•  Summary 
  •  Actions 
  •  Committee Votes 
  •  Floor Votes 
  •  Memo 
  •  Text 
  •  LFIN 
  •  Chamber Video/Transcript 

A10462 Summary:

SPONSORRules (Kim)
COSPNSRSimon, Frontus, D'Urso, Mosley, Seawright, Glick, Colton, Cahill, Montesano
Amd 50, Civ Rts L; add Art 21 Title 8 2180 - 2183, Pub Health L
Establishes the test, trust, and certify act to establish a protocol for COVID-19 testing, contact tracing, and immunity certification and to protect individuals' right to privacy; grants individuals the right to control their self-sovereign identification data; provides for the anonymization of biometric data for protection from law enforcement.
Go to top

A10462 Memo:

submitted in accordance with Assembly Rule III, Sec 1(f)
SPONSOR: Rules (Kim)
  TITLE OF BILL: An act to amend the civil rights law and the public health law, in relation to establishing a protocol for COVID-19 testing, contact trac- ing, and immunity certification; and in relation to providing for the anonymization of biometric data for protection from law enforcement   PURPOSE OR GENERAL IDEA OF BILL: To provide a framework for a decentralized and system of self-sovereign identity, for the purposes of protecting the privacy of data related to COVID-19 contact tracing and immunity certification   SUMMARY OF PROVISIONS: Section 1 provides the short title of the bill, hereafter known as the "Test, Trust, and Certify Act." Section 2 amends Section 50 of the Civil Rights Law to expand the types of data protected under the statutory rights to privacy. In particular, biometric data is explicitly defined, including data pertaining to test- ing for the novel SARS-CoV-2 coronavirus responsible for coronavirus disease 2019 (COVID-19), and the presence of antibodies or other forms of body immunity in convalescing individuals. Section 3 directs the Commissioner of the Department of Health and the Attorney General to ensure that any personal information is solely used for the optimization of contact tracing and certification protocols, and that data privacy is rigorously protected from government law enforce- ment agencies (unless otherwise in compliance with the Fourth Amendment of the United States Constitution) and third-party entities. Section 4 amends Article 21 of the Public Health Law by adding a new Title 8, consisting of new Sections 2180-2183, titled "Severe Acute Respiratory Syndrome Coronavirus 2 (SARS-CoV-2); Coronavirus Disease 2019 (COVID-19)," which outlines the guidelines for a decentralized and self-sovereign contact tracing and immunity certification protocol. Title 8, Section 2180 provides definitions for "tracing," "contact trac- ing," "immunity," "certifying," "self-sovereign identification," and "COVID-19." Title 8, Section 2181 directs the Commissioner of Health along with their counterparts in municipalities to formulate guidelines for contact tracing and certification for immunity status, and forbids the charging of testing fees and discrimination against an individual exercising their self-sovereign identification and data protection rights. Title 8, Section 2182 directs the Department of Health to structure a self- sovereign identification protocol that guarantees all individuals the right to a self-sovereign identity. This protocol ensures that data related to an individual's immigration status, banking status, financial record, or criminal or policing record are prohibited from being collected; additionally, the use of any centralized, private, third-par- ty platform for data storage is prohibited. Title 8, Section 2183 ensures that the Governor and Commissioner of Health be responsible for liaising and providing consultation with the federal Centers for Disease Control and Prevention on matters of data privacy related to contact tracing and immunity certification. Section 5 provides the effective date.   DIFFERENCE BETWEEN ORIGINAL AND AMENDED VERSION (IF APPLICABLE): This is a new bill.   JUSTIFICATION: The COVID-19 pandemic has laid bare the sheer infrastructural inadequa- cies in the state and nation's health care system; in particular, it has exposed our society's dependence on Big Tech to provide services such as contact tracing that are crucial towards returning to some semblance of functioning society. Even now, tech monopolists such as Apple and Google seek to capitalize on the contact tracing industry and profit off of the extraction of individuals' personal biometric data. Moreover, should private employers mandate their employees to subject themselves to third-party, extractive testing and contact tracing measures, it would further jeopardize the privacy rights of New Yorkers while further enriching tech capitalists. The ramifications of this are severe, and will lead to a society further divided by class and racial strife if left unabated. This legislation will endow individuals with their sovereign rights to access and control of their data, while providing protocols for a decen- tralized, peer-to-peer system for contact tracing and immunity certif- ication. It has been said that pandemics end in two ways, medically and socially: the scope of this bill is to facilitate the social ending of the COVID-19 pandemic and allowing society to trust one another once more.   PRIOR LEGISLATIVE HISTORY: This is a new bill.   FISCAL IMPLICATIONS FOR STATE AND LOCAL GOVERNMENTS: None.   EFFECTIVE DATE: Immediately upon passage.
Go to top

