Contact Tracing Gridlock

As states move to reopen the U.S. economy, we hear a lot on the news about contact tracing applications and how we can use them to help reduce the spread of COVID-19. With all of this news comes the inevitable and frankly critical question of data privacy. If we allow governments or private organizations to trace us, how can we be assured that the data collected is being used for the purpose for which it was intended? And despite the fact that we are facing this new problem (i.e., data privacy in contact tracing apps), we see a familiar scenario: Congressional gridlock.

But, before we delve into the legalities, it is important to understand what contact tracing is and how technology can assist. 

What is contact tracing?

Contact tracing is a disease control measure which has been around for decades. It assists state and local health departments in preventing the further spread of infectious diseases, such as COVID-19. The way it works is that public health personnel work with the infected patient to help them recall all of the individuals with whom they have had close contact during the time when they could be contagious.

Obviously, using technology to assist in the process could create a more effective and widespread network that would trace the disease and warn people who have been potentially exposed. However, a serious question arises: in light of the limitations on the effectiveness of this tech solution, is the privacy trade-off worth it? Couple that with the almost certain inevitability of abuses linked to contact tracing applications that lack a corresponding checkpoint, and a predictably larger legal issue begins to emerge.

For its part, the tech industry is under enormous pressure to create a digital solution to the COVID-19 crisis. With people being locked in their homes for months, both the government and the industry itself realize that getting people out of their homes and back to even a “new normal” is critical for the economy and the nation’s mental health. Tech companies are therefore feverishly working on applications that can track COVID-19. After all, there’s an app for that… right?

Challenges to Creating Effective Contact Tracing Solutions

An application is successful and effective if you have people willing to use it. From a global perspective, this is clearly a real issue. In privacy-aware Europe, using mobile tracking technology to monitor and keep the virus in check will certainly spark much discussion and debate. This is not shocking. The legislative body that brought us the General Data Protection Regulation (“GDPR”), one of the strongest data privacy laws in the world, has a citizenry that is not likely to easily allow the government or private companies to monitor their movements. One does not need to look too far back in history, to a time when Europe went down this road before and governments monitored their citizens (e.g., Nazi Germany), to realize that Europeans are not overly keen on that idea.

But unlike the U.S., Europe has the GDPR and its Privacy-by-Design principles that its citizens can rely on. The European Data Protection Board (“EDPB”) issued guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak. Even Max Schrems, the famous Austrian privacy lawyer who successfully sued Facebook over data privacy issues, has said that “If you have a proper design, it’s hard to misuse, but that’s something that in daily life people do not differentiate.” 

Conversely, here in the U.S., we have not yet put in place those same national privacy protections. There is no federal data privacy or cybersecurity law. We are currently operating under a not-so-uniform patchwork of individual states' approaches to data privacy. States like California are leading the charge with the California Consumer Privacy Act (“CCPA”), but that applies only to California consumers. Considering the fact that tech giants have not had the best of reputations related to their privacy practices, it is little wonder that Americans are conscious of, and frankly apprehensive about, the idea of contact tracing applications.

Proposed Federal Laws to Address Contact Tracing Concerns

Within this disjointed privacy framework, big tech is working to create apps that could be used to notify users who come in close contact with a person who tested positive for COVID-19. Despite the benefits such an app would create, approximately 3 out of 5 Americans say they are either unable or unwilling to use these infection-alert systems. One of the reasons is that Americans have a general distrust of big tech. Nearly half of Americans surveyed said that they would trust public health agencies rather than private tech companies with their data. The first effort to combat this sense of distrust was put forth by a group of Republican U.S. Senators who introduced a data privacy bill, the COVID-19 Consumer Data Protection Act (“CDPA”), that would regulate the data collected by contact tracing apps.

The U.S. Senators proposing this legislation, i.e., Sens. Roger Wicker (MS), John Thune (SD), Jerry Moran (KS), and Marsha Blackburn (TN), said in a joint statement that the CDPA would “provide all Americans with more transparency, choice, and control over the collection and use of their personal health, geolocation, and proximity data.” Democrats on the other side of the aisle are concerned over the parameters of enforcement, specifically leaving this task to state attorneys general. Needless to say, that would create, once again, a non-uniform patchwork of enforcement rather than a cohesive and comprehensive national privacy law.

