High-profile Senate Republicans say they plan to introduce a data privacy bill, the COVID-19 Consumer Data Protection Act, that would hold companies accountable for their use of personal data to fight the COVID-19 pandemic.
There are concerns that contact-tracing technology employed by companies including Apple and Google could wind up producing a surveillance state or put consumer data at risk for misuse or follow-on use by third parties.
They say the bill would give Americans more "transparency, choice, and control" over the collection of health, geolocation and proximity data, all key to contact tracing, and would "hold businesses accountable to consumers if they use personal data to fight the COVID-19 pandemic."
The "they" in this case are Senate Commerce Committee Chairman Roger Wicker (R-Miss.), chairman of the Senate Committee on Commerce, Science, and Transportation, Communications Subcommittee Chairman John Thune (R-S.D), Consumer Protection Subcommittee Chairman Jerry Moran (R-Kan.), and Sen. Marsha Blackburn (R-Tenn.).
The senators suggested that while the severity of the health crisis can't be overstated, the importance of individual privacy, even in times of crisis, should not be undervalued.
“This bill strikes the right balance between innovation – allowing technology companies to continue their work toward developing platforms that could trace the virus and help flatten the curve and stop the spread – and maintaining privacy protections for U.S. citizens," said Thune.
The bill would:
1."Require companies under the jurisdiction of the Federal Trade Commission to obtain affirmative express consent from individuals to collect, process, or transfer their personal health, geolocation, or proximity information for the purposes of tracking the spread of COVID-19.
2. "Direct companies to disclose to consumers at the point of collection how their data will be handled, to whom it will be transferred, and how long it will be retained.
3. Establish clear definitions about what constitutes aggregate and de-identified data to ensure companies adopt certain technical and legal safeguards to protect consumer data from being re-identified.
4. "Require companies to allow individuals to opt out of the collection, processing, or transfer of their personal health, geolocation, or proximity information.
5. Direct companies to provide transparency reports to the public describing their data collection activities related to COVID-19.
6. "Establish data minimization and data security requirements for any personally identifiable information collected by a covered entity.
7. "Require companies to delete or de-identify all personally identifiable information when it is no longer being used for the COVID-19 public health emergency.
8. "Authorize state attorneys general to enforce the Act."