ADPPA vs GDPR: how does the proposed US law compare to EU privacy standards?


While many internet users are looking to secure their personal data with the best VPN services, governments across the world have been busy crafting ad-hoc legislation to protect citizens' privacy and prevent businesses from exploiting their sensitive information for commercial purposes.

Since 2018, people living in the EU and the UK have benefited from the protection of a comprehensive privacy law, the General Data Protection Regulation (GDPR). This legislation has functioned as a base for further regulations worldwide.  

Four years later, it could finally be time for US citizens to have more control over their data. Making its way through the House floor right now, the American Data Privacy and Protection Act (ADPPA) has the potential to become the first comprehensive federal privacy law in the US. At the moment, just a handful of states enforce their own regulations.

Although the legislative process is still ongoing and the current text might change, let's compare how people in Europe and the US could have their privacy rights preserved.

ADPPA vs GDPR: key similarities

Both the ADPPA and GDPR seek to give internet users better control over their personal data, preventing organizations from wildly exploiting this information for commercial purposes whilst undermining citizens' constitutional right to privacy. 

Therefore, the two laws are based on similar fundamental principles. These include data minimization, transparency, necessity and proportionality.

"In Europe we've had a European data protection law for decades and so individuals have always been protected. Their privacy has always been protected for a very, very long time in a way that they've never been protected in the US."

Nigel Jones, The Privacy Compliance Hub

As the name implies, data minimization refers to the practice of collecting as little personal data as possible about users. Data collection is then allowed to fulfill a necessity - like payment details for eCommerce sites like Amazon - while being proportionate to the nature of the service. Similarly to the GDPR, the ADPPA identifies a different array of "covered entities" that will be subjected to specific obligations. 

To ensure better transparency, organizations will also be required to produce and maintain documents such as privacy policies (to be shared with users in terms that everyone can understand), contracts with service providers, and regular impact assessments, for example on the algorithms they employ.

ADPPA vs GDPR: key differences

There are, however, some points where the ADPPA clearly differs from its European counterpart. 

First of all, under GDPR, employees can exercise their rights over their own personal data. At the moment, the ADPPA doesn't apply to employees.

On this point, Nigel Jones, former head of the Google legal team in Europe and now co-founder of The Privacy Compliance Hub, explained that this principle is widely used in the UK and EU countries during employment litigation.

"When there is a dispute between an employer and employee, quite often the employee will ask for all their personal data from the employer as a negotiating tactic. That won't be possible in the US," he said.


Similarly, in its current form, the US privacy bill doesn't appear to apply to public bodies either. According to Jones, this is "very surprising" given that there have been quite a few data breach incidents across public organizations in the US.

Another huge difference from the GDPR is that the ADPPA will apply to US residents only.

However, according to Jones, this is not necessarily a bad thing. Quite the opposite, in fact - he thinks it will allow businesses to manage users' digital rights across the world without any conflicts between the two laws. 

The pre-emption issue

The ADPPA also has another challenge to overcome that could slow its path to becoming law: the issue of pre-emption.

This is indeed a point that sparked quite a few discussions amongst lawmakers, privacy advocates and internet users. 

According to the ADPPA's pre-emption principle, no state will be allowed to enforce its own regulations on the same privacy issues that the federal law will cover. This will de facto replace existing statutes like California's Consumer Privacy Rights Act.

However, according to privacy advocacy group the Electronic Frontier Foundation (EFF), the ADPPA isn't strong enough to replace existing and future state privacy laws. They believe it also hinders the ability to quickly shape privacy rules to keep up with an ever-changing digital technology sector.

This is why House Speaker Nancy Pelosi declared that she would not hold a vote on the ADPPA unless the issues around pre-emption are addressed further.


At the same time, more than 50 organisations are urging Pelosi to vote for the ADPPA as soon as possible despite its weaknesses. These include privacy advocates Access Now, Electronic Privacy Information Center (EPIC) and Swiss-based cybersecurity firm Proton, provider of the top Proton VPN.

In a joint statement, they wrote: "We fear that a failure to move the bill in this Congress will forestall progress on this issue for years to come.

"We will continue to work to improve the bill as it moves to the floor and concerns are considered."

What's next?

With growing concerns about ADPPA's current version and the midterm elections approaching, it looks like US citizens will still need to wait a little longer before having their right to privacy fully protected at a federal level. 

And, along the path, the discrepancies between the American Data Privacy and Protection Act and the UK/EU General Data Protection Regulation might even get more substantial. 

Finding a compromise that could bring the necessary data privacy protection for both businesses and individuals isn't an easy task, especially in a place like the US. 

"I think that politically the US is a different place to Europe," said privacy law expert Nigel Jones. "You could say that in the US business is valued a little higher than individuals. Therefore, they're just coming at it from a different way and the compromise they reach will be a different compromise to the one that we have reached." 

Despite this, he thinks that the prospect of a federal privacy law in the US is still a very good thing for citizens.

"In Europe we've had a European data protection law for decades and so individuals' privacy has been protected for a very long time in a way that it's never been protected in the US." 

Chiara Castro
Senior Staff Writer
