Sen. Richard Blumenthal (D-CT) announces a bipartisan agreement on Turkey sanctions during a news conference on Capitol Hill in Washington, October 17, 2019.
Erin Scott | Reuters
Five Democrats from both houses of Congress introduced a bill Thursday that would protect consumers’ health data when they choose to use digital contact tracing technology that aims to slow the spread of Covid-19, including technology that Apple and Google are building into their smartphone software.
The Public Health Emergency Privacy Act would take several measures to protect health data collected during a public health crisis. It would require companies collecting data to meet certain security standards and delete data after the public health emergency passed. It would also prohibit data collected for public health efforts from being used by government agencies without a public health focus, or for other purposes like commercial advertising, employment or insurance.
The bill would also ensure Americans are able to choose whether to use digital contact tracing technologies that track their location to determine if they’ve been in contact with a person known to be infected with the virus. In particular, it would require users to actively consent (opt-in) to have their data collected, and would forbid officials from making participation in contact tracing mandatory to vote in elections.
Digital contact tracing and smartphones
Digital contact tracing uses short-range signals between smartphones to track when users are in close proximity. When a person tests positive for Covid-19, these systems can be used to notify others that they might have been exposed. (Regular contact-tracing is a more manual process, involving volunteers who interview subjects after they’ve been exposed to the virus, then contact everybody the subject says they were close to.) But there are a wide variety of approaches to digital contact tracing, some of which do more to protect privacy than others.
The bill includes many privacy protections that Apple and Google are insisting upon as a condition of allowing public health agencies to use their software, such as requiring users to opt in and restricting the software’s use to legitimate public health organizations.
But the Apple-Google approach is even stricter. Among other things, the companies will not allow data to be collected and stored in a centralized database — instead, apps will send anonymous alerts to people notifying them that they might have been exposed. In addition, the Apple-Google software enables apps only to tap into Bluetooth signals, which can be used to measure proximity, but not GPS, which can be used to identify precise location.
This may make the Apple-Google software less useful to public health departments than apps that use more invasive approaches, such as an app being developed by the state of Utah.
But those more invasive apps are also more likely to require the kind of privacy protections being proposed in the bill.
The proposed protections could not only safeguard consumers’ data, but could also potentially build confidence in contact tracing methods, making them more effective. An Axios-Ipsos poll of nearly 1,000 U.S. adults conducted between May 8 and 11 found that 66% of respondents said they would be not at all or not be very likely to use a contact tracing system made by major tech companies. More people said they would use a system created by the Centers for Disease Control and Prevention and public health officials, though still 48% said they would still be unlikely or definitely not use it .
Such distrust is a problem for contact tracing and potentially for public health. Contact tracing is most effective when most people have opted into the system. Otherwise, it is difficult to truly track all or most of the people with whom a person has come into contact.
The legislators who introduced the legislation said Americans’ fears about contact tracing and the privacy of their health data are valid. Prior to the pandemic, lawmakers had been inching toward more generalized digital privacy legislation, though several key disputes between Republicans and Democrats remained.
“Legal safeguards protecting consumer privacy failed to keep pace with technology, and that lapse is costing us in the fight against COVID-19,” Sen. Richard Blumenthal, D-Conn., a member of the Senate Judiciary and Commerce Committees said in a statement.
“Americans are rightly skeptical that their sensitive health data will be kept safe and secure, and as a result, they’re reluctant to participate in contact tracing programs essential to halt the spread of this disease. The Public Health Emergency Privacy Act’s commitment to civil liberties is an investment in our public health.”
“Absent a clear commitment from policymakers to improving our health privacy laws, as this important legislation seeks to accomplish, I fear that creeping privacy violations could become the new status quo in health care and public health,” Sen. Mark Warner, D-Va., Vice Chairman of the Senate Intelligence Committee, said in a statement. “The credibility – and indeed efficacy – of these technologies depends on public trust.”
Rep. Jan Schakowsky, D-Ill., the chairwoman of the House Consumer Protection Subcommittee who also introduced the bill, said it’s important to remember that contact tracing is one piece of the the solution to the current health crisis combined with manual tracing and testing.
House Health Subcommittee Chairwoman Rep. Anna Eshoo, D-Calif., and Rep. Suzan DelBene, D-Wash. also introduced the bill. House Energy and Commerce Committee Vice Chair Yvette Clarke, D-N.Y., Health Subcommittee Vice Chair G. K. Butterfield D-N.Y., and Consumer Protection Subcommittee Vice Chair Tony Cárdenas D-Calif. are co-sponsors.