Blog Post
An Initial Analysis of the American Data Privacy Protection Act and Its Intersection with European Law
The U.S. legislature made a landmark move in July when the American Data Privacy Protection Act (ADPPA) advanced to the House floor, marking a significant step toward establishing the U.S.’s first federal data privacy law. This is the furthest a comprehensive federal data privacy act has progressed in the legislative pipeline, and if passed, it will join and overlap with a labyrinth of sector-specific and regional privacy laws already in place in the U.S.
While this is notable progress toward solidifying stronger data privacy rights for citizens, it’s too early in the process to know for certain whether it will pass and what aspects of the bill will be changed or remain intact as it moves through the legislative process. This means it would be premature to begin actioning any aspects of the proposed legislation. That said, there are some areas that may give companies clues as to what they can prepare for in this, or another iteration of a U.S. federal data privacy law.
Several core components of the ADPPA revolve around a number of existing, known privacy principles. For example, the bill’s Duty of Loyalty component borrows a term from the corporate governance model and imposes a relationship between a consumer and a corporation. While not a novel principle, this idea being codified in the bill is an important step forward for the data privacy space. Also, it is worded in a way that empowers the Federal Trade Commission to potentially define what this truly means through enforcement actions.
Another key principle is Private Right to Action, which would give consumers an avenue to pursue corporations for perceived wrongdoing. The version of this principle in the ADPPA is not exactly robust but does pass along the rights for consumers that residents in California, Colorado, Virginia and other states with comprehensive data privacy laws have come to recognize. In the draft, there is a two-year ban on consumers’ ability to bring an action against a corporation and a number of limitations that would present hurdles for anyone attempting to do so.
One area that seems to have gained a lot of ground, and an area that has already been included in early amendments to the ADPPA, is the subject of pre-emption of the various state regulations and regulators. The bill seems to be moving towards an approach of setting a minimum standard, rather than setting an inflexible framework that would pre-empt current state laws that already have touchpoints with data privacy.
The carve-outs as they exist mean that companies should be aware that the small discrepancies that exist in the state laws might still linger after a federal law is established. From a technical and procedural standpoint, these small deviations are difficult to manage, which is one of the reasons many organisations have looked forward to a federal law that could simplify these aspects. All said, the current state of the ADPPA sets a high bar compared against almost all the state privacy laws that have come before.
The ADPPA makes a specific call-out to focus on the use of algorithms by so-called “large data holders.” This goes beyond a requirement for simply identifying the existence of an algorithm, which might happen in a current privacy impact assessment. It requires organizations to take affirmative steps on an annual basis to describe how they are identifying and mitigating risks presented by the algorithm, in a large swath of actions related to consumer data. Furthermore, these algorithmic assessments and related training material must be submitted to the FTC and the current draft of the bill suggests that “large data holders” seek independent auditors to either run the assessment or verify the results. This requirement does not seem to be in dispute by any of the back-and-forth currently associated with the bill. If not in place already, organizations may want to take a hard look at those areas of their business where they may utilize algorithms to make decisions around consumer data. There may also be a need to identify what qualifies as an independent auditor under this requirement.
Finally, there seems to be a focus on requirements for large data holders and a need to run periodic privacy assessments across the entire organization to measure effectiveness of controls. This type of requirement often lasts for multiple months, as companies work to gather their internal controls set out across all business lines and assess how effective those controls are in mitigating privacy risks. As per this new requirement, privacy assessments are to be submitted to the FTC for review, opening up the door to potentially more audits. This will spur a need for corporations to ensure appropriate staffing and resourcing for their privacy programs as well as work to incorporate audit functions to conduct these assessments.
Looking at ADPPA through a European Lens
With a U.S. federal privacy law on the horizon, U.S. privacy professionals can draw upon the business community’s four-years of experience with Europe’s GDPR. Like GDPR, ADPPA attempts to create common rules across multiple jurisdictions with historical differences in their approach to privacy regulation, compliance culture and enforcement. Although there are substantial differences between GDPR and the draft ADPPA, there are also notable similarities.
For example, ADPPA allows for the processing of personal data only where reasonably necessary and proportionate to the purpose, which follows the data minimization principle that is deeply rooted in European data protection law. Consent requirements (freely given, specific, informed and unambiguous) and individuals’ rights in relation to their personal data (access, correction, deletion, portability) are also present. As a result, organizations able to leverage the know-how from GDPR-based privacy programs will likely be nimbler in the face of ADPPA and emerge as privacy leaders. U.S.-based organizations caught by the GDPR due to its extra-territorial applicability (e.g., companies collecting information on individuals in the EU through cookies), with privacy programs reconciling rules from both sides of the Atlantic, could also be looking at an easier adjustment.
Identifying the common shortfalls will also help organizations advocate for their avoidance as they wait for conclusion to legislative proceedings around the bill.
What Can the U.S. Learn From the European Privacy Regime?
