US privacy proposal inspired by GDPR, with key differences

Following a key vote in a congressional committee last month, the US is the closest it’s been to approving a comprehensive federal data protection law.

The US bill would be a full counterpart to Europe's General Data Protection Regulation, the 2018 law that has become a de facto global privacy standard. In crafting the proposed American Data Privacy and Protection Act, US lawmakers were inspired by privacy principles in Europe’s landmark data protection law.

But the ADPPA isn’t an exact replica of the GDPR. In some ways, the US law would exceed the GDPR's privacy and data security standards.

Now, US companies with a global reach are scrambling to understand the differences. The ADPPA is a long way from final passage and its fate is still uncertain.

Still, critical questions are already looming: Would companies be able to collect the same data under the proposed ADPPA as they they’ve been collecting under European law? Would they face similar consequences over alleged violations in the EU and US?

So far, the answers are unclear.

Uncertain fate

The ADPPA’s momentum seemed unstoppable after the House Energy and Commerce Committee voted 52-2 to send it to the house floor for a vote on July 20.

While the proposal’s rapid progress in Congress has caught many observers by surprise, its final approval is facing challenges in the Senate, with a key senator expressing concerns about enforcement.

No one had anticipated that the ADPPA would move forward after years of gridlock over two key issues: a private right of action for individuals, and preemption of state privacy laws.

The ADPPA, as currently amended, would preempt almost all state privacy laws except for small portions of the California Privacy Rights Act. A key breakthrough was giving California’s privacy agency the power to enforce the federal law.

A notable exception is that Illinois will get to keep its biometric privacy law.

⁠GDPR inspiration

The ADPPA takes on many of the GDPR’s principles regarding users’ rights over their data, such as access, correction, deletion and data portability. Only residents of a few states, including California, Virginia, Colorado, Connecticut and Utah, already have those rights.

It mandates privacy officers for companies considered “large data holders” and establishes an oversight bureau in the Federal Trade Commission that will rival some of the leading data protection authorities in Ireland, France and the UK in terms of resources and responsibilities.

Another major GDPR inspiration is having a harmonized law for the entire country. The ADPPA would preempt state privacy laws, including much of the function of California’s first-in-the-nation, sole-purpose privacy regulator: the California Privacy Protection Agency.

This mirrors the GDPR’s role as the single privacy law for 450 million Europeans, giving companies legal certainty that they don’t have to abide by different laws in each of the 27 EU member states.

Privacy principles

US lawmakers have clearly looked to the GDPR  for inspiration by using broad definitions of personal data to bring as much personal information and data activity as possible under the FTC’s supervision.

Some of the bill’s details aren’t known, as the ADPPA gives the FTC rulemaking authority to address additional categories of “covered data.” Under the draft bill, covered data means information that identifies or is linked or “reasonably linkable” to an individual or a device that identifies or is linked or “reasonably linkable” to an individual.

Still, it’s clear that the ADPPA is built on the GDPR’s core principle of data minimization, in which companies are required to collect as little data as possible, while mitigating privacy and security risks.

Under both ADPPA and GDPR, commercial entities and not-for-profit groups must protect and restrict the processing of all personal information that can identify a person, whether directly or indirectly.

Another important overlap is purpose limitation: The ADPPA, like GDPR, requires companies to analyze the context of the business and nature of the data being collected and processed.

Under the proposal, companies should not deal with covered data “unless the collection, processing, or transfer is limited to what is reasonably necessary and proportionate” to the delineated purposes.

And the ADPPA’s broad definition of “covered data” largely tracks with the broad definitions of “personal data” and “personal information” businesses are already used to under the GDPR and state privacy laws.

⁠Sensitive data

For the most part, the ADPPA’s definition of sensitive data aligns with the GDPR’s definition.

The GDPR defines sensitive data as information revealing racial or ethnic origin; political opinions; religious or philosophical beliefs; trade-union membership; genetic data, biometric data, and health-related data; and data concerning a person’s sex life or sexual orientation.

But the ADPPA goes even further and includes information such as text messages, contact information and calendar entries on electronic devices.

Both laws provide extra protection for minors.

Under the GDPR, a parent or guardian’s consent is required to process a child’s personal data up to a certain age — each EU member state can decide the threshold for consent between ages of 13 to 16. This applies to social networking sites as well as to platforms for downloading music and buying online games.

Like the GDPR, the ADPPA requires companies to adopt policies and procedures mitigating privacy risk to those under the age of 17. There’s also a “privacy by design” element, as companies must design and develop products to mitigate risk.

But the ADPPA includes a civil rights provision not contained in GDPR. The US bill would bar businesses and nonprofits from using personal data in a manner that discriminates on the basis of race, color, religion, national origin, sex or disability.

⁠Consent

An important area where the ADPPA and the GDPR diverge is over consent, and companies are scrambling to figure out what those differences could mean for their data collection practices.

While the ADPPA requires express affirmative action for consent with sensitive data, it still allows for an opt-out standard for most data processing. This contrasts with the GDPR, which mandates a strict opt-in for all data processing.

While both measures define valid consent as “freely given, specific, informed and unambiguous,” obtaining consent under the GDPR is one of several permissible ways that companies are allowed to process data.

Under the GDPR, data processing is allowed if it’s connected with a contractual relationship with the user, or “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.”

The legitimate interest legal basis does not require permission for organizations to process data and is one of the most commonly used of the six provided for by the GDPR. Companies can invoke it as long as they weigh the interest, freedom and fundamental rights of the people whose personal data are used

In contrast, there is no generalized consent exception in the ADPPA.

The ADPPA takes a more prescriptive, situational approach. Under ADPPA, companies would only be allowed to collect and use data if it’s necessary for one of 17 permitted purposes specifically spelled out in the bill, such as authenticating users, preventing fraud, and completing transactions. Everything else would be prohibited.

The question for companies is: how do those categories match up to the GDPR legitimate interest basis for data processing? For companies that rely on legitimate interest in the EU, does it correlate under the ADPPA?

⁠Enforcement

Perhaps the most significant difference concerns enforcement, thanks to compromises intended to break loose years of stalled negotiations in Congress over two seemingly unresolvable issues: preemption and giving private citizens the right to sue. The ADPPA has a three-tiered approach to privacy regulation that sets it apart from the EU, and even other US state privacy laws.

Privacy groups have pointed out that one of the biggest criticisms of GDPR is that it’s not adequately enforced, particularly against big tech companies.

The GDPR’s one-stop-shop mechanism requires cross-border cases to be handled by the national regulator where the target company has its EU headquarters. That has placed a huge burden on the Irish Data Protection Commission, which is struggling with the workload and has been accused by some activists of going soft on the tech giants, a charge it denies.

Another common complaint is that EU member states have inadequate resources to ensure compliance.

The ADPPA aims to avoid this issue by empowering enforcement authorities at the federal, state, and individual levels. It’s elevating the FTC, and giving state attorneys general a role to play as well. Private citizens will also be allowed to sue over violations after certain procedural obligations are fulfilled.

The ADPPA’s preemption compromise, which gives the California Privacy Protection Agency power to enforce the ADPPA, is fraught with controversy. It may prove to be the bill’s Achilles’ heel, with the Californian agency staunchly against the proposal.

It remains to be seen whether US lawmakers will ultimately overcome their misgivings over preemption to grab the chance to approve the US’s first comprehensive privacy bill.

If they’re successful, they could argue that they’ve reached a milestone and taken the US to a new level of privacy protection that’s on par with leading data protection laws, such as the GDPR. While the two laws don’t precisely mirror each other, companies should rest assured that fundamental obligations will be maintained on both sides of the Atlantic.