The American Data Privacy and Protection Act (“ADPPA”) is on its way to changing the face of U.S. data protection legislation on a federal level. This will impose new data protection obligations on organizations operating in the U.S. But how does this proposed legislation stack up to the GDPR? Osborne Clarke has reviewed and analyzed the new amended ADPPA bill and has compared it against the GDPR. While the in-depth analysis is available for download below, this Insight summarizes our key findings.
The ADPPA was introduced in the U.S. House of Representatives in July of 2022. This is the first time that federal privacy legislation in the U.S. has advanced to a full chamber vote of the House. The introduction of the ADPPA marks a significant milestone, even if the further legislative process is expected to be delayed by the U.S. midterm elections in November this year.
The ADPPA, if and when adopted by the U.S. federal legislators, will be the first federal privacy legislation with the aim of harmonizing privacy rules in the U.S. The status quo of data protection developments in the U.S. varies on a state-by-state basis. The California Consumer Privacy Act from 2018 (which came into effect in 2020) was followed by state privacy acts in Colorado, Connecticut, Utah, and Virginia, as well as active bills currently discussed by the state legislators in Massachusetts, Minnesota, New Jersey, Ohio, and Pennsylvania, which has resulted in a very fragmented privacy landscape in the U.S.
The ADPPA vs the GDPR
Similarities of the amended ADPPA bill to the GDPR:
The general concept of the ADPPA is similar to many other national privacy laws, including the GDPR. Examples of these similarities include (in general terms):
- The key principles of transparency, data minimization, necessity and proportionality apply.
- The scope of data protected by the ADPPA is very broad and overlaps significantly with the definition of personal data under the GDPR. The ADPPA applies to “covered data”, referring to information that identifies (or could be linked with other information to identify) an individual. However, “covered data” has significant exclusions (see below in differences of the ADPPA to the GDPR).
- Different roles are associated with different types of obligations (for instance, a “covered entity” under the ADPPA is comparable to a controller under the GDPR and a “service provider” under the ADPPA is comparable to a processor under the GDPR).
- Certain types of organizations subject to the ADPPA will be required to produce and maintain documents which are similar to those required under the GDPR, such as privacy policies, contracts with service providers and impact assessments.
- The concept of “sensitive covered data” under the ADPPA is comparable to the concept of special categories of personal data in that this type of data enjoys special protection under the ADPPA. However, the definition of “sensitive covered data” differs significantly from the definition of special categories of personal data under the GDPR (see below in differences of the ADPPA to the GDPR).
- “Individuals” have rights to request access, correction, and deletion of “covered data” and to port “covered data” subject to certain conditions.
Differences of the amended ADPPA bill to the GDPR:
There are key differences in the application of the ADPPA. Examples of these differences between the amended ADPPA bill and the GDPR are as follows:
- “Covered data” has some significant exclusions, as the term does not include employee data or data that has been put in the public domain (see no. 1 of the in-depth analysis).
- The term “individuals” (comparable to the term data subjects under the GDPR) only covers U.S. residents (see no. 2 of the in-depth analysis).
- The term “covered entity” does not include federal, state, or governmental bodies (see no. 3 of the in-depth analysis).
- “Sensitive covered data” includes information which is not considered special categories of personal data under the GDPR, such as government-issued identifiers, financial account numbers, precise geolocation, private communications, and information relating to individuals under the age of 17 (see no. 8 of the in-depth analysis).
- “Covered entities” and “service providers” that qualify as “large data holders” are subject to additional obligations under the ADPPA, whereas small businesses are exempt from certain obligations in order to reduce their administrative and financial burdens, namely in the area of data security (see no. 3 of the in-depth analysis).
- Companies of the same group are not considered “third parties”. This may result in a privilege for data transfers within a group of companies, unlike under the GDPR, as such data transfers would seem to be excluded from the requirements for transfers to “third parties” (see no. 3c and 10 of the in-depth analysis).
- The rights of “individuals”, such as access, deletion, and correction, are more restricted than under the GDPR (see no. 12 of the in-depth analysis).
- There are no specific enforcement instruments under the new ADPPA on a federal level. On a state level, the ADPPA would be enforced by the state attorney general bringing a civil action against an organization. As such, there are no specific defined fines, unlike under the GDPR, but organizations that breach the ADPPA could still be liable to pay damages.
Osborne Clarke Comment
Whilst the ADPPA would create a data protection regime in the U.S. which is more similar to that of the EU under the GDPR, the ADPPA is in many ways different from the GDPR. Should the ADPPA come into force, multinational companies will need to know the details of the new legislation. Such companies should also understand how the requirements of the ADPPA can be addressed by leveraging any compliance documentation and procedures already existing at the company, in order to avoid a fragmented and unharmonized privacy compliance program. As global privacy compliance programs are often built on the GDPR requirements, it will be key to understand the similarities and differences between the ADPPA and the GDPR.
In addition, the growing body of U.S. state privacy legislation may pose an additional compliance challenge, depending on how the U.S. resolves the question of pre-emption (see no. 17 of the in-depth analysis).
As regards data transfers under the GDPR to the U.S. in light of the Schrems II decision, we expect that the ADPPA will not have a significant positive impact, because the definition of “covered data” protected by the ADPPA only applies to data of U.S. residents.