Perhaps the most striking difference between the two continents’ approach to umbrella privacy law is that the current draft of the ADPPA does not include data breach reporting, which would leave the U.S. with a patchwork of different state laws regulating data breaches. Consequently, cross-state data breach management, which companies typically need to handle swiftly while in crisis mode, would remain a complicated exercise of juggling different rules and deadlines. Conversely, GDPR lays down common EU-wide data breach reporting rules, which eases cross-border data breach management in Europe.
ADPPA’s closed list of permissible purposes for processing (in section 101 of the draft bill) could be limiting, especially for artificial intelligence and internet of things developers. While GDPR prescribes legitimate interest of the data controller or a third party as a ground for processing (provided it does not override individuals’ rights), ADPPA does not provide a similar catch-all provision to cover other purposes not explicitly mentioned. None of ADPPA’s enumerated permissible purposes appear to cover processing personal data for algorithmic training in a universal manner (although training data haven’t been entirely overlooked by the drafters of the ADPPA as they are mentioned elsewhere, in the context of algorithm impact assessment and algorithm design evaluation). Relying on consent alone would not be an ideal solution, since a withdrawal of consent could disturb an AI development process.
Excluding employee data from the scope of ADPPA application is an important business-friendly move. Europe varies here, as GDPR rules on record keeping and cross-border transfer limitations capture all routinely processed employee data, even business email addresses. This creates a massive burden for European employers, even more so for multinationals with frequent employee movements across groups and regions. ADPPA also excludes publicly available data from the scope of its application. Consequently, U.S. organizations that systematically process data known to the wider public (e.g., trade associations keeping database of stakeholders’ political affiliation) would, unlike their European counterparts, benefit from an exemption from nation-wide privacy requirements.
Another example of ADPPA’s recognition of business realities is the exemption of certain small entities from the obligation to perform a full-fledged algorithm impact assessment, publish a log describing the changes to privacy policy and provide individuals with a short form notice in addition to privacy policy. This could benefit a large number of U.S. enterprises, including startups, and may prompt a better uptake of the law nationwide and higher compliance rates. Conversely, GDPR does not provide thresholds for privacy impact assessment based on business size and maintains instead a purely risk-based approach. GDPR also provides limited exemptions from record keeping duties so enterprises, no matter how small, are obligated to keep records of processing activities unless the processing is occasional. According to the 2020 report of the European Commission following GDPR’s second anniversary, European small and medium-sized companies often struggle with the implementation of the accountability principle and administrative tasks due to lack of resources.
ADPPA Could Ease Challenges With Transatlantic Data Transfers
If adopted, ADPPA alone will not instantly catalyze transatlantic data transfers and eliminate the tensions that culminated with the Schrems II decision. ADPPA does not apply to governmental entities and does not tackle the surveillance practices of U.S. intelligence authorities, which are core issues with the current restrictions around data transfers from Europe to the U.S.
Nevertheless, a comprehensive U.S. privacy law could mean a step toward liberalizing transatlantic data flows. On the political level, a set of nationwide privacy rules would demonstrate the U.S.’s commitment to stronger privacy regulation and help improve Europeans’ trust in U.S. privacy practices. This would likely ease bilateral negotiations towards a robust data transfer framework in the aftermath of Schrems II.
On the practical level, ADPPA could increase the volume of transatlantic data flows by easing the implementation of security measures which might be necessary to compensate for the lack of data protection essentially equivalent to that ensured in EU. As a result of Schrems II, an EU data exporter must assess on a case-by-case basis the necessity of — and accordingly implement — supplementary measures (e.g., encryption) to accompany the standard contractual clauses or other instrument used for transferring data to the U.S.
This exercise, known as a transfer impact assessment (TIA), requires, where appropriate, U.S. data importers’ collaboration (per paragraph 134 of the Schrems II ruling). Such collaboration includes, for instance, U.S. importer informing the EU exporter of any development potentially affecting the level of protection of the personal data in the U.S. EU exporters also need to verify if the U.S. importer’s commitments enabling data subjects to exercise their rights (such as access, correction and deletion requests for transferred data) can be effectively applied in practice (EDPB Recommendations no. 01/2020 of 18 June 2021).
Finally, proper implementation of security measures requires the data importer’s readiness to apply and maintain them. Nationwide rules as in the ADPPA would guarantee better readiness of the U.S. data importer to collaborate with the data exporter and maintain an adequate security level, in particular by mandatory designation of a privacy officer, mandatory assessment of vulnerabilities and by establishing individuals’ rights, vis-à-vis their personal data, as national standard. U.S. federal privacy rules could also help EU exporters justify their risk assessment.
Conclusion
Given that ADPPA has so far made greater progress than any other federal privacy law proposal in the U.S., organizations should begin following its developments and analyze how those trends may impact their current practices. For most organizations, adjustments to privacy programs and other business functions will need to be adjusted or revamped. A comparison with the EU privacy landscape might provide useful clues as to the practical implications of the proposed changes.
European companies doing business with the U.S. should also keep up with the potential changes in the U.S. privacy legislation, which might ultimately boost the volume of transatlantic data flows. They should pay special attention to how the U.S. trends stemming from ADPPA interplay with the EU-specific requirements, in particular the transfer impact assessment process and ensure timely adjustment of their related tools and processes.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.