ADPPA vs GDPR: how does the proposed US law compare to EU privacy standards?

Virtual cyber security creative concept on US flag and city background. Double exposure
(Image credit: Pixels Hunter/Shutterstock)

While many Internet users are looking to secure their personal data with the best VPN services, governments across the world have been busy crafting ad-hoc legislations to protect citizens' privacy and prevent businesses from exploiting their sensitive information for commercial purposes. 

Since 2018, people living in the EU and the UK have benefited from the protection of a comprehensive privacy law, the General Data Protection Regulation (GDPR). This legislation has functioned as a base for further regulations worldwide.  

Four years later, it could finally be the time for US citizens to have more control over their data. Making its way through the House floor right now, the American Data Privacy and Protection Act (ADPPA) has the potential to become the first comprehensive federal privacy law in the US. At the moment, just a handful of States enforce their own regulations.  

Despite the fact the legislative process is still ongoing and the current text might change, let's compare how people in Europe and the US could have their privacy rights preserved. 

ADPPA vs GDPR: key similarities

Both the ADPPA and GDPR seek to give internet users better control over their personal data, preventing organizations from wildly exploiting this information for commercial purposes whilst undermining citizens' constitutional right to privacy. 

Therefore, the two legislations are based on similar fundamental principles. These include data minimization, transparency, necessity and proportionality.

"In Europe we've had a European data protection law for decades and so individuals have always been protected. Their privacy has always been protected for a very, very long time in a way that they've never been protected in the US."

Nigel Jones, The Privacy Compliance Hub

As the name implies, data minimization refers to the practice of collecting as little personal data as possible about users. Data collection is then allowed to fulfill a necessity - like payment details for eCommerce sites like Amazon - while being proportionate to the nature of the service. Similarly to the GDPR, the ADPPA identifies a different array of "covered entities" that will be subjected to specific obligations. 

To ensure better transparency, organizations will also be required to produce and maintain documents like privacy policies - to be shared with users in a way that everyone can understand their terms - and contracts with service providers and regular impact assessments - on the algorithms they employ, for example. 

ADPPA vs GDPR: key differences

There are, however, some points where the ADPPA clearly differs from its European counterpart. 

First of all, under GDPR, employees can exercise their rights over their own personal data. At the moment, the ADPPA doesn't apply to employees.

Talking about this point, former head of the Google legal team in Europe and now co-founder of The Privacy Compliance Hub Nigel Jones explained that this principle is largely used in the UK and rest of EU countries during employment litigation. 

"When there is a dispute between an employer and employee, quite often the employee will ask for all their personal data from the employer as a negotiating tactic. That won't be possible in the US," he said.


(Image credit: Pixabay)

Similarly, under the current form, the US privacy bill doesn't appear to apply to public bodies either. According to Jones this is "very surprising" being that there's been quite of few incidents of data breaches across public organizations in the US.  

Another huge difference with the GDPR is that the ADDPA will apply to US residents only

However, according to Jones, this is not necessarily a bad thing. Quite the opposite, in fact - he thinks it will allow businesses to manage users' digital rights across the world without any conflicts between the two laws. 

The pre-emption issue

The ADPPA has also another challenge to overcome that could slow down its legislative process to become law: the issue around pre-emption. 

This is indeed a point that sparked quite a few discussions amongst lawmakers, privacy advocates and internet users. 

According to the ADPPA's pre-emption principle, no States will be allowed to enforce their own regulations on the same privacy issues that the federal law will cover. This will de-facto substitute previous statutes like the California's Consumer Privacy Rights Act.

However, according to privacy advocates group the Electronic Frontier Foundation (EFF), the ADPPA isn't strong enough to replace existing and future state privacy laws. They believe is also hinders the ability to quickly shape privacy rules to keep up with an ever-changing digital technologies sector. 

This is why House Speaker Nancy Pelosi declared that she would not hold a vote on the ADPPA unless the issues around pre-emption are addressed further.

At the same time, more than 50 organisations are urging Pelosi to vote for the ADPPA as soon as possible despite its weaknesses. These include privacy advocates Access Now, Electronic Privacy Information Center (EPIC) and Swiss-based cybersecurity firm Proton, provider of the top Proton VPN

In a joint statement, they wrote: "We fear that a failure to move the bill in this Congress will forestall progress on this issue for years to come.

"We will continue to work to improve the bill as it moves to the floor and concerns are considered."

What's next?

With growing concerns about ADPPA's current version and the midterm elections approaching, it looks like US citizens will still need to wait a little longer before having their right to privacy fully protected at a federal level. 

And, along the path, the discrepancies between the American Data Privacy and Protection Act and the UK/EU General Data Protection Regulation might even get more substantial. 

Finding a compromise that could bring the necessary data privacy protection for both businesses and individuals isn't an easy task, especially in a place like the US. 

"I think that politically the US is a different place to Europe," said privacy law expert Nigel Jones. "You could say that in the US business is valued a little higher than individuals. Therefore, they're just coming at it from a different way and the compromise they reach will be a different compromise to the one that we have reached." 

Despite this, he thinks that the prospects of a federal privacy law in the US is still a very good thing for citizens.   

"In Europe we've had a European data protection law for decades and so individuals' privacy has been protected for a very long time in a way that it's never been protected in the US." 

Chiara Castro
Senior Staff Writer

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to