As the policy community takes time to absorb and reflect on the substantive provisions of the US Data Protection and Privacy Bill, it is worth exploring the basic scope of the bill. Which organizations would be expected to comply? How do obligations differ by size or function in the data economy? The ADPPA presents a somewhat complex array of organizational roles, with different names than privacy professionals may be familiar with. For example, what is the difference between a “third party” and a “third party collection entity”?

Note that this is an article about a bill, not yet introduced in the US House or Senate. All provisions are subject to change, including scope provisions and definitions. For this analysis, we have reviewed the draft text published on June 3, 2022. Because it represents the buy-in of only three of the four principals involved in the ongoing “four corners” discussions – the leaders of the trade committees of the Senate and House – this discussion draft has been referred to as ADPPA’s “three-cornered draft”.

Although reports suggest that the final version of this bill has a better chance of passing than ever for a comprehensive US federal privacy bill, passage of the law is a long way from guaranteed. Nonetheless, the evolving understanding among policy makers of privacy roles and responsibilities is worth monitoring.

Who should comply with the ADPPA?

In general, the ADPPA draft is broadly applicable to organizations operating in the United States. As defined in the draft, a covered entity is one that “collects, processes, or transfers covered data and is subject to the Federal Trade Commission Act (15 USC 41 et seq.)”, plus non-profit organizations and common carriers, as explored below. Note that “transfer” in this context means any sharing of data, not necessarily a cross-border transfer. As defined in the draft, transfer “means to disclose, publish, share, broadcast, make available, or license in writing, electronically, or by any other means.”

The FTC Act gives the FTC the authority to control unfair or deceptive acts or practices “in or affecting commerce” in the United States. As the SAFE Web Act recently clarified, this includes “such acts or practices involving foreign trade that cause or are likely to cause reasonably foreseeable damage to the United States; or involve material conduct occurring in the United States”, 15 USC Section 45(a)(4)(A).

Covered data is defined in the draft as “information that identifies or is linked or reasonably linked to an individual or device that identifies or is linked or reasonably linked to 1 or more individuals, including derived data and unique identifiers”. Explicitly excluded from this definition are (i) anonymized data, (ii) employee data (broadly defined to include hiring data), and (iii) publicly available information.

Non-profit organizations are in

The ADPPA draft would explicitly extend the FTC’s jurisdiction over privacy and data security matters to nonprofit organizations. Because the FTC’s primary jurisdiction applies to matters “in or affecting commerce,” most nonprofit organizations have been deemed exempt from the FTC’s consumer protection enforcement. Although some state-level “mini-FTC” laws apply to nonprofits, detailed state privacy laws have also generally exempted nonprofits from their scope, except the Colorado Privacy Act.

This would be a significant expansion of the scope of privacy obligations. According to 2021 data from the Urban Institute, there are approximately 1.8 million nonprofit organizations in the United States, including public 501(c)(3) charities, private foundations, and a variety of associative and professional organizations. It should be noted that most nonprofits in the United States would fall under the “small data exception” in the ADPPA draft (see below). According to 2019 data, only 5.4% of registered charities had revenues over $10 million (but note that charities are only a subset of nonprofits).

Common carriers are in, but others are still out

Due to a variety of historical exclusions and overlapping regulatory regimes, the FTC’s jurisdiction over business activities does not include all industries. Exceptions include the insurance sector, banks, savings and credit institutions, credit unions, airlines and the common carrier activities of telecommunications service providers. Unlike many data protection authorities, the FTC does not have jurisdiction over government actions.

The draft ADPPA would adjust this by explicitly bringing the common carrier activities of telecommunications companies within the scope of the FTC’s data privacy and security provisions. The other exempt industries would remain unchanged. However, in the section on data security, the bill includes language clarifying that compliance with the data security requirements of the Gramm-Leach-Bliley Act, covering financial institutions, or the Health Information Technology for Economic and Clinical Health Act, covering health care and related technologies, will be considered ADPPA compliant.

