Cybersecurity

Coronavirus surveillance concerns ramp up pressure to pass federal privacy law

Concerns around the use of personal data to track and halt the spread of the ongoing coronavirus pandemic led senators and tech industry groups on Thursday to urge Congress to ramp up its efforts to put in place a national consumer privacy law. 

“The collection of consumer location data to track the coronavirus, although well intentioned and possibly necessary at this time, further underscores the need for uniform, national privacy legislation,” Senate Commerce, Science and Transportation Committee Chairman Roger Wicker (R-Miss.) wrote in an opening statement submitted as part of a historic “paper hearing” on big data and the coronavirus. 

Several countries, including China, Singapore and Israel, have already put in place surveillance measures using cellphone data to track those with coronavirus. 

The U.S. and certain European countries have considered similar measures in recent days. Politico reported this week that White House senior advisor Jared Kushner has reached out to health groups to compile a system to track what patients are seeking treatment for.

Privacy advocates have increasingly sounded the alarm, particularly as the U.S. currently has no overriding federal consumer privacy law, despite years of bipartisan effort on Capitol Hill to push one through.  

The concerns were spelled out in written statements submitted as part of the Senate Commerce Committee’s paper hearing Thursday. The hearing did not involve any in-person contact, with written opening statements being submitted online, and members of the committee then given 96 business hours to question witnesses and receive responses. 

Sen. Maria Cantwell (D-Wash.), the ranking member of the committee, urged Congress to ensure that any surveillance authorities pushed through addressed privacy, such as through having a defined end date for collecting data, and with a view to address consumer rights. 

“To gain and keep the public’s trust about the use of data, a defined framework should be maintained to protect privacy rights,” Cantwell wrote. “We must guard against vaguely defined and non-transparent government initiatives with our personal data. Because rights and data surrendered temporarily during an emergency can become very difficult to get back.”

The Senate Commerce Committee has made consumer privacy, and the effort to put in place an overriding federal law, a key priority over the past several years. These efforts have been hampered by partisan disagreements over the bill’s language, and have repeatedly stalled

While most companies already conform to California’s privacy law, which gives consumers the right to know what data is collected from them, and the European Union’s General Data Protection Regulation (), the U.S. lacks its own consumer privacy law. 

Michelle Richardson, the director of the Center for Democracy and Technology’s Privacy and Data Project, testified Thursday that this gap could “inhibit” the use of consumer data to counter the spread of coronavirus. 

“The United States does not have a comprehensive privacy law to protect Americans’ personal information,” Richardson wrote in her opening statement. “This has led to the explosion of risky and exploitive data-driven behaviors in the vast unregulated space in between. It has reduced public trust in technology companies, and as a result, may discourage people from using legitimate services or waste precious time and resources on untested products.”

Stacey Gray, senior council at the Future of Privacy Forum, pushed for Congress to immediately take action on data privacy in the context of the ongoing pandemic. 

“Congress should address the gaps in existing legal protections for highly sensitive data – including precise location data and health and wellness data – and provide US companies with much-needed structure and clarity for when they may or may not share data ethically and legally in situations such as this,” Gray wrote. 

Some companies have already moved forward with sharing data. Google announced last week that it would share anonymized location data for individuals in 131 countries and regions to help health care providers track the spread of coronavirus. 

While Google stressed that this data would be anonymous and aggregated, many are skeptical that the data can stay completely anonymous. Sens. Richard Blumenthal (D-Conn.) and Ed Markey (D-Mass.) questioned Google this week on the new policy, underlining concerns around the lack of privacy regulations.

“Access to this type of information can pose risks to both individuals’ civil liberties and their physical safety,” the senators wrote. “No one should fear that their phone is monitoring their every step.”