USA: Overview of the House leaders' strategy for draft privacy national standard
U.S. House Energy and Commerce Committee Republican Leader, Cathy McMorris Rodgers, and Republican Leader for the Consumer Protection and Commerce Subcommittee, Gus Bilirakis, announced, on 3 November 2021, the release of a comprehensive federal legislative draft bill to establish a national privacy standard. If introduced, the draft would be brought as a bill for the Control Our Data Act. It aims to strengthen federal privacy protections and is guided by four core principles: promoting innovation, increasing transparency and accountability, and setting clear rules for protecting consumers' data privacy.
Scope and governing principles
The draft bill applies to covered entities, which it defines as any organisation, corporation, trust, partnership, estate, cooperative association, sole proprietorship, unincorporated association, or other entity, including such covered entity's affiliates, over which the Federal Trade Commission ('FTC') has authority. These covered entities must abide by the draft when processing personal information, which is defined as any information that is linked or reasonably linkable to a specific individual. However, personal information does not include:
- information that is collected, used, or shared solely for the purpose of employment of an individual, including any information regarding an individual that pertains to such individual in their capacity as an owner, director, or employee of a partnership, corporation, trust, estate, cooperative, association, or other type of entity;
- aggregate information;
- deidentified information;
- information that is rendered unusable, unreadable, or indecipherable, for example because the information is redacted, tokenised, or encrypted;
- information legally obtained from a publicly available source, including information obtained from a news report, periodical, or other widely distributed media, or from Federal, State, or local government records; or
- pseudonymised information.
In this respect, Paul Lanois, Director of Technology, Outsourcing, and Privacy at Fieldfisher LLP, provided some interesting insight and explained that, "There is a lot to unpack from the draft bill, but, in a nutshell, the draft bill would generally provide for a greater level of transparency nationally. If passed, the draft bill would require covered entities to:
- provide privacy disclosures in their privacy policies;
- provide information 'at or before the point of collection' of personal information; and
- honour requests for the exercise of privacy rights […]."
The list of principles governing this draft bill goes on, as Lanois explained that "other key provisions include retention limitation (i.e. data can only be retained as long as necessary for the purpose), the establishment of 'privacy by design', the need to perform 'risk assessments' (which are similar to data protection impact assessments), and requirements relating to information security." Lanois goes on to provide that, "[i]nterestingly, the draft bill distinguishes 'small to mid-size entities' from 'large entities' and in certain cases imposes additional requirements to 'large entities'. Finally, the draft bill would introduce new requirements for data brokers – namely a requirement to provide a website notice, a required audit log of accessed and transmitted information, and a registry of data brokers to be maintained by the FTC."
Similarities and divergences with the GDPR
At a first reading, this draft bill may remind those with some familiarity with the European privacy legislative framework of certain provisions of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In fact, some concepts that have now become part of the standard lexicon of the privacy world, such as privacy by design or the right of access, cannot but make one think of the Articles and Recitals of the GDPR.
Analysing this European inspiration within the draft bill further, Lanois considered that indeed, "[t]here are a number of elements of the Control Our Data Act which are similar to those of the GDPR – for example, the focus on transparency, the disclosure requirements, the privacy rights, or the 'risk assessment' requirement. Even the 30-day timeframe to respond to a request for the exercise of privacy rights is reminiscent of the GDPR."
Consumer rights under the draft bill
The draft bill also establishes a series of rights for the consumer. Lanois outlined that such rights include "the right of confirmation (that the organisation has personal information of such individual), the right of access (but only in relation to categories, not specific information), the right of correction, the right of deletion, and the right to object to the use of 'sensitive information'. In relation to 'sensitive information', while the definition includes similar items as the GDPR's 'special categories of personal data' (e.g. health or biometric data), the draft bill adds to the category information such as the contents and parties to communications, financial information, driver's license number, etc."
The current US privacy law system and the draft bill
The US does not have a single law that covers the privacy of all types of data. Instead, it has a mixture of laws that cover different types of personal data. This mixture spans both an overarching federal level, with key laws for set purposes, and a State level, with a patchwork of laws. Some of these State laws have become a benchmark for the nation, pushing legislative progress following the adoption of privacy laws in California, Virginia, and Colorado, but an overarching national privacy law is still lacking.
Things could change if this draft bill were introduced and became law. As Lanois explained, "Section 112 of the draft bill – helpfully titled 'One National Standard' – is quite clear that the intention of the drafters is to pre-empt State law. Section 112(a)(1) in particular would prevent any State law relating to 'the collection, use, or sharing of personal information by or on behalf of a covered entity'. It is clear that one of the key goals of the draft bill is to streamline privacy requirements across the nation and prevent the emergence of a requirement emerging from an individual State to become a national state. In other words, State laws would not be able to exceed or provide additional protections than the 'one national standard'."
How would companies be affected by the provisions of the draft bill?
Nonetheless, the path for the draft bill to become law is still long and uncertain, as Lanois reminded us: "assuming the draft bill is passed, which is not necessarily the safest bet to make, as demonstrated by the legislative history of other federal privacy bills which have all failed to pass the finishing line, organisations across the nation will be required to revamp their data privacy policies and practices." In this respect, Lanois highlighted that "[i]n most cases, organisations who have already worked on a GDPR (or California Consumer Protection Act of 2018 ('CCPA')) compliance program would be able to leverage the work they have performed and there would not be too much work needed to comply with the bill. However, organisations who have not worked on GDPR or CCPA compliance because they were out of scope are likely to find that a lot of work needs to be done in order to meet the requirements of the Control Our Data Act."
It is clear that there is still some way to go. As the draft bill is yet to be approved and formally introduced as a bill in the U.S. Congress, we will have to see what this holds for the US and its ongoing attempts at adopting federal privacy legislation.
Marcello Ferraresi, Privacy Analyst
Comments provided by:
Paul Lanois, Director of Technology, Outsourcing, and Privacy
Fieldfisher LLP, Palo Alto