A10462 Text:

                STATE OF NEW YORK
                   IN ASSEMBLY
                                      May 18, 2020
        Introduced by COMMITTEE ON RULES -- (at request of M. of A. Kim) -- read
          once and referred to the Committee on Health
        AN  ACT  to  amend  the  civil  rights law and the public health law, in
          relation to establishing a  protocol  for  COVID-19  testing,  contact
          tracing,  and immunity certification; and in relation to providing for
          the anonymization of biometric data for protection from  law  enforce-
          The  People of the State of New York, represented in Senate and Assem-
        bly, do enact as follows:
     1    Section 1. This act shall be known and may  be  cited  as  the  "test,
     2  trust, and certify act".
     3    § 2. Section 50 of the civil rights law is amended to read as follows:
     4    §  50.  Right  of privacy. [A] 1. Any person, firm or corporation that
     5  collects, stores, and/or uses for the purpose of advertising  [purposes,
     6  or for the purposes of], trade, data-mining, or generating commercial or
     7  economic  value,  the  name, portrait [or], picture, video, voice, like-
     8  ness, or any other personal data, biometric data, or  location  data  of
     9  any  living  person without having first obtained the written consent of
    10  such person, or if a minor of his or her parent or guardian, or, if such
    11  consent is obtained, subsequently  fails  to  exercise  reasonable  care
    12  consistent  with  its  obligations  as bailee of such individual's name,
    13  portrait, picture, video, voice, likeness, or any other  personal  data,
    14  biometric data, or location data, is guilty of a misdemeanor.
    15    2.  As  used  in  this section, "biometric data" means an individual's
    16  physiological, biological or behavioral characteristics or an electronic
    17  representation of such, including an individual's deoxyribonucleic  acid
    18  (DNA),  that  can  be  used, singly or in combination with each other or
    19  with other identifying data, to establish individual identity.
    20    3. Biometric data includes, but is not  limited  to,  imagery  of  the
    21  iris, retina, fingerprint, face, hand, palm, vein patterns, body temper-
    22  ature, data collected from fluid from nasal cavities or saliva to ascer-
    23  tain  the  presence  of the novel SARS-CoV-2 coronavirus, data collected
    24  from withdrawn blood serum, plasma, or whole blood used to determine the
    25  presence of antibodies, or other forms of bodily immunity, in  convales-
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.

