Exposure Notification Privacy Act Introduced

A third COVID-19 privacy bill is unveiled in the Senate that may be more about messaging and positioning on broader privacy legislation. In any event, the odds of such legislation being enacted in the near term are not high.

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

This week, a third COVID-19 privacy bill was released that occupies a middle ground between the other two bills. However, despite being bipartisan and sitting between the two other bills, it is still not likely Congress will enact either targeted privacy legislation or broader, national privacy legislation this year. And yet, a number of the bill’s requirements track more closely with the Democratic bill released last month, suggesting some of the ground may be shifting on some of the outstanding issues. For example, the bill would not preempt state laws, and while it would not create a new federal means by which a person could sue a company for violations, it expressly preserves all existing state and federal avenues a person could use to litigate.

On 3 June, Senate Commerce, Science and Transportation Committee Ranking Member Maria Cantwell (D-WA) and Senator Bill Cassidy (R-LA) introduced the “Exposure Notification Privacy Act” (S.3861) with Senator Amy Klobuchar (D-MN) cosponsoring. The Senators released a section-by-section and a summary of the bill, too. This bill follows the “Public Health Emergency Privacy Act” (S.3749) and the “COVID-19 Consumer Data Protection Act” (S.3663), bills that take approaches aligned with Democratic and Republican thinking on privacy, respectively. (See here for more analysis.)

The key term in the Exposure Notification Privacy Act is “automated exposure notification service” (AENS), for it informs what is “covered data,” and hence covered by the bill’s protections, and it seems fairly targeted to address only those apps or services created to track contacts for purposes of reducing the spread of COVID-19. This term is defined as:

  • a website, online service, online application, mobile application, or mobile operating system
  • offered in interstate commerce in the United States
  • designed, in part or in full, specifically to be used for, or marketed for, the purpose of digitally notifying, in an automated manner, an individual who may have become exposed to an infectious disease

And yet, because covered data is limited to information “collected, processed, or transferred in connection with an AENS,” it is a reasonable reading of this language that an entity obtaining information from a data broker in order to track COVID-19 would be outside the definition of covered data. The same would seem to be true of social media platforms that collect and process data from their users incidentally to their main business of monetizing these data. This seems like a fairly large loophole that would mean the “Exposure Notification Privacy Act” would really focus tightly on technology programs, apps, and platforms mostly used to track and prevent infectious diseases with the voluntary, knowing consent of users.

AENS would need to obtain express, affirmative consent, which a person provides after being given conspicuous, easy-to-understand notice about data collection, usage, processing, and transfer. There must also be a conspicuous means of withdrawing such consent. In any event, a person with an “authorized diagnosis” would control whether this information is processed by the AENS.

AENS and platform operators must publish “a privacy policy that provides a detailed and accurate representation of that person or entity’s covered data collection, processing, and transfer activities in connection with such person or entity’s AENS or the facilitation of such service.” These privacy policies must divulge “each category of covered data the person or entity collects and the limited allowable processing purposes for which such covered data is collected” and

  • “a description of the person or entity’s covered data minimization and retention policies;
  • how an individual can exercise the individual rights described in this title;
  • a description of the person or entity’s covered data security policies.”

As an aside, platform operators are entities “other than a service provider who provides an operating system that includes features supportive of an AENS and facilitates the use or distribution of such AENS to the extent the technology is not used by the platform operator as an AENS.” And so, platform operators might be Google, Apple, Microsoft, or a handful of others to the extent their operating systems are supporting the AENS in its purpose of tracking infectious diseases. Hence, some of the bill’s requirements will be imposed on such entities.

Of course, the bill text does not limit this measure just to COVID-19 and extends it to all infectious diseases, which is perhaps a nod to a new normal in which many Americans have apps on their phones or wearables on their bodies designed to help them avoid contracting the flu or other, less dangerous viruses. (See below in further reading for an article on FitBit and other apps and platforms that may be poised to do just this and a wearable Singapore may debut shortly.)

