Amd 50, Civ Rts L; add Art 21 Title 8 2180 - 2183, Pub Health L
 
Establishes the test, trust, and certify act to establish a protocol for COVID-19 testing, contact tracing, and immunity certification and to protect individuals' right to privacy; grants individuals the right to control their self-sovereign identification data; provides for the anonymization of biometric data for protection from law enforcement.
NEW YORK STATE ASSEMBLY MEMORANDUM IN SUPPORT OF LEGISLATION submitted in accordance with Assembly Rule III, Sec 1(f)
 
BILL NUMBER: A10462
SPONSOR: Rules (Kim)
 
TITLE OF BILL:
An act to amend the civil rights law and the public health law, in
relation to establishing a protocol for COVID-19 testing, contact trac-
ing, and immunity certification; and in relation to providing for the
anonymization of biometric data for protection from law enforcement
 
PURPOSE OR GENERAL IDEA OF BILL:
To provide a framework for a decentralized and system of self-sovereign
identity, for the purposes of protecting the privacy of data related to
COVID-19 contact tracing and immunity certification
 
SUMMARY OF PROVISIONS:
Section 1 provides the short title of the bill, hereafter known as the
"Test, Trust, and Certify Act."
Section 2 amends Section 50 of the Civil Rights Law to expand the types
of data protected under the statutory rights to privacy. In particular,
biometric data is explicitly defined, including data pertaining to test-
ing for the novel SARS-CoV-2 coronavirus responsible for coronavirus
disease 2019 (COVID-19), and the presence of antibodies or other forms
of body immunity in convalescing individuals.
Section 3 directs the Commissioner of the Department of Health and the
Attorney General to ensure that any personal information is solely used
for the optimization of contact tracing and certification protocols, and
that data privacy is rigorously protected from government law enforce-
ment agencies (unless otherwise in compliance with the Fourth Amendment
of the United States Constitution) and third-party entities.
Section 4 amends Article 21 of the Public Health Law by adding a new
Title 8, consisting of new Sections 2180-2183, titled "Severe Acute
Respiratory Syndrome Coronavirus 2 (SARS-CoV-2); Coronavirus Disease
2019 (COVID-19)," which outlines the guidelines for a decentralized and
self-sovereign contact tracing and immunity certification protocol.
Title 8, Section 2180 provides definitions for "tracing," "contact trac-
ing," "immunity," "certifying," "self-sovereign identification," and
"COVID-19."
Title 8, Section 2181 directs the Commissioner of Health along with
their counterparts in municipalities to formulate guidelines for contact
tracing and certification for immunity status, and forbids the charging
of testing fees and discrimination against an individual exercising
their self-sovereign identification and data protection rights. Title
8, Section 2182 directs the Department of Health to structure a self-
sovereign identification protocol that guarantees all individuals the
right to a self-sovereign identity. This protocol ensures that data
related to an individual's immigration status, banking status, financial
record, or criminal or policing record are prohibited from being
collected; additionally, the use of any centralized, private, third-par-
ty platform for data storage is prohibited.
Title 8, Section 2183 ensures that the Governor and Commissioner of
Health be responsible for liaising and providing consultation with the
federal Centers for Disease Control and Prevention on matters of data
privacy related to contact tracing and immunity certification.
Section 5 provides the effective date.
 
DIFFERENCE BETWEEN ORIGINAL AND AMENDED VERSION (IF APPLICABLE):
This is a new bill.
 
JUSTIFICATION:
The COVID-19 pandemic has laid bare the sheer infrastructural inadequa-
cies in the state and nation's health care system; in particular, it has
exposed our society's dependence on Big Tech to provide services such as
contact tracing that are crucial towards returning to some semblance of
functioning society.
Even now, tech monopolists such as Apple and Google seek to capitalize
on the contact tracing industry and profit off of the extraction of
individuals' personal biometric data. Moreover, should private employers
mandate their employees to subject themselves to third-party, extractive
testing and contact tracing measures, it would further jeopardize the
privacy rights of New Yorkers while further enriching tech capitalists.
The ramifications of this are severe, and will lead to a society further
divided by class and racial strife if left unabated.
This legislation will endow individuals with their sovereign rights to
access and control of their data, while providing protocols for a decen-
tralized, peer-to-peer system for contact tracing and immunity certif-
ication. It has been said that pandemics end in two ways, medically and
socially: the scope of this bill is to facilitate the social ending of
the COVID-19 pandemic and allowing society to trust one another once
more.
 
PRIOR LEGISLATIVE HISTORY:
This is a new bill.
 
FISCAL IMPLICATIONS FOR STATE AND LOCAL GOVERNMENTS:
None.
 
