Newly Released COVID-19 Privacy Bills Would Regulate Pandemic-Related Data
By Pollyanna Sanderson (Policy Counsel), Stacey Gray (Senior Policy Counsel) & Katelyn Ringrose (Christopher Wolf Diversity Law Fellow)
Yesterday afternoon, leading House and Senate Democrats introduced the Public Health Emergency Privacy Act. The Democratic-led bill, which was introduced by Senators Blumenthal and Warner, as well as Representatives Eshoo, Schakowsky and DelBene, follows the May 10th introduction of a similar COVID-19 data protection bill by leading Senate Republicans. Although the bills are similarly broad in scope and substantively robust, they contain a few important differences.
Both the Democratic-led and the Republican-led COVID-19 privacy bills introduced so far are motivated by an urgent need to build public trust in the use of personal data to address the current pandemic. For example, recent research shows a marked lack of trust among the American population when it comes to their digital privacy amid the COVID-19 pandemic.
Below, we summarize the Public Health Emergency Privacy Act’s (1) scope of covered data and entities; (2) legal requirements; and (3) a few key differences from its Republican counterpart.
BROAD SCOPE OF COVERED DATA
The Democratic-led Public Health Emergency Privacy Act would create new substantive obligations for a broad range of covered entities processing data to address COVID-19, both public and private, including non-profits and employers with respect to data collected about their employees.
The Act would apply to:
- Any private or public sector entity that collects or processes “emergency health data,” except public health authorities, HIPAA-covered entities, and service providers.
- “Emergency health data” is defined as data that is linked or reasonably linkable to, or inferred about, an individual and that concerns the public COVID-19 health emergency, including: health-related data, geolocation, proximity data, demographic data, and contact information. Such data includes test results; an estimated likelihood of a COVID-19 positive status; and other genetic data, biological samples, and biometrics.
- The Act would not apply to manual contact tracing and case investigation by public health authorities or their “designated agents.”
LEGAL REQUIREMENTS
The Act contains a variety of blanket prohibitions (such as a prohibition on using COVID-19 data for commercial purposes), as well as a few affirmative obligations (such as reporting) on companies, non-profits, and other covered entities.
Covered entities would be prohibited from:
- Collecting, processing, or disclosing emergency health data except to the extent that it is “necessary, proportionate, and limited” for a good faith public health purpose (data minimization);
- Using emergency health data for: (1) commercial uses, including e-commerce or advertising; (2) offers of employment, finance, credit, insurance, housing, or education opportunities; or (3) discrimination in any place of public accommodation.
Covered entities would be required to:
- Obtain affirmative express consent (and provide the opportunity to revoke such consent);
- Provide individuals with a mechanism to correct inaccurate information;
- Provide transparency about data practices in a privacy policy, and publish public reports every 90 days (for covered entities that collect data of over 100,000 individuals);
- Practice “reasonable” security measures; and
- Destroy data 60 days after the close of the public health emergency, as defined by the Secretary of HHS (or 30 days after an individual revokes consent).
The Act includes a broad research exemption for public health or scientific research associated with COVID-19 when such research is carried out by a public health authority, nonprofit organization, or an institute of higher education. Furthermore, the Act would not prohibit research, development, manufacturing, or the distribution of COVID-19 related drugs or vaccines.
The Act does not preempt state laws, and includes a private right of action with tiered remedies according to whether the violation is negligent ($100-$1,000), or reckless, willful or intentional ($500-$5,000).
COMPARISON TO SENATE REPUBLICANS’ COVID-19 PRIVACY BILL
Last week, Senator Roger Wicker, the Republican Chairman of the Senate Commerce Committee, introduced a similarly broad privacy bill with leading Senate Republicans, the COVID-19 Consumer Data Protection Act of 2020.
The two bills contain many similarities, including a requirement that covered entities obtain “affirmative express consent” to collect or process COVID-19 data, a requirement for recurring deletion, and a data minimization requirement that data should not be collected beyond what is necessary and proportionate to public health needs.
We observe a few key differences between the Republican-led bill and this week’s Democratic-led bill:
- Broader Scope of Covered Entities: The Democratic-led bill would govern a broader scope of covered entities, applying to both private (commercial) and public (government) entities, including non-profits and common carriers, with a few limited exceptions. In contrast, Senator Wicker’s proposal would govern only commercial entities, and would exclude most COVID-19 data collected by employers about their employees.
- Broader Scope of Data: The Democratic-led bill would cover a broader scope of data, including publicly available data. In contrast, Senator Wicker’s proposal contains exemptions for de-identified, aggregated, and “publicly available information,” defined as “information widely available to the general public,” including information from a telephone book or online directory, video, internet, or audio content, or the news media or a website that is available to the general public on an unrestricted basis.
- Exemption for Research: The Democratic-led bill would seem to create a remarkably broad exemption for data processing for “public health or scientific research,” so long as it is conducted by non-profits, universities, or public health authorities. In contrast, Senator Wicker’s bill does not have an explicit research exemption.
- Strong Anti-Discrimination Protections: The Democratic-led bill would prohibit uses of covered data for discriminatory purposes (in the context of employment, finance, credit, insurance, housing, or educational opportunities), and would prohibit discrimination in places of public accommodation (such as restaurants, educational institutions, hotels, or retail stores), on the basis of COVID-19 related data. Furthermore, the Act would require HHS, the FTC, and the US Commission on Civil Rights to produce recurring reports examining the civil rights impact of the collection, use, and disclosure of covered data. In comparison, Senator Wicker’s bill is much more limited, and would only require the FTC to cooperate with other government agencies when it obtains information that a covered entity may have processed or transferred covered data in violation of federal or state anti-discrimination laws.
- Preservation of Existing State Laws: The Democratic-led bill would preserve existing state laws that create stronger privacy protections. In contrast, Senator Wicker’s bill would broadly preempt all differing state laws, regulations, rules, requirements, and standards that relate to the same data practices covered in the bill.
- Individual Enforcement: The Democratic-led bill includes a private right of action for individuals to challenge violations in court, with tiered remedies according to whether the violation is negligent ($100-$1,000), or reckless, willful or intentional ($500-$5,000). In contrast, Senator Wicker’s proposal provides for exclusive enforcement by the Federal Trade Commission and State Attorneys General.
As noted, there are some significant differences between these two proposals. We expect additional bills to emerge as more legislators put forward ideas to address COVID data issues, including some that may be more narrowly tailored to specific use cases. And, as the HR Policy Association recently pointed out, hundreds of existing local labor and employment laws and regulations are already applicable to COVID-related activities.
In an op-ed this week calling for legislation, Commissioner Christine Wilson quoted the words of Samuel Johnson: “When a man knows he is to be hanged in a fortnight, it concentrates his mind wonderfully.” We hope the pressure to pass legislation during this crisis can bridge the political divides in Congress, but we also hope legislators appreciate the ongoing urgency of broad comprehensive data protection legislation.