A draft bipartisan bill has been introduced to replace current data privacy laws in different U.S. states. Introduced to the House of Representatives in early June, the draft requests the implementation of updated federal data privacy and protection regulations. The authors of the American Data Privacy and Protection Act (ADPPA) included Representatives Frank Pallone, Cathy McMorris Rodgers, Roger Wicker, Gus Bilirakis, and Jan Schakowsky.
The ADPPA has several similarities to the European Union’s General Data Protection Regulation (GDPR). Despite sharing many provisions with state data privacy and protection laws, the new bill will preempt state privacy laws in the same way the GDPR laws would. The ADPPA pertains to ‘covered data’, which is defined as “information that identifies or is linked or reasonably linkable to an individual or a device that identifies or is linked or reasonably linkable to one or more individuals, including derived data and unique identifiers.” Under the new regulations, covered entities are required to minimize the accumulation, processing, and transmission of data. Covered entities are commonly regarded as any entity subject to the Federal Trade Commission, an independent agency that protects U.S. consumer rights. For this reason, nonprofits and government entities are exempt from ADPPA requirements.
The ADPPA will give U.S. citizens rights over their personal information. These will include the right to access personal information maintained by a covered entity, the right to correct inaccuracies, the right to documentation regarding disclosures, the right to erase their personal information, and the right to limit how the information can be used. The ADPPA will also require covered entities to implement a variety of physical, technical, and administrative data security safeguards in order to improve the protection of covered data against malicious unauthorized third parties. Consent from the subject individual will be required before a covered entity can disclose information to a third party. Under the new regulations, ADPPA-covered entities must publicize a privacy policy, including a suitable description
Healthcare organizations subject to HIPAA law will be required to comply with the ADPPA, but only in circumstances where the data they maintain is covered by ADPPA laws. The ADPPA would be applicable to any covered data that is not subject to HIPAA regulations, including healthcare data that is utilized by non-HIPAA-covered entities. Covered entities that are non-compliant with the ADPPA can face punishment imposed by the FDA and state attorneys general. It is uncertain whether the bill will pass through Congress in its current form. The bill will be subject to criticism and will likely receive several changes.