There are restrictions on who may receive covered data from AENS. These entities may only transfer covered data to alert individuals of possible exposure if they opted in, to a public health authority, to service providers to maintain, fix, or improve the system or for security purposes, or to comply in a legal action. The bill also seeks to assuage fears that the sensitive information of people collected for the purposes of combatting infectious diseases could be transferred to and used by law enforcement and surveillance agencies. The legislation explains “[i]t shall be unlawful for any person, entity, or Executive agency to transfer covered data to any Executive agency unless the information is transferred in connection with an investigation or enforcement proceeding under this Act.” Consequently, it would appear the Centers for Disease Control and Prevention (CDC) would be able to transfer covered data to the FTC for an investigation, but it could not do the same with the Federal Bureau of Investigation (FBI). In this vein, Executive agencies can only process or transfer covered data for a health purpose related to infectious diseases or in connection with an FTC or state investigation or enforcement action. However, this limitation does not seem to bar a state public health authority from conducting such a transfer to a state law enforcement agency.

There are data minimization responsibilities AENS would need to meet. AENS may not “collect or process any covered data…beyond the minimum amount necessary to implement an AENS for public health purposes; or…for any commercial purpose.” This would seem to limit AENS to collecting, processing and sharing personal information strictly necessary for the purpose of tracking infectious diseases. Likewise, AENS must delete a person’s covered data upon request and on a rolling basis per public health authority guidance. Service providers working with AENS must comply with the latter’s direction to delete covered data.

AENS must “establish, implement, and maintain data security practices to protect the confidentiality, integrity, availability, and accessibility of covered data…[that] be consistent with standards generally accepted by experts in the information security field.” The bill further specifies that such practices must include identifying and assessing risks, corrective and preventive actions for risks, and notification if an AENS is breached. The bill would also ban discrimination on the basis of covered data collected or processed by an AENS or on the basis of a person’s decision not to use an AENS.

As a means of providing oversight, the Privacy and Civil Liberties Oversight Board (PCLOB) would have its mandate enlarged to include “health-related epidemics,” meaning the Board could investigate and issue reports on how well or poorly the act is being implemented with respect to privacy and civil liberties. To this end, within one year of enactment, PCLOB “shall issue a report, which shall be publicly available to the greatest extent possible, assessing the impact on privacy and civil liberties of Government activities in response to the public health emergency related to the Coronavirus 2019 (COVID–19), and making recommendations for how the Government should mitigate the threats posed by such emergency.”

AENS must also collaborate with public health authorities, which are federal and state agencies charged with protecting and ensuring public health. AENS could only collect, process, and transfer actual diagnoses of an infectious disease and could not do so with potential or presumptive diagnoses. AENS would be charged with issuing public guidance to help people understand the notifications of the system and any limitations with respect to accuracy and reliability. Moreover, AENS must also publish metrics (i.e. “measures of the effectiveness of the service”), including adoption rates. Presumably these latter two requirements would allow for greater transparency and also greater insight into how widely an app or platform is being adopted.

There are a few unexpected wrinkles, however. For example, the act only bars deceptive acts, and not unfair ones, which is a deviation from Section 5 of the Federal Trade Commission (FTC) Act, necessitating language in the bill to this effect rather than the usual reference to 15 USC 45. The bill also places a positive duty on service providers to report violations of the act by either AENS or public health authorities to these entities. It is possible that if such a report accurately depicted a violation that the AENS or public health authority then neglected to remedy, the enforcers of the act would have an easier case to make that a violation occurred.

As mentioned, the FTC would police and enforce the act with an enlarged jurisdiction to include common carriers and non-profits. The agency would treat violations as if they were violations of an FTC regulation barring unfair or deceptive practices, which allows the agency to seek civil fines for first offenses. The FTC would not, however, receive rulemaking authority, and should regulations be needed, the agency would be forced to use the cumbersome Magnuson-Moss process.

