A US Federal Data Protection Act?
While data protection rules have been highly harmonised within the European Union through the adoption of the EU General Data Protection Regulation (GDPR), the situation looks different in the United States. Although some states have enacted comprehensive data protection and privacy legislation in recent years (e.g. California, Colorado, Utah and Virginia), no general data protection law is in place at the federal level. As a result, the level of data protection in the US remains fragmented. This situation could however change soon with the proposed American Data Privacy and Protection Act (ADPPA). For the first time, a bipartisan federal data privacy bill has passed the US House of Representatives Committee on Energy and Commerce, on 20 July 2022. To be adopted, it still requires the approval of the full House and of the Senate. If the Act is successful, it will fundamentally change the level of data protection in the US. In this post, we take a first look at the proposed rules.
Scope of application
The Act applies to ‘covered entities’, defined as any entity collecting, processing or transferring covered data. It addresses businesses, non-profit organisations and common carriers alike. The Act further introduces the term ‘large data holder’ for entities that generate an annual gross revenue of 250 million dollars or more and collect or process the data of five million people or the sensitive data of more than 100 000 people. Some of the Act’s provisions impose stricter obligations on entities classified as large data holders. Importantly, government entities are entirely excluded from the ADPPA’s scope. Covered data is defined as information that identifies, or can reasonably be linked to, an individual or a device. Three categories of data do not fall within the Act’s scope: 1. de-identified data, in relation to which entities must however take ‘reasonable technical, administrative and physical measures to ensure that the information cannot, at any point, be used to re-identify any individual or device’; 2. employee data; and 3. publicly available information, for instance information shared by users on their Instagram account if the account is open for public viewing.
The ADPPA mirrors many elements already familiar from the EU’s GDPR and other recently enacted data protection and privacy legislation. It provides for a duty of loyalty under which covered entities are prohibited from ‘collecting, using or transferring covered data beyond what is reasonably necessary and proportionate to provide a service requested by an individual’. Specific protection applies to data classified as ‘sensitive data’. Amongst others, sensitive data may only be transferred to third parties on the basis of the consumer’s affirmative, express consent. The principle of data minimisation obliges covered entities to limit the data they collect to what is necessary for the stated purpose. The Act equally provides for transparency obligations. Covered entities must make available a comprehensive privacy notice covering the following elements: the categories of personal information collected and processed, the purposes of this collection and processing, the categories and names of the third parties to whom the personal information is transferred, the purposes of these third-party transfers, the retention period of the data, how individuals can exercise the rights conferred upon them by the ADPPA, a general description of the entity’s data security practices, and whether the data is stored in or accessible to China, Russia, Iran or North Korea. Additionally, the Act confers a broad range of rights upon individuals whose data is collected and processed, including the right to access the data, to have any inaccuracies corrected, to have their stored data deleted, and to opt out of data transfers for the purposes of targeted advertising. The Act further strives to particularly protect individuals under the age of 17, amongst others through a prohibition on processing the data of such individuals for targeted advertising purposes. It provides for the establishment of a Youth Privacy and Marketing Division at the FTC.
This protection only applies if the covered entity knew the age of the minor. However, large data holders and social media companies bear a higher burden when seeking to show that they were unaware of the individual’s age.
The ADPPA will be subject to primary enforcement by the Federal Trade Commission (FTC), which can institute a civil action against violations of the Act’s provisions. State attorneys general (AGs) cannot themselves file suits on behalf of a group of consumers; they can however choose to intervene in an ongoing FTC action. Additionally, the ADPPA confers a limited private right of action upon consumers. Individuals who consider a covered entity to be in breach of its obligations under the Act can notify the FTC or the AG of their state of residence. The FTC or the AG must then decide within 60 days whether they will independently take action themselves. If successful, individuals can claim compensatory damages, injunctive or declaratory relief, attorney’s fees and litigation costs.
The road ahead
The ADPPA faces a long road to possible adoption, as it still has to pass the full House of Representatives as well as the Senate. Negotiations are currently ongoing. Nevertheless, it already constitutes a remarkable effort to harmonise data protection standards across the United States: no proposed federal data protection legislation has ever made it this far before. To be optimally prepared for the possible entry into force of the ADPPA, businesses are well advised to review their existing data processing operations now. Keeping an overview of which data your business collects and to which entities such data is transferred will make it easier to reach compliance with the new rules and to avoid sanctions in the long run.