On April 7, 2024, U.S. lawmakers Cathy McMorris Rodgers and Sen. Maria Cantwell unveiled the bipartisan American Privacy Rights Act (APRA), aiming to set up a uniform national data privacy and security standard.
The proposed legislation, discussed in a 53-page document, mandates data minimization and enhances consumer rights, allowing individuals to opt-out of targeted advertising and manage their personal data. It introduces a national data broker registry and prohibits mandatory arbitrations in cases of significant privacy harm.
Additionally, the APRA includes civil rights protections, preventing the use of personal information for discriminatory purposes in sectors like housing and employment. It also features a private right of action, enabling enforcement by the Federal Trade Commission, state attorneys general, and individuals, with a shortened grace period of six months before these provisions take effect – something only very few privacy regulations in the U.S. require.
Significantly, the bill aims to pre-empt state privacy laws. This has been a contentious issue - particularly with California's rigorous standards. Pre-emption means that if a state law conflicts with the APRA, the federal law will take precedence. But if a state law imposes stricter regulations, both laws will apply where they complement each other. The APRA also incorporates elements from state laws including those from California, Illinois, and Washington, and allows for consumer lawsuits in cases of data breaches.
This draft marks a pivotal effort to unify privacy standards across the U.S. It also reflects something of a compromise between different political views. It’s a response to evolving landscape of data protection as influenced by technological advancements and global regulatory trends.
The introduction of the APRA is a critical step toward comprehensive federal privacy legislation in the U.S, which is currently fragmented in 15 dedicated state laws and dozens of specific sectoral federal laws, such as HIPPA.
But this could also have implications that extend way beyond the United States. How do these developments align with (or influence) European privacy regulations? And what could they mean for your business? Let’s take a look.
Global consistency: If the APRA sets up strong privacy protections, it might encourage greater harmonization between U.S. and European standards, particularly relating to data minimization and consumer rights. This could lead to fewer barriers for European companies operating in the U.S. as they might not need to adopt vastly different practices for different regions.
The APRA may use different terminology to the General Data Protection Regulation (GDPR). It refers to "covered entities" (that GDPR calls "controllers,") and "service providers" (GDPR "processors"). However, the draft bill includes many familiar GDPR terms and principles.
Influence on future EU regulations: The EU is often seen as a global leader in privacy with the GDPR setting a high standard. If the APRA introduces equally stringent or innovative privacy measures, it might influence future iterations or updates of the GDPR.
Compliance costs: For European businesses, particularly those that operate internationally, understanding and following the APRA would be essential. This might mean you need to make bigger investments in compliance infrastructure - especially for data handling and processing standards that are different from GDPR. In particular, the data minimisation principle in the APRA differs from the one known under the GDPR. It has 15 listed purposes of legitimate data processing, for example.
Operational adjustments: Businesses may need to adjust their operations to ensure that data transfers between the EU and U.S. remain compliant with both regulations in both regions. This might involve stricter data protection measures or revised contracts.
Impact on data transfer mechanisms: Over the past decade, the EU and the U.S. have been in negotiations over data transfer mechanisms. This follows groundbreaking rulings by the European Court of Justice (CJEU), especially after the latest invalidation of the Privacy Shield framework in 2020.
A robust federal privacy law in the U.S. could reassure European courts and regulators that the U.S. offers adequate protection, and this could prevent another invalidation of the current transfer mechanisms by the CJEU.
Legal certainty for businesses: A stronger U.S. privacy law might provide more legal certainty for European businesses about the safety of their data transfer mechanisms, reducing the risk of legal challenges and complex transfer impact assessments.
Level playing field: If the APRA introduces strict privacy standards, it could level the playing field for European companies that have had to adhere to rigorous GDPR standards, potentially making U.S. companies adhere to similar restrictions and compliance costs. Big U.S. Tech companies might incorporate more privacy into their software stack because they’re also then bound to strict data protection requirements in their home country.
Innovation and market opportunities: With great change comes great opportunity... You might want to consider how changes in the U.S. privacy landscape could open new market opportunities for you. It might also mean you need to come up with more innovative approaches to data management and privacy-enhancing technologies. But at the same time, we should consider the rigorous privacy litigation in the U.S. - with class actions and punitive damages – that mean enforcement might be stricter in the United States than in Europe.
The legislative procedure will continue but it might not all be plain sailing. California has already criticised the federal direction of travel. The legislation would also mean that the Federal Trade Commission would need to set up a brand-new bureau in addition to its competition and consumer protection divisions.
We’ll keep an eye on the progress and final provisions of the APRA as EU businesses and lawmakers try to stay on top of potential changes in the global regulatory environment. Because if the new proposals make it into law, it could mean major changes and strategic adjustments to your operations and compliance frameworks.
Watch this space for more.
Related: Discover what the legislation could mean for privacy and compliance in your business— Download your complete guide to the EU AI Act.
If you’d like to chat about what this could mean for your business, contact your DataGuard expert. Not a customer yet? Get in touch right here.