A Republican-led coronavirus data privacy bill was introduced in the Senate last week, but the bill does not have the backing of advocacy groups.
The bill comes as tech companies and public health advocates have worked to use technology to trace the spread of the coronavirus.
The COVID-19 Consumer Data Protection Act was unveiled on Thursday after weeks of anticipation by Sen. Roger Wicker (R-Miss.), the chairman of the Senate Commerce Committee, Sen. John Thune (R-S.D.), Sen. Jerry Moran (R-Kansas), and Sen. Marsha Blackburn (R-Tenn.).
The COVID-19 Consumer Data Protection Act would require companies to get consent from individuals to collect health information, device information, geolocation, or proximity information.
It would also make companies disclose why their data is being collected, how it will be handled, who it will be transferred to, and how long it will be retained.
The bill claims it will give Americans more control over data that is collected as part of the coronavirus response and hold businesses accountable to consumers. Wicker said because “data has great potential to help us contain the virus” there needed to be a way to “ensure that individuals’ personal information is safe from misuse.
It’s future is uncertain. Even if the bill were to pass in the Republican-controlled Senate, it would need to go through the Democrat-controlled House of Representatives.
However, several advocacy groups that champion digital rights have said the Republican bill does not go far enough to protect consumers.
The groups highlighted, specifically, a number of exemptions within the bill for specific kinds of data collected and its preemption of state and local laws.
Sara Collins, the policy counsel for Public Knowledge, said the bill does not cover data other than contract tracing. She added, among other criticisms, that it preempts “much stronger” privacy protections under the Federal Trade Commission (FCC) governing mobile carriers.
The bill exempts aggregated data, data that does not identify or link to a person; business contact information; “de-identified data,” employee screening data; and publicly available information from the data that is covered by it.
Collins also raised alarms that the bill would preempt any potential state-level laws that might go further than it. Specifically, the bill says “no state or political subdivision of a state my adopt, maintain, enforce, or continue in effect any law, regulation, rule, requirement, or standard … is related to the collection, processing, or transfer” of data covered by the bill.
“In this time of crisis, Americans need strong privacy protection they can trust, not deregulation disguised as consumer protection. This bill is truly a privacy ‘cure’ worse than the disease.”
The preemption of state level laws was also a sticking point for Albert Fox Cahn, the executive director of the Surveillance Technology Oversight Project, since it would effectively block states from going further than the federal one if they chose to do so.
Cahn added that it could also preempt other protections being drafted, for example, a bill introduced in New York’s Assembly in April that would ban the location of geolocation data of people who are not under suspicion of a crime.
Cahn told the Daily Dot he believed state or local laws could, for example, also offer people a private right of action, or the ability to sue tech companies that violated the law.
“We think there are parts of it that are quite dangerous and potentially counterproductive,” Cahn said of the Republican’s bill. “The fact that it preempts states and local privacy protections for COVID-19 tracking data is incredibly alarming to me … Under this bill, residents are going to be dependent on the FTC and state attorneys generals as the only ones to enforce this measure. Depending on what state you live in, that may leave you without much leverage at all.”
The bill’s exemption of aggregated information was also an issue, Cahn said.
“One thing that has become quite apparent over the years is that location data—such as data that would be acquired in any contact tracing app—is uniquely difficult to anonymize,” Cahn said. “The locations we are at are so intimately associated with who we are. So even if you remove the name, if you remove someone’s social security number or whatever identifier they are using, it will still be possible to reconstruct who someone is.”
Gaurav Laroia, the senior policy counsel at Free Press Action, called the bill “profoundly flawed,” adding that lawmakers should “start over” because of exemptions built into it.
“The bill’s authors should start over,” Laroia said in a statement. “Any entity that is planning to deploy this technology—whether they’re state and local governments or businesses—must do so only for valid public-health reasons, and in a way that protects individual privacy and civil rights.”
*First Published: May 14, 2020, 7:00 am
Andrew Wyrich is a politics and technology staff writer for the Daily Dot. Andrew has written for USA Today, NorthJersey.com, and other newspapers and websites. His work has been recognized by the Society of the Silurians, Investigative Reporters & Editors (IRE), and the Society of Professional Journalists (SPJ).