Experts were gathered in front of the Senate Commerce Committee’s Subcommittee on Manufacturing, Trade, and Consumer Protection to testify on scams. But data privacy concerns bubbled over.
Contact tracing has become a necessary measure to fight the coronavirus pandemic, but lawmakers and experts are raising concerns about the privacy implications contact tracing presents.
At a hearing before the Senate Commerce Subcommittee on Manufacturing, Trade, and Consumer Protection Tuesday, lawmakers pushed witnesses to say whether they think Congress should institute stricter privacy rules as the coronavirus pandemic rages on with no end in sight. Legislators were concerned specifically with the risk that sharing personal data with contact tracers may pose to U.S. citizens.
Though the hearing was convened ostensibly to discuss the scam risks posed to Americans during the COVID-19 crisis, privacy became a central issue even in instances where personal data is gathered for legitimate purposes. Because contact tracing is a necessary tool in the fight against the pandemic, lawmakers worried about how to make consumers feel like they can trust contact tracing apps or companies.
“I think of the old expression ‘the road to hell is paved with good intentions’,” Kansas Attorney General Derek Schmidt told the committee. “We have grown so rapidly into that data collection that perhaps we have not put in place the ordinary safeguards we would otherwise put in place with any entity—government or business—that’s collecting large amounts of personal data.”
Schmidt spoke with purview limited to his state, but he said that a federal standard with respect to data privacy makes sense for the COVID-19 pandemic and beyond.
The pandemic is giving the government a prime opportunity to crack down on scammers, and U.S. Attorney General William Barr in March directed federal attorneys to go after perpetrators of phony cures and phishing schemes. But it may also be pushing them to consider more aggressive legislation that would curtail the ability of tech companies to gather and use personal data, particularly beyond the current health crisis, where companies could profit from selling the data to third parties.
Several senators including Roger Wicker, R-Miss., Marsha Blackburn, R-Tenn., Amy Klobuchar, D-Minn., and Richard Blumenthal, D-CT., asked the gathered experts what Congress can do to protect consumer privacy. Blumenthal said he is concerned the Federal Trade Commission has been silent on the issue of privacy when it comes to contact tracing.
“An explanation to the American public about how this data is safe, what those rules of the road will be and how they will be impervious or at least highly protected against intrusion or interference, I think it would be very valuable for our consumers,” Blumenthal told Andrew Smith, director of the FTC’s Bureau of Consumer Protection, at the hearing.
While Smith focused on the Trade Commission’s education and outreach efforts, Senators including Blumenthal questioned whether education or tools like warning letters are enough, especially during such a far-reaching crisis as the coronavirus pandemic.
But Smith is not opposed to further work on the data privacy front as it relates to contact tracing. Rather, he testified that he saw privacy legislation as a helpful tool in getting consumers to trust contact tracing efforts, potentially improving the practice as more people feel comfortable in participating.
“Commission has testified in favor of broad privacy legislation,” Smith said. “But that failing, contact tracing legislation would be great.”
Wicker, the chairman of the Senate Commerce Committee, along with Sens. John Thune, R-S.D., Jerry Moran, R-Kansas, and Blackburn introduced legislation called the COVID-19 Consumer Data Protection Act in April that would protect consumer data shared with companies legitimately participating in contact tracing from misusing that data for other purposes. The bill would require transparency from companies on issues like how long they will retain personal data. It would also require companies to delete or anonymize personal information post-pandemic.
Klobuchar emphasized that COVID-19 has only “put a magnifying glass” on the issue of data privacy, suggesting that actions taken to protect consumer data during the pandemic may have wider implications on technology regulation beyond the current health crisis.
The data privacy concerns bubbled over in the hearing at the same time it is becoming less clear whether Google and Apple are serious about their stated privacy commitments when it comes to contact tracing. Even after the tech giants promised they would work to protect privacy in their contact tracing partnership, Google continued to require access to Android users’ location data, the New York Times reported.
The hearing was also five days after Europe’s highest court struck down the Privacy Shield agreement, which allowed for the transfer of data from users in the European Union to tech companies in the U.S., marking a victory for privacy-rights activists. The court found that the shield did not provide strong enough protections from surveillance by those tech companies.
Some of the same senators raising red flags at Tuesday’s hearings about consumer data protections were unhappy with the Privacy Shield decision, though. Wicker and Moran said in a statement a day after the decision came down that it would have a “troubling” effect on businesses.
“This would cause significant disruptions to data transfers and trade activity between the EU and the United States,” they said in the statement. “We need to work quickly to establish a successor framework that supports economic development and adequately protects consumer data across borders.”