Contact Tracing Privacy Concerns? Congress Is On It!
By Behnam Dayanim, & Peter Hegel
As of the writing of this post, traditional contact tracing methods have largely fallen short in the United States, for a number of practical and political reasons. More and more frequently, some health agencies, states and countries have turned to digital contact tracing methods—most commonly using location and proximity-tracking technology. Privacy advocates have expressed serious concerns over the invasive nature of location-tracking technology and the anonymity of the data collected.
To respond to these concerns, members of Congress so far this year have introduced two separate Congressional bills focused on protecting individual data privacy in contact tracing. First was the Public Health Emergency Privacy Act (PHEPA), introduced in the last Congress and re-introduced in late January. The Secure Data and Privacy for Contact Tracing Act (SDPCTA) followed on its heels on February 3. Both proposed bills purport to increase protections attendant to digital contact tracing methods.
Public Health Emergency Privacy Act
Originally introduced by Senator Richard Blumenthal (D-CT) in May of last year, PHEPA sets stringent privacy and data security rights for health information related to the ongoing COVID-19 pandemic. The bill did not receive serious consideration during the last Congress, but it was reintroduced this year with the support of several Democratic members.
PHEPA would mandate a series of key privacy and security protections, including:
- Ensuring covered organizations “only collect, use, or disclose such data that is necessary, proportionate, and limited for a good faith public health purpose”;
- Restricting the collection of emergency health data only to instances where an individual has given express, affirmative opt-in consent;
- Ensuring covered organizations take reasonable measures to confirm health data are accurately collected and stored, as well as to provide an “effective mechanism for an individual to correct inaccurate information”;
- Prohibiting “unlawful discrimination on the basis of emergency health data” as well as delineating a series of prohibited uses, including commercial advertising and e-commerce;
- Requiring covered organizations to provide clear and conspicuous notice of how the organization will collect, use and disclose emergency health data;
- Requiring covered organizations to “establish and implement reasonable data security policies, practices, and procedures to protect the security and confidentiality of emergency health data”; and
- Granting individuals a private right of action in addition to granting enforcement powers to the FTC and, where applicable, state attorney generals.
Additionally, PHEPA imposes related privacy protections, including the protection of “voting rights by prohibiting conditioning the right to vote based on a medical condition or use of contact tracing app” and “regular reports on the impact of digital collection tools on civil rights.”
Several advocacy organizations have endorsed PHEPA, including Access Now, Electronic Privacy and Information Center (EPIC), the Center for Digital Democracy, Color of Change, Common Sense Media, New America’s Open Technology Institute and Public Knowledge.
“Covered organizations” under PHEPA are not synonymous with Covered Entities under HIPAA. Rather, PHEPA applies to any person (including a government entity) “that collects uses, or discloses emergency health data electronically or through communication by wire or radio; or. . .that develops or operates a website, web application, mobile application, mobile operating system feature, or smart device application for the purpose of tracking, screening, monitoring, contact tracing, or mitigation, or otherwise responding to the COVID-19 public health emergency.” Importantly, the term does not include health care providers, service providers and public health authorities.
Secure Data and Privacy for Contact Tracing Act
The SDPCTA takes a slightly different approach than PHEPA, tying proposed grants to states seeking to use digital contact tracing technology to those states’ acceptance of robust privacy protections for users. Like PHEPA, the SDPCTA enjoys support from members in both chambers, although – also like PHEPA – so far only from the Democratic side of the aisle.
Under the SDPCTA, a total of $75,000,000 in federal grant money would be set aside for the Centers for Disease Control and Prevention to award to eligible state, tribal and territorial public health agencies. Reception of grant money is conditioned on implementing a host of privacy requirements, including:
- Establishing a program that is voluntary for individuals (requiring affirmative opt-in consent) to participate in and providing “complete and clear information on the intended use and processing of data collected by the technology”;
- Limiting data collection only to the extent necessary to meet contact tracing objectives;
- Deleting data no later than 30 days after the end of the COVID-19 emergency and, where practical, including notifications to individuals to disable or remove digital contact tracing technology;
- Mandating the encryption of contact tracing data; and
- Requiring public health agencies to establish processes for independent security assessments and rigorous procedures for remediating vulnerabilities.
Additionally, public health agencies are prohibited from conditioning the reception of government benefits or employment or employment status on the participation in contact tracing. Contact tracing data may not be used for “any punitive purpose, including law enforcement, immigration enforcement, or criminal prosecution.”
The future of both bills is uncertain; however, with slim Democratic majorities in both chambers and a Democratic administration, legislation would seem to possess an admittedly narrow but nonetheless discernible path to enactment.