This year brought exciting developments to privacy. In March, the Biden Administration announced the Trans-Atlantic Data Privacy Framework (TADPF) to facilitate transatlantic data transfers following the invalidation of the EU-US Privacy Shield.
In June, the House Committee on Energy and Commerce introduced the American Data Privacy and Protection Act (ADPPA), a promising step toward federal consumer privacy legislation. The committee passed the bill on July 20, 2022, and it is now awaiting a House vote.
These developments raise the question: if the ADPPA passes, how would it fare in an adequacy review under the EU’s General Data Protection Regulation (GDPR)? A useful place to start is with the TADPF itself. In announcing the agreement in principle with the European Commission (EC), the Administration’s fact sheet stated that “[p]articipating companies and organizations that take advantage of the Framework to legally protect data flows will continue to be required to adhere to the Privacy Shield Principles, including the requirement to self-certify their adherence to the Principles through the U.S. Department of Commerce.” If the Privacy Shield Principles are deemed adequate by the EC, then they can provide a helpful benchmark for reviewing the relevant provisions of the ADPPA.
Accordingly, I compared certain Privacy Shield principles that participating companies are obligated to adhere to as members of the program with the ADPPA, and found that the ADPPA reflects many of Privacy Shield’s core principles, while also providing additional protections to consumers.
Data Minimization/Purpose Limitation Requirements
Privacy Shield and the ADPPA limit how companies collect, process, or transfer personal information. Under Privacy Shield Principle 5(a), companies must limit personal information to information “that is relevant for the purposes of processing” and “may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual.”
Section 101 of the ADPPA uses similar but stronger language. Under ADPPA, covered entities “may not collect, process, or transfer covered data” unless the transfer is limited to “what is reasonably necessary and proportionate” to providing a service or specific product or for a purpose listed in Section 101(b). The ADPPA relies on necessity and proportionality as a principle for collection, emulating the European Union’s (EU) position when assessing the right to data protection.
Both mechanisms list opt-out provisions for third-party disclosure, but the ADPPA takes it a step further and allows individuals to opt out of targeted advertising. Section 204(c) of the ADPPA states that “a covered entity or service provider that directly delivers a targeted advertisement shall . . . provide such individual with a clear and conspicuous means to opt-out of targeted advertising.” Further, the ADPPA bans covered entities from using sensitive data in targeted advertising.
The ADPPA’s approach to sensitive data is more expansive than Privacy Shield’s. Privacy Shield requires affirmative consent (opt-in) from individuals if sensitive information is disclosed to a third party or used for a purpose other than what was stated at the time of collection. Further, Privacy Shield categorizes sensitive data as “personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual.”
The ADPPA requires covered entities to obtain affirmative, express consent before using an individual’s “sensitive covered data.” Sensitive covered data under the ADPPA spans over sixteen categories, considerably more than Privacy Shield defines. Finally, covered entities must allow individuals to object before their data is transferred to third parties or used for targeted advertising.
Although both Privacy Shield and the ADPPA have enforcement provisions, the ADPPA offers a more robust enforcement framework. Privacy Shield required its participants “to have in place an independent recourse mechanism” and “procedures for verifying compliance.” Under the FTC Act, the Federal Trade Commission (FTC) could challenge non-compliance as “deceptive” and seek a court order to prohibit misrepresentations by the organization. In many cases, it did.
The ADPPA, if passed, can be enforced by the FTC, state Attorney General or State Privacy Authority, or by private right of action. Further, the FTC will be required to create a “Bureau of Privacy” to assist with ADPPA compliance. This bureau will be “of similar structure, size, organization, and authority as the existing bureaus within the Commission related to consumer protection and competition.”
On initial review, it appears that among its many positive attributes, the ADPPA positions the U.S. legal framework even more strongly with respect to GDPR requirements. Combined with the national security safeguards under the TADPF, there is reason for optimism that the transatlantic data relationship is headed in a positive direction. As the US and global privacy landscape continues to evolve, it is important to note that there are many commonalities between past and current solutions. PAB will continue to monitor these developments and provide our analysis on our blog. Follow PAB on Twitter @privacyab to keep up to date on our work!