Published by The Lawfare Institute
in Cooperation With
Over the past several weeks, Senate Republicans and Democrats have introduced competing bills to regulate how companies can collect and use diagnostic and geolocation data to conduct contact tracing and other forms of disease surveillance. The proposals have important differences: The Republican bill would apply only to companies, while the Democratic bill would also apply to non-public-health government agencies; and the Democratic bill also imposes data-security requirements and a host of civil rights safeguards. But at their core they propose similar restrictions on data collection and use, suggesting an emerging bipartisan consensus. Much of this consensus is valuable, and the provisions encouraging effectiveness and transparency, as well as the prohibition on using coronavirus data for anything other than public health purposes (for example, no advertising), should be adopted. But a key part—the focus on individual consent to collection—is a mistake.
Both bills require organizations to get affirmative consent from users before collecting coronavirus-related data. The bills also stipulate that consent cannot be inferred from inaction; users must expressly agree to have their data collected. Both bills also provide users with the right to revoke consent and opt out of collection. The Democratic bill’s sponsors justify the consent provisions on the grounds that people won’t trust health companies with their data unless they know it’s being protected. Maybe. But it’s just as possible that requiring people to opt in will discourage them from participating in the first place. In countries such as Singapore and Australia, where participation in tracking apps is voluntary, participation levels have remained low, thus rendering the programs ineffective (because the effectiveness of a contact-tracing app is the square of the fraction of the population that uses it). There’s no reason to think that voluntary programs will fare any better in the United States.
Individualized consent has long been the core of American data-privacy regulation, and so it is unsurprising that lawmakers defaulted to this model. But whatever the appropriateness of a consent model for run-of-the-mill data collection, it is the wrong framework here. As an excellent essay from the “Fighting Covid with Data” working group explains, “[I]t doesn’t make sense, given the particular characteristics of this virus, to treat each individual’s privacy choices as a matter for individual control.” Because a person’s decision not to participate in a tracking program might put others at risk, “[a]s with lockdowns, the decision must be made at a collective level. A user choice conception of privacy must give way to other societal interests.” As the working-group authors explain, this is the basis behind traditional public health law, which mandates centralized reporting of infectious diseases, no matter the privacy preferences of the patient.
Lawmakers can promote effective digital disease surveillance, or they can give people total control over their health-related data. But they can’t do both. Congress would do better to focus on making sure that whatever digital disease-surveillance programs come about actually work. If bending the curve is the highest priority, then participation in effective disease-surveillance programs should be mandatory.