How does the draft US federal privacy bill measure up to the GDPR?
Months after the “agreement in principle” between the EU and the US for a new ‘Trans-Atlantic Data Privacy Framework,’ a draft federal data privacy bill has been proposed by US Congress members. The question remains whether the US bill will stand up to the EU General Data Protection Regulation (GDPR).
After a thorough review of the US federal bill, the American Data Privacy and Protection Act (ADPPA), similar elements from the GDPR have been identified, although with potentially less impact and restriction on businesses.
A lack of unbiased oversight for US state data privacy laws has long been a concern among EU privacy professionals, especially when it comes to cross-border data transfers. This draft discussion bill means to address this concern directly by including stipulations for accountability and protections for data subjects.
The ADPPA establishes requirements for businesses to maintain the privacy principles of transparency, data minimization, and accountability. While GDPR operates with these privacy principles, it also provides purpose limitation, accuracy, storage limitation, and integrity and confidentiality.
The ADPPA would create oversight through the requirement that covered entities designate a privacy officer. It describes the responsibilities of the privacy officer and establishes that the privacy officer of a “large data holder” should report to the highest official or executive. This closely models the GDPR’s requirement for businesses conducting large-scale data processing or monitoring data subjects to designate a Data Protection Officer.
The bill also stands to establish a new bureau of the Federal Trade Commission with oversight on consumer protection and competition for agency enforcement. This may not compare to the number of institutions with GDPR oversight in the EU—a Supervisory Authority per member state, plus six EU-wide institutions—but it is a good first step for increased oversight in the US.
The draft US federal bill would preempt the existing US state laws as they pertain to the same issues—making the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), Utah Consumer Data Protection Act (UCPA), Virginia Consumer Data Protection Act (VCDPA), Colorado Consumer Protection Act (ColoPA), Oklahoma Computer Data Protection Act (OCDPA), and Connecticut Data Privacy Act (CTDPA) redundant in part or in full. CPRA would be an exception as it regulates employee information where this bill doesn’t. Specific laws like the Illinois Biometric Information Privacy Act (BIPA) would still apply on top of this bill. Similarly to how the GDPR preempts member state laws in most areas, this bill would strengthen current US state privacy laws by restricting permitted data use and creating protections for data subjects.
Protections for data subjects
One major area where the US draft bill falls short compared to GDPR regards consent. While it would require express affirmative action for consent with sensitive data and expand the definition of sensitive data, it still allows for opt out to be the standard concerning most data processing. By comparison GDPR allows only opt-in consent for all data processing.
Data subject access requests (DSARs)
This draft bill would advance the state laws’ current data subject rights to include access, correction, deletion, and portability for all US residents. It would allow a data subject to withdraw consent at any time, a sentiment shared by GDPR and various state privacy laws. EU data subjects are also allowed to restrict processing and object to automated decision-making, which this US law may only allow for certain processing (targeted advertising and data transfers). It does require a response within 30-90 days (GDPR: 30 days) and allows two requests be provided for free within 12 months.
Private right of action
Lastly, but perhaps most importantly, the US bill does provide a private right of action, as permitted under GDPR for EU data subjects. There are several exceptions to the ADPPA private right of action, one being that it doesn’t start until 4 years after the bill is adopted. It also would make private rights of action subject to a decision first by the state Attorney General and then the FTC.
What people are saying
Early critics of the draft bill say it has too many loopholes for enforcement—like the four-year wait period before private right of action goes into effect. Then there are those who oppose the private right of action altogether, whose opinions which US lawmakers will need to decide whether to appease with edits. The US Chamber of Commerce said in a statement that including a private right of action would incentivize “abusive class action lawsuits” and “harm small businesses.” In a LinkedIn webinar on the draft bill hosted by the International Association of Privacy Professionals, Tisch Distinguished Visiting Fellow at Brookings Cameron Kerry explained that there’s disagreement on whether mandatory arbitration clauses should be allowed in US law.
Statements of support have called the bill impressive, profound, and encouraging, even as a draft. However, the senators who proposed the bill have a lot of work to do to garner bipartisan support for the bill if they want it to pass, and even more if they want to provide an adequate level of protection compared to GDPR.