or disclosing the minimum amount of personal information reasonably necessary to prevent or manage COVID-19
  • Advising staff about how their personal information will be handled in responding to any potential or confirmed COVID-19 cases in the workplace
  • Taking reasonable steps to keep personal information secure, including where employees are working remotely.

OAIC asserted it and “state and territory privacy regulators have convened a National COVID-19 Privacy Team to respond to proposals with national implications.”
