Climate change poses a significant challenge to our planet, our personal lives and our businesses.
Right now, there’s probably at least one area of your business facing transformative change driven by technology or digital risk.
The vast majority of businesses operate in and benefit from the urban environment.
Published on 8th Aug 2022
The American Data Privacy and Protection Act (ADPPA) is on its way to changing the face of US data protection legislation on a federal level. This will impose new data protection obligations on organizations operating in the U.S. But how does this proposed legislation stack up to the GDPR? Osborne Clarke has reviewed and analysed the new amended ADPPA bill and has compared it against the GDPR. While the in-depth analysis is available for download below, this Insight summarizes our key findings.
The ADPPA was introduced in the U.S. House of Representatives in July of 2022. This is the first time that a federal privacy legislation in the US has advanced to the full chamber vote of the House. The introduction of the ADPPA marks a significant milestone, even if the further legislative process is expected to be delayed by the U.S. midterm elections in November this year.
The ADPPA, if and when adopted by the U.S. federal legislators, will be the first federal privacy legislation with the aim of harmonizing privacy rules in the US. The status quo of data protection developments in the US varies on a state by state basis. The California Consumer Privacy Act from 2018 (which came into effect in 2020) was followed by state privacy acts in Colorado, Connecticut, Utah, and Virginia, as well as active bills currently discussed by the state legislators in Massachusetts, Minnesota, New Jersey, Ohio, or Pennsylvania, which resulted in a very fragmented privacy landscape in the U.S.
The general concept of the ADPPA is similar to many other national privacy laws, including the GDPR. Examples of these similarities include (in general terms):
There are key differences to the application of the ADPPA. Examples of these differences between the amended ADPPA bill and the GDPR are as follows:
Whilst the ADPPA would create a data protection regime in the USA which is more similar to that of the EU under the GDPR, the ADPPA is in many ways different to the GDPR. Should the ADPPA come into force, multi-national companies will need to know the details of the new legislation. Such companies should also understand how the requirements of the ADPPA can be addressed by leveraging any compliance documentation and procedures already existing at the company in order to avoid a fragmented and unharmonized privacy compliance program. As global privacy compliance programs are often times built on the GDPR requirements, it will be key to understand the similarities and differences between the ADPPA and the GDPR.
In addition, the increasing number of U.S. state legislation on privacy may be an additional compliance challenge depending on how the U.S. will solve the question of pre-emption (see no. 17 of the in-depth analysis).
As concerns data transfers under the GDPR to the U.S. in light of the Schrems II decision, we expect that the ADPPA will not have a significant positive impact because the definition of “covered data” protected by the ADPPA only applies to data of U.S. residents.
Do you need any assistance with data protection? We have a number of specialists around the globe on hand to help your business, just contact us below.
Click here to download the in-depth analysis of the ADPPA and GDPR comparison.
* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.