How can one reasonably evaluate the costs and benefits of Google or Facebook sharing location data with the federal government when it has been perfectly legal for Walgreen’s to share access to customer data with pharmaceutical advertisers?
How does aggregating and anonymizing data safeguard privacy when a user’s personal data can be revealed through other data points?
Change your marriage status on Facebook? There is a data point. Check in at the Farmer’s Market in The Grove shopping center complex in Los Angeles from Instagram? There is a data point. Purchase a book with a VISA credit card on Amazon? There is a data point.
Data collection is not itself a new concept. In fact, most freely offer up these data points for access to the aforementioned sites.
Nearly every Web site on the Internet collects information about users, either submitted by the users or collected automatically through cookies and other technologies. Business owners need information to deliver their products, advertise their services, communicate with customers and prospective customers, and improve their website functionality.
But there is a more ethically challenging part to data collection that puts individual users at risk.
Having a DNA company sell one’s information to a health insurance company after trying to figure out one’s ancestry? It happens. Local law enforcement subpoenaing Facebook to collect specific individual information as part of an investigation? This happens as well.
There is no one comprehensive federal law that governs data privacy in the United States.
Instead, there is a complex patchwork of sector-specific laws, including laws and regulations that address telecommunications, health information, credit information, financial institutions and marketing.
In addition to federal laws and regulations, the U.S. has hundreds of data privacy and data security laws among its states, territories and localities.
The COVID-19 pandemic is exacerbating the U.S. in just how much further it has moved away from formulating any consensus on privacy norms. In the wake of the COVID-19 pandemic, legislatures have introduced several bills that would have major impacts on data collection policies in the U.S. going forward.
COVID-19 Consumer Data Protection Act
The proposed bill would regulate the collection, transfer and processing of certain personal data in connection with COVID-19 related purposes. A key aim of the bill is to regulate technology companies and public health agencies that deploy contact tracing applications and digital monitoring tools.
Public Health Emergency Privacy Act
The proposed bill would protect “emergency health data,” or data linked or reasonably linkable to an individual or device that concerns the public COVID–19 health emergency. If enacted, the Federal Trade Commission (FTC) would be required to promulgate rules regarding data collection, use and disclosure under the Act.
Exposure Notification Privacy Act
The proposed bill would specifically regulate “exposure notification” mobile APPs that enable individuals to receive automated alerts if they have been exposed to COVID-19. Unliked the other aforementioned COVID-19 privacy bills introduced, the Exposure Notification Privacy Act has a narrow scope, applying only to entities that collect data through automated exposure notification services.
According to the World Health Organization, governments have justified data collection during COVID-19 given the mounting evidence that the collection, use, sharing and further processing of data can help limit the spread of the virus and aid in accelerating the recovery, especially through digital contact tracing.
That being said, such data collection and processing also includes the collection of vast amounts of personal and non-personal sensitive data, which can have significant effects beyond the initial crisis response phase, including, if such measures are applied for purposes not directly or specifically related to the COVID-19 response, potentially leading to the infringement of fundamental human rights and freedoms.
The government applications proposed by the U.S., while seeking to limit the focus to narrow bandwidths of health information, nonetheless create a norm that has no immediate redress for future generations.
AmChamUSA opposes such tactics if the emergency measures introduced to address the COVID-19 pandemic, such as digital contact tracing, are turned into standard practice after the COVID-19 pandemic subsides.