However, and like the “Public Health Emergency Privacy Act,” the FTC would receive explicit authority to go to court itself instead of having to work through the Department of Justice (DOJ), which is currently the case. That this new wrinkle has appeared in two recent bills largely sponsored by Democrats suggests this may be a new demand for targeted and national privacy legislation and also may reflect diminished faith in the DOJ to vigorously enforce privacy legislation.

State attorneys general could enforce the act in the same ways as the FTC, meaning civil penalties would be possible in the first instance. State attorneys general may also bring concurrent state claims, alleging violations under state laws. And so, the bill does not preempt state laws, as a section of the bill goes to some length to stress.

Interestingly, while the bill does not create a private right of action, it suggests a possible way of resolving that sticking point in negotiations between Republicans and Democrats. The bill stresses that it does not foreclose any existing common law federal and state rights of action and would therefore allow people to use any existing law to sue covered entities. This would allow tort suits and other suits to move forward. That Cassidy has cosponsored legislation with this language does not necessarily indicate this is now the will of the Senate Republican Conference.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Dueling COVID-19 Privacy Bills Released

Democratic stakeholders answer a Republican proposal on how to regulate privacy issues raised by COVID-19 contact tracing. The proposals have little chance of enactment and are mostly about positioning.


Late last week, a group of Democratic stakeholders on privacy and data security issues released the “Public Health Emergency Privacy Act” (S.3749), a bill that serves as a counterpoint to the “COVID-19 Consumer Data Protection Act” (S.3663), legislation introduced a few weeks ago to propose a solution to the privacy issues raised by contact tracing of COVID-19. However, the Democratic bill contains a number of provisions that many Republicans consider non-starters, such as a private right of action for individuals and no preemption of state laws. It is not likely this bill will advance in the Senate even though it may possibly be moved in the House. S. 3749 was introduced by Senators Richard Blumenthal (D-CT) and Mark Warner (D-VA) and Representatives Anna Eshoo (D-CA), Jan Schakowsky (D-IL), and Suzan DelBene (D-WA).

In a way, the “Public Health Emergency Privacy Act” makes the case that “Health Insurance Portability and Accountability Act” (HIPAA)/“Health Information Technology for Economic and Clinical Health Act” (HITECH Act) regulations are inadequate to protect the privacy and data of people in the United States for the reason that these regulations apply only to healthcare providers, their business associates, and other named entities in the healthcare system. Entities collecting healthcare information, even very sensitive information, are not subject to HIPAA/HITECH regulations and would likely be regulated, to the extent they are, by the Federal Trade Commission (FTC) or state agencies and attorneys general.

The “Public Health Emergency Privacy Act” would cover virtually all entities, including government agencies, except for public health authorities (e.g. a state department of health or the Centers for Disease Control and Prevention), healthcare providers, service providers, and people acting in a household capacity. This remarkable definition likely reflects plans announced by governments around the world to eschew Google and Apple’s contact tracing app and develop their own. Moreover, it would also touch some efforts aside and apart from contact tracing apps. Additionally, this is the first bill introduced recently that proposes to treat public and private entities the same way with respect to how and when they may collect personal data.

The types of data protected under the act are “emergency health data,” which are defined as “data linked or reasonably linkable to an individual or device, including data inferred or derived about the individual or device from other collected data provided such data is still linked or reasonably linkable to the individual or device, that concerns the public COVID–19 health emergency.” The bill then lists a sweeping and comprehensive set of examples of emergency health data. This term includes “information that reveals the past, present, or future physical or behavioral health or condition of, or provision of healthcare to, an individual” related to testing for COVID-19 and related genetic and biometric information. Geolocation and proximity information would also be covered by this definition. Finally, emergency health data encompasses “any other data collected from a personal device,” which seems to cover all data collection from a person’s phone, the primary means of contact tracing proposed thus far. However, it would appear that data on people collected at the household or higher level may not be subject to this definition and hence to much of the bill’s protections.

