On Thursday, May 14, House Energy and Commerce Health Subcommittee Chair Anna Eshoo (D-CA) and Consumer Protection and Commerce (CPC) Subcommittee Chair Jan Schakowsky (D-IL) introduced a bicameral counter-proposal to the COVID-19 Consumer Data Protection Act unveiled by Senate Republicans last week (see prior alert here).

Emergence of a separate Democratic proposal signifies continued dissent in Congress regarding key components of a federal privacy standard. Broader privacy talks stalled earlier this year after the introduction of separate Republican and Democratic privacy proposals, and Congress has yet to reconcile these differences as the privacy debate resurfaces amidst the COVID-19 pandemic. However, members hope to reach agreement with their colleagues across the aisle on these differences as they pertain to COVID-19 contract tracing efforts in the coming weeks.

The Democratic measure, dubbed the Public Health Emergency Privacy Act (PHEPA), aims to provide clearly defined privacy rights for consumers and strong enforcement to safeguard these rights as industry pursues digital contact tracing efforts. Similar to Senate Republicans' proposal, PHEPA would require companies to obtain express consent in order to collect, use or disclose emergency health data for the purposes of tracking the spread of COVID-19. The COVID-19 Consumer Data Protection Act requires covered entities to delete or de-identify all personally identifiable information (PII) when it is no longer being used for the health emergency, and the PHEPA similarly prohibits covered entities from using or maintaining emergency health data of an individual more 60 days after the termination of the public health emergency declaration.

Under PHEPA, the Federal Trade Commission (FTC) and state attorneys general are given enforcement authority. Unlike the Republican contract tracing proposal, the measure would not preempt more stringent state and local laws such as the California Consumer Privacy Act (CCPA) and the Illinois Biometric Information Privacy Act (BIPA), which remains a key issue of importance for Democrats such as Chairwoman Eshoo and Chairwoman Schakowsky who represent districts in these states. Further, the Democratic proposal would provide for a private right of action, which remains a sticking point in Senate privacy negotiations.

PHEPA also contains language stipulating that a government entity may not deny, restrict or interfere with an individual's right to vote based on his or her emergency health data, medical condition or participation or non-participation in a program to collect emergency health data. In addition, the Department of Health and Human Services (HHS), in consultation with the U.S. Commission on Civil Rights and the FTC, would be required to submit a report to Congress on the civil rights impact of the collection of health information in response to the COVID-19 pandemic within one year of the measure's enactment.

The measure is endorsed by Consumer Reports, Public Citizen, Free Press, Public Knowledge, the Open Technology Institute at New America Foundation and the Electronic Privacy Information Center (EPIC). A Senate version of the bill will be sponsored by Sens. Richard Blumenthal (D-CT) and Mark Warner (D-VA).

Akin Gump's public law and policy practice continues to work with the cybersecurity, privacy and data protection practice to monitor real-time data privacy updates related to COVID-19. Our team apprises clients of any legislative or regulatory updates, as well as applicable industry action in the privacy arena. You can find additional information on COVID-19 related matters on Akin Gump's COVID-19 Resource Center.


Article originally published on 15 May 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.