Law360 (April 27, 2020, 12:43 PM EDT) -- While the coronavirus pandemic has derailed most nonurgent lawmaking efforts, pressure continues to mount for Congress to enact uniform privacy legislation that factors in the growing concerns over moves by companies such as Apple and Google to harness the troves of personal information they hold to track the virus and contain its spread.
In attempting to manage the virus' spread and reopen the struggling economy, tech companies and governments have both sought to come up with effective yet socially distant ways to keep close tabs on people's health status and movements. These methods often involve using technology to collect vital but potentially sensitive health and location information, highlighting issues that hadn't previously been featured in the long-running privacy debate on Capitol Hill and potentially prompting lawmakers to ease up on restrictions they've long sought to place on companies.
"What the pandemic has really done is it's brought to the forefront this underlying conflict between personal privacy rights and public well-being, and that wasn't really being considered by lawmakers before the coronavirus outbreak took place," said Jeff Dennis, head of the privacy and data security practice at Newmeyer & Dillion LLP.
This issue promises to factor prominently in future privacy proposals, given that it would be nearly impossible for lawmakers to overlook these competing privacy and civil liberties interests moving forward, attorneys say.
"The pandemic really accelerates a lot of the ongoing discussions on privacy legislation because it highlights a concrete example of not only the need to use data in important ways, but also the importance of getting it right when it comes to the type of privacy and security safeguards that need to be placed on different uses of data," said Kate Goodloe, director of policy at tech industry group BSA: The Software Alliance.
This newly surfaced factor will likely require lawmakers to rethink their approach to setting the rules for how companies protect, retain and share data, particularly sensitive health and location information that's not clearly covered by existing laws, according to Lisa Sotto, chair of Hunton Andrews Kurth LLP's privacy and cybersecurity practice.
"The situation is certainly broadening the view of what needs to be considered in privacy laws," Sotto said.
A primary way that attorneys see the debate shifting is when it comes to whether companies should have some type of exemption or liability shield for collecting, using or sharing data in certain circumstances.
While laws like the federal Health Insurance Portability and Accountability Act and the European Union's General Data Protection Regulation contain exemptions for public health emergencies, California's landmark Consumer Protection Act — which went into effect in January and is focused more on boosting transparency and consumer access than on restricting data uses — doesn't contain such a carveout, and the issue hasn't really permeated the federal privacy debate yet either.
But with these issues now top of mind, both federal and state lawmakers may begin to reevaluate the proposals they've put on the table and question whether data limitations should be eased for some purposes, attorneys say.
"Coming out of this, if I'm a legislator, I'd be looking at whether there were any companies or government agencies that had trouble getting access to data that really was necessary [to fight the virus] and be thinking about building in the right provision to allow for disclosure of personal information in circumstances where it's absolutely necessary," said Alexander Bilus, the vice chair of Saul Ewing Arnstein & Lehr LLP's cybersecurity and privacy practice.
Michelle Richardson, the director of the data and privacy project at the Center for Democracy and Technology, agreed that it was likely the pandemic would make some involved in the debate more sympathetic to arguments against putting tight restrictions on how companies can and can't use personal data. But she stressed that any exemption needs to be narrowly tailored to cover only pressing emergency situations and should promote the use of de-identified or anonymized data to achieve these important objectives.
Advocacy groups such as CDT and the American Civil Liberties Union have urged policymakers and companies to ensure that any personal data or other information used to fight, measure or track the pandemic be "necessary and proportionate" to both the pandemic response and the safety of the public, and that this information not be used for unexpected purposes, principles that could now factor more prominently than ever in the privacy debate.
"Those are the kind of things that if they were in place now, people would feel more comfortable to use tools like contact tracing apps and would help make sure companies don't go too far astray," Richardson said.
Principles like data minimization and purpose limitations are far from new concepts. In both California's new consumer privacy law as well as the flurry of privacy proposals that have been introduced by federal lawmakers on both sides of the aisle in recent years to stave off a growing patchwork of state laws, there is an emphasis on ensuring that consumers are able to find out what information companies hold on them and to exercise some control over that data.
But despite the prominence of these issues, they're likely to be viewed through a different lens as the country emerges from the pandemic, attorneys say.
"The pandemic could serve as a catalyst, either through federal legislation or through industry self-regulatory efforts, to develop a common set of principles for facilitating the beneficial uses of Big Data for society in ways that still protect and preserve privacy," said Heather Egan Sussman, global co-chair of the cyber, privacy and data innovation practice at Orrick Herrington & Sutcliffe LLP.
Several lawmakers have continued to press these issues during the pandemic, and the influential Senate Commerce Committee convened a rare paper hearing on April 9 to examine how large consumer data sets, commonly known as Big Data, are being used to identify potential hot spots of coronavirus transmission and to help accelerate the development of treatments.
Commerce Committee Chairman Roger Wicker, R-Miss., stressed in his opening statement that the development of "a strong and bipartisan federal data privacy law" has long been a priority for his committee, and that "the collection of consumer location data to track the coronavirus, although well intentioned and possibly necessary at this time, further underscores the need for uniform, national privacy legislation."
"Such a law would provide all Americans with more transparency, choice, and control over their data, as well as ways to keep businesses more accountable to consumers when they seek to use their data for unexpected purposes," Wicker said. "It would also provide certainty and clear, workable rules of the road for businesses in all 50 states, and preserve Americans' trust and confidence that their data will be protected and secure no matter where they live."
Late last year, Wicker and Commerce Committee ranking member Maria Cantwell, D-Wash., advanced dueling proposals for crafting uniform federal privacy standards. Their proposed bills both aim to give consumers more control over their personal data, but diverged on the hot-button issues of whether the laws should preempt more stringent state protections or contain a private right of action.
The question of whether consumers should be allowed to bring lawsuits for alleged privacy violations has been a major stumbling block in efforts to enact both federal legislation and state laws such as a twice-failed privacy proposal in Washington state. While that debate will continue to dominate post-pandemic, attorneys say the drive to use personal data to fight the virus could influence these discussions as well.
Those in favor of including a private right of action may highlight instances where they claim companies used data gathered for the pandemic fight in unexpected ways, while advocates for leaving enforcement solely up to state and federal regulators may point to situations where companies had great tools or ideas that could have proven helpful but were hesitant to act due to concerns over being sued, Bilus said.
"The focus is likely to be on encouraging the highest and best use of data while at the same time protecting individuals' privacy," Bilus said, adding that lawmakers may strive to find "some middle ground where there's a private right of action but if companies meet certain requirements, they're entitled to some safe harbor."
Even with interest still relatively high, the push to get privacy legislation across the finish line this year remains an uphill climb.
Congress has struggled for years to substantially advance any privacy proposal, and Sussman predicted it would take a groundswell of events beyond the mounting costs of complying with laws like the CCPA and concerns over the risks of data-sharing in a pandemic to really move the needle.
"It will take a perfect storm ... a confluence of issues and events that push the federal legislation wave up onto the shore," Sussman said.
Still, these issues remain firmly on the table, and attorneys say they wouldn't be surprised to see significant movement once we emerge from the current public health crisis.
"Privacy issues are now showing themselves to be key considerations in this new environment, and there seems to very much be renewed interest in considering how this data should be protected and regulated," Sotto said.
--Editing by Rebecca Flanagan and Marygrace Murphy.
For a reprint of this article, please contact firstname.lastname@example.org.