Released to the public on June 3, the American Data Privacy and Protection Act outlines foundational data privacy rights for US citizens. The bill requires bipartisan agreement from both chambers of Congress to be enacted into law and aims to give people privacy by design.
Till today, America does not have any National Data Privacy Law. This bill represents the result of some serious collaboration between Reps. Frank Pallone Jr., Cathy McMorris Rodgers, and Sen. Roger Wicker, and will give people full control over their data and the right to sue companies that violate it. While releasing the draft, the senators, in a written statement, mentioned that they hope to give people more control over personal data with this bill. They added, “This bill strikes a meaningful balance on issues that are critical to moving comprehensive data privacy legislation through Congress, including the development of a uniform, national data privacy framework, the creation of a robust set of consumers’ data privacy rights, and appropriate enforcement mechanisms. We believe strongly that this standard represents the best opportunity to pass a federal data privacy law in decades, and we look forward to continuing to work together to get this bill finalized and signed into law soon.”
In a conversation with Politico, Ann Cavoukian, who coined the term “privacy by design” and came up with seven foundational principles in 1997 talked about how the bill must take pressure off individuals by asking for permission. She mentions that the idea behind privacy by design is to preserve control for the data subject. Data privacy implies having control over the use and disclosure of your personal information.
Proposed changes as per the American Data Privacy and Protection Act
Once the bill becomes law it will give online users power over how their data is accessed and shared by host platforms and third-party data brokers. There are also provisions concerning how algorithms and biometric information gathering must be monitored.
The proposed American Data Privacy and Protection Act also gives some guidelines on targeted advertising, especially for kids under 16 years of age. It limits advertisers from exposing kids to certain types of sensitive content.
Large data holders will be required to conduct annual civil rights assessments on their algorithms’ impacts and submit those reports to the FTC.
What is privacy by design?
Privacy by design puts the onus of embedding these principles on the creator. The design and operation of IT systems, networked infrastructure, and business practices must as a rule safeguard individual privacy by default.
The privacy by design framework was published in 2009 and adopted by the International Assembly of Privacy Commissioners and Data Protection Authorities in 2010. They are independent regulators who keep tabs on privacy, data protection, and freedom of information.
The seven principles of privacy by design are:
1. Privacy is proactive not reactive – this approach implies a proactive approach to privacy wherein systems must factor in privacy rights at the outset to prevent misuse of data.
2. Privacy as the default setting – this principle calls for a default privacy setting that lets the user have the final say in how data is collected, used, retained, and must eventually be destroyed.
3. Privacy embedded into design – privacy must be embedded into the design and infrastructure of systems and companies must adhere to ethical practices.
4. Full functionality (positive-sum, not zero-sum) – this principle deals with the idea that it is only possible to have privacy or security. It urges corporations to implement all legitimate objectives while adhering to obligations.
5. End-to-end protection – Lifetime security – there should be security measures in place that protect data securely throughout its lifecycle.
6. Visibility and transparency – organizations that gather data must be transparent about their objectives and let individuals know what data is processed and why.
7. Respect for user privacy (Keep it user centric) – the interest of the user must take priority while designing and implementing any system or service.
The privacy by design provisions cater to the end consumer and seeks to prevent big corporations from trampling on individual rights. Once the American Data Privacy and Protection Act becomes law it will give data subject’s ultimate control over how their personal information can be harvested or used.
