The COVID-19 pandemic has had a disparate effect on privacy regulators, with varying levels of enforcement advocated by different government entities. The California Attorney General, the U.S. Department of Health and Human Services (HHS), European data protection authorities, and other regulators have taken different, often contradictory, approaches to dealing with the competing interests of a struggling economy and the threat of increased privacy and cybersecurity violations. These contradictions are likely to persist, as competing privacy legislation was recently introduced in Congress to regulate the collection and use of personal information during the COVID-19 pandemic.
Businesses struggling with the virus’s economic impact are striving to allocate resources for maximum financial benefit; simultaneously, risks to personal information and privacy rights have increased in a remote global workforce where phishing, malware, and other cyberattacks proliferate and the political pressure to collect and track medical information regarding COVID-19 infections mounts. With the seemingly competing interests of protecting the bottom line and addressing a heightened threat to privacy, some privacy regulators are responding to these new realities by relaxing enforcement efforts, while others decline to do so in recognition of the current risk to privacy and information security.
Below is an update on how different regulators have responded regarding enforcement since the COVID-19 national emergency was declared.
THE CALIFORNIA ATTORNEY GENERAL REMAINS STEADFAST ON THE CALIFORNIA CONSUMER PRIVACY ACT
The California Attorney General has declared that despite the pandemic, it will not delay enforcement of the California Consumer Privacy Act (CCPA), which is set to begin on July 1.
In late March, as the extent of the COVID-19 pandemic was becoming clear, a joint industry letter by advertising and adtech trade associations asked the Attorney General’s office to delay enforcement of the CCPA until 2021. The letter highlighted that “[t]he public health crisis brought on by COVID-19 juxtaposed with the quickly approaching enforcement date for the CCPA places business leaders in a difficult position. They are forced to consider trade-offs between decisions that are best for their employees and the world at-large and decisions that may help the organizations they lead avoid costly and resource intensive enforcement actions.”
In an email to Forbes magazine, an advisor to the Attorney General responded, “Right now, we’re committed to enforcing the law upon finalizing the rules or July 1, whichever comes first … We’re all mindful of the new reality created by COVID-19 and the heightened value of protecting consumers’ privacy online that comes with it. We encourage businesses to be particularly mindful of data security in this time of emergency.”
On June 2, 2020, the Office of the Attorney General announced that it had submitted the Final Text of the Proposed Regulations to the California Office of Administrative Law (OAL) for approval. The Office of the Attorney General requested an expedited review period of thirty (30) business days which, if approved, means the Final Text of the Proposed Regulations could become effective in mid-July. With less than 30 days until the planned enforcement date, businesses subject to the CCPA should ensure that their CCPA compliance efforts remain on track. As a further incentive to ensure your compliance framework is in place, the California Privacy Rights Act (CPRA), commonly referred to as CCPA 2.0, has garnered enough signatures to appear on the November 2020 ballot in the state of California. Among other measures, the CPRA would create a new enforcement agency (the California Privacy Protection Agency), expand data breach liability, and impose additional obligations on service providers, third parties, and contractors. In a nod to the business community, the CPRA would extent the current moratoriums on certain employee and business-to-business data from 2021 to 2023.
EUROPEAN REGULATORS SIGNAL FLEXIBILITY
The European Data Protection Board (EDPB), an agency created under the General Data Protection Regulation, issued a statement on the processing of personal data in the context of COVID-19. The EDPB stated that even during this pandemic, data controllers and processors must ensure the lawful processing of personal data, but it also noted that an “emergency” might legitimize “the restriction of freedoms provided these restrictions are proportionate and limited to the emergency period.”
The EDPB provided clarification on how public health authorities and employers can process personal data in the context of a pandemic, pointing to legal bases such as processing pursuant to a legal mandate of a public authority and compliance with health and safety obligations that are in the public interest.
The EDPB also issued two new guidelines: (1) "Guidelines 03/2020" on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak and (2) "Guidelines 04/2020"on the use of location data and contact tracing tools in the context of the COVID-19 outbreak. "Guidelines 03/2020" allows health data to be processed for the purpose of scientific research with the consent of the data subject, as long as there is not a significant power imbalance, or without consent for the purpose of complying with national legislation. "Guidelines 04/2020" discusses the use and collection of location data to map the spread of the virus and contact tracing for notification purposes. The guidelines provide that contact tracing applications should be voluntary, rely on proximity information regarding users rather than tracing individual movements, and grant preference to processing anonymized data where possible. The EDPB emphasized in its guidance that response to the crisis and protection of the right to privacy are not mutually exclusive.
