ADPPA vs GDPR: Comparing individuals’ rights
Currently, the proposed adoption of the first US federal data privacy legislation, the American Data and Privacy Protection Act (ADPPA), is heavily...
On 20 July 2022, a proposed US federal data privacy law, the American Data and Privacy Protection Act (ADPPA), passed the House of Representatives Committee on Energy and Commerce. If it passes the full House and the Senate, the ADPPA would greatly harmonise the data protection obligations with which US businesses have to comply. The ADPPA largely draws on concepts known from the EU GDPR. Accordingly, businesses that are already GDPR compliant will likely be able to rely on the data protection safeguards they have implemented to fulfil their obligations under the ADPPA. However, the ADPPA also displays some important differences in comparison with its European counterpart. It is crucial for businesses to be aware of these and to develop compliance strategies early on.
In this post, we will compare the scope and key data protection principles of the ADPPA and the EU GDPR.
The ADPPA applies to the processing of ‘covered data’, which is all information that identifies, or is linked or reasonably linkable to, an individual. As with the broad scope of ‘personal data’ under the GDPR, businesses should expect that most of the data they handle will fall within the Act’s scope. Three categories of data are, however, excluded: 1) de-identified data, 2) employee data and 3) publicly available information. These largely correspond to the exceptions found in existing state data protection legislation.
Businesses that also process employee data subject to the GDPR should be aware of this difference. Under the GDPR, employee data is not excluded but rather subject to a higher level of protection: for instance, you can only rely on consent as a legal basis for processing employees’ data in exceptional circumstances. Publicly available personal data equally falls within the GDPR’s scope.
Both the GDPR and the ADPPA apply only to data relating to individuals. This protection, however, stems from two different rationales. In Europe, privacy is recognised as a fundamental human right, respect for which is crucial for a well-functioning democracy. In contrast, the US perceives privacy as an expression of liberty: the freedom from unwanted advertising and other intrusions into one’s private sphere.

The entities carrying out the processing under the ADPPA are defined as ‘covered entities’ and ‘service providers’. These largely correspond to the GDPR’s controllers and processors. If you wish to become ADPPA compliant, it is crucial to have an overview of the different processing operations your business conducts and to identify, for each of them, whether you qualify as a covered entity or as a service provider. Only then can you determine which obligations apply to you. You are a covered entity if you, alone or jointly with others, determine the purposes and means of the processing of the covered data and are subject to the Federal Trade Commission Act or the Communications Act of 1934, or are a non-profit organisation or an entity controlled by a covered entity. In short, if you determine why the data is processed and how this is done, you likely qualify as a covered entity. Importantly, federal, state and other government entities are excluded from the ADPPA but remain subject to other US sectoral laws containing data protection, security and privacy obligations.
If you merely process covered data on behalf of and at the direction of a covered entity, you are a service provider under the ADPPA, which corresponds to the GDPR’s processor.
Another important concept found only in the ADPPA is that of the large data holder. If your business has a gross annual revenue of at least 250 million dollars and collects, processes or transfers the covered data of at least 5 million individuals (200,000 individuals for sensitive data), you qualify as a large data holder and incur specific additional obligations regarding transparency and individuals’ rights. In practice, large data holders will mainly be data brokers, major big tech companies, e-commerce platforms and retailers.
If your business is currently subject to state data protection legislation, you must consider that you can no longer rely on threshold requirements to escape data protection obligations. For instance, the CPRA only applies to businesses that have an annual gross revenue of more than 25 million dollars, annually buy, sell or share the personal information of 100,000 or more consumers or households, or derive 50% or more of their annual revenue from selling or sharing personal information. Similar thresholds are found in the VCDPA, the CPA, the CTDPA and the UCPA. No such thresholds are included in the ADPPA.
The ADPPA only applies to the processing of the covered data of individuals residing in the US by a covered entity (Sec. 2(16)). These covered entities are established in the US. Under state legislation, by contrast, the respective privacy obligations can also apply to entities doing business in the state without having a physical establishment there. Similarly, the GDPR has a wide extraterritorial scope: it applies not only to processing by a controller established in the European Union but also to controllers outside the Union whose processing activities relate to the offering of goods or services to data subjects in the EU or to the monitoring of the behaviour of data subjects in the EU.