        A. 10462                            2

     1  cent  or  otherwise  asymptomatic  patients of pathogenic and infectious
     2  disease, and voice recordings, from which an identifier  template,  such
     3  as  a faceprint, a minutiae template, or a voiceprint, can be extracted,
     4  and  keystroke patterns or rhythms, gait patterns or rhythms, and sleep,
     5  health, or exercise data that contain identifying information.
     6    § 3. Anonymization of biometric data; protection from law enforcement.
     7  The commissioner of the department of health and  the  attorney  general
     8  shall ensure that:
     9    (a)  any  sharing  of  information with governmental entities shall be
    10  solely for purposes of optimizing the contact tracing and  certification
    11  protocol as outlined in title 8 of the public health law;
    12    (b)  any  personal  data  that  is not being used solely to assist the
    13  person whose data is being accessed and that is being used for  optimiz-
    14  ing  and  administrating the protocol shall be cryptographically anonym-
    15  ized and all reasonable care shall be taken to  ensure  that  subsequent
    16  deanonymization is not enabled or facilitated through databases used for
    17  anonymized data;
    18    (c) any personal data shared with law enforcement authorities shall be
    19  shared  solely  in  strict  compliance  with the fourth amendment to the
    20  United States constitution and any and  all  other  state,  federal  and
    21  local  laws, rules, regulations, or other legal constraints that protect
    22  the rights of suspected or accused persons and the contact  tracing  and
    23  certification  protocol  shall  not lessen the degree of legally assured
    24  biometric data privacy of New Yorkers;
    25    (d) any and all  practicable  measures,  including  cryptographic  and
    26  self-sovereign  data storage methods, when reasonable, shall be taken to
    27  prevent unnecessary exposure,  unnecessary  custody  over  any  form  of
    28  private  data, or accidental data privacy breaches stemming from outside
    29  or inadvertent disclosure.
    30    § 4. Article 21 of the public health law is amended by  adding  a  new
    31  title 8 to read as follows:
    32                                 TITLE VIII
    34              (SARS-CoV-2); CORONAVIRUS DISEASE 2019 (COVID-19)
    35  Section 2180. Definitions.
    36          2181. Guidelines for contact tracing; certification for immunity
    37                  status.
    38          2182. Self-sovereign identification of data.
    39          2183. Liaising  with the federal centers for disease control and
    40                  prevention.
    41    § 2180. Definitions. As used in this title, the following terms  shall
    42  have the following meanings:
    43    1.  "Tracking"  or  "contact  tracing" shall mean the protocol through
    44  which the infectious spread of  the  novel  SARS-CoV-2  coronavirus  and
    45  corresponding  propagation of COVID-19 is monitored in individuals. Such
    46  protocol may be implemented through, but not  limited  to,  the  use  of
    47  smart  phone applications, an anonymized or pseudonymous digital tracing
    48  identifier, and blockchain, GPS, or Bluetooth technology.
    49    2. "Immunity" shall mean:
    50    (a) the degree to which an individual is diagnostically determined  to
    51  not  be susceptible to infection by or not capable of shedding the novel
    52  SARS-CoV-2 coronavirus, as determined by various markers such as serolo-
    53  gy-based testing for the presence of antibodies. Such serological  test-
    54  ing may include, but not be limited to, the rapid diagnostic test (RDT),
    55  enzyme-linked  immunosorbent assay (ELISA), neutralization assay, or any
    56  test that has been approved by the United States Food and Drug  Adminis-

