A new US data privacy measure promises to offer you greater control over your data and change how businesses handle it

In many ways, there are no laws in the U.S. that protect data privacy. Even though there are some protections for health and financial data, the United States, which is home to some of the biggest tech companies in the world, like Apple, Amazon, Google, and Meta (Facebook), does not have a federal law that protects data privacy in a comprehensive way. This means that U.S. citizens have less privacy protection for their data than people in other countries. But that could soon change.

Galeanu Mihai/istockphoto

When it comes to protecting the personal data of individuals, the United States may soon catch up to the standards set by the European Union according to recent report of Anne Toomey McKenna, University of Richmond

On July 20, 2022, with unusually strong bipartisan support, the American Data and Privacy Protection Act was approved by a vote of 53-2 and went on to the full House for consideration. The law has not yet passed both houses of Congress, and talks are still underway. Responsible data practices is a priority for the Biden administration, therefore the White House is expected to back the legislation in some form. Anne Toomey McKenna has been keeping a close eye on the legislation, also known as ADPPA, due to her expertise as a legal scholar and attorney in the fields of technology and data privacy law. If passed, it would have far-reaching effects on data privacy law in the United States.

ADPPA fills the privacy gap, gives the federal government control over some state privacy laws, lets people sue for privacy violations, and makes a lot of changes to how privacy laws are enforced. Like all big changes, the media, scholars, and businesses all have different things to say about ADPPA. But many people see the bill as a win for U.S. data privacy because it sets a national standard for data practices, which was needed.

Who and what will ADPPA regulate?

The ADPPA would apply to "covered" entities, which are defined as any entity that collects, processes, or transfers covered data. This includes sole proprietorships and charitable organizations. Additionally, it regulates mobile phone and internet service providers in addition to other common carriers, which may result in changes to federal communications regulation that are cause for concern. It does not apply to entities associated with the government. ADPPA says that "covered" data is any information or device that can be used to identify a person or that can be linked to a person in a reasonable way. It also protects genetic information, biometric information, and information about where you are.

Protected data includes your location.

The bill doesn't cover three types of big data: data that doesn't identify anyone, data about employees, and public information. In this last group are social media accounts with privacy settings that let anyone see them. Even though research has repeatedly shown that deidentified data can be easily reidentified, the ADPPA tries to fix this by requiring covered entities to take "reasonable technical, administrative, and physical measures" to make sure that the information can never be used to re-identify any person or device.

How ADPPA protects your data

The act would call for as little data collection as possible. The bill says that covered entities can only collect, use, or share a person's data when it is reasonable and proportional to provide the person with a product or service they have asked for or to respond to a communication they have started. It makes it possible to collect information for authentication, security incidents, stopping illegal activities or serious harm to people, and following the law. People would be able to access their data and have some say over it. ADPPA gives users the right to have their data held by "covered entities" changed if it is wrong or even deleted if it is no longer needed. The bill makes it possible to collect data for research that is good for the public. It lets people collect data for peer-reviewed research or research done in the public interest, like checking if a website discriminates against people in a way that is against the law. This is important for researchers who could get in trouble with site rules or hacking laws if they didn't know this. The ADPPA also features a section that addresses the issue of services contingent on user agreement, such as the ubiquitous yet frustrating "I Agree" checkboxes that require users to accept confusing legalese. When you use a service, go to a website, or buy a product and are asked to check one of those boxes, you are waiving your right to privacy under the terms of a contract. No entity that is subject to the bill's provisions will be able to use contracts as a means of evading those rights.

Looking to federal electronic surveillance law for guidance

When finalizing ADPPA, federal lawmakers can look to the United States' Electronic Communications Privacy Act for inspiration. Similar to the ADPPA, the Electronic Communications Privacy Act (ECPA) of 1986 underwent a significant revamp of U.S. electronic privacy law to address threats to privacy and civil rights brought about by developments in surveillance and communication technologies. Once again, new forms of monitoring and data collection technology, such as AI, have far-reaching implications for the liberties of the general public.

The ECPA is still in force, providing a minimum level of protection against electronic surveillance at the national level. Unless both parties agree, ECPA prevents eavesdropping on communications. However, the ECPA does not prevent states from enacting even stricter privacy legislation if they so desire. A result is that about a quarter of U.S. states now demand authorization from all parties in order to intercept a communication, giving their residents more protections against government intrusion. The ECPA's federal/state balance has been effective for decades, and the act has neither weakened the judicial system or disrupted commercial activity.

National preemption

Some state data privacy laws are preempted by ADPPA as currently written. Although the Illinois Biometric Information Privacy Act and other state laws regulating facial recognition technologies are not superseded, the Consumer Privacy Act of California is affected. However, the preemption clauses are still being negotiated by House members.

Source: The Conversation