Bipartisan Privacy Bill Would Govern Exposure Notification Services
Authors: Stacey Gray, Senior Counsel; Katelyn Ringrose, Christopher Wolf Diversity Law Fellow; and Polly Sanderson, Policy Counsel
Yesterday, Senators Cantwell (D-WA), Cassidy (R-LA), and Klobuchar (D-MN) introduced a new COVID-19 data protection bill, the Exposure Notification Privacy Act, which would create legal limits for “automated exposure notification services.” The bill comes on the heels of Republican and Democratic-led bills introduced earlier this month that would govern COVID-19 data much more broadly.
In contrast, the Exposure Notification Privacy Act would specifically regulate “exposure notification” apps, primarily mobile apps that enable individuals to receive automated alerts if they have been exposed to COVID-19. Such apps often harness Bluetooth, location data, or other information from phones to enable automated alerts for users who have come into contact with an asymptomatic person who is later diagnosed with COVID-19. The Center for Disease Control has described exposure notification systems as a complement to traditional manual techniques used to monitor the spread of COVID-19.
As cities and states begin to reopen, many public health authorities are working with private companies or non-profits to develop these apps. Large employers are also considering using exposure notification services as part of “back to work” strategies to help ensure safe working environments. In order for automated exposure notifications to be highly effective, it is estimated that 40-60% of a given population would need to install such an app (although contact tracing may work at much lower levels than most people think). However, recent research shows a marked lack of trust among the American population when it comes to their digital privacy amid COVID-19. For these reasons, if exposure notification methods are to be effective, trust and adoption are crucial.
“Exposure notification services can support the work of public health agencies and can help employers keep workplaces safe, but only if they are designed and implemented with privacy in mind and in the public interest. The Cantwell-Cassidy bill guarantees that data collected by mobile apps is protected by strong legal safeguards, in addition to technical measures companies put in place.” – Jules Polonetsky, CEO, Future of Privacy Forum
Below, FPF summarizes the core provisions of the Exposure Notification Privacy Act, which, if passed, would become effective immediately. If adopted, it would codify core data protection principles, such as purpose limitation. We describe below the Act’s: (1) jurisdictional and material scope; (2) obligations for covered entities; (3) anti-discrimination provisions; and (4) federal and state enforcement and oversight.
The full text of the Exposure Notification Privacy Act can be found HERE.
The section-by-section of the bill can be found HERE.
The one-pager of the bill can be found HERE.
Jurisdictional and Material Scope
Unlike other COVID-19 privacy bills recently introduced, the Exposure Notification Privacy Act has a narrow scope–applying only to entities that collect data through “automated exposure notification services,” i.e., mobile apps that enable automated alerts to those who may have been exposed to COVID-19.
Covered entities include commercial businesses, non-profits, and common carriers collecting or processing data that is “linked or reasonably linkable to [any] individual or device linked or reasonably linkable to an individual.” Although the bill does not contain an explicit exemption for de-identified data, covered data does not include “aggregate data.”
Importantly, this bill would not apply to the various technologies, including mobile apps, that enable traditional manual contact tracing, i.e., tracing that involves public health experts interviewing a diagnosed person and contacting friends and family who may have been exposed. For example, New York City is partnering with Salesforce to assist manual contact tracers by deploying a call center as well as a customer relationship and case management system. San Francisco and Massachusetts have also been ramping up manual contact tracing efforts. Many of those are already subject to restrictions mandating confidentiality for public health agencies.
In addition, this bill would not affect state and local government entities that are developing and implementing automated exposure notification services “in house,” without partnering with private companies or non-profits. Generally, the federal government cannot directly regulate local governments engaged in traditionally local activities such as public health.
Obligations of Covered Entities
Under this bill, commercial entities or nonprofits that operate “automated exposure notification services” would be subject to strict legal requirements. Many of the bill’s requirements are consistent with the requirements for COVID-19 apps set by the App Store and Google Play. As a result, app developers using the API created by Google and Apple should already be substantially in compliance.
These obligations include:
- App operators would be required to “collaborate with” a public health authority. This legal restriction would prevent commercial entities from developing and offering their own apps independently of any involvement of public health officials. For example, many large employers are developing “back to work” strategies that include deploying their own exposure notification apps to help ensure safe working environments for employees and customers. Under this bill, such employers would be prevented from doing so unless 1) the app facilitates manual contact tracing (rather than automated alerts); or 2) they begin collaborating, at least to a certain extent, with a public health authority. As some workplace apps will likely be considered essential to helping employers ensure a safe working environment, the extent to which employers must collaborate with public health authorities (whether they must work closely together or, for example, adopt local health guidelines) will likely need further clarity. This is an area for further development by the Senate Commerce Committee.
