Representing different parties and different points of view had many specifics to be worked out. Given the data needs associated with the coronavirus aftermath. The panel will discuss the tradeoff between privacy and the context of the pandemic and get back privacy considerations and what the new privacy wall should look like and include and what it should not include. We are a distinguished panel to discuss these issues. Let me introduce them now. We have professor of law at the university of arizona. Christina montgomery is Vice President and chief officer at ibm, the former acting chair and commissioner now a partner of the law firm, andrew smith is the head of the bureau of Consumer Protection of the ftc and distinguished professor of management. Let me start out with a question for the panel and then also take you in the same order. Has the pandemic changed the tradeoff and beneficial uses of data, and if so, how. In terms of where the policy debate is going, i found its done surprisingly little to change how we talk about privacy law and the tradeoffs that need to be made. Early in the pandemic i thought that this was going to be a sort of moment where we recognized that very strong privacy and the main model for allowing data to be collected and processed in almost any way. But that was proven to be, to not serve what we are trying to do with the pandemic. So, when a south korea was using them in order to do Contact Tracing and quarantines of individuals, i thought we were going to wind up in a productive conversation about what type of privacy is the right goal or objective given the context where Something Like a map might help give a benefit. That just has not happened though. Instead, there is a sort of persistence and trust of government such that no matter what type of tradeoff might be made, i think people still feel like they would be foolish or naive if they were to recommend using Communications Technology in order to help stop the spread of the virus. So, you know, when i looked at the type used here in the u. S. , they are useless, and they were made useless because of these privacy norms and the way that the public debate emerges in the expectations with how they have to be voluntarily used without any pressure whatsoever, no pressure on consent and that it would be limited to only one form of data. So, watching the development has disappointed me in terms of having a substantive debate about the types of tradeoff that are going to happen. Why dont we go through the rest of the panel. Christina, do you want to take that question . I think from my perspective i will pick up on what you were saying about the lack of trust in the Tech Companies whether the perspective of speaking from the beginning i dont think necessarily there is a tradeoff between privacy and Public Health but we were conscious from the beginning at ibm in sharing that we maintain the trust of consumers and users of technology because of the recognition that the technologies are not going to be adopted and if they are not adopted there will be a proximity notification and if it isnt universally adopted by a specific percentage of the populations of workinpopulatione boundaries and also staying true to our values and principles as a company. We were facing these issues early on in the timeframe of covid because people with ibm wanted to respond immediately to solve problems. We put a process in place to ensure technologies were consistent with our principles for trust and transparency so years ago around trust and technology that essentially is to augment and not replace humans and it then belongs to that new technology to deploy. So, with solutions that our teams were looking to deploy in response to the pandemic we supplemented those with covid technologies and i think things like the exposure notification act, social distancing detection kind of technologies, fever detection, health passports, all those kind of things quickly companies were looking at it as helping to solution some of the Public Health concerns with respect to the pandemic. So we put together and published a set of principles around those kind of technologies that were focused on things like the data minimization and ensuring thinking about inclusivity of those areas of technology and that they were inclusive as well. We called on the broader Tech Industry to include those as well because again, i think it does come back to the fact that we are very conscious in ensuring its there as a timeline for us. Do we have opinions on the level of trust that these things might be adopted . I think what you find is that it depends on where you are in the world. Theres different notions of what the consumers in the u. S. Will be versus consumers in other parts of the world and weve seen those different approaches to address the pandemic and as a Global Company when you want to be consistent as possible when we look at the tools we are going to use in the 170 locations we have around the world, it is challenging for a Global Company, so we have to have a specific set of principles that we apply around the globe because there isnt necessarily a consistent view of trust from the consumer perspective in various parts of the world. A. Theres a lot of different sources we might consider of value but it isnt always just a federal or state privacy law. Early on in the pandemic a lot of things were changing and they preempted about whether somebody had a diagnosis and letting your employer know. They changed some of the rules about what information employers could ask. Have you traveled to a spot. You called in sick last week, was it for a covid related reason and then things like taking temperatures and Contact Tracing and things like that so there were a lot of changes and they were done in reaction to the pandemic. And companies on the fly emergency declarations. So i think there were definitely some changes. And then there were notices being collected but we didnt really see that get a lot of traction so i think in some ways its been kind of overtaken by events. Then theres what covid really impacted. Doing remote things like we