
dc.creator: Schmit, Cason
dc.date.accessioned: 2023-03-22T15:11:14Z
dc.date.available: 2023-03-22T15:11:14Z
dc.date.issued: 2023-03-22
dc.identifier.uri: https://hdl.handle.net/1969.1/197507
dc.description [en_US]: The National Committee on Vital and Health Statistics (NCVHS) Subcommittee on Privacy, Confidentiality and Security (PCS) requested this environmental scan to better understand recent developments in privacy, confidentiality and security issues in the health, healthcare, and public health sectors. Accordingly, this environmental scan was developed to guide PCS and NCVHS in identifying new major projects to pursue. This report is primarily focused on developments occurring during or after 2018.
dc.description.abstract [en_US]:

Information privacy, confidentiality, and security continue to be issues of national importance. In the last four years, there have been substantial developments in law, legal theory, data analytics, privacy preserving technologies, efforts to promote novel and socially beneficial data applications, and public disclosures of concerning data applications. The National Committee on Vital and Health Statistics (NCVHS) Subcommittee on Privacy, Confidentiality and Security (PCS) requested this environmental scan to better understand recent developments in privacy, confidentiality and security issues in the health, healthcare, and public health sectors. Accordingly, this environmental scan was developed to guide PCS and NCVHS in identifying new major projects to pursue. This report is primarily focused on developments occurring during or after 2018.

PROPOSED AND ENACTED STATE AND FEDERAL PRIVACY LEGISLATION

Nationally, there are intensive efforts to address privacy and security risks in state and federal legislation. At the state level, momentum for new comprehensive privacy legislation is “at an all-time high.” Since 2018, five states have adopted new comprehensive privacy laws: California, Colorado, Connecticut, Virginia, and Utah. Four additional states—Michigan, New Jersey, Ohio, and Pennsylvania—have comprehensive privacy bills under active consideration. Also noteworthy is the Uniform Law Commission’s Uniform Personal Data Protection Act, which introduces several innovative privacy provisions. These innovations include a factor-based approach to defining allowable data uses and incorporating a voluntary consensus standard approach to enable the law to adapt to evolutions to data practices over time.

In comparison to state activity, few new federal privacy laws have been adopted. However, dozens of bills have been introduced, and at least one has broad support. The 21st Century Cures Act’s regulations defining exceptions to the Act’s prohibition of “information blocking” are a notable exception to relative federal inactivity. Nevertheless, Congress has been busy exploring new federal privacy legislation with over 50 federal privacy bills introduced during the 117th Congress. Of these, the American Data Privacy & Protection Act (ADPPA) is considered the most significant and promising federal comprehensive privacy effort in the past decade. However, there are still significant political challenges to overcome before the ADPPA can become law.

NEW PRIVACY AND SECURITY RISKS AND PROMISING POLICIES, PRACTICES AND TECHNOLOGIES

This environmental scan explores two significant new risks to privacy and security: artificial intelligence and law enforcement use of private data. Artificial intelligence has evolved in a largely unregulated space. This has created significant alarm due to the growing reliance on these tools across sectors. Risks associated with artificial intelligence cross social, health, economic, and political dimensions. Notably, artificial intelligence processes can be opaque, making it difficult for consumers to understand risks or difficult for processors to evaluate the unintended effects of their algorithms. In particular, group harms can be pronounced in artificial intelligence applications.

Additionally, multiple high-profile stories have alarmed the public and lawmakers about the scope of law enforcement use of data. These include the use of commercial DNA databases to identify criminal suspects from the DNA of their distant relatives, the criminalization of once legal health procedures (e.g., after the Dobbs v. Jackson Supreme Court decision, which overturned a long recognized federal constitutional right to abortion), as well as law enforcement using commercial surveillance tools to achieve “mass surveillance on a budget.”

Despite these challenges, there are many innovations in privacy policies, practices, and technologies. This report describes four primary approaches to contemporary privacy legislation: (1) the consumer protection model, e.g., notice and consent, (2) the data protection approach, similar to the European Union’s General Data Protection Regulation (GDPR), (3) the antitrust approach, i.e., focusing oversight on dominant entities, and (4) the information fiduciary approach, i.e., imposing legal duties of confidentiality, care, and loyalty on data controllers.

Similarly, this report describes different approaches to privacy enforcement. Each alternative can be consequential for the effectiveness of a given regulatory framework. These enforcement options include (1) delegating enforcement authority to a preexisting or newly created agency, (2) enforcement through an individual right of action, (3) deputizing intermediaries to enforce standards and discipline, (4) increasing standards and associated penalties according to the scale of the activity or the size and sophistication of the regulated entity, (5) profit disgorgement, and (6) personal liability for corporate executives.

