On April 9, the Senate Commerce, Science, and Transportation Committee held a "paper hearing" of sorts: all proceedings occurred in writing, with the chair, ranking member, and witnesses submitting statements. Members then submit written questions to the witnesses, who have 96 business hours (about 12 days) to respond. The questions each member posed to each witness have also been posted on the hearing webpage.
In his written statement, Chair Roger Wicker (R-MS) stated “[a]s the public and private sectors race to develop a vaccine for [COVID-19], government officials and health-care professionals have turned to what is known as “big data” to help fight the global pandemic.” He stated “[i]n recognition of the value of big data, Congress recently authorized the CDC, through the bipartisan coronavirus relief package, to develop a modern data surveillance and analytics system,” a reference to the $500 million appropriated “for public health data surveillance and analytics infrastructure modernization.” Wicker said “[t]his system is expected to use public health data inputs – including big data – to track the coronavirus more effectively and reduce its spread.” He added “[s]tate governments are also using big data to monitor the availability of hospital resources and manage supply chains for the distribution of masks and other personal protective medical equipment.”
- Recent media reports revealed that big data is being used by the mobile advertising industry and technology companies in the United States to track the spread of the virus through the collection of consumer location data. This location data is purported to be in aggregate form and anonymized so that it does not contain consumers’ personally identifiable information. It is intended to help researchers identify where large crowds are forming and pinpoint the source of potential outbreaks. The data may also help predict trends in the transmission of COVID-19 and serve as an early warning system for individuals to self-isolate or quarantine.
- In addition to these uses, consumer location data is being analyzed to help track the effectiveness of social distancing and stay-at-home guidelines. Data scientists are also seeking ways to combine artificial intelligence and machine learning technologies with big data to build upon efforts to track patterns, make diagnoses, and identify other environmental or geographic factors affecting the rate of disease transmission.
- The European Union is turning to big data to stop the spread of the illness as well. Italy, Germany, and others have sought to obtain consumer location data from telecommunications companies to track COVID-19. To protect consumer privacy, EU member states have committed to using only anonymized and aggregate mobile phone location data. Although the EU’s General Data Protection Regulation does not apply to anonymized data, EU officials have committed to deleting the data once the public health crisis is over.
Wicker asserted, “[t]he potential benefits of big data to help contain the virus and limit future outbreaks could be significant.” He stated “[r]educing privacy risks begins with understanding how consumers’ location data – and any other information – is being collected when tracking compliance with social distancing measures.” He contended that “[e]qually important is understanding how that data is anonymized to remove all personally identifiable information and prevent individuals from being re-identified…[and] I look forward to hearing from our witnesses about how consumer privacy can be protected at every stage of the data collection process.”
Wicker stated, “I also look forward to exploring how consumers are notified about the collection of their location information and their ability to control or opt out of this data collection if desired.” He explained “[g]iven the sensitivity of geolocation data, increased transparency into these practices will help protect consumers from data misuse and other unwanted or unexpected data processing.” Wicker added “I hope to learn more about how location data is being publicly disclosed, with whom it is being shared, and what will be done with any identifiable data at the end of this global pandemic.”
Strengthening consumer data privacy through the development of a strong and bipartisan federal data privacy law has been a priority for this Committee. The collection of consumer location data to track the coronavirus, although well intentioned and possibly necessary at this time, further underscores the need for uniform, national privacy legislation. Such a law would provide all Americans with more transparency, choice, and control over their data, as well as ways to keep businesses more accountable to consumers when they seek to use their data for unexpected purposes. It would also provide certainty and clear, workable rules of the road for businesses in all 50 states, and preserve Americans’ trust and confidence that their data will be protected and secure no matter where they live.
Ranking Member Maria Cantwell (D-WA) asserted in her opening statement, “[r]ight now, we must ensure there are enough hospital beds, enough personal protective equipment, and enough ventilators and medical supplies to withstand the full force of this virus as it peaks in communities across our country.” She stated, “[w]e need robust testing, and as the virus finally fades, we’ll need to deploy contact tracing systems so that we can respond quickly to outbreaks and stamp it out for good.” Cantwell claimed, “[d]ata provides incredible insights that can assist us in these efforts, and we should be doing everything possible to harness information in a manner that upholds our values.” She remarked, “[t]o gain and keep the public’s trust about the use of data, a defined framework should be maintained to protect privacy rights…[that] at a minimum, should ensure that information is used:
(1) for a specific limited purpose, with a measurable outcome and an end date,
(2) in a fully transparent manner with strong consumer rights, and
(3) under strict accountability measures.
Cantwell stated, “[w]e must always focus on exactly how we expect technology to help, and how to use data strategically to these ends…[and] [w]e must resist hasty decisions that will sweep up massive, unrelated data sets.” She further argued, “we must guard against vaguely defined and non-transparent government initiatives with our personal data…[b]ecause rights and data surrendered temporarily during an emergency can become very difficult to get back.”
Cantwell expressed her belief that “there are three advantages to data that need to be harnessed at this time: the power to predict, the power to discover, and the power to persuade.” She remarked, “[d]ata helps us build models based on what has come before…[and] [w]e can use these models to identify patterns to help us prepare for what might be next, whether those are predictions of where disease is spreading, estimations of community needs, or coordination of scarce resources.” Cantwell said, “[l]arge publicly available data sets also help us identify patterns and solutions that cannot be seen with a more fragmented, less complete picture.” She asserted, “[d]iscoveries and insights that once were hidden can now be brought to light with the help of advanced data analysis techniques.” She said, “[a]nd when there are vital messages to share, data allows us to get those messages out to everyone who needs to hear them…[and] [m]essages about social distancing, exposure risks, and treatment options are just a few of the many types of essential communications that can be informed and enhanced by data analysis.”
Cantwell summed up:
- The world is now confronting a challenge of tremendous urgency and magnitude. At some point, we will be opening up our society and our economy again. First, we’re going to need robust testing. And when that time comes, we’re also going to need technology, powered by data, to help us safely transition back to a more normal way of life.
- Our job in Congress is to help provide the tools needed to turn back this disease, and to understand how we marshal innovation and technology in a responsible way to respond to this challenge, both in the short term and for what we are starting to understand may be a very long fight ahead.
- We are only at the beginning of this fight. We urgently need to plan for the days and, yes, the years ahead; we must discover, test, and distribute new cures faster than ever before; we need our greatest minds, wherever they may be, to collaborate and work together; and we must build unity because ultimately, that is our greatest strength.
In this testimony, I will address some of the ways people and institutions propose to use data analytics and other technology to respond to coronavirus. The first set of examples involves gaining a better understanding of the virus and its effects on American life. By and large I support these efforts; the value proposition is clear and the privacy harms less pronounced. The second set of examples involves the attempt to track the spread of COVID-19 at an individual level using mobile software applications (“apps”). I am more skeptical of this approach as I fear that it threatens privacy and civil liberties while doing little to address the pandemic. Finally, I conclude with the recommendation that, however we leverage data to fight this pandemic, policymakers limit use cases to the emergency itself, and not permit mission creep or downstream secondary uses that surprise the consumer.
I am not opposed to leveraging every tool in our technical arsenal to address the current pandemic. We are facing a near unprecedented global crisis. I note in conclusion that there will be measures that are appropriate in this context, but not beyond it. Americans and their representatives should be vigilant that whatever techniques we use today to combat coronavirus do not wind up being used tomorrow to address other behaviors or achieve other goals. To paraphrase the late Justice Robert Jackson, a problem with emergency powers is that they tend to kindle emergencies.
In national security, critics speak in terms of mission creep, as when vast surveillance powers conferred to fight terrorism end up being used to enforce against narcotics trafficking or unlawful immigration. In consumer privacy, much thought is given to the prospect of secondary use, i.e., the possibility that data collected for one purpose will be used by a company to effectuate a second, more questionable purpose without asking the data subject for additional permissions. No consumer would or should expect that the absence of certain antibodies in their blood, gathered for the purpose of tracing a lethal disease, could lead to higher health insurance premiums down the line. There is also a simpler danger that Americans will become acclimated to more invasive surveillance partnerships between industry and government. My hope is that policymakers will expressly ensure that any accommodations privacy must concede to the pandemic will not outlive the crisis.
ACT | The App Association Senior Director for Public Policy Graham Dufault explained some of the big data privacy concerns in the COVID-19 crisis:
- Creating and Using Big Data Sets Consistent with Privacy Expectations. Beyond the Taiwan example described above, other nations are engaging in their own versions of highly targeted surveillance. Israel is tracking citizens’ movements using smartphone location data and even sending text messages to people who were recently near a person known to have been infected with COVID-19, with an order to self-quarantine. While Israeli courts blocked the use of this data to enforce quarantines, even the use of it to send unsolicited text messages and swiftly apply impromptu quarantines raises some questions.
- By contrast, in the United States, private companies are leading the charge on big data sets about location, with persistent privacy oversight by policymakers. For example, Google is producing reports on foot traffic patterns using smartphone location data. However, there are limitations to the reports because they only use high-level data indicating a percentage decrease or increase in foot traffic in six different types of locations (e.g., workplaces, retail, and recreation sites) over a given period of time. Their vagueness is in part the result of federal and state privacy law, which generally prohibit deceptive practices, including the disclosure of private data in a manner that is inconsistent with a company’s own privacy policies or where the individual never consented to the disclosure. News articles variously describe these kinds of high-level reports as tracking compliance with stay-at-home orders, but they only do so in an indirect sense and certainly not to the degree to which Taiwan or Israel track compliance, which involves the use of individual location data.
- With Location Data, Privacy is Possible. Ideally, federal, state, and local governments could enact targeted measures that significantly stem the spread of COVID-19 in high-risk areas and at high-risk times, while enabling certain parts of the economy to open back up where there is mitigation of risk—all with anonymous data. The Private Kit app takes privacy protective steps that may help provide both actionable data and effective anonymity. For example, when a user downloads the app, it clarifies that location data stays on the user’s phone and does not go to a centralized server. Instead, when turned on, the app tracks the user’s location and stores it in an encrypted format—which it apparently sends, again encrypted, directly to other phones when queried. Theoretically, it would be difficult for any single user of the app to discern the identity of the person signified by one of the dots on the map. The problem Private Kit encounters is whether enough people will download this app quickly enough for it to be useful for policymakers and users. Similar ideas, like NextTrace, have also cropped up, but the effectiveness of these tools may be limited if a single, popular choice does not soon emerge.
- The COVID-19 Pandemic Underscores the Need for a National Privacy Law. National privacy legislation should ensure companies are using default privacy measures like those described above. Animating some of the privacy concerns policymakers have expressed about the use of big data to address the COVID-19 pandemic is a (not entirely unfair) lack of trust in how tech-driven companies are using sensitive personal data, especially location data. While many of us worry that governmental intrusions to address the COVID-19 pandemic would be difficult to pull back, policymakers also worry that corporate surveillance efforts could later turn into unexpected uses of sensitive data and exposure to additional risk of unauthorized access. The passage of a strong, national privacy framework could help alleviate the stated concerns with private sector use of data.
- Healthcare Data Remains Siloed. Through the Connected Health Initiative (CHI), we advocate for patients to be able to share their healthcare data with digital health companies that can help them make use of it. But in general, electronic health records (EHR) companies decline to transfer that data except inside their own network of providers and business associates (BAs), citing Health Insurance Portability and Accountability Act (HIPAA) compliance concerns. The problem with this, of course, is that HIPAA is supposed to make data portable, as the name suggests. And EHRs have emerged as a chokepoint for healthcare data that patients should otherwise be able to use as they wish. Besides harming big data competencies, outdated healthcare policies have also directly harmed patients. It would be a great tragedy if we yanked telehealth and remote physiologic monitoring (RPM) away from patients just as the general public begins to realize their potential. Certainly, the ability to rely on telehealth (defined in Medicare as live voice or video visits between patients and caregivers) is a sudden necessity during the pandemic as caregivers must screen and monitor patients from a distance. Avoiding such basic communications technologies because of fraud or abuse concerns when public health demands patients stay at home would be nothing short of a catastrophic win for red tape. What surprises many of us, however, is just how unprepared our relative inability to make use of digital health has made us for pandemics like COVID-19.
While self-regulation has been a useful mechanism to encourage responsible data use, federal leadership is now needed to ensure that robust consumer privacy protections apply consistently throughout the country. The time is right for the creation of a new paradigm for data privacy in the United States. To this end, IAB is a key supporter of Privacy for America, a broad industry coalition of top trade organizations and companies representing a wide cross-section of the American economy that advocates for federal omnibus privacy legislation. Privacy for America has released a detailed policy framework to provide members of Congress with a new option to consider as they develop data privacy legislation for the United States. Participants in Privacy for America have met with leaders of Congress, the FTC, the Department of Commerce, the White House, and other key stakeholders to discuss the ways the framework protects consumers while also ensuring that beneficial uses of data can continue to provide vast benefits to the economy and mankind.
The Privacy for America framework would prohibit, rather than allow consent for, a range of practices that make personal data vulnerable to misuse. Many of these prohibitions would apply not only to companies that engage in these harmful practices directly, but to suppliers of data who have reason to know that the personal information will be used for these purposes.
- Eligibility Determinations. Determining whether individuals are eligible for benefits like a job or credit are among the most important decisions that companies make. Although many of these decisions are currently regulated by existing sectoral laws (e.g., the Fair Credit Reporting Act), companies can easily purchase data on the open market to evade compliance with these laws. Privacy for America’s framework would prevent this abuse by banning the use of data to make eligibility decisions—about jobs, credit, insurance, healthcare, education, financial aid, or housing—outside these sectoral laws, thereby bolstering and clarifying the protections already in place. It also would provide new tools to regulators to cut off the suppliers of data that undermine these protections. To the extent that companies are unsure about whether a practice is permitted under existing law, they would be able to seek guidance from the FTC.
- Discrimination. The widespread availability of detailed personal information has increased concerns that this data will be used to discriminate against individuals. The new framework envisioned by Privacy for America would supplement existing anti-discrimination laws by banning outright a particularly pernicious form of discrimination—using data to charge higher prices for goods or services based on personal traits such as race, color, religion, national origin, sexual orientation, or gender identity. As discussed below, the framework also would allow individuals to opt out of data personalization, which can contribute to discrimination.
- Fraud and Deception. For decades, the FTC and the states have pursued cases against companies that engage in fraud and deception. The new framework would focus specifically on the use and supply of data for these purposes. Thus, it would ban a range of fraudulent practices designed to induce the disclosure of personal information and, more generally, material misrepresentations about data privacy and security.
- Stalking. In recent years, the proliferation of data has made it easier to track the location and activities of individuals for use in stalking. Of note, mobile apps designed for this very purpose have been identified in the marketplace. The framework would outlaw the use of personal information for stalking or other forms of substantial harassment, and would hold these types of apps accountable.
- Use of Sensitive Data Without Express Consent. Consumers care most about their sensitive data, and companies should have an obligation to protect it. The new framework would prohibit companies from obtaining a range of sensitive information— including health, financial, biometric, and geolocation information, as well as call records, private emails, and device recording and photos—without obtaining consumers’ express consent.
- Special Protections for Individuals Over 12 and Under 16 (Tweens). The Privacy for America framework includes a robust set of safeguards for data collected from tweens, an age group that needs protection but is actively engaged online and not subject to constant parental oversight. Specifically, the framework would prohibit companies from transferring tween data to third parties when they have actual knowledge of age. It also would ban payment to tweens for personal data, except under a contract to which a parent or legal guardian is a party. Finally, companies would be required to implement data eraser requirements allowing individuals to delete data posted online when they were tweens.
- Focus on prevention and treatment, not punishment: Past epidemics have demonstrated that fear is not as effective as clear, meaningful information from a reliable source and the ability to voluntarily comply with medical and governmental directives. Successfully fighting the coronavirus will mean ensuring that a government response does not evolve into law enforcement and broad surveillance functions.
- Ensure accuracy and effectiveness: There does not appear to be a universally accepted definition of “accurate” or “effective” when it comes to predicting, preventing, or responding to the coronavirus. Nevertheless, if a tool or practice is unlikely to provide meaningful and measurable contributions to the coronavirus response, companies and governments should consider alternatives. This is not only because the privacy risks may not be justified but because people may rely on these measures in lieu of those that actually work.
- Provide actionable information: In a time of crisis, more information isn’t always better. New data collection or novel data uses should inform individual, corporate, or government behavior in a constructive way. Symptom trackers, for example, may tell a person whether he or she should seek medical care. Contact tracing on the other hand, when it relies on insufficiently granular data, may result in unnecessary or unproductive quarantine, testing, and fear.
- Require corporate and government practices that respect privacy: People are reasonably fearful for their own health and the health of their loved ones. The burden for constructing privacy-protective products and responses must not be on concerned citizens but on companies and governments. That includes:
- A preference for aggregated data. Individually identifiable information should not be used when less intrusive measures will suffice. If aggregated data will not do, industry best practices in anonymization and de-identification must be applied.
- Minimizing collection, use, and sharing. When identifiable information is necessary, data processing should be limited when possible.
- Purpose limitations. Data collected or used for the coronavirus response should not be used for secondary purposes. For corporate actors, this means advertising for commercial purposes or unrelated product development. For government actors, that means any function not directly related to their public health functions.
- Deletion. Data should be deleted when it is no longer necessary for responding to the coronavirus epidemic or conducting public health research, especially if it is personally identifiable.
- Build services that serve all populations: Newly released data is confirming that minorities are contracting the coronavirus at a higher rate and are more likely to die from it. There are also legitimate questions about how actionable mobility tracking data is for rural, poor, and working class communities that must travel for work or to secure food and medical care. As technology seeks to find solutions to the coronavirus, it is crucial that it does so in a way that serves all demographics and does not exacerbate existing inequalities.
- Empower individuals when possible: Epidemic response may not always allow for individualized opt-ins or opt-outs of data collection and use. To the extent possible, participation in data-based programs should be voluntary and individuals should maintain traditional rights to control their data.
- Be transparent to build trust: People will hesitate to participate in programs that involve their personal information but that are not transparent in how that information will be used. Companies that provide data, or inferences from data, and the governmental entities that use such information, must be transparent to users and residents about how data will be used.
- Be especially rigorous when considering government action: A coordinated government response is necessary for successfully fighting the coronavirus epidemic, but the United States has an important tradition of recognizing that the powers of the state pose unique threats to privacy and liberty.
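The preference for aggregated data above, and Wicker's earlier question about how location data is anonymized so that individuals cannot be re-identified, can be made concrete. The Python below is an added illustration for this write-up; it is not code from the hearing record, from any witness, or from any product or company named on this page. The cell size, the hourly window and the minimum device count are assumptions chosen for the example, and the location pings are constructed.

```python
"""Aggregating raw location pings into coarse cells with a minimum-count
threshold.  Added illustration, not code from the hearing record, any
witness, or any product named on the page.  The sample pings below are
constructed; cell size, window and threshold are assumptions."""
import math
from collections import defaultdict
from datetime import datetime, timezone

CELL_DEG = 0.01    # ~1 km of latitude per grid cell (assumption)
WINDOW_S = 3600    # one-hour time buckets (assumption)
MIN_DEVICES = 5    # release a cell only with this many distinct devices (assumption)


def cell_key(lat, lon, ts):
    """Map one raw ping to a (lat_cell, lon_cell, hour_bucket) key.

    Coordinates are floored to the grid and the timestamp to the hour,
    so the key itself holds no exact position or time."""
    return (math.floor(lat / CELL_DEG),
            math.floor(lon / CELL_DEG),
            ts // WINDOW_S)


def aggregate(pings, min_devices=MIN_DEVICES):
    """Count distinct devices per cell and suppress small cells.

    pings: iterable of (device_id, lat, lon, unix_ts).
    Returns (released, suppressed): released maps a cell key to a device
    count with all identifiers removed; suppressed is the set of keys
    withheld because fewer than min_devices were seen there."""
    devices_per_cell = defaultdict(set)
    for device_id, lat, lon, ts in pings:
        devices_per_cell[cell_key(lat, lon, ts)].add(device_id)
    released, suppressed = {}, set()
    for key, devices in devices_per_cell.items():
        if len(devices) >= min_devices:
            released[key] = len(devices)
        else:
            suppressed.add(key)
    return released, suppressed


def singleton_cells(pings):
    """Cells holding exactly one device: the re-identification risk the
    threshold removes (one device alone in a cell at a fixed hour is one
    person at one place, e.g. a home address at 03:00)."""
    counts, _ = aggregate(pings, min_devices=1)
    return {key for key, n in counts.items() if n == 1}


# Constructed sample: six devices share one downtown cell during the
# 09:00 UTC hour, and one device is alone in a residential cell at 03:00.
T_0900 = int(datetime(2020, 4, 9, 9, 0, tzinfo=timezone.utc).timestamp())
T_0300 = int(datetime(2020, 4, 9, 3, 0, tzinfo=timezone.utc).timestamp())
SAMPLE_PINGS = [
    ("dev-001", 38.8977, -77.0365, T_0900),
    ("dev-002", 38.8978, -77.0366, T_0900 + 60),
    ("dev-003", 38.8975, -77.0360, T_0900 + 120),
    ("dev-004", 38.8971, -77.0369, T_0900 + 180),
    ("dev-005", 38.8979, -77.0362, T_0900 + 240),
    ("dev-006", 38.8976, -77.0364, T_0900 + 300),
    ("dev-006", 38.8976, -77.0364, T_0900 + 900),  # same device again: counted once
    ("dev-007", 38.9312, -77.0722, T_0300),        # alone; a likely home address
]

if __name__ == "__main__":
    released, suppressed = aggregate(SAMPLE_PINGS)
    print("released cells  :", released)       # one cell, count 6, no device ids
    print("suppressed cells:", suppressed)     # the lone 03:00 cell
    print("singleton cells :", singleton_cells(SAMPLE_PINGS))
```

The point the example makes is that truncating coordinates is not, by itself, anonymization: the cell that holds a single device at 03:00 is that person's home, and only the count threshold keeps it out of the released report. A real deployment would also have to reason about repeated releases over time, which an adversary can link across windows, and would set the threshold by policy rather than by convenience.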