Future of Privacy Forum (FPF) Senior Counsel Stacey Gray today provided the Senate Committee on Commerce, Science, and Transportation with written testimony, including recommendations based on how experts in the U.S. and around the world are currently mitigating the risks of using data to combat the COVID-19 pandemic.
“The collection and use of data, including personal data, to respond to a public health crisis like a pandemic can be compatible with privacy and data protection principles,” said Gray. “In many cases, commercial data can be shared in a way that does not reveal any information about identified or identifiable individuals.”
Gray offered recommendations, based on recent FPF workshops with global experts, to mitigate the risks of processing location data and other consumer data for public health initiatives, including:
- Follow the lead of public health experts. Rather than leading the way with data that is already available, technology companies should play a supporting role to epidemiologists, established research partners, and public health experts and rely on their expertise in determining what data is useful to achieving specific, clear public health goals.
- Ensure transparency and lawfulness. In order to ensure public trust, including in the use of voluntary pandemic apps, companies should be as transparent as possible about data shared with government or public health officials.
- Apply privacy enhancing technologies (PETs). Companies should take advantage of advances made by privacy engineers in recent years, and apply privacy enhancing technologies (PETs), such as differential privacy, in accordance with principles of data minimization and privacy by design.
- Employ privacy risk assessments. Companies should use well-established privacy and data protection impact assessment frameworks to help identify risks and find ways to mitigate or eliminate them.
- Follow core purpose limitation principles. Any personal data collection and use enlisted to fight the pandemic should be limited in time and limited to a specific, well-defined purpose identified in advance, with clear limitations on secondary uses.
Gray also explored the commercial sources and relative risks and benefits of precise location data generated by consumer devices, and highlighted the needs for baseline federal consumer privacy legislation. In addition to providing legal protections for individuals, a federal privacy law would also provide much-needed legal clarity for US companies to be able to respond quickly and understand what kind of data they may or may not share legally and ethically to support emergency public health initiatives.
Gray provided testimony to a full Commerce, Science, and Transportation Committee paper hearing, “Enlisting Big Data in the Fight Against Coronavirus.” Witness testimony was published by the committee on Thursday, April 9, 2020, at 10:00 a.m. Questions from committee members will be posted by the end of the day, and witnesses will have 96 business hours to respond.
FPF is exploring the challenges posed by the COVID-19 pandemic to existing ethical, privacy, and data protection frameworks through a series of original Privacy and Pandemics publications, workshops, and resources, accessible on the FPF website. The series is intended to help governments, researchers, companies, and other organizations navigate essential privacy questions regarding the response to the coronavirus pandemic. Resources include a chart that compares the specific objectives and methods of apps and software development kits (SDKs) that have been deployed to help public and private entities tackle the COVID-19 pandemic, and lessons learned from a workshop on corporate data-sharing for COVID-19 research.