EFFECTIVE DATE:
Immediately upon passage.
STATE OF NEW YORK
________________________________________________________________________
10462
IN ASSEMBLY
May 18, 2020
___________
Introduced by COMMITTEE ON RULES -- (at request of M. of A. Kim) -- read
once and referred to the Committee on Health
AN ACT to amend the civil rights law and the public health law, in
relation to establishing a protocol for COVID-19 testing, contact
tracing, and immunity certification; and in relation to providing for
the anonymization of biometric data for protection from law enforce-
ment
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. This act shall be known and may be cited as the "test,
2 trust, and certify act".
3 § 2. Section 50 of the civil rights law is amended to read as follows:
4 § 50. Right of privacy. [A] 1. Any person, firm or corporation that
5 collects, stores, and/or uses for the purpose of advertising [purposes,
6 or for the purposes of], trade, data-mining, or generating commercial or
7 economic value, the name, portrait [or], picture, video, voice, like-
8 ness, or any other personal data, biometric data, or location data of
9 any living person without having first obtained the written consent of
10 such person, or if a minor of his or her parent or guardian, or, if such
11 consent is obtained, subsequently fails to exercise reasonable care
12 consistent with its obligations as bailee of such individual's name,
13 portrait, picture, video, voice, likeness, or any other personal data,
14 biometric data, or location data, is guilty of a misdemeanor.
15 2. As used in this section, "biometric data" means an individual's
16 physiological, biological or behavioral characteristics or an electronic
17 representation of such, including an individual's deoxyribonucleic acid
18 (DNA), that can be used, singly or in combination with each other or
19 with other identifying data, to establish individual identity.
20 3. Biometric data includes, but is not limited to, imagery of the
21 iris, retina, fingerprint, face, hand, palm, vein patterns, body temper-
22 ature, data collected from fluid from nasal cavities or saliva to ascer-
23 tain the presence of the novel SARS-CoV-2 coronavirus, data collected
24 from withdrawn blood serum, plasma, or whole blood used to determine the
25 presence of antibodies, or other forms of bodily immunity, in convales-
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD16206-01-0
A. 10462 2
1 cent or otherwise asymptomatic patients of pathogenic and infectious
2 disease, and voice recordings, from which an identifier template, such
3 as a faceprint, a minutiae template, or a voiceprint, can be extracted,
4 and keystroke patterns or rhythms, gait patterns or rhythms, and sleep,
5 health, or exercise data that contain identifying information.
6 § 3. Anonymization of biometric data; protection from law enforcement.
7 The commissioner of the department of health and the attorney general
8 shall ensure that:
9 (a) any sharing of information with governmental entities shall be
10 solely for purposes of optimizing the contact tracing and certification
11 protocol as outlined in title 8 of the public health law;
12 (b) any personal data that is not being used solely to assist the
13 person whose data is being accessed and that is being used for optimiz-
14 ing and administrating the protocol shall be cryptographically anonym-
15 ized and all reasonable care shall be taken to ensure that subsequent
16 deanonymization is not enabled or facilitated through databases used for
17 anonymized data;
18 (c) any personal data shared with law enforcement authorities shall be
19 shared solely in strict compliance with the fourth amendment to the
20 United States constitution and any and all other state, federal and
21 local laws, rules, regulations, or other legal constraints that protect
22 the rights of suspected or accused persons and the contact tracing and
23 certification protocol shall not lessen the degree of legally assured
24 biometric data privacy of New Yorkers;
25 (d) any and all practicable measures, including cryptographic and
26 self-sovereign data storage methods, when reasonable, shall be taken to
27 prevent unnecessary exposure, unnecessary custody over any form of
28 private data, or accidental data privacy breaches stemming from outside
29 or inadvertent disclosure.
30 § 4. Article 21 of the public health law is amended by adding a new
31 title 8 to read as follows:
32 TITLE VIII
33 SEVERE ACUTE RESPIRATORY SYNDROME CORONAVIRUS 2
34 (SARS-CoV-2); CORONAVIRUS DISEASE 2019 (COVID-19)
35 Section 2180. Definitions.
36 2181. Guidelines for contact tracing; certification for immunity
37 status.
38 2182. Self-sovereign identification of data.
39 2183. Liaising with the federal centers for disease control and
40 prevention.
41 § 2180. Definitions. As used in this title, the following terms shall
42 have the following meanings:
43 1. "Tracking" or "contact tracing" shall mean the protocol through
44 which the infectious spread of the novel SARS-CoV-2 coronavirus and
45 corresponding propagation of COVID-19 is monitored in individuals. Such
46 protocol may be implemented through, but not limited to, the use of
47 smart phone applications, an anonymized or pseudonymous digital tracing
48 identifier, and blockchain, GPS, or Bluetooth technology.
49 2. "Immunity" shall mean:
50 (a) the degree to which an individual is diagnostically determined to
51 not be susceptible to infection by or not capable of shedding the novel
52 SARS-CoV-2 coronavirus, as determined by various markers such as serolo-
53 gy-based testing for the presence of antibodies. Such serological test-
54 ing may include, but not be limited to, the rapid diagnostic test (RDT),
55 enzyme-linked immunosorbent assay (ELISA), neutralization assay, or any
56 test that has been approved by the United States Food and Drug Adminis-
A. 10462 3
