
Global privacy in a crisis: The challenge of addressing regional privacy laws & COVID-19

This article was originally published on Thomson Reuters Westlaw on June 27, 2020, citation 2020 WL 3486582. Republished with permission.

By Jordan L. Fischer, Esq.

In the last two decades, the evolution of technology, the growing prominence of data, and the general globalization of the world economy have created tensions with the concepts of international data privacy.

Within this increasingly digital world, regional approaches to privacy laws have created legal barriers to the exchange of information and the development of effective technological solutions to societal concerns.

Within this environment, COVID-19 has highlighted the challenges associated with these regional approaches to privacy because data and technology know no borders.

This article explores the regional tensions in privacy and data governance, and the challenges caused by a lack of harmonization between these regional approaches to privacy, information governance, and data sharing.

These challenges are exacerbated by two key areas: (1) the definition of privacy; and (2) the core concepts underpinning the legal frameworks.

Using the European Union and the United States as case studies, it becomes apparent that without a baseline understanding of privacy protections, these regional divergences will hinder both our response in times of crises and the innovative solutions that those crises require.

THE RAPID EVOLUTION OF PRIVACY

Privacy is not a new subject. However, since the 1970s, privacy has gained more prominence both in the law and the economy.

The Fair Information Privacy Principles (“FIPPS”) provide the modern concepts of privacy, articulating core principles such as:

(1) notice/awareness;
(2) choice/consent;
(3) access/participation;
(4) integrity/security; and
(5) enforcement/redress.[1]

These FIPPS led to the creation of various regional and international regulatory regimes, including the U.S.’s Privacy Act of 1974[2] and the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.[3]

Ultimately, FIPPS forms the backbone of the European Union’s General Data Protection Regulation[4] (“GDPR”), one of the most influential privacy regulations.

Unlike Europe, concepts of data privacy at the United States federal level involve governmental actors. However, consumer-facing data privacy is starting to take a front seat at the state level.


The classic example is California, with the California Consumer Privacy Act (“CCPA”),[5] which creates data protection measures focused on the private sector.

Stepping back, it is key to look at some essential divergences in data privacy created by the growing regionalization of privacy law. However, it is important to keep in mind that international concepts of information sharing and the digital economy are still in their infancy.

DEFINING PRIVACY

Understanding the definition of privacy is key to understanding what the law is intended to protect. Is privacy a right? Is privacy a commodity? What is protected under the law of privacy? Is it privacy vis-à-vis the government? Private companies? Your neighbor?

Privacy itself is a very cultural and personal concept. In the 19th century, Warren and Brandeis famously articulated privacy as: “the right to be left alone.”[6]

Since then, the concepts of privacy have evolved to mean many different things, often depending on culture and history.

Even defining the concept of data related to an individual diverges across regional lines with the two (2) main privacy laws (i.e. the CCPA and GDPR) having different definitions.

The GDPR uses the term personal data, defined as

any information relating to an identified or identifiable natural person (’data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.[7]

Whereas the CCPA uses the term personal information, which it defines as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”[8]

The CCPA goes on to list a number of different types of personal information, including biometric information, geolocation data, education information, and “inferences drawn from any information identified in this subdivision.”[9]

The CCPA then expressly carves out publicly available information from the definition of “personal information.”[10]

And, finally, there is the widely used term in the United States of personally identifiable information which is usually associated with data security. Personally identifiable information denotes information that requires protection and creates liability for the holder.

This term is used in both federal and state laws, and often is defined as an individual’s name plus another piece of identifying information, such as a social security number, financial information, or driver’s license number.[11]

The threshold issue therefore becomes: what are we protecting? Is it personal data, or personal information, or personally identifiable information?

This becomes acute in the current crisis environment because the definition of information protected under privacy laws will directly correlate with the protections required by companies who are offering solutions to COVID-19.

THE VARYING FORMS OF PRIVACY PROTECTIONS

It is against this backdrop of divergent definitions and concepts of personal information or data that COVID-19 has provided a unique test case for the ways in which countries with developed privacy legislation can demonstrate their ability to respond quickly to situations that place pressure on privacy.

