While the COVID-19 outbreak has brought about numerous changes to our daily lives, it has not brought U.S. Congress any closer to bridging the partisan divide over the shape and scope of federal privacy legislation. Although both Democrats and Republicans in Congress have introduced privacy legislation related to the ongoing COVID-19 pandemic in recent weeks, lawmakers from either side of the aisle remain at odds over at least two key provisions: a private right of action and preemption of state law.
The same lack of agreement on these issues also brought about a halt to progress last year in passing a federal privacy law, efforts which had been met with enthusiasm by many privacy advocates and were also supported by a large majority of the public.
Ultimately, establishing baseline privacy protections at the federal level would be one way to alleviate growing distrust and fears throughout society about data misuse, which would encourage the adoption of contact tracing technologies that can play a role in mitigating the spread of coronavirus.
A familiar script
For those who have been following U.S. developments around privacy at the federal level, a familiar script is playing out with respect to the two recently introduced pieces of federal privacy legislation related to COVID-19.
It goes like this.
First, Republicans introduce a bill that would require consent to process sensitive data and protect various individual rights, such as rights to access, transparency and data security. Notably, this bill would preempt state laws that provide for stronger privacy protections and lack a private right of action, being solely enforced by the Federal Trade Commission and state attorneys general.
Then, Democrats introduce a bill that provides even stronger protection for individual rights and includes protections for a few more, such as the right to nondiscrimination. It also provides a more expansive definition of “sensitive data,” establishes a private right of action, and includes a non-preemption clause.
Lastly, these thorny issues and politically contentious differences remain unresolved, and efforts to enact a data privacy law at the federal level come to a halt.
Oh, and one more thing: California adds a pathbreaking privacy act to its November ballot.
For the most part, this series of events played out in November and December 2019, when Republicans in the Senate unveiled the Consumer Data Privacy Act, after which Democrats in the Senate introduced the Consumer Online Privacy Rights Act, and again earlier this month, when Senate Republicans introduced the COVID-19 Consumer Data Protection Act, followed by the introduction of the Public Health Emergency Privacy Act by Democrats in both the House and the Senate.
While close, Congress has not completely agreed about the scope and shape of a federal privacy law. The difference this time, however, is that the COVID-19 Consumer Data Protection Act may be rolled into a phase-four coronavirus recovery package, which means it has a real shot at passing.
Consensus and contention
In a previous white paper, I analyzed two pieces of federal privacy legislation introduced late last year, one sponsored by Democrats and one by Republicans. There were several points of agreement that were encouraging to privacy advocates who are pushing for more rights at the federal level. Areas of consensus included requiring consent to process sensitive data, transparency, data security and risk assessment obligations, as well as issues of corporate accountability, such as the designation of privacy and data security officers.
The two bills also overlapped to some degree in how they defined “sensitive data” and the level of protection they afforded to the individual rights to access, correction, deletion and data portability, albeit some nuanced differences could be found between the texts. For example, the Republican-backed bill was limited in how much protection is afforded to the exercise of individual rights, and it also included broader exceptions.
The most readily apparent differences between the bills, meanwhile, revolved around the preemption of state law and private right of action, as well as a couple of other issues, such as recognizing “harmful” data practices and establishing a new FTC bureau. While the Republican-backed bill contained broad preemption, the Democratic bill would have preserved state law and superseded it only in cases of direct conflict and when the state law provided weaker protection.
COVID-19 privacy bills
Like their 2019 counterparts, the recently introduced COVID-19 privacy bills from each party agree on several key principles, as detailed in a recent analysis by the Future of Privacy Forum. The agreement includes the requirement to obtain consent to process data, keep data collection to a minimum, and afford protection for individual rights, such as the right to correct inaccurate information.
These two bills differ, however, with respect to the scope of entities and data that would fall under their purview (the Democratic bill is broader in scope). Most consequential for their potential reconciliation, however, are the positions they take toward a private right of action, which the Electronic Privacy Information Center has described as one of the “basic elements of a comprehensive privacy law,” as well as the preemption of state law.
It is unclear what a negotiated, partial or limited private right of action or preemption would look like — or even if negotiated forms of these provisions would be politically feasible — but privacy legislation on Capitol Hill is unlikely to move forward before the parties’ positions on these two issues are reconciled.
Why more privacy protection is needed
At least part of the legislative intent behind the two COVID-19 bills is to alleviate privacy concerns that may inhibit people from using contact tracing apps that can mitigate the spread of coronavirus. This goal may be especially important given that public opinion in the U.S. toward the data collection practices of companies and government agencies has soured in recent years.
For example, according to a recent Pew Research survey, about 3 in 4 Americans say the data collection practices of companies and government bring them very little to no benefit at all. Indeed, by a ratio of 4 to 1, Americans say that the potential risks of data collection by companies outweigh the potential benefits.
These dour views seemed to have tainted public attitudes toward coronavirus mitigation efforts. Regarding the collection of cellphone location data to combat the spread of COVID-19, in particular, Americans are anything but optimistic. The majority (60%) say that such data collection will “not make much of a difference” in stopping the spread of the coronavirus, while 22% say that it will only “help a little.”
This skepticism is not merely held by fringe groups in society, and it does not imply that the U.S. public is misinformed. A Brookings Institution report about the use of contact tracing apps, written by Ashkan Soltani, a former chief technologist for the FTC, the University of Washington's Ryan Calo, and Professor of Biology Carl Bergstrom, concluded that “no clever technology — standing alone — is going to get us out of this unprecedented threat to health and economic stability.”
Complicating matters even further is the lack of trust most people have in large tech companies to keep their personal information private. Yet, as privacy scholar Paul Schwartz recently pointed out, “public use of these apps ultimately depends on the extent of trust in them.”
Thus, national efforts to combat coronavirus that rely on these data-collecting technologies will be hindered by the U.S. public’s absence of trust, which has continually eroded over the years by high-profile data breaches and scandals, such as Facebook-Cambridge Analytica.
What this relationship between trust and technology use makes clear is that, in an open and democratic society, the goals of protecting privacy and safeguarding public health are mutually reinforcing, not mutually exclusive.
Conclusion
As we continue to track legislative developments at the federal level in the wake of COVID-19, the most recent sequence of events bears a striking resemblance to events of the past year.
Yet, even in the midst of a pandemic, Congress remains divided on the scope and shape of privacy legislation to enact. As an analysis of the two most recent pieces of COVID-19 privacy legislation demonstrates, Democrats and Republicans remain divided over key issues, such as the private right of action and preemption of state law.
Perhaps the epitome for such a scenario is the character of Phil Connors, the weatherman portrayed by Bill Murray in the comedy film "Groundhog Day," who is forced to relive the same day over and over. After countless repetitions of Feb. 2, the protagonist finally manages to break the cycle by doing what is right and helping the townspeople of Punxsutawney, Pennsylvania, to solve their problems.
Let us hope that legislators in Congress can similarly break out of the current cycle by doing what is right for the public and put in place much-needed baseline privacy protections.
Photo by Maria Oswalt on Unsplash