|SAME AS||No Same As|
|COSPNSR||Simon, Frontus, D'Urso, Mosley, Seawright, Glick, Colton, Cahill, Montesano|
|Amd 50, Civ Rts L; add Art 21 Title 8 2180 - 2183, Pub Health L|
|Establishes the test, trust, and certify act to establish a protocol for COVID-19 testing, contact tracing, and immunity certification and to protect individuals' right to privacy; grants individuals the right to control their self-sovereign identification data; provides for the anonymization of biometric data for protection from law enforcement.|
Go to top
NEW YORK STATE ASSEMBLY
MEMORANDUM IN SUPPORT OF LEGISLATION
submitted in accordance with Assembly Rule III, Sec 1(f)
BILL NUMBER: A10462 SPONSOR: Rules (Kim)
TITLE OF BILL: An act to amend the civil rights law and the public health law, in relation to establishing a protocol for COVID-19 testing, contact trac- ing, and immunity certification; and in relation to providing for the anonymization of biometric data for protection from law enforcement   PURPOSE OR GENERAL IDEA OF BILL: To provide a framework for a decentralized and system of self-sovereign identity, for the purposes of protecting the privacy of data related to COVID-19 contact tracing and immunity certification   SUMMARY OF PROVISIONS: Section 1 provides the short title of the bill, hereafter known as the "Test, Trust, and Certify Act." Section 2 amends Section 50 of the Civil Rights Law to expand the types of data protected under the statutory rights to privacy. In particular, biometric data is explicitly defined, including data pertaining to test- ing for the novel SARS-CoV-2 coronavirus responsible for coronavirus disease 2019 (COVID-19), and the presence of antibodies or other forms of body immunity in convalescing individuals. Section 3 directs the Commissioner of the Department of Health and the Attorney General to ensure that any personal information is solely used for the optimization of contact tracing and certification protocols, and that data privacy is rigorously protected from government law enforce- ment agencies (unless otherwise in compliance with the Fourth Amendment of the United States Constitution) and third-party entities. Section 4 amends Article 21 of the Public Health Law by adding a new Title 8, consisting of new Sections 2180-2183, titled "Severe Acute Respiratory Syndrome Coronavirus 2 (SARS-CoV-2); Coronavirus Disease 2019 (COVID-19)," which outlines the guidelines for a decentralized and self-sovereign contact tracing and immunity certification protocol. Title 8, Section 2180 provides definitions for "tracing," "contact trac- ing," "immunity," "certifying," "self-sovereign identification," and "COVID-19." Title 8, Section 2181 directs the Commissioner of Health along with their counterparts in municipalities to formulate guidelines for contact tracing and certification for immunity status, and forbids the charging of testing fees and discrimination against an individual exercising their self-sovereign identification and data protection rights. Title 8, Section 2182 directs the Department of Health to structure a self- sovereign identification protocol that guarantees all individuals the right to a self-sovereign identity. This protocol ensures that data related to an individual's immigration status, banking status, financial record, or criminal or policing record are prohibited from being collected; additionally, the use of any centralized, private, third-par- ty platform for data storage is prohibited. Title 8, Section 2183 ensures that the Governor and Commissioner of Health be responsible for liaising and providing consultation with the federal Centers for Disease Control and Prevention on matters of data privacy related to contact tracing and immunity certification. Section 5 provides the effective date.   DIFFERENCE BETWEEN ORIGINAL AND AMENDED VERSION (IF APPLICABLE): This is a new bill.   JUSTIFICATION: The COVID-19 pandemic has laid bare the sheer infrastructural inadequa- cies in the state and nation's health care system; in particular, it has exposed our society's dependence on Big Tech to provide services such as contact tracing that are crucial towards returning to some semblance of functioning society. Even now, tech monopolists such as Apple and Google seek to capitalize on the contact tracing industry and profit off of the extraction of individuals' personal biometric data. Moreover, should private employers mandate their employees to subject themselves to third-party, extractive testing and contact tracing measures, it would further jeopardize the privacy rights of New Yorkers while further enriching tech capitalists. The ramifications of this are severe, and will lead to a society further divided by class and racial strife if left unabated. This legislation will endow individuals with their sovereign rights to access and control of their data, while providing protocols for a decen- tralized, peer-to-peer system for contact tracing and immunity certif- ication. It has been said that pandemics end in two ways, medically and socially: the scope of this bill is to facilitate the social ending of the COVID-19 pandemic and allowing society to trust one another once more.   PRIOR LEGISLATIVE HISTORY: This is a new bill.   FISCAL IMPLICATIONS FOR STATE AND LOCAL GOVERNMENTS: None.   EFFECTIVE DATE: Immediately upon passage.