In response to the CDPA, Senate and House Democrats countered with the Public Health Emergency Privacy Act (“PHEPA”). PHEPA, which is being introduced by Sens. Richard Blumenthal (Conn.) and Mark Warner (Va.), as well as Reps. Anna Eshoo (Calif.), Jan Schakowsky (Ill.) and Suzan DelBene (Wash.), prohibits the collection of data that is not for a public health purpose. The data would also need to be deleted by the companies within sixty (60) days of the public health emergency ending. Both PHEPA and the CDPA require the organization collecting the data to receive “affirmative express consent” prior to collection and to allow users to opt out of data collection.

Another main difference between the CDPA and PHEPA is that the CDPA does not provide resources for the Federal Trade Commission (“FTC”) to enforce it, nor does it provide for rule-making authority by the agency. PHEPA specifically provides for FTC enforcement under Unfair or Deceptive Trade Practices and allows the FTC to promulgate rules with a notice and comment period. Another interesting point to note in the CDPA is the state preemption. The CDPA preempts states from adopting or enforcing any stricter privacy protections in the absence of federal protections by the FTC. This shortfall potentially initiates a real conflict between the CDPA and the CCPA by setting up a Constitutional challenge to the CDPA before it even gets out of the gate. Plainly, federal preemption issues already exist between the proposed CDPA and the CCPA. Nonetheless, if the end goal is to provide true transparency, then it may be time to revisit some of the other data privacy laws that have been proposed at the federal level.

As we discussed in a previous post, it has been apparent for quite some time now that a federal privacy law is acutely needed along a national framework instead of yet another regulation curtailing government’s authority on personal privacy issues, which has already been accomplished. In the U.S., laws that primarily govern private industry are mostly left to contracts. When individuals sign up for apps, their rights vis-à-vis those apps are dictated by the Terms of Use/Terms of Service and Privacy Policy that attach to those apps. Those contracts, however, are predominantly not negotiable. In order to use those apps, the individual must agree to the contract she/he is presented. This inevitably creates disparate bargaining power by setting the stage for a take-it-or-leave-it approach to app usage. Consequently, if the government, public health or tech companies want the citizenry to use contact tracing apps, there must be more protections in place.

As things stand right now, we have limited state-enacted data privacy laws that have domestic consumer protections in place that account for transparency in data collection practices. This lack of widespread transparency creates inherent distrust. Thus, in the face of a public health crisis where citizens are understandably examining closely the rapidly unfolding events and dissemination of information, we do not need to give rise to distrust when it comes to the data being collected for contact tracing.

Finding a Path Forward

Public health officials agree that contact tracing is a critical step in curtailing the spread of COVID-19. Using technological solutions to help in this effort is necessary in a global economy with shrinking digital borders. Therefore, U.S. citizens need to have confidence that the data being collected will be secure and not used for other unintended purposes if they are going to use contact tracing applications. Senator Richard Blumenthal of Connecticut said it best:

“This crisis has made urgently clear the need for strong, reliable protections for privacy and security of personal data … [a]s just one example, there is certainly a need for clear guardrails concerning information resulting from testing and contact tracing.” 

A commissioner with the FTC, Christine Wilson, wrote a Wall Street Journal op-ed on Wednesday calling for Congress to implement a new federal privacy law, saying that “the assumption that consumers have already given informed consent for quarantine-compliance monitoring is unsupportable.”

The issue of a federal data protection law is front and center in the debate over contact tracing apps. Contact tracing apps must be in widespread use to be effective. If the government wants Americans to use contact tracing apps, Americans need to have confidence that the organization collecting the data will not abuse the privilege. In other words, the guardrails Sen. Blumenthal referred to need to be in place first. In addition, those guardrails need to be strong enough to overcome any encroachment on privacy, meaning the FTC needs to have enforcement authority and funding to be able to enforce.

It is clear that both parties see value in creating a data protection law that addresses data collection by private organizations related to contact tracing apps. As technology speeds ahead, pushing the boundaries of what is possible, government is still effectively stymied by the same old problem: an inability to compromise. If they enjoy widespread use, contact tracing apps could help us all get back to some kind of “normal”. Tech companies are moving ahead, trying to accomplish this, but they need to have guidance on how to do this in light of data privacy concerns. The solution is ultimately the one standing right in front of us. A data privacy law would act as the vaccine we need to inoculate against public distrust in contact tracing apps, but Congress needs to make that happen.

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.