The authority provided to covered entities is limited. First, collection, use, and disclosure of emergency health data are restricted to good faith health purposes. And yet, this term is not defined in the act, and the FTC may need to define it during the expedited rulemaking the bill requires. However, it seems a fairly safe assumption that the agency and courts would not construe using emergency health data for advertising as a good faith public health purpose. Next, covered entities must allow people to correct inaccurate information, and the entity itself has the duty to take reasonable efforts on its own to correct this information. Covered entities must implement reasonable safeguards to prevent discrimination on the basis of these data, which is a new obligation placed on covered entities in a privacy or data security bill. This provision may have been included to bar government agencies from collecting and using covered data for discriminatory purposes. However, critics of more expansive bills may see this as the camel’s nose under the tent for future privacy and data security bills. Finally, the only government agencies that can legally be provided emergency health data are public health authorities, and then only “for good faith public health purposes and in direct response to exigent circumstances.” Again, the limits of good faith public health purposes remain unclear, and such disclosure can only occur in exigent circumstances, which likely means when a person has contracted or been exposed to COVID-19.

Covered entities and service providers must implement appropriate measures to protect the security and confidentiality of emergency health data, but the third member of the usual triumvirate, availability, is not identified as requiring protection.

The “Public Health Emergency Privacy Act” outright bars a number of uses for emergency health data:

  • Commercial advertising, recommendations for e-commerce, or machine learning for these purposes
  • Any discriminatory practices related to employment, finance, credit, insurance, housing, or education opportunities; and
  • Discriminating with respect to goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation

It bears noting that covered data cannot be collected or disclosed for these purposes either.

The act contains very strong consent language. Covered entities may not collect, use, or disclose emergency health data unless a person has provided express affirmative consent, which requires knowing, informed choice that cannot be obtained through the use of deceptive practices nor inferred through a person’s inaction. However, there are significant exceptions to this consent requirement that would allow covered entities to collect, use, or disclose these data, including

  • protecting against malicious, deceptive, fraudulent, or illegal activity; or
  • detecting, responding to, or preventing information security incidents or threats;
  • the covered organization is compelled to do so by a legal obligation.

But these purposes are valid only when necessary and solely for the fulfillment of the named purpose.

In a related vein, covered entities must allow people to revoke their consent and it must be effective as soon as practicable but no later than 15 days afterward. Moreover, the person’s emergency health data must be destroyed or rendered not linkable within 30 days of revocation of consent.

Covered entities must provide clear and conspicuous notice before or at the point of data collection that explains how and why the emergency health data is collected, used, and disclosed. Moreover, it must also disclose the categories of recipients to whom a covered entity discloses covered data. This notice must also disclose the covered entity’s data retention policies and data security policies and practices but only with respect to emergency health data. The notice must also inform consumers on how they may exercise rights under the act and how to file a complaint with the FTC.

There would also be a public reporting requirement for those covered entities collecting, using, or disclosing the emergency health data of 100,000 or more people. Every three months, these entities would need to report on aggregate figures on the number of people from whom data was collected, used, and disclosed. These reports must also detail the categories of emergency health data collected, used and disclosed and the categories of third parties with whom such data are shared.

The bill requires covered entities to destroy or make not linkable emergency health data 60 days after the Secretary of Health and Human Services declares the end of the COVID-19 public health emergency, or a state does so, or 60 days after collection.

The FTC would be given the daunting task of beginning a rulemaking 7 days after enactment “to ensure a covered organization that has collected, used, or disclosed emergency health data before the date of enactment of this Act is in compliance with this Act, to the degree practicable” that must be completed within 45 days. There is also a provision requiring the Department of Health and Human Services (HHS) to issue guidance so that HIPAA/HITECH Act regulated entities do not need to meet duplicative requirements, and, moreover, the bill exempts these entities when operating under the HIPAA/HITECH Act regulations.