1 tration for diagnostic use in the United States and in the state of New
2 York.
3 (b) the definition that the commissioner is authorized, in conjunction
4 and in consultation with medical researchers and health officers, to
5 unilaterally determine, as research continues to be conducted on immune
6 response to the novel coronavirus, serological testing, antiviral drug
7 therapies, and candidates for a vaccine.
8 3. "Certifying" shall mean the protocol through which an individual is
9 determined to have immunity to COVID-19 or is otherwise deemed non-con-
10 tagious and able to participate in greater society.
11 4. "Self-sovereign identification" shall mean, with respect to the
12 collection and monitoring of data used for the tracking of the spread of
13 the novel coronavirus, COVID-19, the right of an individual to maintain
14 sovereign access and control of their data and their anonymity, provid-
15 ing proof of validity without being required to disclose unneeded
16 private data, and protect such data from extraction for profit or
17 exploitation by an authority or external entity, such as, but not limit-
18 ed to, a person, firm, corporation, or government entity that is not
19 done with the explicit intent for aiding the individual in mitigating
20 the spread of the novel coronavirus, COVID-19, or convalescing from
21 COVID-19, pursuant to sections twenty-one hundred eighty-one and twen-
22 ty-one hundred eighty-two of this title.
23 5. "COVID-19" shall mean the novel severe acute respiratory syndrome
24 coronavirus 2 (SARS-CoV-2).
25 § 2181. Guidelines for contact tracing; certification for immunity
26 status. 1. The commissioner, in conjunction with his or her counter-
27 parts in municipalities of the state and the chief medical and health
28 officers in hospitals and medical facilities in the state, and at the
29 federal centers for disease control and prevention, shall develop a
30 protocol for contact tracing and certifying for immunity to mitigate the
31 spread of COVID-19.
32 2. The department shall ensure that authorized diagnostic tests for
33 immunity be conducted unconditionally and free of charge for any indi-
34 vidual.
35 (a) No provider of COVID-19 and antibody testing shall discriminate
36 against a consumer for exercising his or her right to unconditional and
37 free testing for immunity.
38 (b) A testing provider shall not discriminate against a patient who
39 exercises any of their self-sovereign identification and data protection
40 rights under this title or does not provide consent to additional data
41 collection or sharing under this title, including, but not limited to,
42 by:
43 (i) denying testing services to the consumer;
44 (ii) charging a fee for testing;
45 (iii) providing a different level or quality of testing or medical
46 service to the consumer; or
47 (iv) suggesting that the consumer will receive a fee for testing or
48 medical service or a different level or quality of testing or medical
49 service.
50 § 2182. Self-sovereign identification of data. 1. The department shall
51 structure the protocol developed pursuant to section twenty-one hundred
52 eighty-one of this title to make provisions for accepting and function-
53 ing with the self-sovereign identification of individuals' data.
54 2. Information related or pertaining to an individual's immigration
55 status, banking status, financial affairs, or criminal or policing
56 record, shall be deemed to be sensitive personally identifiable informa-
A. 10462 4
1 tion, and shall not be procured from the individual at any point
2 throughout the tracing and certification process.
3 3. For applications or agencies to support tracing, testing, and
4 certification protocols required use of any centralized, third-party
5 private platform or digital cloud infrastructure as central data storage
6 for the purposes of implementing the protocol is prohibited.
7 4. The collection and storage of tracing and certification data for
8 the implementation of the protocol shall be supported using a decentral-
9 ized database, in order to facilitate:
10 (a) The protection of personal health records and individual identity,
11 and the preservation of self-sovereignty over one's own personal biome-
12 tric data;
13 (b) The maximization of data integrity and security through encryption
14 and verification of personal health records to mitigate the necessary
15 involvement or infiltration of central parties not privy to access such
16 information; and
17 (c) Accessibility to published data and data provenance, to ensure the
18 transparency of tracing data inputs.
19 5. (a) Every individual has a right of self-sovereign identity whereby
20 they can issue, revoke, and recover their identity autonomously.
21 (b) Every individual has the right to use their self-sovereign identi-
22 ty to submit provable information about themselves and have such infor-
23 mation accepted as valid if it has been attested to cryptographically by
24 an acceptable authority.
25 (c) Every self-sovereign identity system has the right to create a
26 cryptographically secure digital signature, which shall be accepted as
27 legally binding if properly attested to as representing the individual
28 by an acceptable authority or authorities.
29 § 2183. Liaising with the federal centers for disease control and
30 prevention. The governor and the commissioner shall be responsible for
31 liaising with the federal centers for disease control and prevention to
32 coordinate state and federal efforts to mitigate the spread of COVID-19,
33 ensure that adequate data protections as prescribed in this title are
34 being taken at the federal level, and provide consultation to the feder-
35 al government for implementing a similarly decentralized and self-
36 sovereign system for contact tracing and immunity certification nation-
37 wide.
38 § 5. This act shall take effect immediately.