
DATA PROTECTION

USA: bipartisan discussion draft of comprehensive Data Privacy Bill.

A bipartisan group of U.S. Senate and U.S. House of Representatives leaders released, on 3 June 2022, a discussion draft for a federal comprehensive data privacy bill which, if passed, would become the American Data Privacy and Protection Act.

The bill is the first comprehensive federal privacy bill on data protection. 

The American Data Privacy and Protection Act would:
  • Establish a strong national framework to protect consumer data privacy and security;
  • Grant broad protections for Americans against the discriminatory use of their data;
  • Require covered entities to minimize, on the front end, the individuals' data they collect, process, and transfer, so that the use of consumer data is limited to what is reasonably necessary, proportionate, and limited for specific products and services;
  • Require covered entities to comply with loyalty duties with respect to specific practices while ensuring consumers don’t have to pay for privacy;
  • Require covered entities to allow consumers to turn off targeted advertisements;
  • Provide enhanced data protections for children and minors, including what they might agree to with or without parental approval; 
  • Establish regulatory parity across the internet ecosystem; and
  • Promote innovation and preserve the opportunity for start-ups and small businesses to grow and compete.
The bill refers to 'covered entities', which means:
  • any entity or person that collects, processes, or transfers covered data and that is:
      • subject to the Federal Trade Commission Act of 1914;
      • a common carrier subject to title II of the Communications Act of 1934 as currently enacted or subsequently amended; or
      • an organisation not organised to carry on business for its own profit or that of its members; and
  • includes any entity or person that controls, is controlled by, is under common control with, or shares common branding with another covered entity.

In addition, the bill addresses a subset of covered entities defined as 'large data holders' who would be subject to additional obligations.

Notably, there is a 'small data exemption' which excuses certain organisations from a limited set of provisions.

The bill includes provisions on the duty of loyalty, including in relation to data minimisation, outlining that a covered entity shall not collect, process, or transfer covered data beyond what is reasonably necessary, proportionate, and limited to certain circumstances.

Regarding Privacy by Design, the bill outlines an express duty to establish and implement reasonable policies, practices, and procedures regarding the collection, processing, and transfer of covered data. Furthermore, the bill prohibits a covered entity from charging different rates or offering different services/products based on agreements to waive privacy rights.

In addition, the bill outlines a number of consumer data rights, with a view to providing:

Transparency - covered entities would be required to make publicly available, in a clear, conspicuous, and readily accessible manner, a privacy policy that provides a detailed and accurate representation of the entity's data collection, processing, and transfer activities.

Individual data ownership and control - a covered entity would be required, after receiving a verified request from the individual, to provide them with the rights of access, correction, deletion, and portability.

The right to consent and object - sensitive covered data would need the express consent of the concerned individual before being collected, processed, or transferred to a third party. In addition, the bill outlines that covered entities would need to provide individuals with a clear means of withdrawing their consent, the right to opt-out of covered data transfers, and the right to opt-out of targeted advertising.

Data protections for children and minors - the bill would prohibit targeted advertising to any individual under the age of 17, if the covered entity is aware that the individual is under this age threshold.

Third-party collecting entities - third-party collecting entities would be required to place a clear and conspicuous notice on their website or mobile application and register with the Federal Trade Commission ('FTC') in certain circumstances.

Civil rights and algorithms - a covered entity may not collect, process, or transfer covered data in a manner that discriminates or otherwise makes unavailable the equal enjoyment of goods or services on the basis of race, colour, religion, national origin, gender, sexual orientation, or disability, except in a limited set of instances. Furthermore, the bill outlines that all covered entities must conduct algorithmic design evaluations, and large data holders must conduct algorithmic impact assessments.

Data security and protection of covered data - the bill includes provisions which would require covered entities to establish, implement, and maintain reasonable administrative, technical, and physical data security practices and procedures to protect and secure covered data against unauthorised access and acquisition.

The bill also includes a number of general exceptions and would require the FTC to finalise a feasibility study on the creation of unified opt-out mechanisms.

Regarding corporate accountability, the bill would require all covered entities to appoint one or more qualified employees as privacy officers and/or one or more qualified employees as data security officers.

In addition, large data holders would be required to designate at least one of the aforementioned officers to report directly to the highest official as a privacy protection officer, responsible for:
  1. establishing the process for periodically reviewing and updating the privacy and security policies, practices, and procedures;
  2. conducting audits of such policies, practices, and procedures;
  3. developing a programme to educate and train employees;
  4. maintaining updated, accurate, clear, and understandable records; and
  5. serving as the point of contact between the large data holder and enforcement authorities.

Large data holders would also be required to conduct a Privacy Impact Assessment that weighs the benefits of their data collection, processing, and transfer practices against the potential adverse consequences of such practices to individual privacy.

Enforcement

The bill would require the FTC to establish a new bureau related to consumer protection and competition. In addition, the bill provides that State Attorneys General, or the chief consumer protection officer of the State, may bring a civil action in the name of the State, while also granting individuals a private right of action starting from four years after the effective date of the bill.

Timeline

If passed, the bill would come into effect 180 days after the date of its enactment.

(Source: Data Guidance website)