The FTC, state attorneys general, and people would be able to enforce this new act through a variety of means. The FTC would treat violations as if they were violations of a regulation barring a deceptive or unfair practice, meaning the agency could levy fines in the first instance of more than $43,000 a violation. The FTC could seek a range of other relief, including injunctions, restitution, disgorgement, and remediation. Notably, the FTC could go to federal court without having to consult with the Department of Justice, which is a departure from current law and almost all the privacy bills introduced in this Congress. The FTC’s jurisdiction would be broadened to include common carriers and non-profits for purposes of this bill, too. The FTC would receive normal notice and comment rulemaking authority that is very broad, as the agency would be free to promulgate any regulations it sees necessary to effectuate this act.

State attorneys general would be able to seek all the same relief the FTC can so long as the latter is not already bringing an action. Moreover, any other state officials empowered by state statute to bring similar actions may do so for violations of this act.

People would be allowed to sue in either federal or state court to vindicate violations. The bill states that any violation is to be considered an injury in fact to forestall any court from finding that a violation does not injure the person, meaning her suit cannot proceed. The act would allow people to recover between $100 and $1,000 for any negligent violation and between $500 and $5,000 for any reckless, willful, or intentional violation, with no cap on total damages. People may also ask for and receive reasonable attorney’s fees and costs and any equitable or declaratory relief a court sees fit to grant. Moreover, the bill would disallow all pre-lawsuit arbitration agreements or waivers of rights. Much of the right to sue granted to people by the “Public Health Emergency Privacy Act” will be opposed by many Republicans and industry stakeholders.

The enforcement section raises a few questions given that entities covered by the bill include government agencies. Presumably, the FTC cannot enforce this act against government agencies for the very good reason that it does not have jurisdiction over them. However, does the private right of action waive the federal and state governments’ sovereign immunity? This is not clear and may need clarification if the bill is acted upon in either chamber of Congress.

This bill would not preempt state laws, which, if enacted, could subject covered entities to meeting more than one regime for collecting, using, and disclosing emergency health data.

Apart from contact tracing, the “Public Health Emergency Privacy Act” also bars the use of emergency health data to abridge a person’s right to vote and it requires HHS, the United States Commission on Civil Rights, and the FTC to “prepare and submit to Congress reports that examines the civil rights impact of the collection, use, and disclosure of health information in response to the COVID–19 public health emergency.”

Given the continued impasse over privacy legislation, it is little wonder that the bill unveiled a few weeks ago by four key Senate Republicans takes a similar approach that differs in key aspects. Of course, there is no private right of action and it expressly preempts state laws to the contrary.

Generally speaking, the structure of the “COVID–19 Consumer Data Protection Act of 2020” (S.3663) tracks with the bills that have been released thus far by the four sponsors: Senate Commerce, Science, and Transportation Committee Chair Roger Wicker (R-MS) (See here for analysis of the “Consumer Data Privacy Act of 2019”) and Senators John Thune (R-SD), Jerry Moran (R-KS) (See here for analysis of the “Consumer Data Privacy and Security Act of 2020” (S.3456)), and Marsha Blackburn (R-TN) (See here for analysis of the “Balancing the Rights Of Web Surfers Equally and Responsibly Act of 2019” (BROWSER Act) (S. 1116)). In short, people would be provided with notice about what information the app collects, how it is processed, and with whom and under what circumstances this information will be shared. Then a person would be free to make an informed choice about whether or not she wants to consent and allow the app or technology to operate on her smartphone. The FTC and state attorneys general would enforce the new protections.

The scope of the information and entities covered is narrower than the Democratic bill. “Covered data” is “precise geolocation data, proximity data, a persistent identifier, and personal health information” but not aggregated data, business contact information, de-identified data, employee screening data, and publicly available information. Those entities covered by the bill are those already subject to FTC jurisdiction along with common carriers and non-profits, but government agencies are not, again unlike the bill put forth by Democrats. Entities must abide by this bill to the extent they “collect[], process[], or transfer[] such covered data, or determine[] the means and purposes for the collection, processing, or transfer of covered data.”

Another key definition is how an “individual” is determined, for it excludes any person acting in her role as an employee and almost all work-related capacities, making clear employers will not need to comply with respect to those working for them.