Generally, privacy laws fall on a spectrum that ranges from comprehensive privacy laws to limited privacy frameworks.[12]

Comprehensive privacy laws provide for a similar set of data protection requirements for both the private and public sector, and do not vary depending on the industry or type of data collected.

Conversely, limited privacy frameworks generally address the collection of personal information by the public sector, but leave most (if not all) of the private sector to self-regulate its own privacy practices.[13]

The GDPR falls squarely within the comprehensive privacy approach, whereas at the federal level in the U.S., there is a more limited approach, creating patchwork privacy protections that depend on the type of data impacted, the industry of the collector, and the size of the entity.


During COVID-19, the impact of these two approaches has been drastically different.

In Europe, the European Data Protection Board (“EDPB”), charged with overseeing data protection across all of the European Union, has continued to provide guidance on the collection of personal data in the context of COVID-19.

In March 2020, the EDPB provided guidelines for the use of health data in the context of COVID-19, emphasizing that “[d]ata protection rules (such as the GDPR) do not hinder measures taken in the fight against the COVID-19 pandemic”.[14]

The EDPB provided additional guidance on the collection and processing of geolocation data, again emphasizing that the “data protection legal framework was designed to be flexible and as such, is able to achieve both an efficient response in limiting the pandemic and protecting fundamental human rights and freedoms.”[15]

Because the EU already maintains a set of data protection laws, it was able to draw support from those laws to work with companies creating innovative solutions to address COVID-19 while also balancing the privacy protections of the individuals.

The GDPR also provides a level of comfort to EU consumers that the information used during this crisis will not be exploited.

Further, the GDPR, and other similarly written privacy legislation, has provided more concrete requirements that the private and public sector can use to design and implement solutions during this crisis.

The privacy law structure and consumer confidence are a stark contrast to what we see domestically. In the United States, where privacy laws are not as comprehensive, there have been a number of different viewpoints and sources of guidance in responding to COVID-19.

The Health Insurance Portability and Accountability Act[16] (“HIPAA”) provides guidance in the collection and use of personal health information gathered in the context of COVID-19 treatment.

The Office of Civil Rights (“OCR”) that enforces HIPAA provided a number of different guidelines, especially focused on telehealth communications and disclosure of information during a public health emergency.[17]

However, HIPAA, and OCR, are less relevant in the research and development space.

Additional federal agencies have weighed in on various components of COVID-19 that impact privacy. For example, the U.S. Food and Drug Administration (“FDA”) is heavily involved in the creation of a vaccine and the corresponding clinical trials and testing.[18]

And, the Department of Labor, under the Occupational Safety and Health Act of 1970 (“OSHA”), released guidance on recordkeeping for employees who return to work during COVID-19.[19]

Further, individual states are also providing guidance on the collection of personal information within the context of COVID-19. The California Attorney General emphasized that consumers still maintain privacy rights throughout the emergency situation.[20]

The New York Department of Financial Services (“NY DFS”) issued guidance reminding companies of the increased security risks posed by remote work during COVID-19.[21]

Without clear federal guidance (i.e. a statute) that addresses data privacy protections, the approach to data privacy is more scattershot, which leads to uncertainty in the private sector and a lack of confidence for the consumer.

Couple this with the numerous different state regulations that come into play, and we see chaos.

The U.S. Congress is playing catch-up, proposing two competing privacy laws focused on COVID-19: (1) the COVID-19 Consumer Data Protection Act (“CDPA”)[22] and (2) the Public Health Emergency Privacy Act (“PHEPA”).[23]

However, these bills diverge on a number of areas, including enforcement, state preemption, and the impacted data.[24]

Domestically there is a clear lack of consensus and data privacy leadership at the federal level, which leaves industry to guess at compliance and police themselves.

CREATING A GLOBAL PRIVACY PATH DURING A CRISIS

What is apparent when looking at both the United States and the European approach to privacy during COVID-19 is that waiting until a crisis to create privacy laws provides for more chaos and less clarity in addressing the societal needs.

While Europe has struggled to address the balance between using data to combat COVID-19 and protecting individual privacy, it is doing so consistently within a clear standard of privacy articulated in the GDPR, the Charter of Fundamental Rights, and within its vast privacy jurisprudence.

