2024-W15: Draft of US Federal Privacy Bill, EU-US AI Collaboration, ICO targets child privacy online and more
Eli Atanasov, CIPP/E, PhD
I help businesses put their privacy compliance on autopilot, saving them time and money in the process.
Hi privacy navigators,
Here is the latest from the Privacy Navigator - your one-stop destination for everything privacy. Another week full of news and resources has passed by. Here are the highlights:
Bipartisan Draft of US Federal Privacy Bill Announced
After more than two years in the making, the US adopts a first draft of a new bipartisan federal privacy protection law - the American Privacy Rights Act (APRA).
The proposed 53-page bill advocates for stringent data protection measures including data minimization and enhanced consumer rights. These rights would allow individuals to opt out of targeted advertising and to access, correct, export, or delete their personal data. Notably, the bill introduces robust data security requirements, establishes a national data broker registry, and includes an "executive responsibility" section aimed at bolstering corporate accountability in data handling.
A standout feature of the APRA is its civil rights protections, prohibiting the discriminatory use of personal data in critical areas such as housing, employment, healthcare, credit and others. This provision seeks to curb abuses in algorithmic decision-making by allowing individuals to opt out of such processes.
The bill also addresses a longstanding contentious issue—state preemption. While it would override certain state privacy laws, it respects state regulations concerning civil rights and consumer protection, among others. It includes a pivotal clause from California allowing citizens to sue for damages resulting from data breaches, significantly reducing the barrier to legal recourse for consumers.
As we look toward the future of this pivotal legislation, Brandon Pugh of R Street, who penned an analysis of the draft bill, reminds us that "there is still a long path forward" in the legislative process. Acknowledging the necessity for compromise, Pugh emphasizes that finding a middle ground is essential "to make a federal bill a reality and to ensure it best balances the needs of consumers, industry, innovation, and security."
See the full text of the American Privacy Rights Act (APRA) section-by-section draft here.
See the full text of the American Privacy Rights Act discussion draft here.
This week's edition is sponsored by Conformally.
If you are a privacy professional and want to do your job even better and faster, check out Conformally. Manage and collaborate on everything - DPIAs, Vendors, DSARs, Policies, and more. Try free for 7 days.
EU-US Generative AI Collaboration
In a significant development for artificial intelligence (AI) governance, the EU and US are reportedly advancing discussions on a joint framework for regulating generative AI, despite a lack of updates following their scheduled meeting on April 4-5. A draft statement, which Euractiv had access to prior to the sixth ministerial meeting of the EU-US Trade and Technology Council (TTC), highlighted these ongoing talks.
The EU has already implemented comprehensive AI regulations with binding measures, contrasting the US approach of non-binding guidelines set by an executive order. Both entities are exploring closer collaboration through their respective AI offices—the newly-formed AI Office at the European Commission and the US AI Safety Institute—aiming to align their efforts more closely.
The discussions have included potential cooperation to develop a framework for evaluating generative AI, which can create realistic audio, images, and video. This technology is particularly scrutinized given its implications during an election-heavy year globally, including significant polls in Europe and the US.
Kentucky Enacts Consumer Data Protection Act
Kentucky has officially joined the ranks of states with comprehensive privacy laws by enacting the Kentucky Consumer Data Protection Act (KCDPA), signed into law by Governor Andy Beshear on April 4, 2024. This marks Kentucky as the third state this year, following New Jersey and New Hampshire, and the fifteenth overall, to adopt such legislation. The KCDPA, which mirrors aspects of the Virginia Consumer Data Protection Act, is set to take effect on January 1, 2026.
The law targets "controllers"—businesses operating within Kentucky or targeting Kentucky residents. It applies to those handling personal data of at least 100,000 consumers, or 25,000 if they derive more than half their gross revenue from selling personal data. This threshold is consistent with similar provisions in states like California and Virginia.
Under the KCDPA, consumers gain several rights including confirming the processing of their data, correcting inaccuracies, deleting their data, obtaining copies of their data, and opting out of data processing for targeted advertising, sales, or profiling that leads to significant decisions. Notably, Kentucky's law does not include some of the broader consumer rights found in New Jersey and New Hampshire, such as revoking consent and recognizing universal opt-out signals.
The KCDPA exempts certain entities like financial institutions and state agencies and applies only to specific data types, like protected health information. Enforcement is solely the purview of the state's attorney general, with no private right of action allowed, and violations can attract fines of up to $7,500 per incident. Unlike some other states, Kentucky's law does not sunset the mandatory 30-day cure period before enforcement actions can commence, giving businesses a consistent opportunity to rectify issues.
ICO Targets Enhanced Child Privacy Protections Online
The UK's Information Commissioner's Office (ICO) has announced its focus for the 2024-2025 period, emphasizing the need for enhanced privacy protections for children online. This directive targets social media and video-sharing platforms, urging them to elevate their data protection practices to safeguard young users.
Since implementing the Children’s Code of Practice in 2021, the ICO has seen substantial progress in how online services, including websites, apps, and games, manage the personal information of children. These services are now more aware of privacy risks and are working to mitigate them.
For the coming year, the ICO has outlined several priority areas under the new Children's Code strategy. These include setting default privacy and geolocation settings to protect children's locations and personal details automatically. There is also a call for a reduction in profiling children for targeted advertisements, which can undermine their autonomy and potentially expose them to financial risks through incentivized in-app purchases.
Another significant concern is the use of children's data in recommender systems, which can inadvertently direct them to harmful content. Additionally, the ICO stresses the importance of obtaining proper consent for using personal information of children under 13, requiring parental approval and reliable age verification methods.
John Edwards, the UK Information Commissioner, highlighted the global nature of children's privacy, stressing the need for international cooperation to enhance protections. The ICO plans to engage further with other UK regulators like Ofcom and counterparts worldwide to elevate global data protection standards for children.
ECJ Rules Against EU Biometric ID Law (it's not what you think)
The European Court of Justice (ECJ) has delivered a pivotal ruling on the legality of a 2019 EU regulation that mandated EU citizens to include their fingerprints on national identification cards. On Thursday (21 March), the ECJ found that this regulation was based on an incorrect legal foundation and declared it invalid. However, it upheld that the collection of two fingerprints, although it impinges on fundamental rights, is justified for security purposes.
Despite the ruling, the regulation will remain in effect until a new law is enacted or until December 2026 at the latest, to allow EU legislators time to establish a new regulation on the appropriate legal basis. Originally, the regulation required unanimity in the Council, a condition not met when the Czech Republic and Slovakia voted against it.
The requirement has been contentious, particularly in Germany where it was implemented in 2021. Digitalcourage, a German data rights group, has been a vocal critic, arguing that fingerprint collection infringes on the European Charter of Fundamental Rights. The group highlights the irreversible nature of biometric data as a key issue, noting that unlike passwords, fingerprints cannot be altered once compromised.
The implications of the ECJ's decision are significant. If a new agreement is not reached by the deadline, national authorities may need to issue ID cards without fingerprint data and could have to delete existing biometric data. This situation underscores ongoing concerns about the security and appropriateness of storing biometric data, especially given the risks of data breaches and the broad potential for misuse under current regulations which allow member states to decide how fingerprints may be used beyond ID creation.
The ruling caps a lengthy legal battle initiated by Digitalcourage, which included a temporary suspension of the fingerprint requirement by the Hamburg Administrative Court pending the ECJ's decision.
Privacy Navigator
We have added new resources to the Privacy Navigator. You can enjoy:
That's all for now, see you next week!
Eli
email: [email protected]