Toward a new data privacy regimen

 

By Jon Bigelow • Executive Director of the Coalition for Healthcare Communication

 

This is the Age of Big Data – and also the Age of Data Vulnerability. How we as a society square these two realities will be important to all of us as citizens, consumers, and health communications professionals.

The good and the bad

Consider just a few of the ways in which new approaches to collecting, tracking, and interpreting healthcare data benefit us:

• In clinical medicine, by allowing more joined-up patient care through access to electronic health records, previous radiologic and laboratory studies, and data from wearables, as well as the use of algorithms to detect patterns pointing to specific diagnoses;
• In public health, by enhanced sensitivity in tracking diseases, whether the seasonal spread of influenza, the measles outbreak, or potential spread of avian flu;
• In clinical trials, by capturing real world data and deriving more information from study groups, especially in diseases for which patient populations are small;
• In marketing, by targeting messages to the most relevant audiences.

Yet the darker side of data becomes more apparent with every report of a major data breach, misuse of personal data, fake news (including misleading health information) spreading on social media, and so on. While much of the attention has been about hacks at retailers or financial institutions or about Cambridge Analytica-like political machinations, there have been smaller security breaches at health insurers or systems and there are potential vulnerabilities in the health ecosystem: for example, marketing firms are dependent on their vendors’ data protection procedures, and the advance of location data plus machine learning poses the risk that “de-identified” personal data could be “re-identified”.

GDPR, CCPA, and 209 new bills

No wonder the public is increasingly distrustful of the security of their personal data, and that Congress is frustrated and angry. The federal government in the past was reticent to regulate search engine and social media companies, instead allowing considerable self-regulation by industry. That situation is clearly changing: Speaking at the Coalition for Healthcare Communication’s Rising Leaders Conference on Healthcare Policy on May 22, Alison Pepper, senior VP for government relations at the American Association of Advertising Agencies (4As), counted 209 separate bills already introduced in the current Congress with the word privacy in the title and over 20 specifically on data privacy, just four months into the term. The pressure is from both parties, is in both houses of Congress, and is not likely to let up.

Two developments outside Washington have added to the momentum.

• The European Union’s General Data Protection Regulation (GDPR), with which American companies with EU residents in their data bases must comply, expands the definition of personal data and requires that consumers opt-in, rather than simply being given the opportunity to opt-out.
• On January 1, the California Consumer Privacy Act (CCPA) will take effect, granting consumers the right to know what is being collected, the source of the information, what data is being sold or disclosed, and to whom; consumers can say “no” to disclosure of their data and take legal action for privacy violations and data breaches. Passed hurriedly in 2018, this legislation is marred by ambiguous language and probably will be revised before the implementation date.

California, of course, has 12 percent of the U.S. population, and at least 20 other states are actively considering data privacy regulations of their own. Facing the specter of different rules in each of the 50 states, even the tech industry may prefer regulation at the Federal level. The question now is, what will that regulation look like?

The GDPR model still leaves the burden on consumers: It requires consumers to repeatedly, in multiple facets of their lives ranging from sensitive health situations to simply booking a hotel room, scroll through lengthy and abstruse terms and conditions – often within a time limit and often on a mobile phone – and then opt-in. In reality, most of us click “I accept” without parsing the legalese. Does this truly represent “informed consent?”

The “Privacy for America” initiative

Rather than putting all of the burden on consumers, it may be time for the federal government to set tighter guardrails. That’s one of the reasons to watch “Privacy for America,” an initiative announced in April by the 4As, the Association of National Advertisers, the Interactive Advertising Bureau, and other industry groups to develop model privacy regulation. The goal is to make personal data less vulnerable to breach or misuse, and to set clear, enforceable, and nationwide consumer privacy protections that are technology-agnostic (since laws tend to lag behind technological advances). Initial elements of this plan might include establishing a data protection bureau; setting rules for data collection and use; identifying certain practices as being “unreasonable per se” and defining a process for designating additional practices unreasonable; and offering a safe harbor program.

Clearly it will be difficult to create a new data privacy regime that balances the opportunities and the challenges of data, will not be obsolete before it can be enacted, and that works well for disparate sectors of the economy. “Privacy for America” offers Congress and the Federal Trade Commission, both of which tend to lack deep expertise in data technology, the benefits of industry understanding of how data is gathered and used. There inevitably will be conflicts to resolve between the public good and individual privacy, and as we get further into the 2020 campaign, it will be more difficult to pass comprehensive legislation even on an issue with bipartisan support. Yet public concern – and the looming laws in California and other states – will keep the pressure on.

The Coalition for Healthcare Communication will closely monitor the discussion around data privacy and security, including how CCPA is revised, the progress of pending Federal and state bills, and the draft legislation to come from the Privacy for America initiative. Please visit us at www.cohealthcom.org to stay up to date.