Data Privacy

Pandemic Ups Need for Data Privacy Legislation, but 2020 Prospects Are Slim

June 15, 2020 – The COVID-19 pandemic has brought increased use of telemedicine and group conferencing platforms, as well as prompted talk of using cellphones to do contact tracing, but this uptick in using technology in new and expanded ways also has increased the risks to personal data. Unfortunately, at a time when consumer data are becoming more vulnerable, it is exceedingly unlikely that comprehensive legislation for federal regulation of data privacy and security will be brought to a vote this year, according to Coalition for Healthcare Communication Executive Director Jon Bigelow.

“Among its myriad effects on our society, healthcare system and economy, the COVID-19 pandemic has upended the agenda in Congress, even as the pandemic also has given Americans more reasons to be concerned about the privacy and security of their personal information,” Bigelow said.

From “Zoombombing,” to some telemedicine platforms not being compliant with the Health Insurance Portability and Accountability Act, and several reports of hackers targeting COVID-19 research – intent on capturing biopharma’s intellectual property in developing vaccines or therapies and also gathering personal data from subjects of clinical trials – the stakes for data privacy protections have never been higher.

Further, the use of cellphones to do contact tracing is being met with mixed consumer reviews. Indeed, Pew Research Center data from May found Americans almost precisely split – 48 percent yes, 52 percent no – on whether it is acceptable for our government to use cellphones to track COVID-19 patients. Meanwhile, proposals to issue so-called “immunity passports” to persons who have developed antibodies to COVID-19 as a way of determining who can safely return to the workplace pose the risk of discrimination in employment, renting an apartment, at restaurants, or at pools or gyms.

In response, several lawmakers – both conservative and liberal – introduced bills to address coronavirus-inspired concerns. On April 30, Sen. Roger Wicker (R-Miss.) and three Republican colleagues offered the COVID-19 Consumer Data Privacy Act, which would improve transparency, choice, and control over health, geolocation and proximity data used in contact tracing. On May 14, Sens. Richard Blumenthal (D-Conn.) and three Democratic colleagues countered with the Public Health Emergency Privacy Act, which also is intended to set new standards for protecting data but would apply to both businesses and governments, would specifically block companies from selling or profiting from data on the COVID-19 status of individuals, and would not pre-empt existing state privacy laws.

Then on May 18, Sen. Elizabeth Warren (D-Mass.) and three colleagues offered the Coronavirus Containment Corps Act, which would enhance contact tracing for coronavirus infection, ensure automatic deletion of the information after the public health emergency ends, and prohibit most sharing of the information within the government. This bill also would prohibit banning a citizen from voting based on COVID-19 status, which would raise the broader issue of “immunity passports” in other fields as well.

Prospects for early passage of any of these specific COVID-19-related bills are poor, Bigelow stated, even though the need seems pressing and their goals are relatively noncontroversial. Due to health concerns, the House and Senate have been in session this spring only for short periods, and the time available has been largely consumed with focus on the series of COVID-19 emergency relief bills passed to date and confirming judicial and executive nominations. Now another relief bill is in discussion, the appropriations process for the fiscal 2021 budget looms, and a lengthy summer break is planned to allow members to campaign.

“There is little time left on the legislative calendar, and probably the only way that a specific measure related to data privacy and COVID-19 could pass this year is if is folded into an economic relief bill,” Bigelow noted. “More likely is that some of these proposals will be added to comprehensive federal regulation of data privacy and security next year.”

Dozens of bills on the table to establish a new regulatory regime, coming at the issue from a variety of directions, have been introduced in this session of Congress, but, Bigelow explained, “most never had much chance of passage; a few were probably intended more as the basis of press releases than actual legislation. But some proposals have greater backing, and in particular, there reportedly has been significant progress in the Senate Commerce Committee in hammering out a framework for a broad-based system for federal regulation that has bipartisan support.”

Before the pandemic exploded on the political scene, one of the Committee members involved, Sen. Brian Schatz (D-Hawaii), said “we’re most of the way there” in reaching agreement. Now, although that work is unlikely to be finished until after the November elections, there is optimism that Congress will take action.

“Increasing public concern, advancing technology, the impetus of the California Consumer Privacy Act which will begin to be enforced in July (as well as further new proposals at the state level) and now the coronavirus pandemic have raised the stakes – and also enhanced the prospects – for meaningful federal legislation on data privacy and security in 2021,” Bigelow concluded.