Law360 (April 30, 2020, 9:54 PM EDT) -- Four U.S. Senate Republicans are gearing up to introduce legislation that would hold companies liable for misusing consumers' health, geolocation and other personal information to fight the coronavirus pandemic, they revealed Thursday, the same day that a Federal Trade commissioner called on lawmakers to quickly enact federal privacy rules.
As pressure mounts for the U.S. and other countries to curb the spread of the novel coronavirus and reopen the struggling global economy, companies such as Apple and Google have announced new initiatives that involve using troves of personal data to keep tabs on people's health status and movements.
Sen. Roger Wicker, a Mississippi Republican and chairman of the influential Senate Commerce Committee, along with three of his colleagues responded to these concerns Thursday by revealing plans to introduce the COVID-19 Consumer Data Protection Act. The legislation aims to provide Americans with more control, transparency and choice over how their personal health, geolocation and proximity data is being collected and used to combat the virus, according to the lawmakers.
"As the coronavirus continues to take a heavy toll on our economy and American life, government officials and health care professionals have rightly turned to data to help fight this global pandemic," Wicker said in a statement. "This data has great potential to help us contain the virus and limit future outbreaks, but we need to ensure that individuals' personal information is safe from misuse."
The proposed legislation would require companies that fall under the Federal Trade Commission's jurisdiction to obtain affirmative express consent from individuals to collect, process or transfer their personal information for COVID-19 tracking purposes and would give consumers the ability to opt out of these practices at any time, according to the bill's sponsors.
Companies would also be directed to disclose to consumers at the point of collection how their data will be handled, to whom it will be transferred and for how long it will be retained; delete or de-identify personally identifiable information when it is no longer being used to combat the current public health emergency; and provide transparency reports to the public describing their data collection activities related to COVID-19, the senators said.
Additionally, the bill would seek to establish clear definitions about what qualifies as aggregate and de-identified data to ensure that companies adopt certain technical and legal safeguards to protect consumer data from being re-identified. The bill would aim to set data minimization and data security requirements for any personally identifiable information collected by these businesses.
State attorneys general would be charged with enforcing alleged violations of the law, according to lawmakers. They didn't elaborate on the potential size or scope for fines that could be levied.
Sen. John Thune of South Dakota, the chairman of the chamber's subcommittee on communications, technology, innovation and the internet and another co-sponsor of the bill, touted the proposal for striking the "right balance" between protecting individuals' privacy and fostering the innovation necessary to allow tech companies to develop effective ways to trace the virus.
"While the severity of the COVID-19 health crisis cannot be overstated, individual privacy, even during times of crisis, remains critically important," Thune added.
Sen. Jerry Moran of Kansas, who chairs the subcommittee on consumer protection, product safety, insurance and data security, as well as Sen. Marsha Blackburn of Tennessee are also backing the proposed legislation.
Consumer advocacy group Public Knowledge slammed the proposal Thursday for doing little to protect Americans' privacy.
The group argued that the bill still allows companies to profit from consumers' health or geolocation data, fails to extend the "limited" privacy protections it creates to cover law enforcement or federal agencies, and gives the FTC no new powers or resources to enforce the law.
The bill would also "gratuitously preempt" stronger privacy protections that the Federal Communications Commission enforces against mobile carriers and would block states from putting stronger measures in place, according to the group.
"In this time of crisis, Americans need strong privacy protection they can trust, not deregulation disguised as consumer protection," said Sara Collins, policy counsel at Public Knowledge. "This bill is truly a privacy 'cure' worse than the disease."
The new proposal emerged on the same day that Federal Trade Commissioner Christine S. Wilson — one of the three Republicans on the five-member commission — continued to push Congress to establish baseline federal privacy rules that would set a uniform standard for how companies can generally collect, use and share personal information.
"For too long, we have let the perfect be the enemy of the good," Wilson said in discussing the urgent need for federal privacy legislation during a digital fireside chat hosted by USTelecom on Thursday.
Wilson, who was sworn in as an FTC commissioner in September 2018, said that the coronavirus pandemic had highlighted how "incredibly important" it was for congressional lawmakers to quickly "hammer out" their differences — including long-standing disagreements over whether a federal law should preempt more stringent state protections or allow consumers to bring private lawsuits — and reach a consensus on privacy legislation.
For one, the pandemic has exposed the "limits to the FTC's authority" in "new and graphic ways," according to Wilson. Both the agency's present leadership and past FTC commissioners on both sides of the political spectrum have pushed Congress for years to boost the commission's authority to go after companies for first-time privacy violations, including by giving the agency enhanced fining and rulemaking authorities.
The current global health crisis has also forced companies to make difficult decisions about how much information to collect and share with third parties, including government authorities, to help stop the spread of the virus, Wilson noted.
Any of the several draft privacy proposals that have been floated in Congress in recent years would have helped to "clarify the legitimate uses of data during the pandemic" and could have given companies a "head start" on answering the "very challenging questions" they're currently facing about where the line is between the public good and the need to safeguard personal privacy, according to Wilson.
Wilson's remarks built on an April 15 essay that she penned for the scholarly commentary website Truth on the Market. In that essay, titled "Privacy in the Time of COVID-19," Wilson highlighted the privacy and civil liberties concerns raised by the pandemic and pushed for Congress to enact legislation to fill gaps in existing privacy rules, to clarify for consumers the types of data being collected about them and how that information is used and shared, and to give businesses "predictability and certainty regarding the rules of the road, given the emerging patchwork of regimes both at home and abroad."
While the coronavirus pandemic has derailed most nonurgent lawmaking efforts, several lawmakers on both sides of the aisle have continued to show a major interest in regulating privacy and data security issues.
The Senate Commerce Committee, led by Wicker, convened a rare paper hearing on April 9 to examine how large consumer data sets, commonly known as Big Data, are being used to identify potential hot spots of coronavirus transmission and to help accelerate the development of treatments. During his opening statement, Wicker stressed that "the collection of consumer location data to track the coronavirus, although well intentioned and possibly necessary at this time, further underscores the need for uniform, national privacy legislation."
While the Republican-backed proposal unveiled Thursday would focus narrowly on data used to fight the pandemic, many of the access, control and transparency principles contained in the bill are similar to those featured in both California's landmark Consumer Privacy Act, which took effect on Jan. 1, and broader privacy proposals that have previously come before Congress.
Moran said that although the focus now was on addressing "potentially harmful practices" that could stem from coronavirus tracking efforts, he remained "motivated to provide American consumers with clear and measurable protections when it comes to the collection, processing and transferring of their personally identifiable information" more broadly.
"As Congress seeks to enact a uniform comprehensive data privacy and security framework, thoughtful and targeted legislative efforts, like this bill, will address specific consumer privacy violations resulting from COVID-19," Moran added.
--Editing by Michael Watanabe.
For a reprint of this article, please contact firstname.lastname@example.org.