Go to top
STATE OF NEW YORK ________________________________________________________________________ 10462 IN ASSEMBLY May 18, 2020 ___________ Introduced by COMMITTEE ON RULES -- (at request of M. of A. Kim) -- read once and referred to the Committee on Health AN ACT to amend the civil rights law and the public health law, in relation to establishing a protocol for COVID-19 testing, contact tracing, and immunity certification; and in relation to providing for the anonymization of biometric data for protection from law enforce- ment The People of the State of New York, represented in Senate and Assem- bly, do enact as follows: 1 Section 1. This act shall be known and may be cited as the "test, 2 trust, and certify act". 3 § 2. Section 50 of the civil rights law is amended to read as follows: 4 § 50. Right of privacy. [ A] 1. Any person, firm or corporation that 5 collects, stores, and/or uses for the purpose of advertising [ purposes,6 or for the purposes of], trade, data-mining, or generating commercial or 7 economic value, the name, portrait [ or], picture, video, voice, like- 8 ness, or any other personal data, biometric data, or location data of 9 any living person without having first obtained the written consent of 10 such person, or if a minor of his or her parent or guardian, or, if such 11 consent is obtained, subsequently fails to exercise reasonable care 12 consistent with its obligations as bailee of such individual's name, 13 portrait, picture, video, voice, likeness, or any other personal data, 14 biometric data, or location data, is guilty of a misdemeanor. 15 2. As used in this section, "biometric data" means an individual's 16 physiological, biological or behavioral characteristics or an electronic 17 representation of such, including an individual's deoxyribonucleic acid 18 (DNA), that can be used, singly or in combination with each other or 19 with other identifying data, to establish individual identity. 20 3. Biometric data includes, but is not limited to, imagery of the 21 iris, retina, fingerprint, face, hand, palm, vein patterns, body temper- 22 ature, data collected from fluid from nasal cavities or saliva to ascer- 23 tain the presence of the novel SARS-CoV-2 coronavirus, data collected 24 from withdrawn blood serum, plasma, or whole blood used to determine the 25 presence of antibodies, or other forms of bodily immunity, in convales- EXPLANATION--Matter in italics (underscored) is new; matter in brackets [ ] is old law to be omitted. LBD16206-01-0A. 10462 2 1 cent or otherwise asymptomatic patients of pathogenic and infectious 2 disease, and voice recordings, from which an identifier template, such 3 as a faceprint, a minutiae template, or a voiceprint, can be extracted, 4 and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, 5 health, or exercise data that contain identifying information. 6 § 3. Anonymization of biometric data; protection from law enforcement. 7 The commissioner of the department of health and the attorney general 8 shall ensure that: 9 (a) any sharing of information with governmental entities shall be 10 solely for purposes of optimizing the contact tracing and certification 11 protocol as outlined in title 8 of the public health law; 12 (b) any personal data that is not being used solely to assist the 13 person whose data is being accessed and that is being used for optimiz- 14 ing and administrating the protocol shall be cryptographically anonym- 15 ized and all reasonable care shall be taken to ensure that subsequent 16 deanonymization is not enabled or facilitated through databases used for 17 anonymized data; 18 (c) any personal data shared with law enforcement authorities shall be 19 shared solely in strict compliance with the fourth amendment to the 20 United States constitution and any and all other state, federal and 21 local laws, rules, regulations, or other legal constraints that protect 22 the rights of suspected or accused persons and the contact tracing and 23 certification protocol shall not lessen the degree of legally assured 24 biometric data privacy of New Yorkers; 25 (d) any and all practicable measures, including cryptographic and 26 self-sovereign data storage methods, when reasonable, shall be taken to 27 prevent unnecessary exposure, unnecessary custody over any form of 28 private data, or accidental data privacy breaches stemming from outside 29 or inadvertent disclosure. 30 § 4. Article 21 of the public health law is amended by adding a new 31 title 8 to read as follows: 32 TITLE VIII 33 SEVERE ACUTE RESPIRATORY SYNDROME CORONAVIRUS 2 34 (SARS-CoV-2); CORONAVIRUS DISEASE 2019 (COVID-19) 35 Section 2180. Definitions. 36 2181. Guidelines for contact tracing; certification for immunity 37 status. 38 2182. Self-sovereign identification of data. 39 2183. Liaising with the federal centers for disease control and 40 prevention. 41 § 2180. Definitions. As used in this title, the following terms shall 42 have the following meanings: 43 1. "Tracking" or "contact tracing" shall mean the protocol through 44 which the infectious spread of the novel SARS-CoV-2 coronavirus and 45 corresponding propagation of COVID-19 is monitored in individuals. Such 46 protocol may be implemented through, but not limited to, the use of 47 smart phone applications, an anonymized or pseudonymous digital tracing 48 identifier, and blockchain, GPS, or Bluetooth technology. 49 2. "Immunity" shall mean: 50 (a) the degree to which an individual is diagnostically determined to 51 not be susceptible to infection by or not capable of shedding the novel 52 SARS-CoV-2 coronavirus, as determined by various markers such as serolo- 53 gy-based testing for the presence of antibodies. Such serological test- 54 ing may include, but not be limited to, the rapid diagnostic test (RDT), 55 enzyme-linked immunosorbent assay (ELISA), neutralization assay, or any 56 test that has been approved by the United States Food and Drug Adminis-A. 10462 3 1 tration for diagnostic use in the United States and in the state of New 2 York. 3 (b) the definition that the commissioner is authorized, in conjunction 4 and in consultation with medical researchers and health officers, to 5 unilaterally determine, as research continues to be conducted on immune 6 response to the novel coronavirus, serological testing, antiviral drug 7 therapies, and candidates for a vaccine. 