Assessing the ADPPA for Improvements that Would Not Impact Basic Design
The views expressed are Martin Abrams’ and shared by other members of the IAF team. They do not necessarily reflect the views of the IAF Board or other members of the IAF community.
I have been waiting patiently for comprehensive U.S. privacy legislation for over 20 years. So, I am overjoyed that the “American Data Privacy and Protection Act” (“ADPPA”) has been voted out of committee. The ADPPA has a great deal going for it, both substantively and politically. For example, I like the requirements that organizations must be responsible actors and that risks related to the processing of data pertaining to people must be measured and managed. The ADPPA, however, is not perfect. There is room for improvement, particularly around clarity of terms, setting a basis for assessments, and future proofing the legislation without upsetting the political applecart. The political calculus for the ADPPA includes carefully structured compromises on preemption and private rights of action. Enacting and implementing privacy legislation is a delicate balance, and any changes may upset that balance. Odds are that the ADPPA will not be passed prior to the Fall elections, so there is time to think about whether the ADPPA might be improved substantively, without changing its design in a fashion that might make passage more difficult.
Americans want privacy legislation. Consumers/citizens want to be watched only when it benefits them, want fewer surprises, want a sense that their data is providing value to them (not just to a company) and want the prevention of bad outcomes. Businesses want stability and predictability, want less international stress around data transfers, and want to be able to use data to solve problems. Based on these goals, three objectives for privacy legislation can be articulated: (1) protect individuals from the adverse impact of unreasonable processing of data related to people; (2) create a basis for trusted transfers of data to the United States (if national security uses are solved); and (3) create a pathway for trusted, fair processing of data for tomorrow’s necessary data uses.
The stated charitable purpose of the Information Accountability Foundation (IAF) is research and education pertaining to information policy. The IAF team has nearly two centuries in privacy public policy experience. After the ADPPA was drafted, keeping the three objectives set forth above in mind, the IAF team developed a set of criteria to evaluate whether the ADPPA (and similar pending privacy legislation) met their intended objectives. This blog only lists the criteria for analysis and not the results of any analysis. Future blogs by IAF staff will make suggestions where the legislation might be improved. The criteria are as follows:
- Are the objectives for the legislation clearly set forth in specific terms (such as harms to be avoided)? Are the objectives for the legislation vaguely generalized, hard to define or a requirement without a clear objective (such as protect privacy, give individuals control, or mandate data minimization)? Do the objectives set the tone for the legislation?
- Are important terms clearly and consistently defined? Is there ambiguity because important terms are used differently and inconsistently? Does the legislation use terms that are product – or service – agnostic so that the legislation can evolve with time?
- Does the legislation find a route for data to be used when creating new insights are the objective, like legitimate interests is framed in pending Canadian legislation, with reasonable safeguards that are practicably actionable?
- Given the importance of cyber security, does the legislation create a route for using advanced analytics for detecting, defending, and responding to cyber security events? If it does create such a route, does the legislation require organizations to put those systems into effect?
- Does the legislation permit processing for standard business practices without consent but with reasonable controls?
- Does the legislation contain an actionable and demonstrable methodology for data supply chain governance?
- Does the legislation require demonstrable programs to assess and measure the likelihood of adverse processing impacts to individuals and groups of individuals taking place? Where these impacts are balanced against clear benefits, does the legislation set forth who has authority to require demonstration and in what form? Are there requirements and means for protecting against the defined adverse processing impacts, and for updating those protections as technologies and business processes evolve (i.e., without requiring new federal legislation)?
- Does the legislation have enough enforcement muscle that encourages adherence by covered entities? This includes enforcement agencies with the resources to effectively deter bad behavior.
- Are there obligations for transparency that go beyond privacy notices that meet explainability to consumers’ standards and that increase the visibility and understanding of processing of data pertaining to people? Can the legislation be explained in an international context to our trading partners?
- Are data subject rights meaningful and actionable by individuals and implementable by covered entities? Have these rights been balanced against unintended consequences?
Lessons from the GDPR policy process are relevant to assessment of the ADPPA. The GDPR took four years to enact and went into effect two years after enactment. The GDPR’s adaptability to change was based on the six legal bases, the intent that it be risk based, the guidance from recitals, and the ability to define uses as legitimate through demonstrable privacy by design. There was an understanding that there were conflicting elements, and there was a hope they might be resolved through the regulatory process. A number of short comings have been recognized now that are not easily resolvable, without further legislation. The IAF suggests that some clarifications to the ADPPA now would enhance implementation and enforcement of the ADPPA over time, thus attempting to avoid the GDPR conundrum. The ADPPA brings renewed hope for substantive privacy legislation that offers meaningful protections to Americans, and the IAF believes the criteria articulated in this blog will help make that hope a reality.