HR 8152, U.S. Congress, New Draft Privacy Legislation

July 07, 2022 | 4 minutes read
HR 8152, U.S. Congress, New Draft Privacy Legislation

On June 23, 2022, U.S. Congress representatives Pallone, Rodgers, Schakowsky, and Bilirakis introduced HR 8152, otherwise known as the American Data Privacy and Protection Act. The law represents the Federal Government’s most significant effort to pass comprehensive data privacy legislation to date. Modeled after other major comprehensive data protection regulations that have been enacted both domestically and internationally in recent years, such as the EU’s GDPR law and the California Consumer Protection Act (CCPA), the draft law grants American citizens numerous rights as it pertains to the collection, processing, retention, destruction, and dissemination of their personal data. Subsequently, some significant provisions within the proposed law include the duty of loyalty, consumer data rights, and corporate responsibility.

Duty of Loyalty

The American Data Privacy and Protection Act imposes a wide range of legal duties upon covered entities within the U.S. with respect to the collection and processing of the personal data of members of the American populace. To this point, the law defines a covered entity as “any entity that collects, processes, or transfers covered data and is subject to the jurisdiction of the Federal Trade Commission (FTC), including nonprofits, and telecommunications common carriers. “Covered data” is defined as information identifying, linked, or reasonably linkable to an individual or device linkable to an individual. This includes derived data and unique identifiers, but does not include de-identified data, employee data, or publicly available information.”

Likewise, HR 8152 holds covered entities responsible for protecting the individual privacy of the U.S. citizens they collect data from, as well as ensuring that certain forms of sensitive data are afforded an even higher degree of protection. Examples of personal data that is considered to be sensitive under the law include any personal information pertaining to individuals under the age of 17, as well as social security and passport numbers, among various other forms of data. With all this being said, covered entities are also required to implement reasonable safeguards, policies, and procedures that will serve to protect the personal information they collect from data subjects.

Consumer Data Rights

Staying on the point of data privacy policies, the American Data Privacy and Protection Act grants U.S. citizens a number of rights as it relates to the protection of the personal data they provide to covered entities in accordance with business purposes, one of which is the right for data subjects to be informed about their ability to exercise their rights under the law. More specifically, these privacy policies must address the manner in which a covered entity intends to collect, process, transfer, and secure the personal information they collect from data subjects. Furthermore, covered entities must also provide data subjects with a notification whenever material changes are made to their privacy policies.

To this end, the draft law grants data subjects numerous privacy rights, which include but are not limited to the following:

Corporate Accountability

Notably, the American Data Privacy and Protection Act also contains a corporate accountability provision that requires large data holders to certify that their respective companies are maintaining “reasonable internal controls and reporting structures for compliance with the Act.” This certification must be submitted on an annual basis, and the law states that a review of such certifications will be conducted by “certifying officers” within 90 days of submission. Additionally, covered entities are also required to appoint one or more privacy or data security officers that will both implement the privacy policies of said entities, as well as ensure that said entities maintain compliance with the law.

Alternatively, third parties that collect personal information on behalf of covered entities must also adhere to the corporate accountability provisions set forth in the law. For example, third parties are prohibited from using the personal data they collect from data subjects for any purpose other than what they were directed to do by the covered entities that facilitated such transactions. Subsequently, third parties generally have the same obligations under the law as covered entities, “with the exception that, given their non-consumer facing role, they are only required to assist the covered entities they process covered data for from fulfilling requests by individuals to exercise their rights under sections 203 and 204 of the Act.”

While the American Data Privacy and Protection Act is a draft law that may never end up being passed, the fact that a comprehensive data protection law has the potential to be enacted at all signifies a positive development. As American citizens all around the country submit their data to companies, small businesses, and major corporations alike on a daily basis, federal legislation that protects this personal data from unauthorized access, use, and disclosure is of the utmost importance. As virtually every other major nation in the world has passed some level of comprehensive data protection law as of 2022, the introduction of HR 8152 to the U.S. Congress was a long time coming.

Related Reads

Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy
September 06, 2023 | 4 minutes read
Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy

Body-worn cameras are an essential piece of equipment for law enforcement officers and the redaction of faces from BWC footage is necessary to protect the privacy of individuals.

Learn More »
Sensitive Information, Protected: Patient Privacy, HIPAA, And You
August 30, 2023 | 4 minutes read
Sensitive Information, Protected: Patient Privacy, HIPAA, And You

HIPAA compliance ensures patient privacy. Often making the consequences of non-compliance severe, so how do you avoid that?

Learn More »
Protecting Privacy in the Healthcare Field: PII, PHI & PCI
July 12, 2023 | 5 minutes read
Protecting Privacy in the Healthcare Field: PII, PHI & PCI

Healthcare professionals handle a wide range of sensitive data that is crucial for delivering quality care. But protecting that data is getting harder.

Learn More »
FISA Section 702, Is The US Government Monitoring You?
June 26, 2023 | 6 minutes read
FISA Section 702, Is The US Government Monitoring You?

Is there a give-and-take relationship that must be accepted when it comes to keeping the country safe? Should U.S. persons be okay with the incidental collection of their conversations in the name of national security under FISA Section 702? Even when it violates their constitutional rights? Well, that’s up to Congress to decide.

Learn More »
The Gap You Won’t Want to Close: Air-Gapped Systems
June 05, 2023 | 6 minutes read
The Gap You Won’t Want to Close: Air-Gapped Systems

An air-gapped system is a computer, or network that is physically isolated from any external connections and networks which includes the Internet. It operates in total isolation with neither wired nor wireless connections to other devices.

Learn More »
Using Redaction for Privacy Maintenance as An Investigator
May 31, 2023 | 5 minutes read
Using Redaction for Privacy Maintenance as An Investigator

These oaths emphasize upholding the law, serving the public, and protecting the rights of individuals. One of these many rights is privacy. An investigator must adhere to the legal and ethical guidelines within the jurisdiction and perform their investigation within those specifically set boundaries.

Learn More »