are right now and school being remote and some of the privacy implications and employees accessing things remotely. There were some things but that technologies had to adapt to and some kind of previous employers having to handle it because that is how the businesses continue. Moving forward from there its likely we could end up with a solution and implications for how privacy is treated Going Forward so in some ways it would be better to have something in place that would take care of a lot of different situations so that is still to be determined and we will talk more about that but those are the changes that i have seen. Theres been a lot of different perspectives here. From my perspective i think the laws that we and force have proven to be adaptable and allow the uses of the data. Its a big distinction from what the other speakers have said or issues in other countries. From my perspective it was right at the beginning of the pandemic with the distant learning. That requires consent so, what we said pretty quickly we reiterated guidance we already issued but only for the educational purposes and collection. Others like the financial privacy law include exceptions for the responsible use of the data and sharing service providers. We havent seen so much of a conflict but they talk about trust and i think that is where they come in and could be helpful in terms of Building Trust and getting a baseline for the data so they build trust and also its been pretty abysmal so far. We dont know how the function of the approach weve taken in this country sort of runs stated by statebystate so they are lying down to develop the apps and then to be interoperable. With respect to Contact Tracing in particular, we are interested in the privacy aspect of those. Also from the perspective of the ftc we are concerned about the broad issue so example, scammers will send to a consumers smart phone that will report to be a contact tracer and there is a link that downloads malware. Theres also people reporting to be contact tracers and they are collecting Financial Information or Social Security information or immigration information. So weve been heavily invested in helping consumers realize like you need to engage with contact tracers but if they ask for personal information or Social Security number, dont click on any links and dont give any of that type of information out. The long and short of it is it is adaptable to the crisis and i also think it could let Companies Know the rules of the road. A. [inaudible] one way of thinking about the pandemic is an acceleration of trends and giving a notice about where the economy is going and where it may be. I have a point to make about the tradeoff. There seems to be little talk about privacy in the report in march that might be all we are talking about. What i had noted is a good job of demonstrating the public value of the data in a way one might not have anticipated so im thinking of the industry around location data and its somewhat controversial but its demonstrated that the governments are now using it. I think there hasnt been enough talk about the privacy law and facilitating the exchange of data but it says really just its an alternate data. We see in that respect several instances. I was thinking of the kind of law which makes it easier to be compliant and i would say for me on the issues of Health Privacy rather than commercial privacy which we have been discussing for so long. The other thing i would say we keep having this conversation about privacy assuming that the data is being created and it makes you think about how to protect peoples privacy but there wasnt much discussion [inaudible] it was highlighting they are generating it but not talking about much. I think jane was suggesting this in the opening remarks but let me just ask a question about whether privacy requirements or privacy considerations that were not really requirements have basically changed in terms of other Health Effects or activities or both. I did want to clarify im a little bit at odds with other panelists because although i am concerned about the level of public distrust, i think one of the causes, or my diagnosis is there is an unjustified level and we are all somewhat responsible for and that by focusing on and attributing to the sense that Companies Large and small are constantly misusing data we get the impression that without the federal regulation we are unprotected as consumers and that just is not correct. They found a way that doesnt satisfy some consumers but i think it does strike a defensible balance between innovation but this perception that apple and google will keep the data indefinitely or will combine all the data with other things and just exploit it as much as possible and if any data were given to the cdc than the next thing we know the fbi would have it. Theres the perception that every possible risk is a risk no matter what law we have in place. That really got in the way. The Reason Congress didnt pass might be because it didnt have to, because apple and google were so far ahead of the Public Relations crisis and its a technology cant be heard. When a company is fighting a broad perception that data, consumers are constantly exploited and abused by not only the Big Companies but also the Small Companies that make use of their services, then they are understandably reluctant to put together useful data for the Public Health services. Does anybody want to comment on that . From the Company Perspective we have to assure consumers as a provider of the services that we have at the heart their interest, that we are going to responsibly bring technologies into the world and we are transparent and with privacy and security at the heart of everything we do and that is a constant consideration and one of the reasons i think why we are supportive and i know we will talk about the landscape and privacy legislation, but i do think, i dont agree there are laws out there that are broadly protected by consumer interest i also do agree that firms just from a perception perspective are nothing else, uniform consistently apply foundations of