What is the American Data Privacy and Protection Act?
The American Data Privacy and Protection Act (ADPPA or Bill) is a draft privacy bill that, if enacted, will give American citizens unprecedented rights over their data privacy. It is a comprehensive bill creating a framework that provides greater privacy protection to individuals and limits how entities can collect, access and use individuals’ data.
This Bill is the first major federal framework proposed to protect Americans’ data and privacy, and it represents an important compromise as it is supported by both the Democratic and Republican parties.
What and who does the ADPPA cover?
The ADPPA protects covered data. Covered Data is defined as:
“information that identifies or is linked or reasonably linked to an individual or a device that identifies or is linked or reasonably linked to 1 or more individuals, including derived data and unique identifiers”.
Covered Data specifically excludes de-identified data, employee data, and publicly available information, each of which is separately defined in the Bill.
Publicly available information is information that is widely accessible to the public that does not reveal any sensitive data or share information that could be reasonably linked to an individual. It does not include any information combined with Covered Data.
Sensitive data includes information such as an individual’s social security number, any other government-issued identifiers, biometric information, financial details, health information, sexual orientation, race, or genetic information.
The ADPPA will regulate any entity that collects, processes or transfers Covered Data, where that entity is either subject to the Federal Trade Commission’s (FTC) jurisdiction or is a common carrier under the Communications Act of 1934 (Covered Entity). This includes corporations, non-profits and telecommunications companies operating in the US.
The ADPPA anticipates that the FTC will issue Guidance on reasonable policies, practices and procedures under the Act to complement the legislation.
What are some of the key features of the Bill?
Key features of the Bill include that Covered Entities will:
- need to obtain consent from individuals before collecting their data;
- be prohibited from engaging in data processing activities, such as collecting, processing and transferring sensitive data, without first obtaining affirmative consent from the individual. Affirmative consent means that the individual has freely given specific, informed and unambiguous consent by taking an action, such as ticking a consent button;
- need to give individuals the option to opt out from:
  - the transfer of their data to third parties; and
  - targeted advertising. Targeted advertising means an online advertisement that is selected based on known or predicted preferences, characteristics, or interests derived from Covered Data;
- be required to publish privacy policies explaining their data processing activities, to create transparency around their data practices; and
- not be able to engage in targeted advertising (as defined above) directed at children under the age of 17.
Under the Bill, people residing in the United States will be granted new rights, including the right to access their data and to request that their data be deleted, corrected or exported elsewhere.
While the ADPPA is comprehensive and will override most state privacy laws by creating one federal law, it does have some limitations. Certain state laws are preserved and may supersede the ADPPA where they conflict with it, including laws relating to:
- facial recognition, data breach notifications and student information;
- parts of the California Privacy Act; and
- parts of the Illinois Biometrics Privacy Act.
It remains to be seen how this will play out in practice.
Algorithms
The ADPPA also aims to protect against discrimination through the use of algorithms. An algorithm is a computational process that makes or facilitates a decision or facilitates human decision-making with respect to Covered Data.
Large data holders have additional requirements under the Bill. Under the ADPPA, large data holders are Covered Entities that have annual revenues of at least $250 million and collect Covered Data on more than 5 million individuals (or sensitive data of more than 100,000 individuals).
Large data holders that use algorithms must assess their algorithms annually and submit annual algorithmic impact assessments to the FTC. These assessments must:
- describe the steps taken to mitigate potential harms from algorithms; and
- consider the potential for algorithms to cause harm to an individual based on the individual’s race, colour, religion, national origin, gender, sexual orientation, or disability status.
Biometrics
There are also rules relating to the way in which Covered Entities can use Biometric Information. Covered Entities:
- must obtain express affirmative consent when collecting, processing, or transferring Biometric Information; and
- may not process Biometric Information, known non-consensual intimate images, or genetic information, except for specified purposes.
Biometric Information means any Covered Data generated from the measurement, observation, tracking, collecting, or processing of an individual’s biological, physical, or physiological characteristics, including:
- fingerprints;
- voice prints;
- iris or retina imagery scans;
- facial or hand imagery, geometry, or templates; or
- gait or personally identifying physical movements.
How does the ADPPA compare to Australia’s privacy law?
The ADPPA shares many similarities with the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APP) and other laws regulating privacy in the UK and EU. Organisations which are subject to the ADPPA must consider how they will comply with the new laws once enacted.
We have included some points of similarity to give you a flavour of what can be expected.
Transparency
Both Australian privacy law and the ADPPA emphasise the need for transparency with respect to how entities collect, handle and process personal information. Australian Privacy Principle 1 requires an entity to have a clearly expressed and up-to-date privacy policy that is easily accessible to the public and details what information is collected, how it is collected and how it is used by the entity.
Similarly, the ADPPA mandates that Covered Entities publish a privacy policy that clearly outlines the entity’s data processing activities. However, the Bill includes an additional requirement that privacy policies must state whether the data collected will be transferred to, processed in or otherwise made available in the People’s Republic of China, Russia, Iran or North Korea. Although the Bill does not prohibit transfers to these countries, such transfers must be disclosed.
Enforcement
The Office of the Australian Information Commissioner is responsible for the enforcement of the Privacy Act in Australia. Similarly, the ADPPA will rely on the FTC to enforce the Bill. The FTC has enforcement powers, including the power to issue civil penalties to those who breach the ADPPA. Any violation of the ADPPA could result in Covered Entities being fined up to USD 46,517 for each infringement.
Correction of personal information
Australians can rely on APP 12 to access their personal information held by an entity. APP 13 also allows Australians to request a correction to their personal information. This is to ensure the personal information held is accurate, complete and not misleading.
The ADPPA will grant individuals data request rights, including the right to edit, correct and delete personal information held by the Covered Entity. Currently, Australians do not have the right to ask for their personal information to be deleted; they only have the right to correct their personal information.
The ADPPA requires third parties, who receive Covered Data from Covered Entities, and Covered Entities themselves, to delete, edit or correct the data if an individual submits a request unless the relevant entity needs the data to:
- address a security incident;
- guard against illegal activity or fraud;
- comply with legal requirements such as data retention obligations outlined in the ADPPA; and
- maintain or improve the service being provided.
Conclusion
The ADPPA is an exciting development on the data protection front, where individual data rights in the United States have previously been subject to a fragmented, state-based regime. This Bill will give individuals the right to protect and have control over their data.
Australian companies that operate in the US, or that handle personal information from American individuals, need to assess whether they must comply with the ADPPA, whether their business is a Covered Entity under the ADPPA, and what they must do to comply when collecting Covered Data.
The ADPPA is still in bill form, so we may see some changes before it is enacted into legislation. Certainly, there will be much commentary.
This article by Sainty Law was originally published on OneTrust DataGuidance. Please get in touch with us to understand your obligations under the ADPPA.