Congressional Democrats Introduce an Alternative COVID-19 Privacy Bill

We recently reported that a group of Republican Senators introduced a COVID-19 Consumer Data Protection Act of 2020 to regulate processing of geolocation, proximity, and personal health information data to track the spread, signs, and symptoms of COVID-19, measure compliance with social distancing guidelines, and conduct contact tracing for the COVID-19 purposes.

On May 14, 2020, five members from both houses of Congress introduced their own version of the COVID-19 privacy legislation, the Public Health Emergency Privacy Act (PHEPA).  PHEPA would apply to commercial and governmental entities that collect, use or disclose personal data concerning the COVID-19 health emergency (emergency health data) or develop or operate a mobile or web application for the purpose of tracking, screening, monitoring, contact tracing, mitigation, or otherwise responding to COVID-19.

The emergency health data would include data derived from the COVID-19 testing, data on whether an individual has contracted, been tested for, or the likelihood that he will contract the decease, genetic data, biological samples and biometrics, as well as data collected in conjunction with the emergency health data such as geolocation, proximity data, demographic data, and contact information.

Like the COVID-19 Consumer Data Protection Act, PHEPA would require organizations to obtain explicit consent from individuals to collect, use, and disclose their emergency health data, as well as to provide a mechanism for revoking the consent.   The bill would guarantee the right to privacy of the emergency health data (which includes the rights to its limited collection, use, and disclosure, rectification, and safeguards from unlawful discrimination) and the right to data security.

The covered organizations would be prohibited from using the emergency health data for any unauthorized purposes, including commercial advertising.  The organizations would further be required to provide certain disclosures in the privacy policies and would be obligated to destroy the data upon the termination of the health emergency.   Notably, the bill specifically prohibits any interference with a right to vote based on the individual’s emergency health data, medical condition, or participation or non-participation in a program to collect the emergency health data.

Additionally, the bill provides for enforcement by the Federal Trade Commission and state attorney generals, as well as for a private right of action.

As we recently reported, the U.S. government has been in discussions with the leading tech companies to use geolocation and smartphone movement data to combat the coronavirus pandemic.  As reported by CNBC,  66% of recently surveyed adult Americans said they would be not at all or not be very likely to use a contact tracing system made by major tech companies.  Although more people said they would use a system created by the public health officials, 48% said they would still be unlikely or definitely not use it.  The recently proposed privacy bills would not only provide protection for personal data but would also potentially build confidence in the contact tracing methods.

Ask Clarip today how we can solve your biggest privacy compliance pain points, Call Clarip at 1-888-252-5653