privacy legislation in the u. S. To help to build Consumer Trust in technology companies. The bottom line concerns about privacy basically made it more difficult to have an effect of the strategy against covid which obviously has huge costs. Would people agrewhat people age that statement . I think it depends on the context. There are probably some businesses that have been able to take advantage for example the Distance Learning and there are probably businesses that have been stymied. We issue some guidance pretty early on but of all of the principles we were talking about, tell people why they are collecting the data and only keep the data as long as you need it for that purpose so it collects the bluetooth signals that youve been close to over a period of time but there isnt one big central database. All of that went a long way to Building Trust. Why there havent been a lot of updates in this country is discouraging but im not sure that its due to the type of considerations it may just be more due to Something Like that on a national level. I agree that it is well trusted, but it also doesnt do much in terms of being able to provide a better risk for orbiter notification then we could do using a more traditional means. The nature of collecting bluetooth only and not gps means we are lacking a lot that might have a hope of doing better and then you know not just whether a person has been in contact with another person that actually tested positive, but you have more data to figure out each individuals risk in terms of whether theyve been in contact with somebody in contact. More than one hop, to use National Security lingo. I do think that the distrust, which again arguably from my approach seems to be exaggerated or not totally flared with reality but its gotten in the way of companies being able to feel like they can help. To choose between that or being trusted, there isnt a way to get both. In the federal law that basically codifies the expectation that the data will be minimized. In some ways, apple and google did exactly what the federal law will require of them so you could only collect one kind of data and you can socialize it. That impeded the efficacy. Lets move on. Theres pretty widespread. Of course this fairly widespread agreement for a number of years but i think theres maybe more agreement now than there was. What we ask basically [inaudible] its probably had little to no effect. Maybe i will take that one, tom. My experience on the federal privacy law before the Senate Commerce committee in december of 2019 and i didnt see any change in the bill. Im not saying that that is a failure or inappropriate. Other than as i already mentioned in the kind of recognition that its accelerated our use of digital which was pretty strong to begin with but Even Stronger now than previously in telemedicine. But i think that its now impacted the federal bill, the wording and provisions. The idea that it would have been a neutral thing to have in pla place. I agree with jane. I think some of the concerns about how companies are going to use data and things like that may not have been particularly well grounded but they were enough to keep consumers. It could have been one of the reasons. I think the other thing we need to mention all of this is taking place during criticism. We had house hearings and thats part of the environment as well where i think critics have been vocal about whether the companies can or will be trusted. Its just part of that larger debate thats happening. Lets talk a bit about what we think about what the privacy law looks like. Should we have something similar to the gdp are in fundamental ways . Ive been pretty critical about the research and its effects. I think in some sense we should say thank you for experimenting in a way that means we can learn. It is not clear to me that in particular they strike the right balance between competition and privacy, and i think that theres mucthereis much we can t dealing with the unintended effects reinforcing the incumbency in the data. I think we should say thank you to the eu and it shouldnt necessarily be a model that is now wellconnected. Should we base it on a notice of choice type of approach as we talked about for a long time or Something Different . It can span a wide range depending on what you mean by choice. What would be the most critical is the idea of nondiscrimination when someone has chosen to be a leader it or not offered to a Data Collection team because if you say the service has to be identical in the control of their data or not, we think of it as being the kind of price or therwhere theres a weird cross subsidy for the people that share their data and then dont and overall the services themselves will be affected in some way. Working with the uniform Law Commission to develop a privacy act and we are trying something a little different from the stands. Its more similar to i think what theyve been developing through its fairness doctrine where we are trying to find compatible uses, categories and then prohibited uses where the prohibited data practices cant be done no matter what and if you were in the incompatible range you need the kind of consent we have in mind rather and then compatible use can go beyond it was intended as long as basically there are reasonable shared benefits with the consumer. We are trying that and i will let you know. Failure to do sufficient Data Security in the data practice and certain things that would be illegal anyway. Things like the tort law has honed in as a in an appropriate use of information anyway. Many things that are falling into the incompatible category. I think you and other people have talked about kind of the duty of care, which as a nonlawyer, i am not even sure what that means. But somewhat similar to that the common sense around fiduciary duties that might be applied to tech firms, digital firms is related except once you Start Talking about things like duty of care and loyalty it starts looking stronger and stronger and more likely where we are having tech firms in a similar position as doctors and lawyers but in terms of a reasonableness