Privacy Legislation in the Time of Pandemics

Now that Apple and Google have released their Exposure Notifications API and numerous nations around the world are adopting or adapting it in order to trace exposure of COVID-19, numerous concerns and questions about privacy and data security have been raised about this new form of mass surveillance. Even before the development of this API, Members of Congress and civil liberties and privacy advocates were calling for limits for how and to what extent personal data may be used to fight the pandemic. The tension between the exigencies of the current emergency and privacy will likely spill over into the process to enact federal privacy legislation. For example, four Senate Republicans announced plans to introduce the “COVID-19 Consumer Data Protection Act,” and while the prospects for this particular bill do not look good at present, an exploration of other, more broadly gauged privacy bills may inform policy considerations on how personal data would be collected, processed, and disclosed during a public health emergency.

And, as privacy legislation continues to be an issue at the forefront of stakeholders’ minds – to the extent this and other non-COVID-19 issues have purchase during a pandemic – policymakers will likely scrutinize further the legitimate and non-legitimate use of personal data in a public health emergency. However, it is likely that even if some of the strictest of privacy bills pass Congress, regulated entities and government agencies would still possess tremendous latitude to access personal data in the event of public health emergencies. Almost all the comprehensive privacy bills introduced in Congress allow provide exceptions for the use, sharing, and disclosure of information that may otherwise be considered private, especially if there is imminent risk to life or health. Moreover, given that many experts are saying that de-identified or anonymized data are sufficient for tracking COVID-19, the provisions in those bills that usually carve out these types of data from the personal data subject to regulation are also of interest.

First, a threshold matter bears discussion. For purposes of this article, let’s assume a pandemic in which a highly contagious respiratory disease with death rates of 1-3% qualifies as the type of situation where a person is at risk for purposes of using the exception in almost all the bills for a situation where a person’s explicit consent is not needed for collection and processing.

Turning to the bills that have been introduced to regulate privacy at the federal level, let’s look at of the most restrictive bills. Senator Ed Markey’s (D-MA) “Privacy Bill of Rights” (S.1214) is one of the few bills on which the Electronic Privacy Information Center (EPIC) bestowed an A and is generally seen as far more favorable among privacy and civil liberties advocates than many of the bills introduced this Congress on privacy. However, even in this bill, there are a number of exceptions that would allow tech companies like Facebook to share a person’s location data quite likely without her consent.

Under S.1214, covered entities must generally obtain the affirmative, express, knowing consent of consumers before they can collect, use, retain, share, or sell personal information through the provision of notice. And yet, in the Privacy Bill of Rights, it is provided that “a covered entity shall not be required to obtain opt-in approval…if the covered entity, in good faith, believes danger of death or serious physical injury to any individual requires use, access, or disclosure without delay of personal information relating to the emergency.” It would not be a hard case to make that a pandemic like the current one with COVID-19 would function to allow a large collector and processor of personal data to share information with, say, the Centers for Disease Control and Prevention. However, the more interesting scenarios arise when it comes to public health emergencies like a bad year for the seasonal flu which is not quite an epidemic but still has significant public health effects. For example, during the 2018-2019 flu season in the U.S., there were more than 34,000 deaths and nearly half a million hospitalizations. Using such authorities to fight the flu seems like a closer case and may not pass muster under this standard.

Another means by which data could be shared under S.1214 would be through the de-identification of data. The legislation defines de-identified data as “information that cannot reasonably identify, relate to, describe, or be capable of being associated with or linked to, directly or indirectly, a particular individual.” Any de-identified data is to be considered publicly available and not personal information and therefore largely exempted from regulation. Obviously, Markey intended that this exclusion would create the incentive to move more covered entities to de-identify the personal information they hold, collect, share, and process to protect against breaches but also future repurposing of the information. However, according to a number of experts, aggregated anonymized data (which is not exactly the same as de-identified) would be useful for public health officials in the fight to flatten the curve and control future outbreaks. Consequently, Google could de-identify data and then turn it over to the Department of Homeland Security which could then utilize it. In this vein, there have been articles in the media detailing the Trump Administration’s efforts to obtain aggregated, anonymous data in order to better understand and ideally prevent the transmission of the respiratory virus.

