A new federal COVID-19 data privacy bill with bipartisan support, the Exposure Notification Privacy Act, would have a substantially narrower scope of application than two previous partisan draft COVID-19 privacy laws. The bipartisan bill specifically regulates “automated exposure notification services,” defined as any website or other online or mobile system “specifically to be used for . . . the purpose of digitally notifying, in an automated manner, an individual who may have become exposed to an infectious disease[.]” This definition of an “automated exposure notification service” is clearly meant to encompass the rapidly proliferating universe of COVID-19 contact tracing and notification systems which are increasingly being used to send alerts to individuals who have come into close physical proximity with someone later confirmed as COVID-19 positive (although it bears noting that the bill would regulate any contact tracing system for any infectious disease, not just COVID-19). Accordingly, this new bipartisan bill markedly diverges from the approaches of two previous “dueling” partisan COVID-19 data privacy bills, both of which would have protected individuals’ COVID-19-related health information in a variety of circumstances, not only in the context of automated contact tracing.
Emergence of Contact Tracing Technology
While many countries in eastern Asia have been using COVID-19 contact tracing technology since the very early stages of the pandemic, commentators in the United States, Europe, and elsewhere questioned how such granular digital monitoring technology could be widely deployed and used in accordance with data privacy laws as well as in the face of public skepticism of rapid real-time exchanges of sensitive personal information. Now, over six months into the global pandemic, based on those Asian countries’ largely successful use of contact tracing to slow the spread of COVID-19, governments around the globe, including many jurisdictions in the United States, are increasingly turning to contact tracing as an essential means (along with masks and social distancing) of “flattening the curve” of COVID-19. However, some governments, including the United Kingdom, have experienced false starts and setbacks with their contact tracing efforts, underscoring the difficulties inherent in rapidly rolling out contact tracing on the massive scales necessary to combat the pandemic.
Manual vs Automated Tracing Work
The approach that governments and public health agencies worldwide have taken to conduct contact tracing can be roughly split into two categories:
In the manual approach, a COVID-19-positive patient is interviewed to determine where they have gone and whom they have come into physical proximity with during the period of time in which they were potentially contagious. Investigators then attempt to notify all such individuals (e.g., via telephone or email), and advise them to self-quarantine for fourteen days, and then to undergo COVID-19 tests themselves if they show any symptoms of the disease.
In the automated approach, geolocation technology (such as Bluetooth or GPS) is used to create real-time records of all signal-emitting/receiving devices that the user comes into physical proximity with. Then, when an individual later tests positive for COVID-19, all users who have come into physical proximity with that individual are automatically notified, and, as with manual tracing, typically advised to self-quarantine, self-monitor, and get tested if necessary. Typically, automated contact tracing takes the form of mobile applications that utilize mobile devices’ built-in geolocation technology and “push” notifications, but stand-alone contact tracing devices are also being developed and employed by some countries such as Singapore. Apple and Google are currently collaborating to roll out automated contact tracing on their iPhone and Android mobile device operating systems.
In order for manual contact tracing to be effective on the scale of a global pandemic, especially in hard-hit areas, “armies” of hundreds (if not thousands) of human contact tracers are needed, each of whom needs to be trained and compensated for their services. Automated contact tracing, on the other hand, merely requires clever programming/engineering and a widely adopted and utilized system of participating devices. It is therefore unsurprising that governments and public health organizations worldwide have begun aggressively pursuing automated contact tracing technologies. The bipartisan Exposure Notification Privacy Act expressly exempts “traditional in-person, email, or telephonic contact tracing technologies”, i.e., manual contact tracing, and instead is solely focused on regulating automated contact tracing.
Establishing Privacy Guardrails for Automated Contact Tracing Systems
The newly introduced Exposure Notification Privacy Act is a clear legislative response to privacy advocates’ concerns that individuals’ real-time geolocation and COVID-19 status information collected by automated contact tracing technologies might be used inappropriately. The bipartisan bill creates several significant guardrails against such misuse:
- Express Affirmative Consent
Operators of automated contact tracing systems “may not enroll an individual . . . without the individual’s prior affirmative express consent[.]” Such consent must be “in response to a specific request that” is (a) provided “in a clear and conspicuous disclosure separate from other options or acceptance of general terms[,]” and (b) describes each act and practice for which consent is sought . . . concisely and in easy-to-understand language[.]” Accordingly, automated contact tracing mobile apps and websites would not be able to rely on a simple “I agree to the Terms of Service and Privacy Policy” check-box, and instead would need to separately obtain users’ consent specifically for usage of their information for contact tracing purposes.
- Privacy Policies and Rights of Users
Operators of automated contact tracing systems would be obligated to “make publicly and persistently available, in a conspicuous and readily accessible manner, a privacy policy that provides a detailed and accurate representation of [the operator’s] covered data collection, processing, and transfer activities[.]” The privacy policy would also have to notify system users of their rights under the Exposure Notification Privacy Act, which includes the right to request deletion of their information.
The bill would forbid automated contact tracing systems from collecting or processing infectious disease diagnosis information unless the diagnosis constitutes an “authorized diagnosis,” which means “an actual, potential, or presumptive positive diagnosis of an infectious disease confirmed by a public health authority or a licensed health care provider.” It is unclear how the operator of the contact tracing system will be able to confirm that an individual’s diagnosis constitutes an “authorized diagnosis,” unless this is an implicit aspect of “collaboration” with a public health authority, as described below.
- Collaboration with Public Health Authority
Operators of contact tracing systems will be required to “collaborate” with a public health authority in connection with the operation of the contact tracing service. The bill defines “public health authority” as a federal, state, or local government agency or authority responsible for public health matters, or a person or entity acting under a grant of authority from such a government entity. The bill does not specify what level of “collaboration” is required, or what such “collaboration” must consist of.
- Public Guidance as to Accuracy and Reliability
Automated contact tracing system operators would be required to publish public-facing information regarding the system’s functionality, the proper interpretation of notifications that participants may receive, and the service’s effectiveness and adoption rate.
Although service providers to automated contact tracing systems would not be directly subject to the Exposure Notification Privacy Act, the bill would create a duty for service providers to notify the system operator or the public health authority of any potential violation of the law.
Operators of contact tracing systems would be obligated to establish and maintain data security practices “consistent with standards generally accepted by experts in the information security field[,]” and must specifically (a) have procedures in place designed to identify risks and vulnerabilities to the system and use preventative measures to mitigate against such risks, and (b) notify the Federal Trade Commission (“FTC”) and affected individuals of any data breaches affecting the security of covered data “in the most expedient time possible[.]”
As was the case under the previous Democrat- and Republican-sponsored COVID-19 privacy bills, the Exposure Notification Privacy Act would empower the FTC to enforce the new law and direct the FTC to treat violations as violations of Section 5 of the Federal Trade Commission Act regarding unfair or deceptive acts or practices. The bipartisan bill would also empower the state attorneys general to bring suit on behalf of their states’ residents.
Current Status
The new bipartisan bill is currently in the very early stages of the legislative process. On June 1, 2020, two members of the Senate Commerce Committee, Senators Cantwell (D-WA) and Cassidy (R-LA), introduced the Exposure Notification Privacy Act. It remains to be seen how or whether Congress will reconcile the prior Democrat- and Republican-sponsored COVID-19 privacy bills with the newly introduced bipartisan alternative.