“Personal health information” is “information relating to an individual that is

  • genetic information of the individual; or
  • information relating to the diagnosis or treatment of past, present, or future physical, mental health, or disability of the individual; and
  • identifies, or is reasonably linkable to, the individual.”

And yet, this term excludes educational information subject to the “Family Educational Rights and Privacy Act of 1974” or “information subject to regulations promulgated pursuant to” the HIPAA/HITECH Acts.

The “COVID–19 Consumer Data Protection Act of 2020” bars the collection, processing, or transferring of covered data for a covered purpose unless prior notice is provided, a person has provided affirmative consent, and the covered entity has agreed not to collect, process, or transfer such covered data for any other purpose than those detailed in the notice. However, leaving aside the bill’s enumerated allowable purposes for which covered data may be collected with consent, the bill provides a number of exemptions from this general bar. For example, collection, processing, or transfers necessary for a covered entity to comply with another law are permissible, apparently in the absence of a person’s consent. Moreover, a covered entity need not obtain consent for operational or administrative tasks not disclosed in the notice provided to people.

The act does spell out “covered purposes” for which covered entities may collect, process, or transfer covered data with consent after notice has been given:

  • Collecting, processing, or transferring the covered data of an individual to track the spread, signs, or symptoms of COVID–19.
  • Collecting, processing, or transferring the covered data of an individual to measure compliance with social distancing guidelines or other requirements related to COVID–19 that are imposed on individuals under a Federal, State, or local government order.
  • Collecting, processing, or transferring the covered data of an individual to conduct contact tracing for COVID–19 cases.

Covered entities would be required to publish a privacy policy detailing for which of the above covered purposes a person’s covered data would be collected, processed, or transferred. This policy must also detail the categories of entities that receive covered data and the entity’s data retention and data security policies.

There would be reporting requirements that would affect more covered entities than the Democratic bill. Accordingly, any covered entity collecting, processing or transferring covered data for one of the enumerated covered purposes must issue a public report 30 days after enactment and then every 60 days thereafter.

Among other provisions in the bill, people would be able to revoke consent, a request that covered entities must honor within 14 days. Covered entities must also ensure the covered data are accurate, but this requirement falls a bit short of people being granted the right to correct inaccurate data, as they would, instead, merely be able to report inaccuracies. There is no recourse if a covered entity chooses not to heed these reports. Covered entities would need to “delete or de-identify all covered data collected, processed, or transferred for a [covered purpose] when it is no longer being used for such purpose and is no longer necessary to comply with a Federal, State, or local legal obligation, or the establishment, exercise, or defense of a legal claim.” Even though there is the commandment to delete or de-identify, the timing as to when that happens seems somewhat open-ended, as some covered entities could seek out legal obligations to meet in order to keep the data on hand.

Covered entities must also minimize covered data by limiting collection, processing, and transferring to “what is reasonably necessary, proportionate, and limited to carry out [a covered purpose.]” The FTC must draft and release guidelines “recommending best practices for covered entities to minimize the collection, processing, and transfer of covered data.” However, these guidelines would most likely be advisory in nature and would not carry the force of law or regulation, leaving covered entities to disregard some of the document if they choose. Covered entities must “establish, implement, and maintain reasonable administrative, technical, and physical data security policies and practices to protect against risks to the confidentiality, security, and integrity of such data,” a mandate broader than the duty imposed by the Democratic bill.

The FTC and state attorneys general would enforce the new regime. The FTC would be able to seek civil fines for first violations in the same way as under the Democrats’ privacy bill. However, unlike the other bill, the Republican bill would nullify any Federal Communications Commission (FCC) jurisdiction to the extent it conflicted with the FTC’s in enforcement of the new act. Presumably, this would address jurisdictional issues raised by placing common carriers under FTC jurisdiction when they are usually overseen by the FCC. Even though state laws are preempted, state attorneys general would be able to bring actions to enforce this act at the state level. And, as noted earlier, there is no private right of action.
