Democrats Introduce COVID-19 Data Privacy BillSimilar Measures Failed to Win Congressional Approval Last Year
Congressional Democrats have again introduced legislation designed to help safeguard the privacy of COVID-19 health data collected for public health purposes.
Similar proposals were introduced by Democratic lawmakers last year as part of a coronavirus relief package, but those provisions did not win Congressional approval.
The Democratic senators and representatives who introduced this year’s legislation say the Public Health Emergency Privacy Act sets “strong and enforceable privacy and data security rights for health information” as technology companies and public health agencies deploy “new tools to fight the spread of COVID-19, including contact tracing apps, digital monitoring, home tests and vaccine appointment bookings.”
The sponsors of the privacy legislation include senators Mark Warner, D-Va., and Richard Blumenthal, D-Conn. and representatives Anna Eshoo, D-Calif., Jan Schakowsky, D-Ill., and Suzan DelBene, D-Wash.
“After decades of data misuse, breaches and privacy intrusions, Americans are reluctant to trust tech firms to protect their sensitive health information,” the sponsors said in a statement.
The Bill’s Main Provisions
The Public Health Emergency Privacy Act proposes to:
- Ensure that data collected for public health is strictly limited for use in public health;
- Explicitly prohibit the use of health data for discriminatory, unrelated or intrusive purposes, including commercial advertising, e-commerce, or efforts to gate access to employment, finance, insurance, housing or education opportunities;
- Prevent the potential misuse of health data by government agencies with no role in public health;
- Require data security and data integrity protections – including data minimization – and mandate data deletion by tech firms after the public health emergency;
- Protect voting rights by prohibiting conditioning the right to vote based on a medical condition or use of contact tracing apps;
- Require regular reports on the impact of digital collection tools on civil rights;
- Give the public control over their participation in these efforts by mandating transparency and requiring opt-in consent;
- Provide for robust private and public enforcement at the federal level while recognizing the continuing role of states in legislation and enforcement.
The proposed legislation would “prohibit privacy invasions by preventing misuse of pandemic-related data for unrelated purposes, like marketing, prohibiting the data from being used in discriminatory ways, and requiring data security and integrity measures,” Eshoo said in a statement. “The legislation will give the American people confidence to use technologies and systems that can aid our efforts to combat the pandemic.”
The bill would require that organizations and service providers that collect, use or disclose emergency health data “shall establish and implement reasonable data security policies, practices and procedures to protect the security and confidentiality of emergency health data.”
The legislation would not supersede any requirements or authorizations under the Privacy Act of 1974, HIPAA, or federal or state medical records retention and health privacy laws or regulations.
The latest legislation is an effort to restart discussions on a COVID-19 privacy bill, says privacy attorney Kirk Nahra of the law firm WilmerHale. “This issue had some momentum last spring, but then died, somewhat unexpectedly,” he says.
The proposal raises some important issues, Nahra says.
“First, will any of the ideas in this bill carry over to the broader debate on national privacy legislation? This is very much an emergency-focused bill, but we may see some carryover,” he says.
“Second - and this is a long shot but a very intriguing possibility - it is possible that a broad agreement on this proposal could then incorporate some broader privacy legislation at this point, short-circuiting the otherwise slow legislative debate.”