Of course, a number of the bills bestow heightened protection for location data. For example, the Energy and Commerce Committee’s discussion draft released in mid-December provides a heightened level of protection for “sensitive information,” a subset of “covered information.” Among the data to be considered “sensitive information” are “precise geolocation information.” Assuming the term covers all location data that can be gleaned from a smartphone, the bill allows for the collection, processing, and sharing of sensitive information only after express, affirmative consent so long as clear and concise notice is given to the individual before consent is provided. Consequently, in order for location data to be processed, a covered entity could merely write into its privacy policy an exception for collecting and sharing sensitive information during public emergencies that a person would be free to assent to or reject. It is likely a significant number of people would accept such a term.

In any event, there is language in the bill that may not require covered entities to include such language in their privacy notices. In the discussion draft, there are explicit exceptions to the general rule under the bill that covered entities may not process certain classes of sensitive information absent notice and express consent that may also be used. Notably, a carveout is established for processing personal data for “preventing imminent danger to the personal safety of an individual or group of individuals.” Therefore, a covered entity could process the following types of information, most of which are defined as sensitive information: 

  • precise geolocation information linkable to an identifiable individual or [consumer device;]
  • covered information to attribute a [consumer device or devices] to a specific individual using probabilistic methods, such as algorithms or usage patterns;
  • covered information obtained through a microphone or camera of a consumer device;
  • the contents of an individual’s communications or the parties to such communications; or
  • health information.

I would think that there would be agreement that not all these types of personal data would be needed to fight a pandemic even they could be used from a legal perspective and would result in a backlash to government efforts to quell outbreaks of a disease.

Finally, a few closing thoughts. The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) is availing itself of exceptions written into the HIPAA/HITECH regulations to allow limited sharing and disclosure of protected health information (PHI) to some federal and state health agencies to combat COVID-19. However, this pertains only to entities regulated under those regulations, mostly healthcare providers and their business associates. Nonetheless, this demonstrates precedence for writing into regulation and statute exceptions to address public emergencies, which is not terribly surprising, of course.

Moreover, almost all the bills provide exceptions for most of the requirements to respect and honor the privacy choices of people if it is necessary to obey a federal law and in other similar situations. Therefore, Congress could always come after a federal privacy statute and pass another bill requiring private sector entities to provide private data during public emergencies, thus broadening this exception in a federal privacy statute. Then covered entities would need to turn over certain data or face legal liability.

Finally, as with diminutions of privacy and civil liberties for national security emergencies as happened after September 11, 2001, policymakers would be wise to consider whether such expansions of how people’s information is collected and used is, in a sense, a one-way ratchet. Governments rarely want to surrender the authority provided them in times of crisis, often times on the rationale that the authority will be needed to act quickly to address future, unforeseen crises. Consequently, the enactment of a privacy bill may be a Trojan Horse through which increased, legal surveillance occurs, but in the name of public health and safety, and not national security.

What’s more, under some of the privacy bills, there would no fast ways to stop illegal collection and processing of personal data. It is not hard to envision a scenario where the U.S. government and private sector entities agree that the exigencies of another public health crisis justify illegal collection and processing of personal data. Since many Republicans and other stakeholders oppose a private right of action, the only means of challenging such activity would be through the federal political system, which is not typically fast to address civil liberties violations where fear has taken root. Therefore, a private right of action or enforcement by state attorneys general may be the only feasible checks in such a situation as a court may conceivably enjoin such activities.

Furthermore, some health and climate experts are projecting that the ongoing warming of the planet and other facets of global warming (e.g. vanishing habitats for some animals brings them closer to humans, increasing the chances of zoonotic diseases jumping from animals to humans like COVID-19). Consequently, we may be facing a future of more frequent such diseases that turn into epidemics and even pandemics if policymakers do not act quickly during the next epidemic. And, therefore, privacy during a public health emergency may become more than a once in 100 years event.

Moreover, if privacy legislation is not enacted, private sector companies may see the use of big data by governments during the COVID-19 crisis as an implicit approval of its data processing practices, many of which are objectionable to many experts and across the political spectrum. Will successes in collecting and processing big data during the crisis let the air out of the movement to enact privacy legislation? Will it inure most people to the risks to and infringements of privacy? It may very well do so.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s