
How Might a US Federal Privacy Law Compare with the EU GDPR?

With ten US states now enacting their own privacy laws, the pressure is ramping up on the Federal Government to pass US-wide legislation in this area. But if that does happen, how would such a law compare with the EU GDPR in terms of its scope, requirements and penalties?

It’s been five years since the CCPA (California Consumer Privacy Act) was signed into law and started what might be seen as a rush towards enhanced privacy rights for US citizens, albeit in a rather patchy, state-by-state way. The recent adequacy decision by the EU in favour of the EU-US Data Privacy Framework largely came about as a result of President Biden issuing an executive order entitled “Enhancing Safeguards for United States Signals Intelligence Activities”, which was judged to have addressed many of the concerns raised in the Schrems II judgement that had struck down the Privacy Shield.

So does all of this mean that there is a “new dawn” for data privacy within the United States which may herald the passing of an all-encompassing Federal data privacy law that mirrors the EU’s GDPR?

How close is a Federal Law?

There have been many, many attempts (we’re talking dozens) to pass a bill that would create a data privacy framework covering all citizens of the United States, but so far none has come to fruition. The latest hopeful contender is the American Data Privacy and Protection Act (ADPPA) which made good progress last year and currently still seems to be on the cards for further consideration this year. But there are a number of sticking points.

Firstly, there’s the aforementioned fact that many states have been busy passing their own laws in the area of data privacy, and they’re not keen on Washington barging in with a law that would override theirs. This is known as the “pre-emption” issue.

Next, there’s the question of who would enforce this law. Would it be done at a federal level, by the Federal Trade Commission, or state level, by the bodies already formed to enforce the state-wide laws?

A further discussion point is whether the law would allow for a private right of action by US citizens, or whether only government bodies would be able to prosecute organizations for contravening privacy rules.

Some commentators are confident that these issues can be resolved by appropriate compromise and that this is the best attempt yet at getting a US Federal privacy law through.

So is this a “US GDPR”?

If you thought perhaps that the Americans might simply take a copy of the EU GDPR and stick the Stars and Stripes on the front, you’d be very mistaken. Quite apart from the huge incompatibilities between US and European law, there is also a marked difference in the context in which privacy is seen by the two.

In the European Union privacy is seen as a “fundamental right” which must be protected under its charter, and is talked about in the same way as food and freedom. As such, the GDPR has very wide-ranging applicability from the smallest local hairdresser through to the largest corporation.

Cross the Atlantic, however, and there is a more pragmatic feeling about privacy. It’s seen as a way to rein in the abuses of Big Tech, and there’s little appetite to bother “Mom and Pop” businesses with the issue. This is reflected in the applicability thresholds of much of the US legislation, as shown in the table below.

[Table: US federal and state privacy legislation and the applicability criteria for each]

So the bar is set fairly high before an organization needs to concern itself with the privacy rights of its consumers under the above legislation. Let’s not forget, of course, that many of the states already have other laws in specific areas that address privacy, so it’s not all bad.

Which GDPR-like provisions does the proposed ADPPA have?

Although it’s still a moving target and subject to change, there are a number of aspects of the ADPPA that are likely to remain in the final draft. These include:

  • Privacy principles, such as data minimization and privacy by design
  • A set of privacy-related rights for the consumer, including consent and opt-out
  • The need for a privacy policy
  • Extra rules for special categories of personal data
  • Special protections for minors
  • Security requirements to protect personal data
  • Privacy impact assessments
  • Contracts between “covered entities” and “service providers” (controllers and processors in the GDPR)
  • The need to designate a Privacy Officer and a Data Security Officer
  • The intention to have compliance programs in the future

As well as these GDPR-like features, there are a few that go that little bit further too, including:

  • More detail about the kinds of security processes that must be in place
  • A longer, more specific list of acceptable uses of personal data
  • A requirement to specify more information about the use of automated algorithms, including an impact assessment
  • Fines collected go into a fund for the benefit of victims

In many cases these look like reasonable enhancements to the GDPR.

But which are missing?

However, there are some topics from the GDPR that do not appear in the proposed ADPPA, or that are watered down. These include:

  • General applicability is limited to larger entities (as discussed above)
  • Specific amounts for maximum penalties (for example a figure in USD or a percentage of revenue)
  • Employee data is excluded
  • International data transfers are not explicitly mentioned – there is no “adequacy” list
  • There is no direct concept of having a representative within the USA for a foreign-based organization that collects the personal data of US citizens
  • There are no timescales given for the notification of a breach to the supervising authority (usually the Federal Trade Commission)
  • There are limitations on when an individual may take legal action against a controller

Again, we must stress that this is a draft US law, and it must also be seen in the context of many, many other US laws that we don’t pretend to understand and that may have a bearing on the above.

Overall comments

The creation of American law appears from the outside to be a tortuous process involving a high degree of compromise and horse-trading, so whether the ADPPA will ever become legislation (and in what form) is still anyone’s guess. However, those with a reasonable familiarity with the GDPR will recognise a lot of the important content in the ADPPA and it seems on first reading to be a decent stab at a US federal privacy law framework. Let’s hope it continues its rocky path through the US legislature and emerges the other end as a reasonable protection for the privacy of American citizens.


Written by Ken Holmes, CertiKit’s Managing Director and a CISSP-qualified security and data protection specialist who also holds the internationally recognised Certified Information Privacy Professional – Europe (CIPP/E) accreditation. Ken is the primary author of CertiKit’s toolkit range and has helped to implement, operate and audit ISO certifications over a varied 30-year career in the information technology industry.