- Apps would have to be voluntary. The bill includes robust consent requirements that would require exposure notification apps to be voluntary. In order to process data as part of such a service, an app would be required to obtain “affirmative express consent,” which must be “freely given” and “nonconditioned,” after the user receives a “clear and conspicuous” disclosure of the data practices.
- Any COVID-19 diagnosis would have to be confirmed by a public health authority. The bill would require any diagnosis processed by an exposure notification service to be an “authorized diagnosis,” meaning confirmed by a public health authority or health care provider. This would preclude exposure notification services from being designed in such a way that individuals could self-report potential or unconfirmed COVID-19 diagnoses.
- Data would have to be deleted regularly and upon request. The bill would require operators to either delete an individual’s data upon request or allow individuals a mechanism to delete their own data. Furthermore, the bill would require operators and service providers, on a recurring basis every thirty days, to delete covered data. This recurring deletion requirement would not apply to data processed for public health research purposes.
- Data would have to be kept secure. Covered entities would be required to implement reasonable security practices, a requirement that reflects the sensitive nature of the data. Specifically, operators would be required to assess reasonably foreseeable system risks and vulnerabilities, and undertake responsive and preventative actions in line with generally acceptable security standards to mitigate those risks.
- App operators would be prohibited from using data for any commercial purposes, or transferring data for secondary purposes. Aside from specific public health research related to COVID-19 approved by an institutional review board, operators would be prohibited from collecting or processing data beyond the “minimum amount necessary to implement an exposure notification service for public health purposes related to COVID-19.” The bill’s limitations on transferring covered data to executive agencies for secondary purposes would preclude the use of covered data for law enforcement or immigration.
- Platforms and apps would be required to publish privacy policies and public guidance. Platforms and apps would be obligated to publish public guidance on functionality, how to interpret the notifications, any limitations with respect to the accuracy or reliability of the exposure risk, and how the effectiveness of the service is measured, including adoption rates. In addition to requiring operators to publish robust privacy policies outlining their data practices, the bill would make it unlawful for an operator to engage in a deceptive act or practice concerning an exposure notification service.
In addition to obligations on app providers, the bill features strong anti-discrimination provisions that would apply to restaurants, educational institutions, hotels, retailers, and other places of “public accommodation” (as defined in Section 301 of the Americans with Disabilities Act). If passed, the bill would make it unlawful for these kinds of establishments to use data from such automated exposure notification services to deny people entry, services, or otherwise discriminate against them.
This would likely prevent these kinds of notification apps from being repurposed as immunity passports, at least to the extent that they are used to disallow someone from using public spaces “based solely on data collected or processed through an exposure notification service or an individual’s choice to use or not use” such a service. Immunity passports are methods for individuals to verify their “risk status” with respect to COVID-19 – i.e., that they have not been exposed, or are not showing symptoms for purposes of travel and work. Immunity passports have been widely criticized for their potential lack of efficacy, as well as their disparate impact on the basis of class and race.
Enforcement and Oversight
The Exposure Notification Privacy Act’s requirements would be enforced by the Federal Trade Commission (FTC) and State Attorneys General (AGs). A violation of the bill would be treated as a violation of the FTC’s prohibition against unfair or deceptive acts or practices under the FTC Act (15 U.S.C. 57(a)(1)(B)). The bill also preserves existing rights of individuals under other federal and state laws, including consumer protection laws, civil rights laws, or common law. We expect further discussion in Congress around the issue of one federal standard, given the expected inter-state interoperability of many of the exposure notification apps. The Exposure Notification Privacy Act would become effective on the date of enactment.
This bill would also extend the purview of the Privacy and Civil Liberties Oversight Board (PCLOB) to federally declared public health emergencies as well as federal actions used to combat terrorism. PCLOB is an independent executive branch agency that is currently tasked with ensuring that federal efforts to protect the U.S. from terrorism appropriately safeguard privacy and civil liberties.
As governments around the world grapple with “back to work” strategies for 2020 and beyond, many are considering whether and how to use exposure notification services to help contain the virus. Senator Cantwell’s proposal offers a promising legal model to build much-needed trust in such services.
In the United States, public health authorities in North Dakota, South Dakota, Utah, Georgia, California, and others are working with private companies to develop contact tracing services. Abroad, Canada recently released “Privacy Principles for Contact Tracing,” Australia has enacted legislation for their Covidsafe tracing app to allay privacy concerns, and the UK has created a Data Ethics Advisory Board for the NHS COVID-19 App.
Meanwhile, Google and Apple have partnered to provide the interoperability and API access needed for Bluetooth-powered exposure notification services to function effectively. Both companies have outlined strict standards for apps deploying this new API, in addition to creating guidelines for any COVID-19 related apps, including those that offer medical advice, education or training services, and social support.
Did we miss anything? Let us know at [email protected] as we continue tracking developments related to exposure notification services.