Further, the EU regulations apply across all industries in the private and public sector, making it easier to ensure that privacy is uniformly understood and enforced regardless of the stakeholder involved in developing the solution.


The United States, alternatively, does not have one clearly defined concept of privacy or data protection that it can rely on when determining whether the data collected and processed violates privacy rights.

While there is a clear constitutional restriction on the collection of personal information within the public sector,[25] the application of data privacy requirements in the private sector is much less clear.

This is highly relevant during COVID-19 when both the public and private sectors are collaborating to create effective solutions to address public health concerns.

In addition, the differences between the United States and the EU in privacy create obstacles to the sharing of information across borders.

The GDPR expressly requires that any personal data that is shared beyond the EU be protected at the same level as it would be within the EU.[26]

Currently, many organizations use the Standard Contractual Clauses (“SCCs”) to transfer data between the EU and United States. However, these clauses are currently under litigation at the Court of Justice of the European Union (“ECJ”), where they could be held invalid.[27]

Ultimately, COVID-19 has shed light on challenges facing both the public and private sectors in sharing information. However, those challenges are not insurmountable when those sectors operate within a common framework.

Mathematics is the universal language. Much of technology is based on mathematical concepts.

Therefore, creating a common language for technology, and more specifically data, would help to create a global structure on which governments and private-sector businesses could rely. After all, COVID-19 does not stay within borders, and neither does data.

Notes

[1] Pam Dixon, A Brief Introduction to Fair Information Practices, WORLD PRIVACY FORUM (Dec. 19, 2007), https://bit.ly/30QScrq.

[2] 5 U.S.C.A. § 552a.

[3] OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, 1980 (updated 2013), available at https://bit.ly/2UQL2PZ.

[4] Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Data Protection Directive), L119, 4 May 2016, p. 1–88.

[5] Cal. Civ. Code § 1798.100 et seq.

[6] Warren and Brandeis, The Right to Privacy, 4 Harvard L.R. 193 (1890).

[7] GDPR, supra note 4, Art. 4(1).

[8] Cal. Civ. Code § 1798.140(o)(1).

[9] Cal. Civ. Code § 1798.140(o)(1)(K).

[10] Cal. Civ. Code § 1798.140(o)(2).

[11] See, e.g., Breach of Personal Information Notification Act, PA ST 73 P.S. § 2301; Cal. Civ. Code § 1798.82(a); N.J. Stat. § 56:8-163.

[12] Abraham L. Newman, Protectors of Privacy, 23–41 (2008).

[13] Newman, supra note 12, at 23.

[14] Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak, 4 (adopted Apr. 21, 2020), available at https://bit.ly/2AOjSTh.

[15] Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak, ¶ 2 (adopted Apr. 21, 2020), available at https://bit.ly/2VaovhB.

[16] 110 Stat. 1936 (1996).

[17] HHS Office of Civil Rights, HIPAA and COVID-19, https://bit.ly/2YOnvAs.

[18] FDA, Coronavirus Disease 2019 (COVID-19), available at https://bit.ly/2Clkhx3.

[19] Revised Enforcement Guidance for Recording Cases of Coronavirus Disease 2019 (COVID-19) (May 19, 2020), https://bit.ly/2AKvmqR.

[20] California Attorney General, Attorney General Becerra Reminds Consumers of their Data Privacy Rights During the COVID-19 Public Health Emergency (Apr. 10, 2020), https://bit.ly/2AKP7P2.

[21] New York Department of Financial Services, Guidance to Department of Financial Services (“DFS”) Regulated Entities Regarding Cybersecurity Awareness During COVID-19 Pandemic (Apr. 13, 2020), https://on.ny.gov/3hCDnie.

[22] S. 3663, 116th Cong. (2020); Committee Leaders Introduce Data Privacy Bill (May 7, 2020), https://bit.ly/2Y9nkAz.

[23] H.R. 6866, 116th Cong. (2020).

[24] XPAN Law Group LLC, Contact Tracing Gridlock (May 19, 2020), https://bit.ly/2YOfqfn.

[25] See, e.g., supra note 2; Carpenter v. U.S., 138 S. Ct. 2206 (2018).

[26] GDPR, Chapter V.

[27] C-311/18, Facebook Ireland and Schrems (opinion anticipated in July 2020).

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.