Following on the heels of the COVID–19 Consumer Data Protection Act of 2020, a bill recently filed by Republican Senators, Democratic Sens. Richard Blumenthal and Mark Warner introduced the “Public Health Emergency Privacy Act.”
The bill regulates the collection, by entities public or private, (other than public health authorities or healthcare providers) of “emergency health data.”
Emergency Health Data
Emergency Health Data is defined as data linked or reasonably linkable to an individual or device, including data inferred or derived about the individual or device from other collected data, provided such data is still linked or reasonably linkable to the individual or device, that concerns the public COVID–19 health emergency. It includes;
- Past or present health condition
- Data derived from testing
- Whether a person has contracted or is likely to contract a disease
- Genetic data, biometric samples or biometric data
- Other data collected in conjunction with other emergency health data or for the purpose of tracking, screening, monitoring, contact tracing or mitigation, or otherwise responding to the COVID–19 public health emergency, including
- geolocation data (which includes: cell-site location information, triangulation data derived from nearby wireless or radio frequency networks and global positioning system data)
- proximity data, when such term means information that identifies or estimates the past or present physical proximity of one individual or device to another, including information derived from Bluetooth, audio signatures, nearby wire2 less networks, and near-field communications
- demographic data
- contact information for identifiable individuals or a history of the individual’s contacts over a period of time, such as an address book or call log
- any other data collected from a personal device.
The bill does not apply to service providers and provides a definition of service provider which is similar in some aspects, but not identical to the definition of “service provider” under the California Consumer Privacy Act (CCPA):
- A person who collects, uses or discloses emergency health data for the sole purpose of, and only to the extent that such entity is, conducting business activities on behalf of, for the benefit of, under instruction of and under contractual agreement with a covered organization.
- It does not include a person who develops or operates a website, web application, mobile application or smart device application for the purpose of tracking, screening, monitoring, contact tracing or mitigation, or otherwise responding to the COVID–19 public health emergency.
It also defines a “third party,” in a manner different than CCPA. “Third party’’ means, with respect to a covered organization:
- Another person to whom such covered organization disclosed emergency health data
- A corporate affiliate or a related party of the covered organization that does not have a direct relationship with an individual with whom the emergency health data is linked or is reasonably linkable.
it does not include:
- A service provider of such covered organization
- A public health authority
Data Protection Principles
For collection of health emergency data, the bill requires upholding key data protection principles that are similar to those quoted in the Republican COVID-19 privacy bill and, to some extent in the European Union’s General Data Protection Regulation and CCPA:
- Proportional/necessary: Collect, use or disclose such data that is necessary, proportionate and limited for a good faith public health purpose, including a service or feature to support such a purpose.
- Accuracy/rectification: Take reasonable measures, where possible, to ensure the accuracy of emergency health data and provide an effective mechanism for an individual to correct inaccurate information.
- Avoid discrimination: Adopt reasonable safeguards to prevent unlawful discrimination on the basis of emergency health data.
- Limited disclosure to the government: Disclose such data to a government entity when the disclosure:
- is to a public health authority
- is made in solely for good faith public health purposes and in direct response to exigent circumstance
- Adequate security: Establish and implement reasonable data security policies, practices and procedures to protect the security and confidentiality of emergency health data.
Collection of health emergency data is prohibited if done for:
- Commercial advertising, recommendation for e-commerce or the training of machine-learning algorithms related to, or subsequently for use in, commercial advertising and e-commerce
- Soliciting, offering, selling, leasing, licensing, renting, advertising, marketing or otherwise commercially contracting for employment, finance, credit, insurance, housing or education opportunities in a manner that discriminates
- Segregating, discriminating in, or otherwise making unavailable the goods, services, facilities privileges, advantages or accommodations of any place of public accommodation
Consent: Similar to the Republican COVID-19 bill, this bill requires consent for collection and use and allows for the revocation of such consent.
Consent is not required when the collection, use or disclosure is necessary and for the sole purpose of:
- Protecting against malicious, deceptive, fraudulent or illegal activity
- Detecting, responding to, or preventing information security incidents or threats
- The covered organization is compelled to do so by a legal obligation.
After an individual revokes consent, the covered organization shall cease collecting, using or disclosing the individual’s emergency health data as soon as practicable, but in no case later than 15 days after the receipt of the individual’s revocation of consent.
A covered organization is required to provide the individuals with a notice that describes:
- How and for what purposes the covered organization collects, uses and discloses emergency health data
- The categories of recipients to whom it discloses data
- The purpose of disclosure for each category
- The data retention and data security policies and practices for emergency health data
- Describes how an individual may exercise the rights under this Act and how to contact the Commission to file a complaint.
- A covered organization must destroy or render not linkable that individual’s emergency health data not later than 30 days after the receipt of an individual’s revocation of consent.
- A covered organization must not use or maintain the information the later of 60 days after the termination of the public health emergency declared or 60 days from collection.
- Deletion is defined as: Data shall be destroyed or rendered not linkable in such a manner that it is impossible or demonstrably impracticable to identify any individual from the data.
- The bill is not meant to prohibit collection of information for the purpose of scientific research.
- It does not apply to Covered Entities or Business Associates under HIPAA.
- A violation of this act shall be deemed a deceptive or unfair act under the FTC Act and subject to enforcement by the FTC, including with respect to common carriers and nonprofit entities.
- Additional enforcement can be done by state AG’s and any other officer of the state authorized by the state to do so.
- Individuals are granted a private right of action to bring claims with statutory damages of:
- An amount not less than $100 and not greater than $1,000 per violation against any person who negligently violates a provision of this Act.
- An amount not less than $500 and not greater than $5,000 per violation against any person who recklessly, willfully or intentionally violates a provision of this Act.
- Reasonable attorneys fees and litigation costs.
- Any other relief, including equitable or declaratory relief, that the court determines appropriate.