By Emily Peterson-Cassin, Digital Rights Advocate
There’s good news, and there’s bad news.
The good news is that a bill is about to be introduced in the U.S. Senate to offer some protections around the new data being collected by companies that are tracking our health and movement in the name of fighting the pandemic. Efforts already are underway to collect individual data for pandemic response needs, and Public Citizen and others have been simultaneously advocating for protections for consumers in the face of that increased collection of personal data.
The bad news is that although we need these protections desperately, this bill is a giveaway to companies looking to exploit our personal data for profit rather than a full-throated protective measure for the public.
The bill, which U.S. Sens. Roger Wicker (R-Miss.), John Thune (R-S.D.), Jerry Moran (R-Kan.), and Marsha Blackburn (R-Tenn.) plan to introduce this week, features some dangerous loopholes and exempts companies from any meaningful enforcement of the bill’s mild suggestions if their terms of service aren’t followed.
On the good side, the bill does offer some bare minimum protections for data collected as a result of the coronavirus crisis – data that may be particularly personal and potentially harmful such as geographic location data. But being “better than nothing” is not an acceptable standard for a bill protecting consumer data rights when those rights are under threat.
For example, this bill’s protections don’t include publicly available information on the internet, regardless of the source of that information. So if your vengeful ex, tired of quarantining with you, puts your virus status up on Facebook, the bill offers you no protection. Even the weak protections the bill offers for some data only highlight the need for a comprehensive baseline privacy bill that would offer protections for all kinds of data – something Congress has failed to produce despite calls from both industry and consumers.
The enforcement provisions of the bill also fall far short of what’s needed. The health and location data of millions of people has tremendous potential value to a company, so the temptation to play fast and loose with the rules will be enormous. The bill rests enforcement power with state attorneys general – who, even in the best of circumstances, can bring only a few cases a year – and the Federal Trade Commission (FTC), which is coming off a series of high-profile failures to keep big tech companies in line. The bill even yanks enforcement power away from the Federal Communications Commission, which does not have a great enforcement record but at least has some expertise in location tracking, at issue in the kinds of tech-based contact tracing efforts the Senate bill intends to address.
In order to be effective, the consequences of breaking the rules must outweigh the benefits of doing so, and this bill is a long way from ensuring that.
Perhaps the bill’s most egregious giveaway is a provision exempting companies from having to follow stricter state laws responding to the pandemic. Let’s say New York wanted to have a different contact tracing system with stronger protections for its residents than this Senate bill contemplates. “Nope!” says this proposal. It doesn’t matter that what works for public health in Wyoming may not work in California. This bill puts a stop to any “upstart” state legislatures that want to go further in the fight to protect residents from the dangerous consequences of this level of health and location data collection.
In March, 15 groups including Public Citizen sent a letter to Congress laying out the elements of what we need in a pandemic response bill to protect the public health, while preventing data gouging by companies that may see the pandemic as a boon to their data gathering operations.
Those guidelines call for prohibiting any commercial use of data collected as a result of the crisis, for real consequences for companies that break the rules and for data to be deleted at the end of the crisis so it doesn’t become part of a company’s permanent data hoard or an unreasonable part of the thousands of data points available about each of us to companies with access to them.
Those protections are what consumers actually need out of the next pandemic protection package – not the vague assurances corporations provide claiming that they care about our privacy, nor the official stamp on that practice that this Republican bill contains.