With the Annual Meeting of the International Society for Medical Publication Professionals (ISMPP) taking place as a virtual event this year, Jon Bigelow, from the Coalition for Healthcare Communication, presented the second of two standalone ‘preview sessions’. This session focused on the future direction of data privacy laws in the USA.
Big data has the potential to revolutionise healthcare
Big data is an important part of the modern world, with the potential to not only augment the personal user experience, but also revolutionise the way in which technology companies interact with their customers. From the healthcare perspective, patient data from wearables combined with improved algorithms may unlock new insights into disease development and diagnosis. Topically, personal data collected en masse is proving critical in facilitating public health initiatives such as monitoring seasonal influenza outbreaks, or more recently in response to the ongoing coronavirus pandemic, in government-backed ‘track and trace’ apps.
There is low public confidence that technology companies sufficiently protect consumer data
Unfortunately, as highlighted by Bigelow, public confidence in large tech companies to safeguard their data has been eroded through unexpected uses of private user data, such as the high-profile case involving Cambridge Analytica and Facebook user data. Indeed, a poll conducted by the Pew Research Center reveals a high level of mistrust surrounding data privacy, with 79% of those surveyed expressing concern about the way companies use data. The use of government mobile phone tracking apps to help combat the coronavirus outbreak has exacerbated this mistrust, with Bigelow pointing to a recent New York Times article on how COVID-19 surveillance data could be exploited for other purposes.
Current regulation in place in the USA and the rest of the world
Before considering new data protection legislation, Bigelow examined what lessons could be learned from current legislation in place in the USA and beyond. The 2018 European General Data Protection Regulation (EU GDPR) and California Consumer Privacy Act (CCPA) introduced important concepts in data privacy, such as an expanded definition of personal data, greater consumer consent on data storage, including opt-in, and severe penalties for non-compliance (up to 4% of company profits). While the rest of the world moves to a consent-based framework, the USA remains an outlier with its fragmented sector-based regulation and reliance on self-regulation. Bigelow also noted that much of current US legislation is out of date and did not anticipate today’s digital data usage and the threat of cyber-attack. For example, the Health Insurance Portability and Accountability Act, which covers electronic health care transactions, originally dates back to 1996.
One of the limitations of the EU GDPR is the onus on consumers to provide consent. Data opt-in often involves the review of lengthy and abstruse terms and conditions that demand a high level of literacy. In reality, only 9% of US consumers always read the terms before clicking “I accept” for everything, which raises the question of whether opt-in truly represents informed consent. In addition, technology such as facial recognition software may negate the practicality of informed consent.
Further challenges of data protection include the potential conflict between individual best interests and public health policy. Initiatives such as OpenTrials and the Yoda Project are striving to increase clinical trial data availability and transparency, yet in certain circumstances, for example with studies in patients with rare diseases, full publication of trial data can be difficult to reconcile with the need to protect the privacy of a potentially identifiable patient population.
The future of data privacy laws in the USA
Bigelow went on to describe his vision of the future of data protection laws in the USA. Multiple laws focusing on different areas of concern have been proposed by US senators. Many aim to address the challenges of regulating data usage by large social media platforms, including aspects such as:
- limiting experimentation on consumers without their knowledge (as highlighted by the Facebook user emotion manipulation experiment)
- greater transparency on the monetisation of user data (eg the DASHBOARD Act)
- the implementation of a Do Not Track Act, designed to work in the same way as phone list opt-out options.
Other acts aimed at protecting consumers include:
- the Algorithmic Accountability Act, to enforce testing of algorithms to remove bias or discrimination
- the Mind Your Own Business Act, which requires larger companies to produce an annual transparency report and leverages accountability at the CEO level.
The coronavirus pandemic has also prompted new proposals, such as the introduction of limits on how health tracking information garnered as part of the public health emergency can be used and for how long.
Notably, there appears to be bipartisan agreement in the US Congress that new data protection laws are needed. Implementation at the federal level, such as the Privacy for America initiative that would develop a new data protection bureau within the Federal Trade Commission, will address the cross-state nature of data privacy. This initiative aims to shift the burden of data protection away from individuals towards the government. The proposal includes aspects such as the right to access and delete data, as well as increased control of the use of data. Although COVID-19 has delayed the passing of new legislation, it is expected that new US data protection laws will be enacted during the 2021–2022 Congress.
The virtual 16th Annual Meeting of ISMPP will take place 16–18 June, 2020.