standard that gauges that kind of consent or not is a fair comparison. In the existing framework what harm would that be addressing . They talk about things like the concepts and the sensitivity of the data which is a result of the harm that could come of it so if it is sensitive data, you need to get the express consent. For nonsensitive data you dont. Then theres this awareness of the free flow of data to create new products and have innovations and restrictions and a data that is meant to harm a particular person. Then some of the other provisions also to allow the use of data and giving the consumers access so they can find out what companies have and delete it or correct it. So there are beneficial uses of data consumers may not but societal laws of beneficial so when we balance them they get to challenge it and find out theres something in my file. Some of these concepts are being brought into with the federal law would look like so while it isnt necessarily saying, i think a lot of the current facts are being put in with the idea that we are trying to prevent harm to consumers. There are things people share but if they know what they are doing and why, we are not supposed to be replacing consumer choice. Those are some of the things ive seen. Some of the important things it also has is it its not trying to create and its trying to stick with them as the enforcer in the kind of availability to license. Like what about the state. They can do Something Different with it. Those are some of the sticking points that need to be worked out but there is an important overlap that together its out of the ftc and the credit reporting act designed not to create the kind of challenges and hurdles that we have seen. We are running out of time so let me close with an easy question. Should there be a costbenefit requirement for the ftc rules . Lets go around and answer that briefly. The approach enable them for the harm to consumers entering the dissent degree for example. Because a lot of what we talked about today could clear up the rules out there to expand upon the ftc is the right place to have that. Should there be a costbenefit requirement for the fcc rules . It worries me because we have research on how difficult it is. Even in the way they respond. I think until we begin to craft that and what we mean by the costbenefit analysis we could be facing some very difficult decisions. When we started doing this with environmental regulations, it was pretty primitive. We should have expanded the commentary of the nonprofit so anything under the administrative procedures act which on its terms does require some analysis if you articulate a problem you are trying to solve in your solution has a rational basis some of which may apply to the federal trade commission but commissioners have said is not just the policy choices and access and what we talked about a rather the should be set by the congress and the ftc should be will to fill in the blanks that would naturally occur and that rulemaking should be under the procedures act and the zito finally administrative procedures act. I think im on record from a previous proposed bill suggesting the ftc should have limited Rulemaking Authority but i want to emphasize that costbenefit analysis because while i recognize the concerns that patrick has the only thing worse is privacy is tricky where its easy to lose track of the benefits when you lose control of your data. Im also in favor of the ftc having limited Rulemaking Authority and often to look back make its on my side where Congress Just like studying the role but like that will change over time so the ftc should have the authority and the ability to do that is not within the problem that someone makes so i am in favor of that as well and with the executive order 8266 and for any agency making rules to consider those factors because then it starts to get challengeds. I agree that Congress Needs to make the policy and what information can be collected. But within their there needs to be some rulemaking and that should be the ftc and we should not be so confined it becomes impossible to those planks and that i could imagine a situation with those additional requirements of her pretty hard to make those rules to make the system work. These are all great comments now we will move to audience q a we will stop here and pick it up again can everybody hear me cracks. That transition actually went smoother than i thought it would. Let me start with a question for christina. You talked about doing some things and also talking so what would you try to do to build more trust and what measures could be taken . And maybe also address the point that is not entirely warranted. Think it goes back to what we mentioned and what the approach to articulate principles and demonstrating to have the accountable framework to demonstrate to clients and investors. We have done all that going back to the principles we articulated around trust and transparency but when you are releasing new technologies with data you are clear and you a principles depending on the type of data with a realistic approach with the use of the technology in the end user this is what do with the ethics board with the process of a good week consistent way to for the county and as a Company Accountable for what we are going. We come out with policy perspective of our recommendations that are concrete actual recommendations policy makers and other companies can take and then that is what happens internally but as a company and i personally feel as if yes and if we follow through and demonstrate the accountability. We have to continually earn and the actions that we take to share and be transparent so thats what we try to do to help that conversation. One of the things that you mentioned to go trust is not using data from those says but of course it could be there are unanticipated uses that are beneficial in that health data to give us the better idea what we have done right or wrong with respect to the covid pandemic so how should we treat the end on unanticipated uses of data . There are measures for example privacy enhancing