In Part I of this mini-series last week, Dayle A. Duran, Esq., CIPP/US articulately described Apple and Google’s COVID-19 contact tracing API. Overall, she concluded that, if used as intended, the technology provides good privacy protections, but flagged that the real privacy risks lie in unintended use and function creep. And that’s what brings us to the need for legislation.
In this country, we have only a patchwork of sectoral and state-specific privacy laws. None of those laws provides a nationwide solution or a foundation from which guidance or regulations could emerge to protect data collected in connection with a public health emergency (PHE). The lack of a federal privacy law has left a deeply divided Congress scrambling to propose critical legislation.
Originally, I planned to compare the recently introduced Republican and Democratic bills on the protection of data used to address the COVID-19 PHE, including data used in contact tracing apps. Both bills raised numerous concerns. In fact, I had a proposal to marry the best parts of the two bills and use existing regulatory frameworks to fill in gaps and avoid the need for rulemaking. Thanks to a bipartisan bill released earlier this week, my plans changed.
On June 1, a bipartisan group of Senators introduced the “Exposure Notification Privacy Act” (ENPA), which, unlike the partisan bills, focuses solely on contact tracing technologies called “automated notification services” designed to trace any infectious disease, not just COVID-19. The ENPA only permits entities working with a public health authority (PHA) to collect data for purposes of offering an automated notification service.
The bill dramatically limits the collection, use and transfer of any data, specifically prohibits commercial use and requires confirmation of a diagnosis from a PHA or licensed healthcare provider. Further, it does not preempt state law or provide for a private right of action and it requires breach notification. These provisions, along with others detailed below, make the ENPA the best legislative option.
Commonalities Among the Proposed Bills
While it is no longer necessary to perform an in-depth comparison of all three bills, pointing out key similarities is a worthwhile exercise. All the bills:
- Require affirmative express consent from the individual prior to collecting, using or transferring data, and such consent cannot be inferred from inaction;
- Limit the collection, use, and transfer of data to the least amount necessary to carry out the permitted purpose;
- Mandate reasonable security practices (the ENPA provides the most robust requirements including a risk assessment and defines reasonable security practices as those accepted by information security experts);
- Require deletion of data when it is no longer being used (the ENPA requires deletion at least every 30 days, on a rolling basis, or as directed by a public health authority);
- Call for enforcement by the Federal Trade Commission under the unfair and deceptive acts provision of the Federal Trade Commission Act while granting authority to State Attorneys General to enforce locally.
That’s a lot of agreement for anything before Congress these days.
The ENPA’s Key Differences
Both the Republican and Democratic bills apply broadly to information collected and used that relates to the COVID-19 PHE. The ENPA, on the other hand, applies solely to automated exposure notification services (AENS) and requires that AENS can only be provided in collaboration with a public health authority (PHA). The ENPA would apply to AENS for any infectious disease, not just COVID-19, which would be useful if there is another pandemic in the future.
Generally, technology-specific legislation designed to address a particular issue, such as contact tracing apps, has diminishing utility because such legislation is often outdated as soon as it is passed; here, however, it may work. The legislation’s focus on AENS and meaningful rules within the bill itself makes it functional without the need to create regulations, which is a time-consuming and cumbersome process.
The ENPA prohibits AENS operators from collecting diagnosis information unless a PHA or a licensed health care provider confirms the diagnosis. This promotes public trust by mitigating the risk of honest or malicious false positive reports. Further, only an individual with such an authorized diagnosis can permit the AENS to process that information. Neither partisan bill addressed diagnosis information.
Health Insurance Portability and Accountability Act (HIPAA) Exemption
Both partisan bills specifically exempt HIPAA covered entities and business associates from compliance. Conversely, the ENPA does not mention HIPAA at all. Due to its limited applicability to AENS, the ENPA does not seek to regulate health information in the same way as the partisan bills. Under the ENPA, if a health care provider that is also a covered entity under HIPAA wants to operate an AENS, that provider must comply with the new rules, regardless of HIPAA. This is beneficial because the same rules will apply to all AENS operators.
The ENPA makes it unlawful for anyone to discriminate against an individual based on data in an AENS or based on an individual’s decision not to use such a service. The Democratic bill shares a similar provision, but more broadly prohibits housing, employment and other discrimination as well as governmental interference with voting rights based on collected data. Given the narrow purpose for which the AENS operators can collect, use or transfer covered data, the broader provisions in the Democratic proposal may not be warranted.
Tech Industry Influence on the ENPA
Some believe that Google and Apple have had too much influence on the ENPA, as several of Google and Apple’s policies for their contact tracing API overlap with ENPA provisions (e.g., voluntary individual use and required collaboration with a PHA). While industry influence on legislation has the potential to be problematic, it is not unduly concerning here. This is an unprecedented collaborative effort between competitors of all kinds. Because nothing happens expeditiously in Congress and because we need a speedy legislative solution, it makes sense to follow the lead of two tech giants that have set aside competition and financial gain to tackle the PHE.
Recommendations to Improve the ENPA
As detailed in the following three recommendations, a plug for a federal privacy law and a couple of additional privacy protection measures would make the ENPA even better. First, the ENPA needs a sunset provision that takes effect upon the enactment of federal privacy legislation protecting the covered data. Second, under the ENPA, aggregate data is not regulated. It may be worth requiring an affirmative act to prove that aggregate data is not reasonably linkable to a person, such as requiring a documented expert determination. Finally, law enforcement use should be clearly limited. As Dayle noted in her article, law enforcement has seized on the availability of genetic data held by companies like 23andMe and AncestryDNA in a way that those who voluntarily provided genetic data never imagined.
The ENPA’s proposed language adequately addresses the privacy risks related to unintended use and function creep. Most importantly, it avoids creating a new set of health privacy rules that would serve only to further complicate the already complex and confusing privacy ecosystem in this country. Hopefully, if enacted, the ENPA will inspire a collaborative effort to create comprehensive federal data privacy legislation, so that we won’t be in the same position during the next crisis.
 Special thanks to Dayle A. Duran for writing Part I of this series and for her assistance editing Part 2. It’s been awesome working with her and hopefully, we will see her again soon on this blog!
 For example, one of the de-identification methods under HIPAA involves the use of an expert. 45 CFR §164.514(b)(1).