
International: Comparing the ADPPA with Australia's Privacy Act

The American Data Privacy and Protection Act [1] ('ADPPA'), whilst still under review, has many similarities with existing privacy legislation, including Australia's Privacy Act 1988 (Cth) ('the Privacy Act'). Katherine Sainty and Aisling Hamilton, from Sainty Law, provide an introduction to some of the main features of the ADPPA, as well as a glance at how the ADPPA compares with the Privacy Act.


What is the ADPPA?

The ADPPA is a draft privacy bill that, if enacted, will give American citizens unprecedented rights over their data privacy. It is a comprehensive bill creating a framework that provides greater privacy protection to individuals and limits how entities can collect, access, and use individuals' data.

The ADPPA is the first major federal framework that has been proposed to protect Americans' data and privacy, and represents an important compromise as it is supported by both the Democratic and Republican parties.

What and who does the ADPPA cover?

The ADPPA protects covered data. 'Covered data' is defined as:

'information that identifies or is linked or reasonably linked to an individual or a device that identifies or is linked or reasonably linked to 1 or more individuals, including derived data and unique identifiers'.

Covered data specifically excludes de-identified data, employee data, and publicly available information, each of which is separately defined in the ADPPA.

'Publicly available information' is information that is widely accessible to the public that does not reveal any sensitive data or share information that could be reasonably linked to an individual. It does not include any information combined with covered data.

'Sensitive data' includes information such as an individual's social security number, any other government-issued identifiers, biometric information, financial details, health information, sexual orientation, race, or genetic information.

The ADPPA will regulate any entity that collects, processes, or transfers covered data where that entity is either subject to the Federal Trade Commission's ('FTC') jurisdiction or is a common carrier under the Communications Act of 1934 ('Covered Entity'). This includes corporations, non-profits, and telecommunications companies operating in the US.

The ADPPA anticipates that the FTC will issue guidance on reasonable policies, practices, and procedures under the ADPPA to complement the legislation.

What are some of the key features of the ADPPA?

Key features of the ADPPA include that Covered Entities will:

  • Need to obtain consent from individuals before collecting their data.
  • Be prohibited from engaging in data processing activities, such as collecting, processing, and transferring sensitive data, without first obtaining affirmative consent from the individual. Affirmative consent means that the individual has freely given specific, informed, and unambiguous consent by taking an action, such as ticking a consent button.
  • Need to give individuals the option to opt-out from:
    • the transfer of their data to third parties; and
    • targeted advertising, meaning an online advertisement that is selected based on known or predicted preferences, characteristics, or interests derived from covered data.
  • Be required to publish their privacy policies explaining their data processing activities to create transparency around their data practices.
  • Not be able to engage in targeted advertising (as defined above) to children under the age of 17.

Under the ADPPA, people residing in the US will be granted new rights, including the right to access their data and to request that their data be deleted, corrected, or exported elsewhere.

While the ADPPA is comprehensive and will override most state privacy laws by creating one federal law, it does have some limitations. Certain state laws are preserved and may take precedence over the ADPPA where they conflict with it, including:

  • state laws on facial recognition, data breach notifications, and student information;
  • parts of the California Consumer Privacy Act of 2018; and
  • parts of Illinois' Biometric Information Privacy Act of 2008.

It remains to be seen how this will play out in practice.

Algorithms

The ADPPA also aims to protect against discrimination through the use of algorithms. An algorithm is a computational process that makes or facilitates a decision or facilitates human decision-making with respect to covered data.

Large data holders have additional requirements under the ADPPA. Large data holders are Covered Entities that have annual revenues of at least $250 million and collect covered data of more than five million individuals (or sensitive data of more than 100,000 individuals).

Large data holders that use algorithms must assess their algorithms annually and submit annual algorithmic impact assessments to the FTC. These assessments must:

  • describe steps taken to mitigate potential harms from algorithms; and
  • consider the potential for algorithms to cause harm to an individual based on the individual's race, colour, religion, national origin, gender, sexual orientation, or disability status.

Biometrics

There are also rules relating to the way in which Covered Entities can use biometric information. Covered Entities:

  • must obtain express affirmative consent when collecting, processing, or transferring biometric information; and
  • may not process biometric information, known non-consensual intimate images, or genetic information, except for specified purposes.

Biometric information means any covered data generated from the measurement, observation, tracking, collecting, or processing of an individual's biological, physical, or physiological characteristics, including:

  • fingerprints;
  • voice prints;
  • iris or retina imagery scans;
  • facial or hand imagery, geometry, or templates; or
  • gait or personally identifying physical movements.

How does the ADPPA compare to Australia's privacy law?

The ADPPA shares many similarities with the Privacy Act and the Australian Privacy Principles ('APP'), as well as with other laws regulating privacy in the UK and EU. Organisations that are subject to the ADPPA will need to consider how they will comply with the new laws once enacted.

We have included some points of similarity to give you a flavour of what can be expected.

Transparency

Both Australian privacy law and the ADPPA emphasise the need for transparency with respect to how entities collect, handle, and process personal information. APP 1 requires that an entity have a clearly expressed and up-to-date privacy policy that is easily accessible to the public and details what information is collected, how it is collected, and how it is used by the entity.

Similarly, the ADPPA mandates that Covered Entities must publish a privacy policy that clearly outlines the entity's data processing activities. However, the ADPPA includes an additional requirement that privacy policies must state whether the data collected will be transferred to, processed in, or otherwise made available in the People's Republic of China, Russia, Iran, or North Korea. Although the ADPPA does not prohibit transfers to these countries, such transfers must be disclosed.

Enforcement

The Office of the Australian Information Commissioner ('OAIC') is responsible for the enforcement of the Privacy Act in Australia. Similarly, the ADPPA will rely on the FTC for its enforcement. The FTC has enforcement powers, including the power to issue civil penalties to those who breach the ADPPA. Any violation of the ADPPA could result in Covered Entities being fined up to $46,517 for each infringement.

Correction of personal information

Australians can rely on APP 12 to access their personal information held by an entity. APP 13 also allows Australians to request a correction to their personal information. This is to ensure the personal information held is accurate, complete, and not misleading.

The ADPPA will grant individuals data request rights, including the right to edit, correct, and delete personal information held by the Covered Entity. Currently, Australians do not have the right to ask for their personal information to be deleted; they only have the right to correct their personal information.

The ADPPA requires Covered Entities, and third parties that receive covered data from them, to delete, edit, or correct the data when an individual submits a request, unless the relevant entity needs the data to:

  • address a security incident;
  • guard against illegal activity or fraud;
  • comply with legal requirements, such as the data retention obligations outlined in the ADPPA; or
  • maintain or improve the service being provided.

Conclusion

The ADPPA is an exciting development on the data protection front, where individual data rights in the US have previously been subject to a fragmented, state-based regime. The ADPPA will give individuals the right to protect and have control over their data.

Australian companies that operate in the US or handle personal information from American individuals need to assess whether they must comply with the ADPPA, whether their business is a Covered Entity under the ADPPA, and what they must do to comply when collecting covered data.

The ADPPA is still in bill form, so it may change before it is enacted into legislation, but it will certainly attract much commentary.

Katherine Sainty, Director
Aisling Hamilton, Graduate Lawyer
Sainty Law, Sydney


1. See: https://www.commerce.senate.gov/services/files/6CB3B500-3DB4-4FCC-BB15-9E6A52738B6C
