Silver linings: Why COVID-19 will encourage a national privacy law

Future generations will judge our response to the COVID-19 pandemic not only by our real-time public health and economic actions, but also by our post-pandemic regulatory choices. One of these choices will be how Congress should address the data privacy question, which is rising to new prominence as we embrace the notion that tech and data are integral to a successful and modern pandemic response.

Once we are on the other side of this critical moment, we must come together as a society, draw from the lessons learned, and create a national privacy standard that balances continued innovation and individual privacy. This is not only possible. It is imperative.

Finding consensus

April 9, 2020 Senate Commerce Committee hearing entitled “Enlisting Big Data in the Fight Against Coronavirus” brought together witnesses from the App Association, Network Advertising Initiative, Future of Privacy Forum, Interactive Advertising Bureau and the Center for Democracy and Technology, among others, underscoring the broad consensus in favor of a national privacy law and why the pandemic illustrates the need for such a law. 

Particularly in the pandemic context, there are two major reasons for this consensus.  First, a national privacy law can and should build uniform and consistent standards that provide consumers with assurances that their data will not be misused and companies with the rules of the road for using data to combat public health crises. Second, companies need legal security in order to make the most of the data at hand to develop big data solutions to address the coronavirus.

Fighting the virus; protecting privacy

The pandemic has elicited considerable interest in how data can help address the crisis.  There are many kinds of data under consideration, but one that has gotten recent attention is location data collected by smartphones and other devices. At the April 9, 2020 hearing Senate Commerce Committee Chairman Wicker asked how aggregated and anonymized location data can help with contact tracing without posing unacceptable privacy risks.

In the United States, the mobile advertising industry and technology companies are collecting consumers’ smartphone location data to track the spread of COVID-19 and compliance with social distancing measures. The location data is purported to be in aggregate form and anonymized so that it does not contain consumers’ personally identifiable information. How can the use of anonymized, de-identified, and aggregate location data minimize privacy risks to consumers? And, what additional legal safeguards should be imposed on the collection of this data to prevent it from being used or combined with other information to reveal an individual’s identity? 

There are a number of answers as to how to protect personal data, many of them technical such as to incorporate the latest advances in privacy engineering.  For example “federated learning” allows AI algorithms to analyze data from different sources without having to pool sensitive personally identifiable information from those sites.  “Differential privacy” techniques accomplish much the same thing. 

In the end though, the emerging consensus (including among industry, which has traditionally favored self-regulation and voluntary codes of conduct) is that self-regulation is not enough and that a national law is needed both to protect consumers and to provide a legal framework that would permit companies to innovate in this space.  

Increasing consumer confidence

A federal privacy law would increase consumer confidence in data-driven innovation, especially, but not limited with respect to, the health space in the following ways. 

• While consent would still have a place, the role of notice and choice would be deemphasized, thereby reducing the role of long legalistic privacy policies that consumers often face when purchasing digital products and services.
• Preventing consumer injury would guide the development of a federal privacy law. For example, the Software & Information Industry Association advocates that policymakers consider four categories of information injuries in this context: financial, physical, reputational and unwanted intrusion injury. 
• Consumers would have new rights to notice, control, access, correction, deletion, and portability.
• National enforcement would be strengthened, particularly through the Federal Trade Commission.

That will happen. Just not right now.

There just is not much bandwidth to get a privacy law on the books while the immediate crisis needs to be dealt with.  But the reality is that this is not the last time companies and countries are going to grapple with using sensitive personal health data to manage a public health emergency.  Congress should act as soon as it can to enact a federal privacy law providing national rules protecting consumers and empowering firms to innovate securely.