American Privacy Rights Act (APRA): What it could mean for EU businesses and regulators

In a surprise move earlier this month, US congress released a draft of proposed new U.S. privacy laws. The legislation would mandate data minimization and enhance consumer rights, allowing individuals to opt-out of targeted advertising and manage their personal data. 

But what could it mean for lawmakers and businesses on this side of the pond? We’ve had a look.

 

On April 7, 2024, U.S. lawmakers Cathy McMorris Rodgers and Sen. Maria Cantwell unveiled the bipartisan American Privacy Rights Act (APRA), aiming to set up a uniform national data privacy and security standard.

 

What is APRA? 

The proposed legislation, discussed in a 53-page document, mandates data minimization and enhances consumer rights, allowing individuals to opt-out of targeted advertising and manage their personal data. It introduces a national data broker registry and prohibits mandatory arbitrations in cases of significant privacy harm.

Additionally, the APRA includes civil rights protections, preventing the use of personal information for discriminatory purposes in sectors like housing and employment. It also features a private right of action, enabling enforcement by the Federal Trade Commission, state attorneys general, and individuals, with a shortened grace period of six months before these provisions take effect – something only very few privacy regulations in the U.S. require.

Significantly, the bill aims to pre-empt state privacy laws. This has been a contentious issue - particularly with California's rigorous standards. Pre-emption means that if a state law conflicts with the APRA, the federal law will take precedence. But if a state law imposes stricter regulations, both laws will apply where they complement each other. The APRA also incorporates elements from state laws including those from California, Illinois, and Washington, and allows for consumer lawsuits in cases of data breaches.

 

What will APRA achieve? 

This draft marks a pivotal effort to unify privacy standards across the U.S. It also reflects something of a compromise between different political views. It’s a response to evolving landscape of data protection as influenced by technological advancements and global regulatory trends.

The introduction of the APRA is a critical step toward comprehensive federal privacy legislation in the U.S, which is currently fragmented in 15 dedicated state laws and dozens of specific sectoral federal laws, such as HIPPA.

 

What does APRA mean for your business? 

But this could also have implications that extend way beyond the United States. How do these developments align with (or influence) European privacy regulations? And what could they mean for your business? Let’s take a look.
 

1. Harmonization of standards 

Global consistency: If the APRA sets up strong privacy protections, it might encourage greater harmonization between U.S. and European standards, particularly relating to data minimization and consumer rights. This could lead to fewer barriers for European companies operating in the U.S. as they might not need to adopt vastly different practices for different regions.

The APRA may use different terminology to the General Data Protection Regulation (GDPR). It refers to "covered entities" (that GDPR calls "controllers,") and "service providers" (GDPR "processors"). However, the draft bill includes many familiar GDPR terms and principles.

Influence on future EU regulations: The EU is often seen as a global leader in privacy with the GDPR setting a high standard. If the APRA introduces equally stringent or innovative privacy measures, it might influence future iterations or updates of the GDPR.

2. Business operations and compliance

Compliance costs: For European businesses, particularly those that operate internationally, understanding and following the APRA would be essential. This might mean you need to make bigger investments in compliance infrastructure - especially for data handling and processing standards that are different from GDPR. In particular, the data minimisation principle in the APRA differs from the one known under the GDPR. It has 15 listed purposes of legitimate data processing, for example.

Operational adjustments: Businesses may need to adjust their operations to ensure that data transfers between the EU and U.S. remain compliant with both regulations in both regions. This might involve stricter data protection measures or revised contracts.

3. Data transfer and safe harbor agreements

Impact on data transfer mechanisms: Over the past decade, the EU and the U.S. have been in negotiations over data transfer mechanisms. This follows groundbreaking rulings by the European Court of Justice (CJEU), especially after the latest invalidation of the Privacy Shield framework in 2020.

A robust federal privacy law in the U.S. could reassure European courts and regulators that the U.S. offers adequate protection, and this could prevent another invalidation of the current transfer mechanisms by the CJEU.

Legal certainty for businesses: A stronger U.S. privacy law might provide more legal certainty for European businesses about the safety of their data transfer mechanisms, reducing the risk of legal challenges and complex transfer impact assessments.

4. Strategic and competitive implications

Level playing field: If the APRA introduces strict privacy standards, it could level the playing field for European companies that have had to adhere to rigorous GDPR standards, potentially making U.S. companies adhere to similar restrictions and compliance costs. Big U.S. Tech companies might incorporate more privacy into their software stack because they’re also then bound to strict data protection requirements in their home country.

Innovation and market opportunities: With great change comes great opportunity... You might want to consider how changes in the U.S. privacy landscape could open new market opportunities for you. It might also mean you need to come up with more innovative approaches to data management and privacy-enhancing technologies. But at the same time, we should consider the rigorous privacy litigation in the U.S. - with class actions and punitive damages – that mean enforcement might be stricter in the United States than in Europe.

 

Next steps for EU businesses 

The legislative procedure will continue but it might not all be plain sailing. California has already criticised the federal direction of travel. The legislation would also mean that the Federal Trade Commission would need to set up a brand-new bureau in addition to its competition and consumer protection divisions.

We’ll keep an eye on the progress and final provisions of the APRA as EU businesses and lawmakers try to stay on top of potential changes in the global regulatory environment. Because if the new proposals make it into law, it could mean major changes and strategic adjustments to your operations and compliance frameworks.

Watch this space for more.

 

Related: Discover what the legislation could mean for privacy and compliance in your business— Download your complete guide to the EU AI Act.

 

Stay up to date and prepare your company for compliance

If you’d like to chat about what this could mean for your business, contact your DataGuard expert. Not a customer yet? Get in touch right here.

 

 

About the author

Contact Sales

See what DataGuard can do for you.

Find out how our Privacy, InfoSec and Compliance solutions can help you boost trust, reduce risks and drive revenue.

  • 100% success in ISO 27001 audits to date 
  • 40% total cost of ownership (TCO) reduction
  • A scalable easy-to-use web-based platform
  • Actionable business advice from in-house experts

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • External data protection officer
  • Audit of your privacy status-quo
  • Ongoing GDPR support from a industry experts
  • Automate repetitive privacy tasks
  • Priority support during breaches and emergencies
  • Get a defensible GDPR position - fast!

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Continuous support on your journey towards the certifications on ISO 27001 and TISAX®️, as well as NIS2 Compliance.
  • Benefit from 1:1 consulting
  • Set up an easy-to-use ISMS with our Info-Sec platform
  • Automatically generate mandatory policies
Certified-Icon

100% success in ISO 27001 audits to date

 

 

TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Proactive support
  • Create essential documents and policies
  • Staff compliance training
  • Advice from industry experts

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Comply with the EU Whistleblowing Directive
  • Centralised digital whistleblowing system
  • Fast implementation
  • Guidance from compliance experts
  • Transparent reporting

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Let's talk