Businesses should make no assumptions, in these strange and unsettling times, about what they can and cannot do to track employees’ COVID-19 contacts or work productivity. Four Republican senators have backed a bill that places restrictions on contact tracing. Is a privacy bill sponsored by Republicans and offered during a pandemic topsy-turvy? Maybe, maybe not.
Introduced by its primary sponsor, Senator Roger Wicker (R-Miss.), the COVID-19 contact tracing bill, entitled “COVID-19 Consumer Data Protection Act,” would require a privacy notice detailing how the information would be collected, processed, and retained, and with whom it would be shared. The organizations processing the data would also be required to issue periodic public reports as to the number of individuals whose data was processed, the categories of data, why it was transferred to third parties and to whom the data was transferred. Individuals must be given the right to opt out. The law would be enforced by the Federal Trade Commission under its unfair and deceptive practices jurisdiction, but state attorneys general could bring civil suits under limited circumstances.
The bill is similar in many respects to legislation under consideration in the UK. Members of Parliament have submitted a report detailing the safeguards for privacy (including transparency as to methods of collection, sharing, data retention and cybersecurity for the data, and protections against “scope creep” for uses of the data) to be included in the final legislation, pursuant to the European Convention on Human Rights (to which the UK is a signatory) and the General Data Protection Regulation (which remains in effect in the UK until December 31, when it will be replaced by the substantially similar Data Protection Act of 2018).
The US bill significantly parts company with the UK proposal, though, in preempting state laws that hew closer to the European model of greater protection for privacy of health and geolocation data. Some may consider the US bill, then, a Trojan Horse for the preemption that pending Senate bills on privacy have sought.
Businesses considering such contact tracing applications as a condition for return to offices, as well as software that monitors what employees are doing on home devices on which they do remote work for their employers, should be aware that a number of US states, including California, have laws restricting the scope of such monitoring or requiring affirmative consent before the employer can engage in such surveillance.
The tensions between privacy, the exigencies of returning to pre-pandemic business and public health considerations will continue to pose challenges for businesses large and small. If you have questions regarding the uses of the surveillance tools and applications discussed here, please contact Kenneth N. Rashbaum.