Ongoing and Emerging Issues in Privacy and Security in a Post COVID-19 Era: An Environmental Scan Institutional Repository Document

abstract

  • Information privacy, confidentiality, and security continue to be issues of national importance. In the last four years, there have been substantial developments in law, legal theory, data analytics, privacy preserving technologies, efforts to promote novel and socially beneficial data applications, and public disclosures of concerning data applications. The National Committee on Vital and Health Statistics (NCVHS) Subcommittee on Privacy, Confidentiality and Security (PCS) requested this environmental scan to better understand recent developments in privacy, confidentiality and security issues in the health, healthcare, and public health sectors. Accordingly, this environmental scan was developed to guide PCS and NCVHS in identifying new major projects to pursue. This report is primarily focused on developments occurring during or after 2018.

PROPOSED AND ENACTED STATE AND FEDERAL PRIVACY LEGISLATION

Nationally, there are intensive efforts to address privacy and security risks in state and federal legislation. At the state level, momentum for new comprehensive privacy legislation is at an all-time high. Since 2018, five states have adopted new comprehensive privacy laws: California, Colorado, Connecticut, Virginia, and Utah. Four additional states (Michigan, New Jersey, Ohio, and Pennsylvania) have active comprehensive privacy bills under active consideration. Also noteworthy is the Uniform Law Commission's Uniform Personal Data Protection Act, which introduces several innovative privacy provisions. These innovations include a factor-based approach to defining allowable data uses and incorporating a voluntary consensus standard approach to enable the law to adapt to evolutions in data practices over time. In comparison to state activity, few new federal privacy laws have been adopted. However, dozens of bills have been introduced, and at least one has broad support.
The 21st Century Cures Act's regulations defining exceptions to the Act's prohibition of information blocking are a notable exception to relative federal inactivity. Nevertheless, Congress has been busy exploring new federal privacy legislation with over 50 federal privacy bills introduced during the 117th Congress. Of these, the American Data Privacy & Protection Act (ADPPA) is considered the most significant and promising federal comprehensive privacy effort in the past decade. However, there are still significant political challenges to overcome before the ADPPA can become law.

NEW PRIVACY AND SECURITY RISKS AND PROMISING POLICIES, PRACTICES AND TECHNOLOGIES

This environmental scan explores two significant new risks to privacy and security: artificial intelligence and law enforcement use of private data. Artificial intelligence has evolved in a largely unregulated space. This has created significant alarm due to the growing reliance on these tools across sectors. Risks associated with artificial intelligence cross social, health, economic, and political dimensions. Notably, artificial intelligence processes can be opaque, making it difficult for consumers to understand risks or difficult for processors to evaluate the unintended effects of their algorithms. In particular, group harms can be pronounced in artificial intelligence applications. Additionally, multiple high-profile stories have alarmed the public and lawmakers about the scope of law enforcement use of data. These include the use of commercial DNA databases to identify criminal suspects from the DNA of their distant relatives, the criminalization of once-legal health procedures (e.g., after the Dobbs v. Jackson Supreme Court decision, which overturned a long-recognized federal constitutional right to abortion), as well as law enforcement using commercial surveillance tools to achieve mass surveillance on a budget.
Despite these challenges, there are many innovations in privacy policies, practices, and technologies. This report describes four primary approaches to contemporary privacy legislation: (1) the consumer protection model, e.g., notice and consent, (2) the data protection approach, similar to the European Union's General Data Protection Regulation (GDPR), (3) the antitrust approach, i.e., focusing oversight on dominant entities, and (4) the information fiduciary approach, i.e., imposing legal duties of confidentiality, care, and loyalty on data controllers. Similarly, this report describes different approaches to privacy enforcement. Each alternative can be consequential for the effectiveness of a given regulatory framework. These enforcement options include (1) delegating enforcement authority to a preexisting or newly created agency, (2) enforcement through an individual right of action, (3) deputizing intermediaries to enforce standards and discipline, (4) increasing standards and associated penalties according to the scale of the activity or the size and sophistication of the regulated entity, (5) profit disgorgement, and (6) personal liability for corporate executives.

POTENTIAL PROBLEMS IN GOVERNANCE OF HEALTH INFORMATION

The U.S. privacy framework is often derided as a patchwork of laws. This patchwork is both overly complex and underprotective. The U.S. legal privacy framework is underprotective when its sector-by-sector and jurisdiction-by-jurisdiction approach leaves personal information un(der)-regulated (e.g., commercial data). This sectoral approach leads to uneven protections that can be confusing to consumers (e.g., health information stored in a hospital versus health information stored in a fitness-tracking app). The U.S. privacy framework is also overly complex because of inconsistency between jurisdictional approaches. This variability complicates compliance.
This is one reason why industry has embraced calls for a national comprehensive privacy law. Notably, the U.S. privacy framework might also be considered overprotective where it restricts popular and socially beneficial data uses. For example, a 2020 national survey of U.S. adults mea

author list (cited authors)

  • Schmit, C.

complete list of authors

  • Schmit, Cason

publication date

  • March 2023