Congress Is Closely Examining Privacy During COVID-19 Pandemic
Privacy in Focus®
While Congress has been unable to come to agreement on comprehensive privacy legislation in the past few years, it has a new set of privacy topics on the horizon: how to handle a range of privacy issues arising in the context of the coronavirus (COVID-19) pandemic. Last week, on April 9, the Senate held its first hearing on COVID-19 and privacy – a “paper hearing” – to explore the use of aggregated geolocation data in tracking the spread of the disease. The hearing consisted of opening statements by the Chairman and ranking member, witness statements, and questions for the witnesses. The hearing announcement and questions provide important information on where Congress is headed, as it will likely continue to remain engaged on this topic.
Below we summarize some privacy issues raised during the hearing, and highlight a number of privacy issues that Congress could tackle as it moves forward.
Geolocation data. On April 9, the Senate Committee on Commerce, Science, and Transportation held its “paper hearing” on “Enlisting Big Data in the Fight Against Coronavirus.” One goal was to examine “uses of aggregate and anonymized consumer data to identify potential hotspots of coronavirus transmission and to help accelerate the development of treatments.” Topics included “how consumers’ privacy rights are being protected” and also how the government will handle COVID-related data going forward.
Aggregated mobile phone data has provided key insights on how personal behavior has shifted in the wake of the coronavirus spread and local orders to facilitate social distancing. As we’ve noted, individual mobile phone tracking is being used worldwide as a means of combatting the spread of COVID-19, but would raise serious issues under U.S. privacy laws. In his statement, Chairman Roger Wicker (R-MS) provided his view that “[t]he potential benefits of big data to help contain the virus and limit future outbreaks could be significant. . . . To maximize these benefits, however, privacy risks to consumers will need to be minimized.” Ranking Member Maria Cantwell (D-WA) added that “there are three advantages to data that need to be harnessed at this time [-] the power to predict, the power to discover, and the power to persuade.” She also argued for a framework to “ensure that information is used: (1) for a specific limited purpose, with a measurable outcome and an end date, (2) in a fully transparent manner with strong consumer rights, and (3) under strict accountability measures.” Members on both sides of the aisle asked witnesses about how data about individuals will be anonymized and aggregated. How Congress assesses the costs versus benefits to COVID-19 tracking, particularly when compared to other countries, will be a debate worth watching.
The privacy of aggregated geolocation data will likely emerge as an issue outside of the context of mobile phones as well. For example, the CEO of one health tech company testified that the company can leverage the data it collects through its smart thermometer to help identify coronavirus hot spots as an “early warning system.” Meanwhile, some observers have suggested that the spread of the virus can be tracked through the use of data generated by social media accounts, while facial recognition firms may be able to contribute to efforts at contact tracing. Each of these use cases is likely to draw further questions as to how collected data is anonymized, stored, secured, or destroyed.
Remote connections. “Stay at home” and business shutdown orders have resulted in substantial numbers of individuals working remotely from their homes – and connecting via apps and services that previously did not operate at the same scale. This has raised concerns about the privacy of communications over these services. Additionally, employers must also be concerned with cybersecurity of their systems with so many remote users. Based on their questions, Congressional members are interested in privacy and security issues that might arise when dealing with remote connections, including in the area of telehealth.
Enforcement of CCPA. In recent weeks numerous trade associations have asked the California Attorney General to postpone the implementation of the California Consumer Privacy Act (CCPA), which is set to be enforced beginning on July 1st. In support of their push for delay, the trade groups have pointed to the financial costs associated with complying with the law – especially for small businesses already fearful of severe economic impacts created by COVID-19 – as well as the logistical challenges created by stay-at-home orders that have prevented companies from fully operationalizing CCPA’s mandates. Even as Congress has not yet passed a federal privacy law, we can expect members to raise questions about the wisdom of enforcing CCPA in the midst of a pandemic.
Kids’ privacy. Remote connection services are also being used in innovative ways for educational purposes. At the same time, the Children’s Online Privacy Protection Act (COPPA) imposes requirements on many operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age. Congress may look more closely at COPPA compliance issues, and more generally at how children’s information is protected in a learning environment that has moved so quickly online.
Employment situations. As we covered in a recent webinar, dealing with coronavirus will require employers to deal with potentially sensitive health information in the workplace. As governments think about plans for employees to eventually return to work while still protecting public health, employers will need to navigate these concerns as well, and Congress may weigh in.
© 2020 Wiley Rein LLP