Amd 50, Civ Rts L; add Art 21 Title 8 2180 - 2183, Pub Health L
 
Establishes the test, trust, and certify act to establish a protocol for COVID-19 testing, contact tracing, and immunity certification and to protect individuals' right to privacy; grants individuals the right to control their self-sovereign identification data; provides for the anonymization of biometric data for protection from law enforcement.
STATE OF NEW YORK
________________________________________________________________________
10462
IN ASSEMBLY
May 18, 2020
___________
Introduced by COMMITTEE ON RULES -- (at request of M. of A. Kim) -- read
once and referred to the Committee on Health
AN ACT to amend the civil rights law and the public health law, in
relation to establishing a protocol for COVID-19 testing, contact
tracing, and immunity certification; and in relation to providing for
the anonymization of biometric data for protection from law enforce-
ment
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. This act shall be known and may be cited as the "test,
2 trust, and certify act".
3 § 2. Section 50 of the civil rights law is amended to read as follows:
4 § 50. Right of privacy. [A] 1. Any person, firm or corporation that
5 collects, stores, and/or uses for the purpose of advertising [purposes,
6 or for the purposes of], trade, data-mining, or generating commercial or
7 economic value, the name, portrait [or], picture, video, voice, like-
8 ness, or any other personal data, biometric data, or location data of
9 any living person without having first obtained the written consent of
10 such person, or if a minor of his or her parent or guardian, or, if such
11 consent is obtained, subsequently fails to exercise reasonable care
12 consistent with its obligations as bailee of such individual's name,
13 portrait, picture, video, voice, likeness, or any other personal data,
14 biometric data, or location data, is guilty of a misdemeanor.
15 2. As used in this section, "biometric data" means an individual's
16 physiological, biological or behavioral characteristics or an electronic
17 representation of such, including an individual's deoxyribonucleic acid
18 (DNA), that can be used, singly or in combination with each other or
19 with other identifying data, to establish individual identity.
20 3. Biometric data includes, but is not limited to, imagery of the
21 iris, retina, fingerprint, face, hand, palm, vein patterns, body temper-
22 ature, data collected from fluid from nasal cavities or saliva to ascer-
23 tain the presence of the novel SARS-CoV-2 coronavirus, data collected
24 from withdrawn blood serum, plasma, or whole blood used to determine the
25 presence of antibodies, or other forms of bodily immunity, in convales-
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD16206-01-0
A. 10462 2
1 cent or otherwise asymptomatic patients of pathogenic and infectious
2 disease, and voice recordings, from which an identifier template, such
3 as a faceprint, a minutiae template, or a voiceprint, can be extracted,
4 and keystroke patterns or rhythms, gait patterns or rhythms, and sleep,
5 health, or exercise data that contain identifying information.
6 § 3. Anonymization of biometric data; protection from law enforcement.
7 The commissioner of the department of health and the attorney general
8 shall ensure that:
9 (a) any sharing of information with governmental entities shall be
10 solely for purposes of optimizing the contact tracing and certification
11 protocol as outlined in title 8 of the public health law;
12 (b) any personal data that is not being used solely to assist the
13 person whose data is being accessed and that is being used for optimiz-
14 ing and administrating the protocol shall be cryptographically anonym-
15 ized and all reasonable care shall be taken to ensure that subsequent
16 deanonymization is not enabled or facilitated through databases used for
17 anonymized data;
18 (c) any personal data shared with law enforcement authorities shall be
19 shared solely in strict compliance with the fourth amendment to the
20 United States constitution and any and all other state, federal and
21 local laws, rules, regulations, or other legal constraints that protect
22 the rights of suspected or accused persons and the contact tracing and
23 certification protocol shall not lessen the degree of legally assured
24 biometric data privacy of New Yorkers;
25 (d) any and all practicable measures, including cryptographic and
26 self-sovereign data storage methods, when reasonable, shall be taken to
27 prevent unnecessary exposure, unnecessary custody over any form of
28 private data, or accidental data privacy breaches stemming from outside
29 or inadvertent disclosure.
30 § 4. Article 21 of the public health law is amended by adding a new
31 title 8 to read as follows:
32 TITLE VIII
33 SEVERE ACUTE RESPIRATORY SYNDROME CORONAVIRUS 2
34 (SARS-CoV-2); CORONAVIRUS DISEASE 2019 (COVID-19)
35 Section 2180. Definitions.
36 2181. Guidelines for contact tracing; certification for immunity
37 status.
38 2182. Self-sovereign identification of data.
39 2183. Liaising with the federal centers for disease control and
40 prevention.
41 § 2180. Definitions. As used in this title, the following terms shall
42 have the following meanings:
43 1. "Tracking" or "contact tracing" shall mean the protocol through
44 which the infectious spread of the novel SARS-CoV-2 coronavirus and
45 corresponding propagation of COVID-19 is monitored in individuals. Such
46 protocol may be implemented through, but not limited to, the use of
47 smart phone applications, an anonymized or pseudonymous digital tracing
48 identifier, and blockchain, GPS, or Bluetooth technology.
