Privacy risks of using big data in the fight against COVID-19 are significant, and have caught the attention of Republicans and Democrats alike.
Earlier this month we reported on a bill introduced on May 7 by Republican members of the Senate Commerce, Science and Transportation Committee: the COVID-19 Consumer Data Protection Act of 2020. The proposed bill would temporarily regulate the collection, transfer, and processing of certain personal data in connection with COVID-19 related purposes.
On May 14, Democrats responded with their own plan: the Public Health Emergency Privacy Act (“PHEPA”). The bicameral effort was introduced by Senators Blumenthal (D-CT) and Warner (D-VA) in the Senate, as well as Representatives Eshoo (D-CA), Schakowsky (D-IL) and DelBene (D-WA) in the House. Similar to the Republican proposal, PHEPA would temporarily regulate the collection, use and disclosure of emergency health data in connection with COVID-19.
A key aim of PHEPA is to regulate tech companies and public health agencies that deploy contact tracing applications and digital monitoring tools. “After decades of data misuse, breaches, and privacy intrusions, Americans are reluctant to trust tech firms to protect their sensitive health information,” the press release announcing the proposal stated. Calling attention to the counterproductive effects of low participation in contact tracing applications and digital monitoring tools, Senator Blumenthal noted, “Legal safeguards protecting consumer privacy failed to keep pace with technology, and that lapse is costing us in the fight against COVID-19.” Representative Eshoo went on to note, “As we consider new technologies that collect vast amounts of sensitive personal data, we must not lose sight of the civil liberties that define who we are as a nation.”
While PHEPA shares some similarities with the Republican proposal – such as express consent from individuals before their data is collected, transparency requirements, and use restrictions – PHEPA diverges from its Republican counterpart in several meaningful ways.
The Republican proposal would apply to precise geolocation data, proximity data, and personal health information when collected, processed, or transferred for a “covered purpose.”
PHEPA applies to a broader swath of personal information, covering “emergency health data,” which includes the following data and information related to the COVID-19 public health emergency: (1) physical or behavioral health information, testing and examination information, information concerning infection or likelihood of infection, and genetic data, biological samples and biometrics; (2) any information collected for the purpose of tracking, screening, monitoring, contact tracing, mitigation, or otherwise in connection with the COVID-19 public health emergency, such as geolocation data, proximity data, demographic data, and contact information for identifiable individuals (such as an address book or call log); and (3) any data collected from a personal device.
Additionally, unlike the Republican proposal, PHEPA does not include an exclusion for employee health data collected or processed for workplace safety-related reasons. PHEPA also lacks any exception for guest or visitor screening data obtained as a condition of entry to a public venue, retail location, or theme park.
While the Republican proposal would apply only to private organizations, PHEPA would additionally apply to government entities that collect, use or disclose “emergency health data,” including federal, state, and local governments and other organizations.
Private Right of Action and Statutory Penalties
One of the most impactful differences between the Republican proposal and PHEPA is that PHEPA would create a private right of action. PHEPA provides, “a violation of this Act with respect to the emergency health data of an individual constitutes a concrete and particularized injury in fact to that individual,” allowing individuals alleging violation to bring civil actions under PHEPA. The bill further allows for damages of $100 - $1,000 per violation in cases of negligent violation, and damages of $500 - $5,000 per violation in cases of reckless, willful, or intentional violation, as well as attorney’s fees, litigation costs, and “any other relief, including equitable or declaratory relief, that the court determines appropriate.” Relatedly, pre-dispute arbitration agreements and pre-dispute joint action waivers (class action waivers) would not be valid or enforceable under PHEPA.
The Republican proposal allows enforcement by the FTC under the FTC Act regarding unfair or deceptive acts or practices, as well as by State attorneys general for violations affecting their State’s residents, but would not create a private right of action.
Unlike the Republican proposal, PHEPA expressly would not preempt federal or state law.
PHEPA would prohibit government entities and covered organizations from using emergency health data, medical condition information, or participation or non-participation in a program to collect emergency health data, to deny, restrict or interfere with an individual’s right to vote, or to retaliate against an individual for voting.
The Republican bill does not contain any similar requirements.
Civil Rights Impact Reports
Under PHEPA, the Secretary of the Department of Health and Human Services (HHS), in consultation with the U.S. Commission on Civil Rights and the FTC, would be required to submit reports to Congress on the civil rights impact of the collection, use, and disclosure of health information in response to the COVID-19 health emergency. Such reports must, at a minimum: (1) evaluate the impact of such practices on the civil rights and protections; (2) analyze the impact, risks, costs, legal considerations, disparate impacts, and other implications to civil rights of policies to incentivize or require the adoption of digital tools or apps used for contact tracing, exposure notification, or health monitoring; and (3) include recommendations on preventing and addressing undue or disparate impact, segregation, discrimination, or infringements of civil rights in the collection and use of health information.
The Republican bill does not require reporting from governmental agencies.
We will continue to monitor progression of both proposals. If you have any questions about how these bills may impact your organization, please contact the Mintz Privacy & Cybersecurity Team.