technologies could be put to better use and with federated learning and with the unanticipated ways that we would not be concerned about and those that you are in place enable you to protect the data. So to be very persuasive of the idea of the cn context and how that was important and with those difficulties with that policy hopefully so that which was generated in march but now in general and then to be useful in the Public Health crisis with access of that data with the usual the cn context consideration. Not thinking of the anticipated circumstance. Yes. I agree with what catherine said and just this morning learned the French High Court had to reverse the ruling related to the Central Health data case because the french government was working with ibm. Im sorry you are right. Microsoft. And then there were concerns because microsoft could not guarantee they wouldnt use a phrase a warrant to access the data with the gdpr to stop the use of the centralized database even though its being used for the covid crisis in deciding that that was important enough to outweigh the concerns but it has shown that there will be differences of opinion in terms of the tradeoff and the risks we are willing to take and what we perceive as the benefits. There is the enduring problem to figure out how to assess efficacy without trying things that seem dangerous were figuring out what types of processing should be off limits. Without knowing in advance. Do you think people were actually concerned about privacy with covid or was it mostly their advocates . In april i was paying attention to the goals and there were some interesting findings and they were more willing than you might think to have the government itself collecting gps or data and minority groups were more likely to be in favor that and that the risks were not evenly distributed. With the elites and the more politically connected. And that are evenly split. I thank you are saying that in light of the covid pandemic and then to revisit the Health Privacy laws and what we could do with health data and what we cant do. And do you have a more specific suggestion . And with the Contact Tracing up so what is the first place i would go thinking the adoption of the Contact Tracing to be in place and with the adoption of the public good. But what does strike me during the pandemic the continued cost i think thats what it should live up to and during the panel so for example because of that interpretations and also and so on but the other thing the pandemic in the Health Sector and with those Public Health authorities and then to comply with privacy laws but it does suggest those are the things that we can tackle and through the age that they would be reported. Nobody is looking at that in congress by now as far as i am aware. But speaking of congress, i realize not as you advertise yourself as political prognosticators but let me ask the question with the National Privacy law in 2021 is greater than 50 50 whether that depends on which party is in control of congress. Should we start . A typical numeral is two alphabetical order again. I word still but at 50 percent i think that although there are reasons parties would be interested in showing restraint with the power of big tech the actual political tradeoffs to be made are two contentious. Pure speculation. [laughter] i think a lot of work has gone into both sides of the house. I think there is discussion right now how to compromise on the issues but they are hard issues. Talk about the state preemption . There are hard issues to solve some of the odds that 50 50 we get through next year maybe that depends if you have one party in charge of congress can make a difference as well. To be agnostic and im not the legislative guy anyway but i hope there is a law so with the ftc and thats important because for the last 50 years since the advent of the fair credit reporting act we have been interpreting and making rules under Information Privacy laws where a great deal of experience we can protect consumers when they have given us a specific authority and the telemarketing sales rule we have use of authority we have our cases we have made rules and we even used our organic authority for those deceptive acts and practices that all commissioners had recognized it is the imperfect tool with the imprecision of those requirements and the limited relief we can obtain we have use them in part almost 150 cases over the last several years in both the privacy and Data Security arena. We think were up to the task. Thinks it is important to understand what you are answering one asking if there is a federal privacy law. There is a difference between the federal bacilli the National Privacy law if we have a federal privacy law we still dont have a single National Privacy la law, federal law and the friday of state laws. So i would hope that we get is a federal and National Privacy law and its important to understand there is the difference between those two with a uniform law that applies it doesnt matter where the different parts of the transaction we do need a federal privacy law to set the standard with the ability of the state ag and it would be ironic if we ended up with the law that actually created more patchwork because one of the reasons with a single European Market so we should take a lesson from that because of so many areas have a national marketplace. Do you think its possible we could get a federal law . We could depending on the Election Results what they are. And to be associated with a Central Investment and with those Health Records and if with the federal regulation senator Kamala Harris has just arrived for a campaign event. Of todays some washington journal on the battleground state of wisconsin. Next five days, washington journal will be focused on key battleground states with political reporters and analysts on the ground looking at what has changed since 2016 with Public Policy issues and motivating voters. And looking at recent Political Trends that could give us a clue on how that state might vote. Today is the state of wisconsin. Joining us is craig gilbert. Lets begin with