Patient Privacy News

Sens. Propose Bill to Regulate Privacy of COVID-19 Contact Tracing Apps

Proposed bipartisan privacy legislation would give consumers control over the data collected by COVID-19 contact tracing apps, while establishing data restrictions and enforcement measures.


By Jessica Davis

Sens. Maria Cantwell, D-Washington, and Bill Cassidy, R-Louisiana, recently introduced privacy legislation designed to protect the data collected, used, and maintained by COVID-19 contact tracing apps and other commercial online exposure notification systems, while establishing enforcement provisions.

The proposal joins two other contact tracing bills released in the last month. Congressional Democrats unveiled the Public Health Emergency Privacy Act on May 14, meant to restore public trust in technologies that would benefit the COVID-19 fight, while protecting consumer privacy.

In early May, Senate Republicans unveiled a similar proposal, focused on strict privacy disclosures and ensuring businesses are held accountable for any data misuse.

While contact tracing apps are intended to help curtail the spread of COVID-19, privacy advocates have repeatedly warned these apps also pose serious privacy and security risks and have grown increasingly worried about the potential threats the apps pose to consumers.

A prime example of those risks was seen on May 21, when a security flaw in Qatar’s contact tracing app exposed the sensitive data of more than 1 million citizens, according to Amnesty International. Given that participation in the app is mandatory, those officials warned the event should serve as a warning to other governments of the need for strict privacy and security requirements.


“This incident should act as a warning to governments around the world rushing out contact tracing apps that are too often poorly designed and lack privacy safeguards,” Claudio Guarnieri, Head of Amnesty International’s Security Lab, said in a statement. “If technology is to play an effective role in tackling the virus, people need to have confidence that contact tracing apps will protect their privacy and other human rights.”

From potential overreach to the need to sunset data once the pandemic ends, app developers must work hard to gain public trust. The latest Congressional proposal targets those concerns, with provisions that include promoting public health and ensuring participation is voluntary.

The bill would also ensure commercial online exposure notification systems give consumers control over their personal data, and it would limit the type of data that can be collected and how it can be used. Further, it’s designed to quell the public’s privacy concerns by ensuring the apps are indeed from legitimate sources.

“Public health needs to be in charge of any notification system so we protect people’s privacy and help them know when there is a warning that they might have been exposed to COVID-19,” Cantwell said in a statement.

"As we continue to confront the coronavirus pandemic, Americans should not have to worry about the privacy and security of their personal health data,” Sen. Amy Klobuchar, D-Minnesota, the bill’s co-sponsor, said in a statement. “While contact tracing can play a critical role in helping prevent the spread of the coronavirus, this crucial innovation cannot come at the expense of consumers’ privacy."


Specifically, the bill would require the involvement of public health officials in the deployment of any contact tracing app to give consumers confidence the app is legitimate and “not created by unqualified actors.”

The app would only be allowed to collect medically authorized diagnoses to combat false reporting, while requiring voluntary participation based on affirmative consumer consent. The bill also requires limits on the collection and use of data to just what is necessary for the contact tracing purpose. Any commercial use of data would be banned.

Under the legislation, all participants would be allowed to delete their data from the exposure notification system at any time. Any discrimination against participants, such as by places of public accommodation, would be prohibited, whether based on the information provided to the contact tracing app or on their choice to participate.

The bill also creates comprehensive data security safeguards, requirements, and obligations, while requiring the app owners to immediately notify individuals in the event of a security incident.

Lastly, the legislation outlines strict enforcement measures aimed at protecting consumer rights, which would empower federal and state authorities to prosecute any violations and pursue strong penalties.


“Automated exposure notification services will be released to track the spread of the COVID-19 virus and notify individuals who may be exposed,” the Senators explained. “However, this method will only be effective if adoption reaches a critical mass.”

“Safeguarding data privacy and civil rights in any exposure notification system is needed to help ensure the widespread participation necessary for the program’s efficacy,” they added. “The Exposure Notification Privacy Act creates those strong privacy safeguards for commercial automated exposure notification services.”