HR 8152, U.S. Congress, New Draft Privacy Legislation
On June 23, 2022, U.S. Congress representatives Pallone, Rodgers, Schakowsky, and Bilirakis introduced HR 8152, otherwise known as the American Data Privacy and Protection Act. The bill represents the Federal Government’s most significant effort to date to pass comprehensive data privacy legislation. Modeled after other major comprehensive data protection regulations enacted both domestically and internationally in recent years, such as the EU’s GDPR and the California Consumer Protection Act (CCPA), the draft law grants American citizens numerous rights with respect to the collection, processing, retention, destruction, and dissemination of their personal data. Among its most significant provisions are the duty of loyalty, consumer data rights, and corporate accountability.
Duty of Loyalty
The American Data Privacy and Protection Act imposes a wide range of legal duties on covered entities within the U.S. with respect to the collection and processing of the personal data of the American public. The law defines a covered entity as “any entity that collects, processes, or transfers covered data and is subject to the jurisdiction of the Federal Trade Commission (FTC), including nonprofits, and telecommunications common carriers.” “Covered data” is defined as “information identifying, linked, or reasonably linkable to an individual or device linkable to an individual. This includes derived data and unique identifiers, but does not include de-identified data, employee data, or publicly available information.”
Likewise, HR 8152 holds covered entities responsible for protecting the privacy of the U.S. citizens they collect data from, and for affording certain forms of sensitive data an even higher degree of protection. Examples of personal data considered sensitive under the law include any personal information pertaining to individuals under the age of 17, as well as social security and passport numbers, among various other forms of data. Covered entities are also required to implement reasonable safeguards, policies, and procedures to protect the personal information they collect from data subjects.
Consumer Data Rights
The American Data Privacy and Protection Act also grants U.S. citizens a number of rights with respect to the personal data they provide to covered entities for business purposes, one of which is the right to be informed, through the covered entity’s privacy policy, of how they can exercise their rights under the law. More specifically, these privacy policies must address the manner in which a covered entity intends to collect, process, transfer, and secure the personal information it collects from data subjects. Furthermore, covered entities must notify data subjects whenever material changes are made to their privacy policies.
To this end, the draft law grants data subjects numerous privacy rights, which include but are not limited to the following:
- The right to access their personal data.
- The right to correct their personal data.
- The right to delete their personal data.
- The right to data portability.
- The right to consent and object.
- The right to opt-out.
Notably, the American Data Privacy and Protection Act also contains a corporate accountability provision that requires large data holders to certify that their respective companies maintain “reasonable internal controls and reporting structures for compliance with the Act.” This certification must be submitted on an annual basis, and the law states that a review of such certifications will be conducted by “certifying officers” within 90 days of submission. Additionally, covered entities are required to appoint one or more privacy or data security officers who will both implement the entity’s privacy policies and ensure that the entity remains in compliance with the law.
Similarly, third parties that collect personal information on behalf of covered entities must also adhere to the corporate accountability provisions set forth in the law. For example, third parties are prohibited from using the personal data they collect from data subjects for any purpose other than the one directed by the covered entity that facilitated the transaction. Otherwise, third parties generally have the same obligations under the law as covered entities, “with the exception that, given their non-consumer facing role, they are only required to assist the covered entities they process covered data for in fulfilling requests by individuals to exercise their rights under sections 203 and 204 of the Act.”
While the American Data Privacy and Protection Act is a draft law that may never be passed, the fact that a comprehensive data protection law has the potential to be enacted at all is a positive development. As American citizens across the country submit their data to companies, small businesses, and major corporations alike on a daily basis, federal legislation that protects this personal data from unauthorized access, use, and disclosure is of the utmost importance. Given that virtually every other major nation in the world had passed some form of comprehensive data protection law as of 2022, the introduction of HR 8152 to the U.S. Congress was a long time coming.