American Data Privacy & Protection Act.
Practical guide to the U.S. federal bill on privacy.
SEAC Editore
Composed of four Titles (Title I "Duties of Loyalty", Title II "Consumer Rights to Data", Title III "Responsibilities of Companies" and Title IV "Enforcement and Miscellaneous") with a total of 28 articles, the ADPPA aims to provide specific rights only to individuals residing in the U.S. Data about legal entities are excluded, as in the EU General Data Protection Regulation 679/2016 ("GDPR"), and so, contrary to the GDPR, are other non-resident individuals. The data of children under the age of 17 are also subject to protection. The right to exercise control over one's own data is centered on consent, and a number of obligations are introduced for companies, including nonprofit organizations (but excluding, contrary to the GDPR, public entities and government authorities), such as the obligation to comply with the principle of data minimization, to identify proper legal bases for the collection, processing, and transfer of personal data, to provide the Processing Notice, etc.
The ADPPA also establishes the right of data subjects to access, correct and delete personal data, sets specific constraints on profiling, and grants the right to opt out of targeted advertising in advance. In addition, companies will have to implement specific security measures to protect personal data from unauthorized access, and the Federal Trade Commission (FTC) will issue a series of regulations and guidelines implementing the various institutes of the ADPPA.
Oversight of compliance with the ADPPA is the responsibility of the FTC and state attorneys general. Finally, starting four years after the ADPPA takes effect, citizens will be able to file civil actions for violations of the law and their privacy rights. This important legislative initiative, in some ways historic, should also be read in light of its similarities to and differences from the EU General Data Protection Regulation 679/2016 (this is precisely the approach taken by the dossier). While there are many principles and institutes that the ADPPA takes directly from the GDPR (from the fundamental principles of processing to the legal bases; from the provision of the DPO to the Processing Disclosure), in relevant parts the proposed U.S. federal law deviates considerably from the European data protection approach. The starting point is the consumerist perspective that characterizes the U.S. regulatory framework, which protects consumer rights from a commercial perspective rather than fundamental rights and freedoms (the latter being the primary protection aimed at by the data protection legislation in the GDPR).