A new Democratic privacy bill spurred by the COVID-19 pandemic would require developers of contract-tracing apps to obtain people's express consent before collecting or disclosing data about their health.
The Public Health Emergency Privacy Act (PHEPA) would also prohibit the commercial use of location data, diagnoses and other information collected via contact-tracing apps.
That prohibition would cover not only ads and e-commerce recommendations, but would also prohibit the use of data to train machine-learning algorithms for commercial purposes.
The bill -- introduced by Senators Richard Blumenthal (D-Connecticut) and Mark Warner (D-Virginia) and Reps. Anna Eshoo (D-California), Jan Schakowsky (D-Illinois), and Suzan DelBene (D-Washington) -- also would prohibit commercial establishments and places of public accommodation from discriminating against people based on whether they use contact-tracing apps.
The measure “would protect Americans who use this kind of technology during the pandemic and safeguard civil liberties,” sponsors stated Thursday.
“Strengthened public trust will empower health authorities and medical experts to leverage new health data and apps to fight COVID-19,” they added, noting that many Americans have expressed privacy concerns regarding contact-tracing by tech companies.
The bill specifically provides that contact-tracing apps can only collect and disclose data that's “necessary” for public health. Developers of the apps would also be required to take “reasonable measures” to insure the accuracy of data, and provide mechanisms for people to correct errors.
The measure would be enforceable by the Federal Trade Commission, state attorneys general, and private citizens.
The bill provides for up to $5,000 in damages per violation, in cases brought by private individuals.
Digital rights advocates praised the bill Thursday. “As contact-tracing apps and other types of COVID-19 surveillance become commonplace in the United States, this legislation will protect the privacy of Americans regardless of the type of technology used or who created it,” Sara Collins, policy counsel at Public Knowledge, stated.
Justin Brookman, director of consumer privacy and technology policy for Consumer Reports, added that the bill “smartly requires that data collected to fight coronavirus can only be used for public health purposes -- and nothing else.”
The new proposal comes one week after four Republican senators put forward a different bill, the COVID-19 Consumer Data Protection Act. That measure would generally require companies to obtain people's express consent before gathering data health, device, geolocation, or proximity, in order to trace the contacts of people diagnosed with the virus.
That GOP proposal was met with skepticism by digital rights advocates, who argued the bill has exceptions that could undermine people's privacy.