Among countless other disruptions, COVID-19 has raised important questions about the limits of data collection and highlighted the shortcomings of both the European Union’s General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”). The pandemic has proven to be a black swan for which neither law nor its enforcement bodies are prepared—and which carries privacy-law implications that will persist long after the health crisis ends. Consequently, governments and businesses must work without meaningful existing guidance to strike a delicate balance between gathering the critical information needed to manage the virus and honoring the GDPR’s and CCPA’s stringent requirements.
Data Collection in Europe
The European Data Protection Board’s general guidance on how to collect data, in the context of COVID-19, leaves much room for interpretation. GDPR Articles 6 and 9 permit data collection without consent if the processing is necessary for the performance of a task carried out in the public interest. Although combating COVID-19 qualifies as a public interest need, it is unclear whether the collection methods employed, which vary by country, qualify as “necessary” under GDPR, or whether or to what extent those processes can sustain after the pandemic without violating the law. Each member state decides for itself how much intrusion is necessary, which invites comparisons to determine how far is far enough when gathering data in the public interest.
Germany, for example, abandoned its decision to use a database that would store pseudonymized proximity data (i.e., who has been near whom) on a centralized server in favor of a decentralized “contact tracing” model, in which users’ movement data is stored locally on the users’ device, and uploaded only after both a confirmed diagnosis of the virus and the users’ consent. The decentralized model affords greater privacy protections but inhibits real-time benefits of the system Czechia (formerly the Czech Republic) has adopted. It is unclear whether the success or failure of Germany’s model would bear on the question of whether Czechia’s more invasive method was “unnecessary” within the meaning of GDPR’s public safety exception. It is also unclear how relative success or “necessity” would be measured. Even if more hands-on methods like Czechia’s satisfy the public safety exception, the GDPR’s stringent requirements still limit what Europe’s data collectors can do compared to collectors elsewhere, and the European Union itself will not issue guidance on the subject for another month. As data collectors await help from the EU, they are left to make their best guess at how far they can push data collection practices without risking fines.
Concerns about GDPR compliance in the COVID age are well-founded, given that two years after its implementation, GDPR has been inconsistently enforced, both in terms of who gets punished and to what extent. There have been few large fines, those fines have not tracked the formula set out in GDPR; for example, Facebook is the sole recipient of a fine above 20m Euro, a fine that is much less than GDPR’s language suggests it would be. Moreover, adjudication lags significantly behind changes in enforcement, producing little precedential guidance. An organization that deploys a detailed exposure management tool may not know for years whether it will be severely punished, slapped on the wrist, or excused. In the United States, where the the sole state with a comprehensive data privacy law not yet begun to enforce it, things are no clearer.
Data Collection in the United States
The CCPA, which begins its enforcement period on July 1, will remain the country’s most broadly applied privacy law, as businesses across the nation come into compliance so that they can continue to reach California’s 40 million residents. The CCPA resembles the GDPR at least superficially, but the all-important enabling regulations have been up in the air for months and may not be final before enforcement starts. A crucial difference between the statutes is that, unlike the GDPR, the CCPA has no public safety exception. Consequently, data collectors must gather information in a way that stays outside the bounds of the CCPA altogether—by gathering data that is anonymous, deidentified, pseudonymous, or aggregated. Practically speaking, the focus is on how the data is collected and stored, not for what purpose it is collected. The California Attorney General’s Office has emphasized the privacy rights of Californians during the pandemic, but has not offered guidance on how data collectors can comply with the law.
Assuming a worst-case scenario for compliance requirements, companies like Google and Apple are devising innovative means of contact tracing to track carriers of the virus with approval from privacy experts. However, the process leaves room for the kind of expansion of data collection that would likely run afoul of the CCPA. For example, although the individual data bits gathered in the Google/Apple model are anonymized at collection, collectors working outside the four corners of the Google/Apple model could aggregate disparate bits of information to identify and target persons who self-report as Covid-positive. For now, the model only tracks contacts with carriers of COVID-19, but every additional data point that can be associated with a data subject—even by a cellular carrier—could threaten to help reconstruct the personal data that CCPA aims to protect.
Even before COVID-19, privacy law in the United States was in a state of flux. In late 2019, the Senate produced two proposals for America’s first federal privacy law, the Democrat-sponsored Consumer Online Privacy Rights Act (COPRA), and the Republican-sponsored Consumer Data Privacy Rights Act (CDPR). Although the bills agree on broad points such as basic compliance requirements, the proposals differ in whether a private right of action should exist and whether the federal law should preempt state law. Neither federal bill has gained traction, and the GDPR’s legion enforcement problems coupled with the unique concerns COVID-19 raises will likely make Congress wary of a federal law’s viability at this time.
Consequently, the CCPA appears poised to be a de facto national standard for the foreseeable future, although even the fundamentals of the statute are being questioned. In March, a coalition of 35 businesses petitioned California’s Attorney General, Xavier Becerra, to delay the CCPA’s July 1 enforcement date in light of the pandemic, a request that Mr. Becerra denied. Just last week, Californians for Consumer Privacy, the same advocacy group behind the ballot initiative that led to CCPA’s creation, announced that it had obtained enough signature to qualify a more robust privacy law, the California Privacy Rights Act, to earn a place on the November 2020 ballot.
In short, COVID-19 has complicated a critical moment for data privacy law because the things that are most effective against the current pandemic are also the most likely to offend principles of emerging and expansive privacy law. These laws and regulations may have been written without thinking that 101 years after the Spanish Influenza epidemic of 1918, a similarly dangerous condition could arise again. It remains unclear whether the current public health crisis will cause authorities to dial back enforcement in the interest of defeating a pandemic, whether ruling bodies will rewrite laws to accommodate societal conditions no one imagined when the laws were drafted, or whether regulators will simply work to rules already in place.
For more information regarding this article, please contact Kevin Connor.
For information regarding Dykema’s Privacy and Data Security Team, please contact Cindy Motley.
To sign up for Dykema’s Privacy and Data Security Blog e-mail updates, please click here.
As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. ©2020 Dykema Gossett PLLC.