Skip to main content

Senators’ plan for reining in contact tracing apps doesn’t make a lot of sense

Senators’ plan for reining in contact tracing apps doesn’t make a lot of sense

/

It’s unclear how to enforce the new privacy measures

Share this story

Tracking App Covid-19!
Photo by Thomas Trutschel/Photothek via Getty Images

A group of Senate Republicans is planning to introduce a privacy bill that would regulate the data collected by coronavirus contact tracing apps. The COVID-19 Consumer Data Protection Act would “provide all Americans with more transparency, choice, and control over the collection and use of their personal health, geolocation, and proximity data,” according to a joint statement. It’s not clear how the legislation would be enforced (the statement says it would “authorize state attorneys general to enforce the Act”), a potential sticking point to persuading Democrats to get on board.

Republican Sens. Roger Wicker (MS), John Thune (SD), Jerry Moran (KS), and Marsha Blackburn (TN) said the legislation also would “hold businesses accountable to consumers if they use personal data to fight the COVID-19 pandemic.” The act would permit the creation of “platforms that could trace the virus and help flatten the curve and stop the spread – and maintaining privacy protections for U.S. citizens,” Thune said.

But Sara Collins, policy counsel at privacy rights watchdog group Public Knowledge said in a statement that the legislation was “a privacy ‘cure’ worse than the disease,” and amounted to “deregulation disguised as consumer protection.” The bill doesn’t include resources for the Federal Trade Commission to enforce it, offer an enforcement mechanism, or provide any new rule-making authority, Collins said.

“The only ‘restrictions’ apply to data specifically collected for coronavirus contact tracing,” she said. “To make matters worse, the bill gratuitously preempts the much stronger FCC privacy protections governing mobile carriers. These protections have been used to ensure data on mobile phones are not shared with third parties without the user’s permission. As a final insult to consumer privacy, the bill would preempt the states from adopting or enforcing any stricter privacy protections in the absence of strong federal protections at the FTC.”

Last month, Google and Apple announced a rare joint project to build a framework for contact tracing apps, and although the senators’ announcement doesn’t specifically mention this project, the bill appears aimed at privacy issues Google and Apple have already addressed. An API for developers to build contact tracing apps, the project uses Bluetooth to track COVID-19 cases, as smartphones track with whom an infected person comes into contact. This would allow public health officials to inform people when they have been exposed. Identifying information and patient locations are not shared with Apple or Google, and participation would be voluntary. And the companies have pledged to shut down the tracker once the pandemic is over.

Under the proposed legislation, companies that fall under the Federal Trade Commission’s jurisdiction would have to obtain “affirmative express consent” for any collection or use of their personal health and location information “for the purposes of tracking the spread of COVID-19.” People must be allowed to opt out of any data collection or transfer of their personal information, and companies must be clear about what information is collected, how it will be handled, and how long it will be retained. Companies will be required to delete or anonymize any personally identifiable information after it’s no longer being used for COVID-19 tracing.

The bill is set be introduced next week, according to Sen. Wicker’s office. There’s a chance the legislation would be rolled into the next phase of coronavirus relief if it gains bipartisan support, according to Protocol. But Sen. Blackburn told Politico that she expected the COVID-19 privacy bill would probably move forward independently of the coronavirus relief legislation.

Sen. Richard Blumenthal (D-CT) said in a statement that he looked forward to working on the consumer privacy protections. “This crisis has made urgently clear the need for strong, reliable protections for privacy and security of personal data,” Blumenthal said. “As just one example, there is certainly a need for clear guardrails concerning information resulting from testing and contact tracing.”

As with any privacy legislation, however, Democrats and Republicans are likely to disagree on whether to include a private right of action in the COVID-19 bill. This would permit the ability to sue tech platforms for violating rules of a potential future federal privacy law. In the past, Democrats have sought to include a private right of action to hold platforms responsible, but Republicans have maintained that such a provision would lead to frivolous lawsuits more likely to hurt small businesses than big tech firms like Facebook and Twitter. 

Jason Oxman, president and CEO of the Information Technology Industry Council said the tech industry is working closely with public and private partners on coronavirus research. “Data and technology tools can help address this crisis, but the sensitive data necessary to achieve this goal must be adequately protected and limited,” Oxman said. “ITI and our member companies respect our users’ privacy, and in order to ensure trust, we remain committed to working with policymakers – in the US and elsewhere – to develop strong, comprehensive privacy protections.”

Apple and Google did not immediately respond to requests for comment Friday.