Warning that “the current exercise in physical distancing in which most nations are engaged has exposed important gaps in societies’ digital readiness,” the Information Technology and Innovation Foundation (ITIF) recently proposed a series of future stimulus actions for policymakers, including the enactment of a federal privacy law.
“If policymakers seize the opportunity to address these gaps,” ITIF’s report suggested, “they will make it easier for the world to manage the next pandemic (which we hope won’t be soon) while also providing significant social and economic benefits.”
ITIF identified the problem during the COVID-19 crisis as being that, “Data can play a role in pandemic response by allowing authorities to track the spread of the disease, measure the level of compliance with stay-at-home orders, and identify individuals who may have crossed paths with an infected individual (i.e., contact tracing). But many of these useful data-driven public health interventions during a pandemic are complicated by the lack of a national data privacy framework that would enable organizations to collect and share this type of information with government and researchers. In addition, some government officials are reluctant to release critical public health information to the public because of concerns about violating privacy laws.”
Moreover, the report pointed to the example of the EU and GDPR, stressing that “stricter limits on data collection, as various state and federal laws have proposed, could make it more difficult to collect consumer data or reuse it for public health purposes.”
ITIF’s solution is one of the Insights Association’s top policy objectives, which we are pursuing with the Privacy for America coalition: a comprehensive U.S. privacy law.
“Congress should establish a unified national approach to privacy by preempting state laws to make it easier to create national datasets that can be used to organize a nationwide response to a pandemic. Moreover, such legislation should provide explicit carve-outs to obtaining consent for data uses that are in the public interest, including responding to public health emergencies. The COVID-19 crisis should be a reminder that privacy laws focused on only protecting individual rights can overlook important societal and communal values. The goal should be to balance privacy with innovation by minimizing compliance costs and restrictions on data use. Legislation also should address concrete privacy harms rather than hypothetical ones, improve transparency requirements, and strengthen oversight and enforcement through the Federal Trade Commission (FTC). Congress should not include data-minimization requirements, universal opt-in rules, purpose-specification requirements, limitations on data retention, a right to deletion, a private right of action, or privacy-by-design requirements.”