        A. 10462                            3
     1  tration  for diagnostic use in the United States and in the state of New
     2  York.
     3    (b) the definition that the commissioner is authorized, in conjunction
     4  and  in  consultation  with  medical researchers and health officers, to
     5  unilaterally determine, as research continues to be conducted on  immune
     6  response  to  the novel coronavirus, serological testing, antiviral drug
     7  therapies, and candidates for a vaccine.
     8    3. "Certifying" shall mean the protocol through which an individual is
     9  determined to have immunity to COVID-19 or is otherwise deemed  non-con-
    10  tagious and able to participate in greater society.
    11    4.  "Self-sovereign  identification"  shall  mean, with respect to the
    12  collection and monitoring of data used for the tracking of the spread of
    13  the novel coronavirus, COVID-19, the right of an individual to  maintain
    14  sovereign  access and control of their data and their anonymity, provid-
    15  ing proof of  validity  without  being  required  to  disclose  unneeded
    16  private  data,  and  protect  such  data  from  extraction for profit or
    17  exploitation by an authority or external entity, such as, but not limit-
    18  ed to, a person, firm, corporation, or government  entity  that  is  not
    19  done  with  the  explicit intent for aiding the individual in mitigating
    20  the spread of the novel  coronavirus,  COVID-19,  or  convalescing  from
    21  COVID-19,  pursuant  to sections twenty-one hundred eighty-one and twen-
    22  ty-one hundred eighty-two of this title.
    23    5. "COVID-19" shall mean the novel severe acute  respiratory  syndrome
    24  coronavirus 2 (SARS-CoV-2).
    25    §  2181.  Guidelines  for  contact tracing; certification for immunity
    26  status. 1.  The commissioner, in conjunction with his  or  her  counter-
    27  parts  in  municipalities  of the state and the chief medical and health
    28  officers in hospitals and medical facilities in the state,  and  at  the
    29  federal  centers  for  disease  control  and prevention, shall develop a
    30  protocol for contact tracing and certifying for immunity to mitigate the
    31  spread of COVID-19.
    32    2. The department shall ensure that authorized  diagnostic  tests  for
    33  immunity  be  conducted unconditionally and free of charge for any indi-
    34  vidual.
    35    (a) No provider of COVID-19 and antibody  testing  shall  discriminate
    36  against  a consumer for exercising his or her right to unconditional and
    37  free testing for immunity.
    38    (b) A testing provider shall not discriminate against  a  patient  who
    39  exercises any of their self-sovereign identification and data protection
    40  rights  under  this title or does not provide consent to additional data
    41  collection or sharing under this title, including, but not  limited  to,
    42  by:
    43    (i) denying testing services to the consumer;
    44    (ii) charging a fee for testing;
    45    (iii)  providing  a  different  level or quality of testing or medical
    46  service to the consumer; or
    47    (iv) suggesting that the consumer will receive a fee  for  testing  or
    48  medical  service  or  a different level or quality of testing or medical
    49  service.
    50    § 2182. Self-sovereign identification of data. 1. The department shall
    51  structure the protocol developed pursuant to section twenty-one  hundred
    52  eighty-one  of this title to make provisions for accepting and function-
    53  ing with the self-sovereign identification of individuals' data.
    54    2. Information related or pertaining to  an  individual's  immigration
    55  status,  banking  status,  financial  affairs,  or  criminal or policing
    56  record, shall be deemed to be sensitive personally identifiable informa-

        A. 10462                            4
     1  tion, and shall not  be  procured  from  the  individual  at  any  point
     2  throughout the tracing and certification process.
     3    3.  For  applications  or  agencies  to  support tracing, testing, and
     4  certification protocols required use  of  any  centralized,  third-party
     5  private platform or digital cloud infrastructure as central data storage
     6  for the purposes of implementing the protocol is prohibited.
     7    4.  The  collection  and storage of tracing and certification data for
     8  the implementation of the protocol shall be supported using a decentral-
     9  ized database, in order to facilitate:
    10    (a) The protection of personal health records and individual identity,
    11  and the preservation of self-sovereignty over one's own personal  biome-
    12  tric data;
    13    (b) The maximization of data integrity and security through encryption
    14  and  verification  of  personal health records to mitigate the necessary
    15  involvement or infiltration of central parties not privy to access  such
    16  information; and
    17    (c) Accessibility to published data and data provenance, to ensure the
    18  transparency of tracing data inputs.
    19    5. (a) Every individual has a right of self-sovereign identity whereby
    20  they can issue, revoke, and recover their identity autonomously.
    21    (b) Every individual has the right to use their self-sovereign identi-
    22  ty  to submit provable information about themselves and have such infor-
    23  mation accepted as valid if it has been attested to cryptographically by
    24  an acceptable authority.
    25    (c) Every self-sovereign identity system has the  right  to  create  a
    26  cryptographically  secure  digital signature, which shall be accepted as
    27  legally binding if properly attested to as representing  the  individual
    28  by an acceptable authority or authorities.
    29    §  2183.  Liaising  with  the  federal centers for disease control and
    30  prevention.  The governor and the commissioner shall be responsible  for
    31  liaising  with the federal centers for disease control and prevention to
    32  coordinate state and federal efforts to mitigate the spread of COVID-19,
    33  ensure that adequate data protections as prescribed in  this  title  are
    34  being taken at the federal level, and provide consultation to the feder-
    35  al  government  for  implementing  a  similarly  decentralized and self-
    36  sovereign system for contact tracing and immunity certification  nation-
    37  wide.
    38    § 5. This act shall take effect immediately.
Go to top