Contact Tracing Demonstrates Need for National Privacy Laws, Lawmaker Says

Privacy rights should not be diminished in the name of public health, Rep. Cathy McMorris Rodgers, R-Wash., said Thursday. McMorris Rodgers said digital contact tracing developed to track the spread of the coronavirus pandemic underscores the need for a national privacy framework. 

At an IBM Policy Lab webinar, McMorris Rodgers said state-by-state, patchwork privacy laws are inadequate for protecting privacy rights during the pandemic and beyond. She urged for the adoption of a national standard that would protect privacy without hampering technological innovation. 

“My hope is that it’s only going to raise the awareness among citizens in our country as well as those that are elected in Congress right now that privacy needs to be one of those must-pass bills,” McMorris Rodgers said. “You think about all of these proposals for apps and technologies to conduct contact tracing and track the spread of the virus, but people right now do not have confidence in the technology.”

State-by-state legislation will only add to the confusion, both for consumers and businesses, McMorris Rodgers said. She advocated regulatory certainty when it comes to privacy, particularly noting that the internet doesn’t work on a state-by-state basis and thus neither should privacy laws. 

McMorris Rodgers sits on the House Energy and Commerce Committee, and is the ranking member of the Consumer Protection and Commerce subcommittee. She has long been an advocate for a national data privacy standard. Though her preference is for a general, nationwide privacy standard, McMorris Rodgers said she would not rule out a COVID-19 specific privacy bill as has been proposed in both the House and the Senate. 

A bipartisan group of lawmakers joins McMorris Rodgers in her data privacy concerns, particularly when it comes to contact tracing. At a hearing in front of the Senate’s counterpart to McMorris Rodgers’ subcommittee Tuesday, data privacy concerns related to the contact tracing weren a critical concern for several senators including Roger Wicker, R-Miss., Marsha Blackburn, R-Tenn., Amy Klobuchar, D-Minn., and Richard Blumenthal, D-CT.

Blumenthal quizzed Andrew Smith, director of the Federal Trade Commission’s Bureau of Consumer Protection, on whether the agency is equipped to address data privacy concerns. He told Smith he is concerned the FTC has been silent on the issue of privacy when it comes to contact tracing. 

“An explanation to the American public about how this data is safe, what those rules of the road will be and how they will be impervious or at least highly protected against intrusion or interference, I think it would be very valuable for our consumers,” Blumenthal told Smith.

But many of the lawmakers raising concerns about privacy and contact tracing are not in favor of solutions put in place in other countries. McMorris Rodgers as well as several of the senators who spoke at Tuesday’s hearing opposed the decision by the European Union’s highest court to dismantle the Privacy Shield agreement, which allowed data to be transferred from users in Europe to tech companies in the U.S. 

The decision was seen as a win for privacy rights advocates. John Davisson, counsel at the Electronic Privacy Information Center, called the lawmakers’ disdain for the court’s decision “disappointing.”

“The Schrems II decision really should be a wake-up call for the U.S. to update its surveillance authorities to ensure that they are in line with the fundamental right of privacy,” Davisson said. “And that’s really the message that the High Court in the EU was sending.” 

During the webinar, McMorris Rodgers specifically complimented the efforts of the White House’s Office of Science and Technology Policy for partnering with industry to develop technology to help fight the coronavirus crisis. But Davisson said that some of the industry partners on the tech sector task force may not be taking privacy considerations seriously enough. 

Some tech companies participating in the task force proposed using location data from cell phones, Uber trips and Google searches in contact tracing, according to communications between industry task force members and OSTP obtained by EPIC. EPIC received these communications through a Freedom of Information Act request. 

Google’s contact tracing practices came under the microscope for similar reasons this week. Even after the tech giant, which is working with Apple on contact tracing, promised it would work to protect privacy in its contact tracing partnership, Google continued to require access to Android users’ location data, the New York Times reported.