Data protection authorities in nearly all EU member states and the United Kingdom have issued similar guidance on the processing and sharing of personal data related to COVID-19. Organizations should continue to monitor guidance issued by the EDPB, the United Kingdom, and national data protection authorities in the countries in which organizations have a presence.
DEPARTMENT OF HEALTH AND HUMAN SERVICES RELAXES ENFORCEMENT OF THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT
Perhaps the most critical response to the COVID-19 pandemic has been from the Office of Civil Rights in HHS, which is charged with the enforcement of the Health Insurance Portability and Accountability Act (HIPAA). Compounding the conflict between the conservation of resources to protect the bottom line and heightened privacy concerns in the crisis is a third element in play under HIPAA: the critical role of protecting the privacy and security of personal medical and health information as the crisis escalated.
While covered health care entities must continue to comply with the privacy and security rules under HIPAA, HHS has issued guidance and relied on its discretion to relax enforcement and waive penalties for community-based testing sites, public health and health oversight activities conducted by business associates, disclosures made to law enforcement and first responders, and telehealth service providers. With the proliferation of telehealth services during the pandemic, it remains to be seen whether HHS will extend its policy of relaxed enforcement after the emergency has subsided.
FEDERAL TRADE COMMISSION WARNS OF INCREASING THREAT
On May 19, the Federal Trade Commission (FTC) issued a public warning regarding scammers posing as contact tracers hired by state governments to obtain personal information such as Social Security Numbers from unsuspecting individuals. A few days later, in coordination with the Federal Communications Commission, the FTC instructed service providers that enable robocalling to terminate services to any customers exploiting the pandemic to obtain sensitive information from individuals, threatening such providers with “serious consequences” for failure to comply. These recent statements by the FTC follow warnings of surging complaints since the beginning of the year (upward of 18,000 as of mid-April) related to the coronavirus and signals of increased enforcement activity by the agency.
CONGRESS PROPOSES COMPETING COVID-19 PRIVACY LEGISLATION
Reflecting the larger clash of interests, conflicting privacy legislation is currently pending in both houses of Congress. The COVID-19 Consumer Data Protection Act, introduced by Republican senators in May, seeks to regulate the collection and processing of personal health information, geolocation data, identifiers, and other data during the health emergency. Shortly thereafter, Democratic members of the House proposed the Public Health Emergency Privacy Act, which would broadly regulate “data linked or reasonably linkable to an individual or device, including data inferred or derived about an individual or device.” Most notably, the House bill includes a private right of action (a right not included in the Senate bill). Then, on June 1, 2020, Senators from both sides of the aisle introduced another Senate bill called the Exposure Notification Privacy Act (ENPA), which would regulate contact tracing and exposure-notification apps. Among other obligations, the ENPA would require affirmative express consent to collect data from an individual including COVID-19 status and geolocation, and includes restrictions on how such data may be used. Despite their differences, the speed at which these three bills were introduced underscores the urgency in Congress to address contact tracing technologies and holding government and businesses accountable for how collected personal information is used. Congress has not yet succeeded in passing national privacy legislation. Nonetheless, given the current exigent circumstances, if any one of the proposed bills is passed, it could form the basis for a future, more expansive general privacy legislation at the federal level.
WHAT YOU NEED TO KNOW
- The CCPA is set to become enforceable on July 1. If your business is regulated by the CCPA, you have a limited window to comply.
- Government authorities have pursued different, frequently contradictory, approaches to enforcing data privacy and cybersecurity regulations during the COVID-19 pandemic.
- It is imperative that you understand the data privacy and cybersecurity regulations applicable to your business and develop creative compliance programs that respect the integrity and security of personal information and maximize its value to your business.
- If the potential for new federal privacy legislation is realized, additional regulations will be forthcoming, including regulation of contact tracing programs to combat the COVID-19 pandemic.
Reprinted with permission from the June 8, 2020, issue of Business Law Today. © 2020 American Bar Association. All Rights Reserved. Further duplication without permission is prohibited.
To see our other material related to the pandemic, please visit the Coronavirus/COVID-19: Facts, Insights & Resources page of our website by clicking here.
Click here to view the full article