Next stop: House Floor. ADPPA passes Commerce and Energy Committee

Commerce and Energy Committee votes #ADPPA to move to House floor!

For the changes in the AINS (Amendment in the Nature of a Substitute), see my article from yesterday: https://www.dhirubhai.net/pulse/ains-lovely-adppa-amendment-nature-substitute-out-what-odia-kagan

Below are the key changes in the additional amendments passed (kindly redlined by the Future of Privacy Forum with many thanks to them and h/t to IAPP's Cobun Zweifel Keegan: https://www.dhirubhai.net/posts/cobun_adppa-hr-8152-redline-622-vs-720-activity-6955687956804206592-ojFz/):

  • Specific duty to identify and mitigate privacy risks related to covered minors to result in reasonably necessary and proportionate residual risk to covered minors (Castor and Walberg)
  • FTC to consult with NIST in connection with establishing processes for practices and procedures to secure covered data against unauthorized access (McNerney and Curtis)
  • Narrowing the obligation to appoint a privacy and data security officer to covered entities or service providers that have more than 15 employees (Carter and Craig)

Service providers: (Hudson and O'Halleran)

  • Required to "adhere to the instructions of covered entity".
  • The section clarifies how service providers are to assist covered entities in fulfilling consumer requests - namely - by (1) providing appropriate technical and organizational measures, taking into account the nature of the processing (Hello GDPR Art 28 language); (2) complying with the request per the covered entity's instructions; or (3) providing written verification to the covered entity that the service provider doesn't hold covered data related to the request.
  • Service provider agreement needs to require that downstream service providers (like GDPR sub-processors) also be treated as a service provider.
  • Pursuant to covered entity's request, service providers must provide the covered entity with the information necessary for the covered entity to conduct a DPIA (Hi again, GDPR Art 28/35).
  • Service provider must allow, and cooperate with, reasonable assessments by the covered entity or the covered entity's designated assessor, OR arrange for a qualified and independent assessor to conduct an assessment of the service provider's policies and technical and organizational measures using an appropriate and accepted control standard or framework and assessment procedure for such assessments, and provide a report to the covered entity upon request.
  • Service provider is not allowed to combine service provider data with data it receives from or on behalf of another person from its interaction with an individual unless necessary to effectuate a permissible purpose and otherwise permitted by the covered entity-service provider contract.
  • A person that is not limited in its processing of covered data pursuant to the instructions of a covered entity, or that fails to adhere to such instructions, is a covered entity and not a service provider with respect to a specific processing of covered data. If a service provider begins, alone or jointly with others, determining the purposes and means of the processing of covered data, it is a covered entity and not a service provider with respect to the processing of such data (Hello GDPR purpose and means controller processor analysis).
  • Service providers can also be service providers of government entities.

David T. Blonder

Privacy Fixer and Process Builder, Collaborative, Business Enablement-Focused Legal Team Leader

2 years ago

Where is Privacy Pitbull?