8 3. "Certifying" shall mean the protocol through which an individual is 9 determined to have immunity to COVID-19 or is otherwise deemed non-con- 10 tagious and able to participate in greater society. 11 4. "Self-sovereign identification" shall mean, with respect to the 12 collection and monitoring of data used for the tracking of the spread of 13 the novel coronavirus, COVID-19, the right of an individual to maintain 14 sovereign access and control of their data and their anonymity, provid- 15 ing proof of validity without being required to disclose unneeded 16 private data, and protect such data from extraction for profit or 17 exploitation by an authority or external entity, such as, but not limit- 18 ed to, a person, firm, corporation, or government entity that is not 19 done with the explicit intent for aiding the individual in mitigating 20 the spread of the novel coronavirus, COVID-19, or convalescing from 21 COVID-19, pursuant to sections twenty-one hundred eighty-one and twen- 22 ty-one hundred eighty-two of this title. 23 5. "COVID-19" shall mean the novel severe acute respiratory syndrome 24 coronavirus 2 (SARS-CoV-2). 25 § 2181. Guidelines for contact tracing; certification for immunity 26 status. 1. The commissioner, in conjunction with his or her counter- 27 parts in municipalities of the state and the chief medical and health 28 officers in hospitals and medical facilities in the state, and at the 29 federal centers for disease control and prevention, shall develop a 30 protocol for contact tracing and certifying for immunity to mitigate the 31 spread of COVID-19. 32 2. The department shall ensure that authorized diagnostic tests for 33 immunity be conducted unconditionally and free of charge for any indi- 34 vidual. 35 (a) No provider of COVID-19 and antibody testing shall discriminate 36 against a consumer for exercising his or her right to unconditional and 37 free testing for immunity. 38 (b) A testing provider shall not discriminate against a patient who 39 exercises any of their self-sovereign identification and data protection 40 rights under this title or does not provide consent to additional data 41 collection or sharing under this title, including, but not limited to, 42 by: 43 (i) denying testing services to the consumer; 44 (ii) charging a fee for testing; 45 (iii) providing a different level or quality of testing or medical 46 service to the consumer; or 47 (iv) suggesting that the consumer will receive a fee for testing or 48 medical service or a different level or quality of testing or medical 49 service. 50 § 2182. Self-sovereign identification of data. 1. The department shall 51 structure the protocol developed pursuant to section twenty-one hundred 52 eighty-one of this title to make provisions for accepting and function- 53 ing with the self-sovereign identification of individuals' data. 54 2. Information related or pertaining to an individual's immigration 55 status, banking status, financial affairs, or criminal or policing 56 record, shall be deemed to be sensitive personally identifiable informa-A. 10462 4 1 tion, and shall not be procured from the individual at any point 2 throughout the tracing and certification process. 3 3. For applications or agencies to support tracing, testing, and 4 certification protocols required use of any centralized, third-party 5 private platform or digital cloud infrastructure as central data storage 6 for the purposes of implementing the protocol is prohibited. 7 4. The collection and storage of tracing and certification data for 8 the implementation of the protocol shall be supported using a decentral- 9 ized database, in order to facilitate: 10 (a) The protection of personal health records and individual identity, 11 and the preservation of self-sovereignty over one's own personal biome- 12 tric data; 13 (b) The maximization of data integrity and security through encryption 14 and verification of personal health records to mitigate the necessary 15 involvement or infiltration of central parties not privy to access such 16 information; and 17 (c) Accessibility to published data and data provenance, to ensure the 18 transparency of tracing data inputs. 19 5. (a) Every individual has a right of self-sovereign identity whereby 20 they can issue, revoke, and recover their identity autonomously. 21 (b) Every individual has the right to use their self-sovereign identi- 22 ty to submit provable information about themselves and have such infor- 23 mation accepted as valid if it has been attested to cryptographically by 24 an acceptable authority. 25 (c) Every self-sovereign identity system has the right to create a 26 cryptographically secure digital signature, which shall be accepted as 27 legally binding if properly attested to as representing the individual 28 by an acceptable authority or authorities. 29 § 2183. Liaising with the federal centers for disease control and 30 prevention. The governor and the commissioner shall be responsible for 31 liaising with the federal centers for disease control and prevention to 32 coordinate state and federal efforts to mitigate the spread of COVID-19, 33 ensure that adequate data protections as prescribed in this title are 34 being taken at the federal level, and provide consultation to the feder- 35 al government for implementing a similarly decentralized and self- 36 sovereign system for contact tracing and immunity certification nation- 37 wide. 38 § 5. This act shall take effect immediately.