Bill on Health and Location Data Protection Act introduced to US Senate
June 19, 2022
The US has had a long tradition of commercialising customer lists. It is curious With that has come the “data broker”, putting holders of data in touch with those who are keen to use that data. In the analog age it was a matter of mild concern, typically with people getting unexpected correspondence and offers. A common example was someone signing up for a hunting magazine being offered membership of the National Rifle Association. In terms of scale the problem was real and concerning but not threatening to a person’s privacy. Most people subscribe to a limited number of publications, and it wasn’t until relatively recently that the fetish arose for requiring masses of personal information for even the most anodyne activity.
The digital age, and businesses’ appreciation of the advantage of knowing as much as possible about customers or potential customers, combined with the vastly improved ability to collect masses of data and process them into useful information, has meant the collection of information is key. That has led to worrying practices, such as the collection of sensitive and health information. In that context, on 15 June 2022 Senator Elizabeth Warren introduced Senate Bill 4408 in the U.S. Senate to prohibit data brokers from selling and transferring certain sensitive data.
Australia has not had a tradition or framework for data brokers but that does not mean there has not been the sale of data from time to time. Recently the Federal Government has made the transference of data between government agencies and educational institutions much easier. The privacy protections were added as an afterthought. It remains a problematical piece of legislation.
The Bill would:
- make it unlawful for a data broker to sell, resell, license, trade, transfer, share, or provide an individual’s location, health and other categories of data identified by the Federal Trade Commission (‘FTC’) except for Health Insurance Portability and Accountability Act of 1996 compliance activities, publication of newsworthy information of legitimate public concern, or disclosures made with a valid authorisation of an individual;
- provide that any violation of its provisions would be treated as an unfair or deceptive act or practice under Section 18(a)(1)(B) of the FTC Act of 1914. Moreover, SB 4408 would provide that state Attorneys General (‘AGs’) would also have enforcement powers if they have reason to believe that an interest of the residents of their state has been threatened and thus would allow the AGs to bring a civil action on behalf of their residents.
- require that before the state AGs bring an action, they notify the FTC in writing of such action accompanied by a copy of the complaint.
- allow individuals, whose interests have been threatened or affected, to bring a private action against a data broker.
- provide that a violation would carry a civil penalty not exceeding 15% of the revenues earned by the person’s ultimate parent entity during the preceding 12 months.
The report “Senate considers ban on data brokers selling health and location info” describes the context and aim of the Bill quite well, providing:
Politicians are determined to put a stop to brokers who compromise privacy by selling your data. Motherboard has learned Elizabeth Warren and other senators are introducing a bill, the Health and Location Data Protection Act, that would ban brokers from selling or transferring a person’s medical and positional info outside of limited circumstances. The main exceptions would include HIPAA-compliant activities (such as sharing patient records between facilities) and First Amendment-protected speech.
The legislation would also give the Federal Trade Commission $1 billion over the next decade to help fund enforcement. The FTC, state attorneys general and individuals would also have the power to sue and seek injunctions. Bill cosponsors include longtime data privacy advocate Ron Wyden as well as Bernie Sanders, finance committee chair Patty Murray and HELP committee chair Sheldon Whitehouse.
The act comes in response to numerous instances where companies and government bodies violated privacy by purchasing data through brokers. Bounty hunters bought location data from carriers, for instance, while Google banned a company last year for allegedly selling Android location data indiscriminately. Critics have also accused agencies like ICE and the Secret Service of buying location info through brokers to get data that would normally require a warrant. At the same time, lawmakers are worried about access to abortion seekers’ data when the Supreme Court is expected to overturn Roe vs. Wade. This measure could limit anti-abortion politicians and activists hoping to target patients.
Protection bills like this aren’t new. Wyden’s stalled Fourth Amendment is Not for Sale Act would require agencies to obtain warrants for location data. This would represent one of the most sweeping data controls yet if it became law, however, and reflects mounting opposition to companies that profit from trading sensitive content.
Whether this Bill becomes law or not is a live question but almost beside the point. There is a significant awareness and concern about the collection and commodification of masses of personal data. Given more and more personal information derives from fitness apps, that is especially concerning.