Well-defined layers

Beyond the general definition of “covered entity” in the draft legislation, there are specific types of defined entities, each with additional requirements or exclusions. In general, the organizations covered are first broken down in terms of scale (turnover and number of individuals involved), then by role vis-à-vis the individual (direct relationship, third party or service provider). See the table below for a breakdown of how the defined roles change the substantive requirements of the draft bill.

Small and medium-sized businesses must comply with the ADPPA, but are exempt from a few substantive provisions under the bill’s “small data exception.” To fall under the exception, the organization must meet all of the following requirements: (1) annual gross revenues below a certain threshold (the draft proposes $41 million) for each of the previous 3 years, (2) not process the data of more than 100,000 people, and (3) not derive more than 50% of its revenue from the transfer of Covered Data.

At the other end of the scale, the ADPPA draft adds additional responsibilities for “large data holders,” which are defined as organizations (1) with more than $250 million in gross annual revenue over the course of the previous calendar year and (2) that processed covered data of more than 5 million individuals or covered sensitive data of more than 100,000 individuals. (The definition of sensitive data in the draft includes all EU General Data Protection Regulation special categories of data, as well as government-issued identifiers, financial account numbers, precise geolocation data, private communications, login credentials, personal files, television viewing data, intimate images, data about persons under the age of 17, and “information identifying a person’s online activities over time or on third-party websites or online services”.)

Rules and roles

The draft ADPPA also includes substantive requirements prescribed based on an organization’s role with respect to the data covered.

In the context of an organization transferring (sharing) personal data with another entity, the bill distinguishes between a “service provider” and a “third party”. For privacy professionals, these roles echo the distinction between processors and controllers in the GDPR.

A Service Provider within the meaning of the draft ADPPA means a “covered entity that collects, processes or transfers covered data in connection with the performance of one or more services or functions on behalf of and under the direction of another covered entity, but only to the extent that such collection, processing or transfer (i) is in connection with the performance of that service or function; or (ii) is necessary to comply with a legal obligation.” In other words, service providers can also be general “covered entities” when they are not acting as a service provider.

A Third Party is defined as an entity that is not a Service Provider but “Collects, Processes or Transfers Third Party Data” (contextually defined as “Covered Data that has been transferred to a Third Party by a Covered Entity”). If an entity is considered a large data holder, the bill treats it as a third party even if it is under common ownership or corporate control with another entity (or vice versa). It is important to note that third parties are subject to a limitation that their processing of data must be consistent with that of a reasonable person.

A data broker under another name

The final type of entity that is subject to specific prescriptive rules under the ADPPA draft is called a “Third Party Collection Entity”. This includes any Covered Entity “whose primary source of revenue is from the processing or transfer of Covered Data of individuals that the Covered Entity did not collect directly from the individuals to whom the Covered Data relates”. The definition clarifies that this does not include a covered entity that processes employee data “for the sole purpose of that third party providing benefits to the employee.” Primary source of revenue is also clarified to mean either more than 50% of revenue or processing/transferring data of more than 5 million individuals, if not collected directly. For these entities, Section 206 provides additional notification requirements, audit logging, and inclusion on a public list administered by the FTC.

Work in progress

The ADPPA’s three-cornered draft would expand the scope of the FTC’s authority over data privacy and security issues. It covers most, but not all, industries and includes targeted requirements for certain types of entities. Most of the draft’s analysis suggests that the “covered entity” requirements would apply to all types of entities, including service providers, if they were not explicitly exempted. Compared to current practices, this would likely lead to tougher restrictions for those who do not collect data directly from individuals. Again, this is a public discussion draft, intended to solicit feedback from stakeholders. On Tuesday, June 14 at 10:30 a.m. EDT, there will be a House subcommittee hearing on the draft. The hearing is titled “Protecting American Consumers: Bipartisan Legislation to Strengthen Privacy and Data Security.”
