United States: American Privacy Rights Act introduced in Congress.

After the failure to pass the ADPPA, the United States is once again trying its hand at a federal data protection law. On 7 April, the American Privacy Rights Act - APRA, a bipartisan, bicameral bill aimed at introducing a national data protection standard in the US, was introduced in Congress. Compared to the previous text, the ADPPA, which the Democrats failed to pass in June 2022, there are no major changes: the approach of the US legislature is quite different from the strict regime of protections of the European GDPR; the concept of protected 'covered data' excludes important categories of data subjects (e.g. workers); the protections with respect to marketing activities (e.g: targeted advertising) and profiling are based on opt-out mechanisms; a commercial perspective prevails, that of data protection issues included in the context of consumer relations (an example of this is the 'do-not-sell' mechanism whereby the data subject can object in advance to the sale of his or her data). Certainly appreciable are the principles of direct derivation from the GDPR: from the obligations of transparency to the principle of minimisation; from the catalogue of rights for data subjects to the rules on security and data breach. However, the regulatory choices between the two sides of the Atlantic are quite different. As in the previous ADPPA bill, there is an interesting re-proposal of the section on algorithm-based processing, with rules very similar to those of the European AI Act.