49 2. "Immunity" shall mean:
50 (a) the degree to which an individual is diagnostically determined to
51 not be susceptible to infection by or not capable of shedding the novel
52 SARS-CoV-2 coronavirus, as determined by various markers such as serolo-
53 gy-based testing for the presence of antibodies. Such serological test-
54 ing may include, but not be limited to, the rapid diagnostic test (RDT),
55 enzyme-linked immunosorbent assay (ELISA), neutralization assay, or any
56 test that has been approved by the United States Food and Drug Adminis-
A. 10462 3
1 tration for diagnostic use in the United States and in the state of New
2 York.
3 (b) the definition that the commissioner is authorized, in conjunction
4 and in consultation with medical researchers and health officers, to
5 unilaterally determine, as research continues to be conducted on immune
6 response to the novel coronavirus, serological testing, antiviral drug
7 therapies, and candidates for a vaccine.
8 3. "Certifying" shall mean the protocol through which an individual is
9 determined to have immunity to COVID-19 or is otherwise deemed non-con-
10 tagious and able to participate in greater society.
11 4. "Self-sovereign identification" shall mean, with respect to the
12 collection and monitoring of data used for the tracking of the spread of
13 the novel coronavirus, COVID-19, the right of an individual to maintain
14 sovereign access and control of their data and their anonymity, provid-
15 ing proof of validity without being required to disclose unneeded
16 private data, and protect such data from extraction for profit or
17 exploitation by an authority or external entity, such as, but not limit-
18 ed to, a person, firm, corporation, or government entity that is not
19 done with the explicit intent for aiding the individual in mitigating
20 the spread of the novel coronavirus, COVID-19, or convalescing from
21 COVID-19, pursuant to sections twenty-one hundred eighty-one and twen-
22 ty-one hundred eighty-two of this title.
23 5. "COVID-19" shall mean the novel severe acute respiratory syndrome
24 coronavirus 2 (SARS-CoV-2).
25 § 2181. Guidelines for contact tracing; certification for immunity
26 status. 1. The commissioner, in conjunction with his or her counter-
27 parts in municipalities of the state and the chief medical and health
28 officers in hospitals and medical facilities in the state, and at the
29 federal centers for disease control and prevention, shall develop a
30 protocol for contact tracing and certifying for immunity to mitigate the
31 spread of COVID-19.
32 2. The department shall ensure that authorized diagnostic tests for
33 immunity be conducted unconditionally and free of charge for any indi-
34 vidual.
35 (a) No provider of COVID-19 and antibody testing shall discriminate
36 against a consumer for exercising his or her right to unconditional and
37 free testing for immunity.
38 (b) A testing provider shall not discriminate against a patient who
39 exercises any of their self-sovereign identification and data protection
40 rights under this title or does not provide consent to additional data
41 collection or sharing under this title, including, but not limited to,
42 by:
43 (i) denying testing services to the consumer;
44 (ii) charging a fee for testing;
45 (iii) providing a different level or quality of testing or medical
46 service to the consumer; or
47 (iv) suggesting that the consumer will receive a fee for testing or
48 medical service or a different level or quality of testing or medical
49 service.
50 § 2182. Self-sovereign identification of data. 1. The department shall
51 structure the protocol developed pursuant to section twenty-one hundred
52 eighty-one of this title to make provisions for accepting and function-
53 ing with the self-sovereign identification of individuals' data.
54 2. Information related or pertaining to an individual's immigration
55 status, banking status, financial affairs, or criminal or policing
56 record, shall be deemed to be sensitive personally identifiable informa-
A. 10462 4
1 tion, and shall not be procured from the individual at any point
2 throughout the tracing and certification process.
3 3. For applications or agencies to support tracing, testing, and
4 certification protocols required use of any centralized, third-party
5 private platform or digital cloud infrastructure as central data storage
6 for the purposes of implementing the protocol is prohibited.
7 4. The collection and storage of tracing and certification data for
8 the implementation of the protocol shall be supported using a decentral-
9 ized database, in order to facilitate:
10 (a) The protection of personal health records and individual identity,
11 and the preservation of self-sovereignty over one's own personal biome-
12 tric data;
13 (b) The maximization of data integrity and security through encryption
14 and verification of personal health records to mitigate the necessary
15 involvement or infiltration of central parties not privy to access such
16 information; and
17 (c) Accessibility to published data and data provenance, to ensure the
18 transparency of tracing data inputs.
19 5. (a) Every individual has a right of self-sovereign identity whereby
20 they can issue, revoke, and recover their identity autonomously.
21 (b) Every individual has the right to use their self-sovereign identi-
22 ty to submit provable information about themselves and have such infor-
23 mation accepted as valid if it has been attested to cryptographically by
24 an acceptable authority.
25 (c) Every self-sovereign identity system has the right to create a
26 cryptographically secure digital signature, which shall be accepted as
27 legally binding if properly attested to as representing the individual
28 by an acceptable authority or authorities.
29 § 2183. Liaising with the federal centers for disease control and
30 prevention. The governor and the commissioner shall be responsible for
31 liaising with the federal centers for disease control and prevention to
32 coordinate state and federal efforts to mitigate the spread of COVID-19,
33 ensure that adequate data protections as prescribed in this title are
34 being taken at the federal level, and provide consultation to the feder-
35 al government for implementing a similarly decentralized and self-
36 sovereign system for contact tracing and immunity certification nation-
37 wide.
38 § 5. This act shall take effect immediately.