Privacy Law Update: July 25, 2022
Despite facing a time crunch, a flood of stakeholder feedback and unforeseen Congressional opposition, the proposed American Data Privacy and Protection Act keeps on chugging. The bill’s next act will come on the U.S. House floor after the House Committee on Energy and Commerce markup July 20 resulted in a 53-2 vote to advance the bill to full House consideration. The vote to advance marks the first time a comprehensive privacy bill will be made available for a full chamber vote in either the House or the Senate.
California Attorney General Rob Bonta today led a coalition of ten attorneys general in urging Congress to respect the role of states to enforce and provide for strong consumer privacy laws while advancing legislation enacting long-overdue privacy protections nationwide. The states call on Congress to create a baseline of consumer privacy laws that do not preempt states’ ability to respond with legislation to address changing technology and data protection practices. Numerous states already have strong privacy protections in place — including California — and state laws and enforcement are critical to protect consumers and their data.
On July 18, 2022, the UK government introduced the Data Protection and Digital Information Bill (‘DPDI Bill’) to Parliament. Previously known as the Data Reform Bill, it is the result of a consultation from 2021 and its aim is to update and simplify the U.K.’s data protection framework. According to the U.K. government, the new legal framework created by the DPDI Bill will reduce burdens on organizations while maintaining high data protection standards.
In 2020, Shaun Brown wrote about what he considered a significant flaw under the proposed Consumer Privacy Protection Act in Bill C-11, which was tabled in November 2020, and then died when the federal election was called in 2021. Bill C-11 retained the definition of personal information — information about an identifiable individual — but introduced a new concept of “deidentify.” This seemed to, by implication, alter the concept of personal information, expanding the scope of federal privacy legislation and tossing away years of judicial guidance in the process. Bill C-27 would do this as well, though in a slightly more complicated way.
The Cyberspace Administration of China plans to fine Chinese ride-hailing company Didi Chuxing more than $1 billion in relation to alleged insufficient data security practices, The Wall Street Journal reports. The fine is the last remedial step Didi faces as part of a yearlong investigation by the CAC, which removed the company’s mobile applications from China’s app stores over data security concerns in July 2021. Payment of the fine would restore Didi apps and allow the company to begin a new share listing in Hong Kong.
Different Approaches to Data Privacy: Why EU-US Privacy Alignment in the Months To Come Is Inevitable
Even though it is hardly disputable that the origins of modern data privacy, as well as computer technology, are to be found in the US, it is currently the EU with its GDPR that sets the global tone in terms of what is the generally accepted privacy standard, especially for multinational companies operating worldwide.
For historically marginalized groups, the right to privacy is a matter of survival. Privacy violations have put these groups at risk of ostracization, discrimination, or even active physical danger. These tensions have long pre-dated the digital age. In the 1950s and 1960s, the government used surveillance programs to target Black Americans fighting against structural racism, with the Federal Bureau of Investigation’s (FBI) Counterintelligence Program (COINTELPRO) targeting Dr. Martin Luther King, Jr. and members of the Black Panther Party. During the HIV/AIDS epidemic, LGBTQ+ individuals were fearful that with an employer-based healthcare system, employers would find out about a doctor’s visit for HIV/AIDS and that individuals would then face stigma at work or risk losing their jobs.
American Data Privacy and Protection Act: On July 29, the House Energy & Commerce committee voted to advance the American Data Privacy and Protection Act to the full House by a 53-2 vote. The only nays were California Representatives Eshoo (D-CA) and Barragán (D-CA).
The Committee considered a number of amendments to the ADPPA, summarized below (in order of appearance):
- The overarching Amendment in the Nature of a Substitute from Chair Pallone and Ranking Member McMorris Rodgers (discussed in yesterday’s message). The AINS was adopted by voice vote.
- An amendment from Reps Lesko (R-AZ) and Kuster (D-NH) to exclude NCMEC (National Center for Missing & Exploited Children) from the Act was adopted by voice vote.
- An amendment from Reps Trahan (D-MA) and Bucshon (R-IN) intended to clarify the ‘permissible purpose’ for sharing data for conducting public interest research was adopted by voice vote.
- An amendment from Reps Castor (D-FL) and Walberg (R-MI) expanding ADPPA’s ‘Privacy by Design’ requirements to identify, assess, and mitigate privacy risks to minors in an age-appropriate way was adopted by voice vote.
- An amendment from Reps McNerney (D-CA) and Curtis (R-UT) authorizing the FTC to promulgate regulations (in consultation with NIST) establishing processes for complying with the ADPPA’s data security requirements was adopted by voice vote.
- An amendment from Reps Carter (R-GA) and Craig (D-MN) reinserting requirements for covered entities to appoint data privacy and security officers (but exempting businesses with under 15 employees) was adopted by voice vote.
- An amendment from Reps Hudson (R-NC) and O’Halleran (D-AZ) reinserting revised language on service providers and third parties was adopted by voice vote.
- An amendment from Rep. Eshoo (D-CA) that would limit ADPPA’s preemptive effect to only provisions of state laws inconsistent with the Act failed by an 8-48 vote.
- An amendment from Rep. Walberg (R-MI) that would expand ADPPA carveouts applicable to small businesses was offered and withdrawn.
- An amendment from Rep. Hudson (R-NC) that would explicitly provide that ADPPA covered entities will not be covered by FCC privacy laws and regulations was offered and withdrawn.
- An amendment from Rep. Curtis (R-UT) focused on advertising that would provide, in part, that the definition of “targeted advertising” does not include “first party advertising or marketing” was offered and withdrawn.
- An amendment from Rep. Long (R-MO) that would strike the ADPPA’s explicit grant of enforcement authority to the California Privacy Protection Agency (seemingly based on a concern that it could provide California a preeminent role in the interpretation and implementation of the ADPPA) was offered and withdrawn.