US Privacy Act Proposed In Bipartisan Draft

April 12, 2024
Republican and Democratic lawmakers in the US have proposed a GDPR-like privacy bill that would, if passed, impose sweeping new obligations on companies handling consumer data, including payment service providers, but also simplify their regulatory requirements across state lines.

The proposed American Privacy Rights Act (APRA) minimizes the data that companies can collect and would ban them from transferring Americans’ personal information, including financial data, biometric information, geolocation histories and calendar and phone logs, to third parties without justification.

This justification might take the form of clear, affirmative consent from the user for their data to be processed, or a specific regulatory requirement such as fraud prevention.

The proposed agreement has emerged after years of stalled negotiations between Congressional Republicans and Democrats, who have long disagreed over whether a federal law should override state privacy laws that may contain tougher protections and whether private citizens should be able to file lawsuits against violators.

Control over personal data has become an increasing concern given the growth of online payments, the emergence of Web3 applications and the use of such data in training artificial intelligence (AI) models.

“This bipartisan, bicameral draft legislation is the best opportunity we’ve had in decades to establish a national data privacy and security standard that gives people the right to control their personal information,” Representative Cathy McMorris Rodgers and Senator Maria Cantwell said in a joint statement.

The new law would bring strict requirements for companies but also regulatory certainty, by replacing a patchwork of state laws with a single national set of rules.

The Network Advertising Initiative (NAI), an industry group that develops self-regulatory standards for online advertising, welcomed the proposal, but noted that its restrictions on data processing could have unintended consequences.

The proposal “represents significant commitment and progress, but it also reflects many of the same problems that have stymied previous efforts to pass federal privacy legislation”, David LeDuc, the NAI’s vice president of public policy, said in a statement. 

“Rather than seeking to protect consumers from harmful uses of consumer data, the draft APRA broadly restricts data processing in a way that would curtail beneficial uses of data that consumers want and that business can provide responsibly. Further, the processing allowed under the APRA draft is subject to confusing and conflicting opt-out and opt-in requirements.”

Microsoft, which is among the tech giants whose use of data lawmakers are looking to rein in, expressed support for a comprehensive federal law.

“The privacy bill unveiled by Chairs Cantwell and McMorris Rodgers is a good deal,” said Brad Smith, Microsoft vice chair and president. “Their willingness to work across party lines on an issue of common cause has led to a bill that would give all consumers in the US robust rights and protections. It would also provide clarity by establishing a national standard.”

New obligations

If passed, the bill would allow individuals to opt out of targeted advertising. They would be able to access and delete the data a company holds, and companies would be liable to pay damages if sued for violating a citizen’s privacy rights.

The bill would also prevent companies from using Americans’ personal data to discriminate against them, allowing individuals to opt out of a company’s use of algorithms to make decisions about housing, employment and education, healthcare, credit and so on.

Companies would be subject to strong data security standards to prevent data from being hacked or stolen, and would be required to inform US customers if their data is transferred to countries that are considered “foreign adversaries”, such as China or Russia.  

The Federal Trade Commission (FTC) and state authorities would have the power to enforce the law, alongside private lawsuits brought by citizens. Company executives would be held responsible for ensuring that their companies take all necessary actions to protect customer data, and companies would have to conduct annual reviews of algorithms to ensure they are compliant.

The draft bill must be passed in both the House and Senate before being sent to President Biden for signing into law. However, passing proposed legislation into law is notoriously difficult in an election year.