The ADPPA groups a number of principles under the heading ‘duty of loyalty’ in Title I. These correspond to the data protection principles known from Art. 5 GDPR and include, amongst others, data minimisation, accountability, purpose limitation, data security and privacy by design. All of these principles can also be found, in this or a similar form, in state legislation. Compliance with them is crucial to render your business ADPPA compliant.
Some variations from the GDPR exist:
Under the GDPR’s principle of lawfulness, processing must be based on one of the lawful grounds provided for. The broadest ground is the controller’s legitimate interest, which however requires an extensive balancing against the data subject’s interests and freedoms. Under the ADPPA, you must ensure that your processing is reasonably necessary and proportionate 1) for a specific product or service requested by the individual, 2) for reasonably anticipated communication with the individual or 3) for one of the expressly permitted purposes of section 101(b) ADPPA. Carefully go through this very concrete and extensive list to identify whether each of your processing operations falls within one of the categories. If not, you need to stop that processing operation to remain ADPPA compliant. Also note that no equivalent to the flexible ‘legitimate interest’ ground exists under the ADPPA.
Like the GDPR, the ADPPA classifies certain categories of data as sensitive. These include health data, biometric and genetic data and data revealing sexual orientation, but also categories not classified as sensitive under the GDPR, such as government-issued identifiers, financial account numbers and private photos and videos. You have to respect additional obligations when processing such data; it is therefore important to clearly identify which types of data you process in each processing operation. Unlike the GDPR, the ADPPA refrains from classifying data disclosing race, ethnic origin or trade union membership as sensitive data. Existing state legislation, by contrast, uniformly classifies data disclosing ethnic or racial origin as sensitive data.
To safeguard the principle of transparency, you must provide all individuals whose data you process with an extensive privacy policy. Guidance as to the required content of such a policy can be found in sec. 202(b) ADPPA, which largely corresponds to the content required by the GDPR. Pay particular attention if you disclose data to the People’s Republic of China, Russia, Iran or North Korea: you must disclose such transfers in the notice as well.
Under the principle of data security, you must implement reasonable administrative, technical and physical data security practices and procedures to protect the data against unauthorised access and acquisition. Please refer to sec. 208(b) for the minimum data security practices to be implemented, which also largely correspond to those required under the GDPR.
Overall, the ADPPA seems to align well with the EU GDPR and existing state legislation. Amongst the most remarkable differences are probably the exclusion from its scope of federal and state governmental entities and of the processing of employee data. If the Act clears the hurdles to its adoption, it is crucial that businesses have a good overview of their data processing operations and develop compliance strategies early on.
| | | GDPR | ADPPA |
|---|---|---|---|
| Scope | material | Personal data: data identifying or rendering identifiable an individual. Excluded: anonymised data | Covered data: information which identifies or is linked or reasonably linkable to an individual. Excluded: 1) de-identified data, 2) employee data, 3) publicly available information |
| | personal | Data subjects: individuals. Controller: determines alone, or jointly with others, the purposes and means of processing. Processor: processes data on behalf of the controller | Consumers: individuals. Covered entity: determines alone, or jointly with others, the purposes and means of processing. Service provider: processes data on behalf of the covered entity. Large data holder: gross annual revenue of at least 250 million dollars + processing data of at least 5 million individuals (200,000 for sensitive data) |
| | territorial | broad extraterritorial scope | processing of data of individuals residing in the US |
| Principles | Lawfulness | exhaustive list of lawful grounds in Art. 6 (Art. 9 for sensitive data); broad ‘legitimate interest’ ground (Art. 6(1)(f)) | processing must be reasonably necessary and proportionate for: 1) a specific product or service requested by the individual, 2) reasonably anticipated communication with the individual, or 3) a purpose expressly permitted in sec. 101(b) |
| | Transparency | privacy notice: content in Art. 13/14 | privacy notice: content in sec. 202(b); must state whether data is disclosed to the People’s Republic of China, Russia, Iran or North Korea |
| | Data security | suitable technical and organisational measures (Art. 32 ff.) | reasonable administrative, technical and physical data security practices (sec. 208(b)) |
| | Data minimisation & purpose limitation | processing only for specific, well-defined purposes + compatible purposes (Art. 5(1)(b)); only data that is ‘adequate, relevant and limited to what is necessary’ in relation to the purpose (Art. 5(1)(c)) | processing must be reasonably necessary and proportionate for the underlying purpose (sec. 101) |
| | Privacy by Design & Default | Privacy by Design and Default (Art. 25) | Privacy by Design (sec. 103) |