Today, Senators Blumenthal (D-CT) and Mark Warner (D-VA) introduced the Public Health Emergency Privacy Act (“PHEPA”) into the Senate. A companion house bill was introduced by Reps. Anna Eshoo (D-CA), Jan Schakowsky (D-IL), and Suzan DelBene (D-WA), which was co-sponsored by Reps. Yvette Clarke (D-NY), G.K. Butterfield (D-NY), and Tony Cárdenas (D-CA). This and similar legislation has been introduced in the last week as health agencies and technology companies nationwide are developing contact tracing and monitoring tools to contain the pandemic.
The Act would restrict data collected for public health purposes, limit what and by whom it can be collected and for what purposes it can be used. For example:
- It requires data minimization procedures for that info, and require opt-in consent for any efforts.
- It would formally mandate data collected to fight the pandemic be deleted after the public health emergency.
- The bill would protect personal data collected in connection with COVID-19 from being used for non-public health purposes,
- It would prohibit conditioning the right to vote based on use of such services or a medical condition.
- It provides for both public enforcement (by the FTC) as well as a private right of action.
- The private right of action specifies a range of statutory penalties ($100-$1000 for negligent violations, $500-$500 for reckless, willful, or intentional violations), plus attorney fees and costs, and any other appropriate relief. It would also make the statutory violation sufficient injury to allege standing.
This Democratic legislation comes as a counterproposal to the Senate Republicans’ bill, the COVID-19 Consumer Data Protection Act, failed to gain Democratic support. The Republican bill’s opt-in requirement was more limited to data collected for purposes of tracking the spread of the virus, and did not include the same civil rights protections that are included in this legislation. It also did not include a private right of action. Both bills, however, include rules mandating transparency and consent, and controlling the use of data for purposes other than public health.
An unofficial copy of the legislation is available here on the website of the Electronic Privacy Information Center (EPIC). We will update this post once it is available in the Congressional Record.