While the COVID-19 outbreak has brought about numerous changes to our daily lives, it has not brought U.S. Congress any closer to bridging the partisan divide over the shape and scope of federal privacy legislation. Although both Republicans in Congress have introduced privacy legislation related to the ongoing COVID-19 pandemic in recent weeks, lawmakers from either side of the aisle remain at odds over at least two key provisions: a private right of action and preemption of state law.
The same lack of agreement on these issues also brought about a halt to progress last year in passing a federal privacy law, efforts which had been met with enthusiasm by many privacy advocates and were also supported by a large majority of the public.
Ultimately, establishing baseline privacy protections at the federal level would be one way to alleviate growing distrust and fears throughout society about data misuse, which would encourage the adoption of contact tracing technologies that can play a role in mitigating the spread of coronavirus.
A familiar script
For those who have been following U.S. developments around privacy at the federal level, a familiar script is playing out with respect to the two recently introduced pieces of federal privacy legislation related to COVID-19.
It goes like this.
First, Republicans introduce a bill that would require consent to process sensitive data and protect various individual rights, such as rights to access, transparency and data security. Notably, this bill would preempt state laws that provide for stronger privacy protections and lack a private right of action, being solely enforced by the Federal Trade Commission and state attorneys general.
Then, Democrats introduce a bill that provides even stronger protection for individual rights and includes protections for a few more, such as the right to nondiscrimination. It also provides a more expansive definition of “sensitive data,” establishes a private right of action, and includes a non-preemption clause.
Lastly, these thorny issues and politically contentious differences remain unresolved, and efforts to enact a data privacy law at the federal level come to a halt.
Oh, and one more thing: California adds a pathbreaking privacy act to its November ballot.
For the most part, this series of events played out in November and December 2019, when Republicans in the Senate unveiled the Consumer Data Privacy Act, after which Democrats in the Senate introduced the Consumer Online Privacy Rights Act, and again earlier this month, when Senate Republicans introduced the Public Health Emergency Privacy Act by Democrats in both the House and the Senate.
While close, Congress has not completely agreed about the scope and shape of a federal privacy law. The difference this time, however, is that the rolled into a phase-four coronavirus recovery package, which means it has a real shot at passing.
Consensus and contention
In a previous Future of Privacy Forum. The agreement includes the requirement to obtain consent to process data, keep data collection to a minimum, and afford protection for individual rights, such as the right to correct inaccurate information.
These two bills differ, however, with respect to the scope of entities and data that would fall under their purview (the Democratic bill is broader in scope). Most consequential for their potential reconciliation, however, are the positions they take toward a private right of action, which the Electronic Privacy Information Center has described as one of the “basic elements of a comprehensive privacy law,” as well as the preemption of state law.
It is unclear what a negotiated, partial or limited private right of action or preemption would look like — or even if negotiated forms of these provisions would be politically feasible — but privacy legislation on Capitol Hill is unlikely to move forward before the parties’ positions on these two issues are reconciled.
Why more privacy protection is needed
At least part of the legislative intent behind the two COVID-19 bills is to alleviate privacy concerns that may inhibit people from using contact tracing apps that can mitigate the spread of coronavirus. This goal may be especially important given that public opinion in the U.S. toward the data collection practices of companies and government agencies has soured in recent years.
For example, according to a recent Pew Research survey, about 3 in 4 Americans say the data collection practices of companies and government bring them very little to no benefit at all. Indeed, by a ratio of 4 to 1, Americans say that the potential risks of data collection by companies outweigh the potential benefits.
These dour views seemed to have tainted public attitudes toward coronavirus mitigation efforts. Regarding the collection of cellphone location data to combat the spread of COVID-19, in particular, Americans are anything but optimistic. The majority (60%) say that such data collection will “not make much of a difference” in stopping the spread of the coronavirus, while 22% say that it will only “help a little.”
This skepticism is not merely held by fringe groups in society, and it does not imply that the U.S. public is misinformed. A Brookings Institution report about the use of contact tracing apps, written by Ashkan Soltani, a former chief technologist for the FTC, the University of Washington's Ryan Calo, and Professor of Biology Carl Bergstrom, concluded that “no clever technology — standing alone — is going to get us out of this unprecedented threat to health and economic stability.”
Complicating matters even further is the lack of trust most people have in large tech companies to keep their personal information private. Yet, as privacy scholar
Photo by Maria Oswalt on Unsplash