Lessons from COVID-19 for a New US Privacy Framework

COVID-19 has forced an increased reliance on technology and data, both in our daily lives and in responding to the pandemic. The pandemic has also demonstrated, more than ever before, the need for a comprehensive US federal privacy framework. CIPL has published a new paper entitled “Data Protection in the New Decade: Lessons from COVID-19 for a US Privacy Framework.” It highlights seven key lessons from the health crisis to consider when developing a new privacy framework for the US:
 
1. Data and the technologies that facilitate its collection and use are an essential part of our lives.
 
Since the start of the pandemic, technology fueled by data has kept our economy and society operating as key aspects of our lives (e.g. work, shopping, education, entertainment, medical care, social life, etc.) have moved online. Data has also been essential for medical research and developing tools to fight the pandemic, as well as to ensure a safe re-opening of our businesses. This situation has also highlighted the ability to share data both between organizations and between the public and private sectors, which, in turn, has put a spotlight on important data protection and privacy issues. We’ve learned that we must have a privacy framework that is flexible and nimble enough to effectively meet the increasing need to use and share data in new ways. Any US data privacy law, therefore, needs to be drafted in a way that both protects individual privacy and enables the effective use of data.
 
2. A privacy law must not impede the responsible use of artificial intelligence (AI).
 
AI has played a key role in developing technologies to combat the spread of COVID-19 as well as in developing a vaccine and other treatments for the virus. These are just the latest examples of how AI has been used to revolutionize business operations and generally transform core aspects of how we live. As such, any privacy rules we create should not seek to impede the development of AI technology, but must provide reasonable guardrails that enable its further development and responsible use.
 
3. The right to privacy must be balanced with other fundamental rights.
 
Times of crisis have demonstrated that the right to privacy cannot be absolute and must be balanced with other fundamental rights such as healthcare and the freedom of movement. A well-tailored privacy law can and must provide the flexibility to respond to crises such as the pandemic while also protecting individual privacy. As explained further below, a privacy law that is grounded in organizational accountability and rigorously enforced can deliver the appropriate balance and flexibility.
 
4. Traditional interpretations of data protection principles have proven insufficient to keep up with modern data uses.
 
Modern uses of data are challenging long-standing privacy principles. Consent has proven particularly inadequate to protect individuals given how data is used today and how it’s being used to respond to the pandemic. While consent remains relevant in some contexts, consent requests can improperly suggest to individuals that they are choosing between compromising their privacy (by giving their consent) and maintaining their privacy (by not consenting). But privacy protections should not and need not depend on whether one has consented to a particular data use. Moreover, consent can be burdensome to individuals in our increasingly complex, data-driven economy. Not even privacy experts could manage to invest the time and analysis it would take to make appropriate choices in the many contexts where consent is being requested. This overuse of consent has resulted in consent fatigue, which can render even legitimate and appropriate consent requests meaningless.  There are also many uses of data for which consent is not possible or even desirable — for example, developing a vaccine, enforcing quarantine, or contact tracing for people who have been exposed to the coronavirus, in addition to protecting national security, enforcing criminal laws, and conducting life-saving research. Thus, while there is a role for consent in certain circumstances, it should not be the principal protection mechanism of a modern-day privacy law.
 
5. Privacy laws should focus less on the collection of data and more on the use of data after collection.
 
Many existing privacy laws and proposals focus on the collection of data. However, the COVID-19 pandemic has demonstrated that there always are compelling reasons for collecting data, such as preventing the spread of the virus and medical research. Thus, privacy laws should focus less on data collection and more on how collected data can be used. They should apply a risk- or harm-based approach to determine what uses should be prohibited or allowed based on the actual risk they pose to individuals, taking into account the available mitigations to reduce the risk.
 
6. Privacy laws should embrace an accountability-based model of data protection.
 
The accountability-based model of data protection is the most promising model for the digital economy and society. It incorporates privacy risk assessment as one of its most important core elements. Risk assessments enable organizations to devise targeted privacy protections that focus on risky and harmful data uses while enabling other data uses that are not risky or harmful. This approach is ideally suited to the privacy challenges posed by unforeseen events like a pandemic because it facilitates tailoring privacy protections on a case-by-case basis to the risks at hand rather than casting the protective net so widely that it impedes beneficial and harmless data uses. CIPL’s Accountability Framework provides organizations a comprehensive approach for building, implementing and demonstrating accountable and risk-based privacy management programs. While this approach can and should be used even in the absence of a privacy law, any new US privacy law should incorporate an accountability requirement that can be implemented through comprehensive privacy management programs or other measures that operationalize compliance. Other accountability measures include leadership and oversight, appointing a person responsible for data protection compliance, effective and actionable transparency, training of relevant employees, written policies and procedures including on data security, or implementing contractual measures to ensure accountability in the context of cross-border data transfers. Such accountability measures are the future of ensuring both responsible and innovative data uses and robust and enforceable protections for individual privacy.
 
7. Comprehensive federal privacy legislation is the best approach to ensuring privacy protections in the US.
 
COVID-19 does not abide by state borders, and large amounts of data need to be shared across the country to respond to the emergency. If it wasn’t already clear, this situation has illustrated the importance of a privacy law that provides uniform protections for this data throughout the US. Personal data should not be subjected to a patchwork of different privacy regimes. Consumers deserve consistent protections and businesses deserve consistent rules that can enable economic activity and innovation across the country. Given the importance of personal data in the modern economy (as brought into even sharper focus by the pandemic), a single comprehensive approach to US privacy law should be considered a top priority, not least to facilitate economic recovery. It would rationalize and streamline data privacy requirements for US businesses and provide the basis for consumers to gain trust in the digital economy, embrace new technologies, and welcome rather than fear broad uses of data for social good and other beneficial purposes.