POTENTIAL PROBLEMS IN GOVERNANCE OF HEALTH INFORMATION

The U.S. privacy framework is often derided as a patchwork of laws. This patchwork is both overly complex and underprotective. The U.S. legal privacy framework is underprotective when its sector-by-sector and jurisdiction-by-jurisdiction approach leaves personal information un(der)-regulated (e.g., commercial data). This sectoral approach leads to uneven protections that can be confusing to consumers (e.g., health information stored in a hospital versus health information stored in a fitness-tracking app). The U.S. privacy framework is also overly complex because of inconsistency between jurisdictional approaches. This variability complicates compliance. This is one reason why industry has embraced calls for a national comprehensive privacy law. Notably, the U.S. privacy framework might also be considered overprotective where it restricts popular and socially beneficial data uses. For example, a 2020 national survey of U.S. adults measured privacy preferences, and it identified instances where socially beneficial and popular data uses might be impeded by existing privacy restrictions.

This environmental scan also identifies and explores important and contentious issues in legislative debates. These include (1) defining and regulating sensitive data, (2) preemption of state laws, (3) treatment of existing federal laws, (4) authorizing an individual right of action, and (5) the impact of privacy legislation on healthcare and public health data practices.

In addition, developments in data science, world events, and privacy scholarship necessitate discussion of four additional issues. First, artificial intelligence’s anticipated risks and benefits warrant regulatory attention, but it presents a challenging regulatory target. Second, the COVID-19 response exposed significant challenges and concerns in public health data collection, use, sharing, and governance. Third, de-identification remains a significant issue in part because (1) data science and reidentification methods have seemingly outgrown decade-old guidance, and (2) new scholarly thinking on group harms raises concerns about the effect of deidentification methods on groups. Fourth, there is increasing skepticism of the effectiveness of the notice-and-consent model within legal scholarship, which raises questions on the sustained reliance on this approach given available alternatives.

OPPORTUNITIES FOR TIMELY ADVICE FROM NCVHS TO THE HHS SECRETARY REGARDING CONSTRUCTIVE ACTIONS THAT HHS AND OTHER FEDERAL DEPARTMENTS MIGHT TAKE

This environmental scan identifies four opportunities for timely advice to the HHS Secretary:

1. De-identification remains a critically important issue in privacy. It would be prudent to revisit the 2017 NCVHS recommendations on deidentification, which remain highly relevant to contemporary issues, in addition to other considerations (e.g., group harms).

2. Recent concerns about law enforcement access to and use of private information raise parallel questions about whether existing law enforcement disclosure exceptions in some privacy laws might enable inappropriate uses. An NCVHS convening could help refine and identify nuance within this area. Some of the issues that could be explored in more detail include narrowing the scope of law enforcement exceptions and imposing data protection requirements on data disclosed for law enforcement purposes (e.g., duties of data minimization or purpose limitation).

3. Artificial intelligence and machine learning tools are reshaping the structures of health care delivery as well as broader social structures, but many existing federal laws do not account for the fundamental difference in the scope and scale of the risks associated with these automated processes. A future NCVHS convening could explore the following issues: (1) standards and requirements for conducting algorithm impact assessments, (2) algorithm transparency requirements or standards, and (3) higher standards, duties, or penalties based on the size and sophistication of the data controller.

4. There are important health implications for the Federal Trade Commission advance notice of proposed rulemaking (ANPRM) on Commercial Surveillance and Data Security. Some unintended consequences could be mitigated by early communication between HHS and FTC to ensure that proposed rules consider the health perspectives and objectives. If FTC promulgates new regulations on commercial surveillance, joint guidance by the FTC and HHS might be needed to ensure that HIPAA covered entities understand their compliance obligations under both laws. A future NCVHS convening could explore whether timely comments or input could inform or assist the FTC rulemaking process and group harm considerations.
dc.description.sponsorship [en_US]: National Committee on Vital and Health Statistics, U.S. Department of Health and Human Services
dc.publisher [en_US]: National Committee on Vital and Health Statistics
dc.rights [*]: CC0 1.0 Universal
dc.rights.uri [*]: http://creativecommons.org/publicdomain/zero/1.0/
dc.title [en_US]: Ongoing and Emerging Issues in Privacy and Security in a Post COVID-19 Era: An Environmental Scan
dc.type [en_US]: Technical Report
local.department [en_US]: Health Policy and Management


Except where otherwise noted, this item's license is described as CC0 1.0 Universal