Ain’t Gonna Cut It: The (current) American Data Privacy Protection Act
Privacy Plus+
Privacy, Technology and Perspective
Ain’t Gonna Cut It: The (current) American Data Privacy Protection Act. This week, we spotlight the American Data Privacy Protection Act, or the ADPPA (H.R. 8152), a draft bill in Congress that purports to be a comprehensive data privacy bill. A link to the current draft follows:
https://www.eff.org/files/2022/07/20/2022-07-18_-_hr_8152_adppa_-_ains.pdf
The ADDPA rushes out of the gate, then stops to graze: The ADDPA and even supposedly “comprehensive” state data privacy laws, such as California’s CPRA, focus almost entirely on consumer protection. (Reflect for a moment on how “CPRA” is an abbreviation for “Consumer Privacy Rights Act.)
But consumer protection – that is, privacy protection for persons in their roles as consumers – is only one aspect of privacy. The fact is that privacy means much more than consumer protection. The ADPPA doesn’t even attempt to embrace privacy’s true scope and therefore falls short of its potential.
Compare Americans’ focus on consumer protection with the Europeans’ focus on true privacy. The text of the EU Charter of Fundamental Human Rights makes clear that the right to privacy and, separately, the protection of personal data are fundamental rights of individuals. In other words, privacy and data protection are part of the meaning of freedom in Europe. This freedom extends to all Europeans regardless of context or activity, consumer-based or otherwise. Specifically, Title II provides:
Article 7
Respect for private and family life
Everyone has the right to respect for his or her private and family life, home and communications.
Article 8
Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified...
A link to the text follows:
https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:12012P/TXT&from=EN
The ADPPA fails to address the real question: what “privacy” really means as an element of freedom in the United States. Of course, “Privacy” and data protection should be imperative for a consumer acting in a transaction. But a law that addresses privacy comprehensively should include more, such as the freedoms to seek solitude, shake off controls on deeply personal and family issues, and not to be lied to or manipulated. These freedoms shouldn’t just exist in the digital world and should undoubtedly extend beyond the commercial context.
Privacy isn’t just about consumers, companies, data, and transactions -- it is about individuals as Americans and their relations with each other, with governments, and with the technology that is becoming daily more weaponized against them. In short, it is part of what it means to be an American.
The ADPPA doesn’t address this, and it falls short on many other points that the Electronic Frontier Foundation helpfully highlights in the following article:
Grazing on half the grass. We understand the need for a national consensus on a privacy bill, including substantial preemption to make it more practical for businesses to implement and people to understand (and we’re open to suggestions on proper parallel roles for state activity, as in many industries). There may yet be time to work all that out, given (at the latest report) Senator Cantwell’s objection that the ADDPA’s enforcement provisions aren’t strong enough and the California Privacy Protection Agency’s determined opposition to preemption. Additionally, we firmly subscribe to the precept, “don’t make ‘perfect’ the enemy of the ‘good.’”
We fear that the ADPPA (and therefore Congress) will either remain ignorant about or ignore the most troublesome issues in the privacy world. These issues involve existential risks to our democracy and even to human life, including cybersecurity risks and the weaponization of data.
Instead, we believe and urge that for Americans, privacy and data protection are -- and should be recognized as -- fundamental rights. True privacy rights should be truly prioritized and made genuinely comprehensive.
--
Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.