A recent Compliance Week article by Aaron Nicodemus, "Contact Tracing App Development Stunted by Inaction in Congress," includes David Shonka's commentary on privacy law and the handling of the coronavirus pandemic.  While a strong federal data privacy law would represent a big leap in protecting people’s personal identifying information, it could have an immediate impact in the area of contact tracing.  In the following excerpt, David discusses some reasons why the development of a contact tracing app remains stalled in the United States.

In previous outbreaks, contact tracing has proven vital in stemming the spread of infection. New technology could augment the traditional contact tracing method used by health authorities, which is to call infected patients, ask for the names and numbers of people they have been in contact with, and ask that those people get tested and self-isolate.

With a contact tracing app on people’s smartphones, health authorities could effectively monitor large populations for potential coronavirus infection hotspots. They could use the data to safely reopen communities or implement shut-down measures to control the virus’s spread.

But the effort to create contact tracing apps has been hampered by a lack of a federal data privacy law. Congress’s failure to act is causing America to fall behind Europe and the rest of the world in creating contact tracing apps that could, in theory, allow health officials to monitor and react to coronavirus hotspots in real time.

While countries like South Korea, India, the United Kingdom, France, Germany, Italy, and Norway have begun testing and rolling out contact tracing apps, U.S. development of contact tracing apps remains stuck in neutral. There is no movement afoot to develop a federal contact tracing app; in fact, only a handful of states have even expressed interest in developing their own.

“My sense of the difference between the EU and the U.S. is that U.S. citizens have a stronger distrust for their government than EU citizens do of their governments—which is ironic since the U.S. has stronger checks on government conduct (independent judiciary and active legislative oversight) than do European nations and of course European citizens have historically suffered far greater damage from government overreach than U.S. citizens have,” said David Shonka, a partner at the Washington, D.C.-based law firm Redgrave, who served three terms as acting general counsel at the Federal Trade Commission (FTC). “Moreover, in the current environment, the U.S. lacks the strong moral leadership (and I mean leadership, not authoritarianism) that the country needs to work through the political conflicts and mistrust.”

Competing data privacy bills introduced to Congress have exposed the fault lines between the Republican and Democratic views on regulating data privacy.

The first issue is pre-emption—that is, whether the federal privacy law should supersede any and all state laws on the subject.

The Republican and Democratic bills also diverge on another key point: whether to allow victims of data breaches to sue companies that lose control of their personal data. The Democratic bill would allow for class-action lawsuits; the Republican bill would deny that right.

The first state data privacy law, the California Consumer Privacy Act (CCPA), gives consumers the right to sue companies that mishandle their data. Republicans would like to see their version of a federal data privacy law defang this and other provisions of the CCPA.

“That’s going to be a significant battle line,” Shonka said. “With this Congress, I don’t know that they can pass anything.”

Published by Compliance Week