By Charles McDermid
As Silicon Valley gears up to help Washington fight the COVID-19 pandemic, concern is intensifying that the United States still lacks the legal framework needed to protect data privacy during and after the public-health crisis.
A group of U.S. senators last week introduced the COVID-19 Consumer Data Protection Act. The legislation, according to a news release, “would provide all Americans with more transparency, choice and control over the collection and use of their personal health, geolocation and proximity data.”
The move comes a short time after Apple Inc. and Google said they were developing a “contact-tracing system” that would use wireless signals to track the spread of coronavirus.
News reports indicated that within months the tracking system would be built into billions of smartphones.
“This really isn’t about a ‘balance,’” Alan Butler, interim executive director and general counsel of the Electronic Privacy Information Center (EPIC), told Digital Privacy News. “We can and should protect privacy and public health.
“Protecting both of those vital interests should be a top priority for federal, state and local governments in the U.S. and for governments all around the world,” he said.
“The United States is at a disadvantage because we do not have a comprehensive privacy law and we do not have a data-protection authority to coordinate regulations and provide clear guidance,” Butler observed. “But we do have legislative and public-oversight mechanisms that should be used to protect individual rights while promoting public health.”
The COVID-19 pandemic has prompted many governments to collect personal data of millions of citizens to help enforce social distancing. Yet critics are increasingly asking when safety measures become surveillance — and what can be done to stop them.
Last month, Amnesty International and Human Rights Watch led more than 100 civil-society groups in a joint statement, stressing that “states’ efforts to contain the virus must not be used as a cover to usher in a new era of greatly expanded systems of invasive digital surveillance.”
In a separate public statement in April, Rasha Abdul Rahim, deputy director of Amnesty Tech in the U.K., said: “The recent past has shown governments are reluctant to relinquish temporary surveillance powers. We must not sleepwalk into a permanent expanded surveillance state now.”
In the U.S., several recent events have troubled privacy advocates. Late last month, CBS News reported that health officials “all over the world” were employing drones to monitor public spaces and enforce social-distancing rules.
The article cited the police department of Daytona Beach, Fla., as one of at least 43 agencies in 21 U.S. states that had received a donated drone as part of a manufacturer’s disaster-relief program.
The White House also announced that it had awarded a contract to build a U.S. tracking database for COVID-19 to Palantir, the data-mining firm of Silicon Valley investor Peter Thiel.
The company would be under contract for the Department of Health and Human Services for the agency’s new data platform, called HHS Protect Now.
The move drew abrupt criticism from the Surveillance Technology Oversight Project (STOP), a New York-based privacy group.
“Contact-tracing is important, but we can’t entrust those with a history of abusing surveillance powers to lead this effort,” Albert Fox Cahn, the group’s executive director, said in a statement.
“Palantir’s technology has already been used to target our undocumented neighbors, and we can’t trust them to responsibly use our health data as well,” he added. “We cannot allow the federal government to expand its public monitoring in response to COVID-19 without putting privacy protections in place.”
‘Question of Trust’
Not everyone is convinced that sharing personal data to save lives marks the beginning of a so-called surveillance state.
Kyung-Sin Park is director of the American Law Center at Korea University and head of Open Net Korea.
As he told Digital Privacy News, South Korea has specific “sunset” laws in place that enforce the destruction of all personal information once a public emergency is over.
“As long as they use aggregated, as opposed to individualized, information, I think privacy concerns could be abated very much,” Park said in an email. “But there is a question of trust on whether the health agencies and other public agencies would turn over only aggregated data to Palantir and other companies.”
He continued: “There is a chance that they may turn the data over in individualized but pseudonymized format so that companies could merge two or more databases. Done properly, in the GDPR (General Data Protection Regulation, the E.U. data-protection law) sense, privacy concerns can be also abated.
“But I am worried,” Park said, “because not many in U.S. are familiar with safeguards in merging databases, for example the ‘Trusted Third-Party’ method.”
‘Deleted or Minimized’
For many in the U.S., the current tightrope between public safety and personal privacy presents a sad case of déjà vu.
Surveillance was greatly escalated after the 9/11 attacks, but federal regulations have not been passed to limit data-collection.
“Nearly two decades after the 9/11 attacks, the NSA is still conducting dragnet internet surveillance,” Karen Gullo, an analyst for the Electronic Frontier Foundation (EFF) in San Francisco, told Digital Privacy News.
“It’s imperative that if the government acquires a new surveillance power to address a crisis, that power must expire when the crisis ends.
“Likewise, personal data that is collected during the crisis, and used to help mitigate the crisis, must be deleted or minimized when the crisis is over,” Gullo added. “And crises cannot be defined to last in perpetuity.”
She said the COVID crisis clearly had illustrated the need for the U.S. to pass strong data-privacy legislation.
“With companies proposing new ways to gather and share information about consumers, in the name of public health, all the more reason to enact strong laws,” she said.
“What’s more, consumers need protection when government partners with the private sector to collect their data and cloak the practices in secrecy.”
Charles McDermid is a writer based in Asia.
Sources (external links):
Data privacy legislation: Wicker, Thune, Moran, Blackburn Announce Plans to Introduce Data Privacy Bill