Governments worldwide have employed digital contact-tracing applications to monitor and combat the spread of the COVID-19 virus. Early in the pandemic, contact-tracing was left to state and local governments, leading to a patchwork of contact-tracing networks. Due to this piecemeal approach, applications are often not interoperable, leading to an inability among some applications to exchange data and limiting the effectiveness of tracing the virus’ spread. The 116th Congress attempted to address these gaps in coverage, advocating for a national, federal framework. However, contact-tracing applications raise two interrelated privacy risks: unwanted access to information by government actors and unwanted access to information by private actors such as third-party advertisers. As there was a push for active oversight of other pandemic-related activities with the passage of the CARES Act, there should be a similar drive to extend oversight to digital contact-tracing in the 117th Congress.
To date, the only oversight mechanism relating to COVID data privacy requires the Centers for Disease Control (CDC) to report to Congress within 30 days on “the development of a public health surveillance and data collection system for coronavirus.” This reporting requirement is insufficient to ensure that privacy and civil liberties are adequately safeguarded and does not specifically address digital efforts.
Five data privacy bills were introduced in the 116th Congress addressing pandemic digital contact-tracing. These initiatives were generally sparse in their adoption of oversight mechanisms. One bill fails to mention oversight entirely. Three bills (H.R.7472, S.3749, and H.R.6866) only include narrow reporting requirements. The Exposure Notification Privacy Act (ENPA) provides the most detailed model for congressional oversight. The ENPA would amend and expand the Intelligence Reform and Terrorism Prevention Act of 2004 to place oversight responsibility for actions taken by the executive branch to protect the nation from a “health-related epidemic” under the purview of the Privacy and Civil Liberties Oversight Board (PCLOB). The bill tasks PCLOB, an independent agency within the executive branch, with balancing these executive actions against the “need to protect privacy and civil liberties.” In addition to reviewing executive policy and practice, the PCLOB would have oversight of the information-sharing practices of departments, as well as the “collection use, storage, and sharing” of applicable data by federal, state, and local governments. PCLOB would also have a statutory mandate to issue reports on its findings within a year.
The 117th Congress will have the opportunity to reconsider a national contact-tracing strategy and, accordingly, which oversight mechanisms to implement. The ENPA model provides a strong starting point. The PCLOB has the mandate and capabilities to provide competent oversight on issues of privacy and civil liberties. As digital contact-tracing cuts across the purview of several agencies including the Federal Trade Commission (FTC) and the Department of Health & Human Services (HHS), the ENPA’s review of information-sharing practices is a consequential addition to future legislation. Additionally, the ENPA applies broadly to “health-related epidemics” rather than specifically to COVID-19, ensuring that oversight mechanisms are already in place if faced with a health emergency in the future.
Any government body (PCLOB or otherwise) delegated an oversight role in digital contact-tracing should be afforded a seat at the pandemic oversight “table.” Future CARES Act amendments should add a representative from this agency to the Pandemic Response Accountability Committee (PRAC) in order to ensure that the privacy and civil liberties of application users are given appropriate weight.
Contact-tracing applications require broad adoption, roughly 80% of U.S. smartphone users, to be effective. There have already been violations of users’ data privacy at the state level, which only serve to stoke suspicions and deter potential users. Reporting requirements alone are insufficient. A comprehensive statutory mandate for oversight is a critical element of any national digital contact-tracing strategy. Oversight mechanisms will work to assuage public concerns, prevent privacy violations, and investigate potential breaches.