Yesterday, the House Energy and Commerce Committees on Consumer Protection and Commerce held a hearing on the draft American Data Privacy and Protection Act. While substantial challenges still exist, this hearing proved more productive and more hopeful. In past hearings, including ones where I was asked to testify, the two parties seemed highly opposed, more interested in making their points, and holding their ground than trying to find a position that works for everyone. But in this case, the tone and atmosphere were different, as if both sides were genuinely trying to find a solution.
A prominent Democrat, Frank Pallone of New Jersey, and a prominent Republican, Cathy McMorris-Rodgers of Washington, co-sponsored the ADPPA giving it cross-chamber and cross-party support. The Act is also supported by at least several of the FTV commissioners.
However, it is not all easy going, as highlighted by the eight people who testified and the questions from members of the sub-committee, with each and every one asking for some type of change. Most prevalent were discussions about the traditional hot buttons: Private Right of Action, protection for minors, and level of preemption. The limited PRA still was too much for many of those who spoke and the chamber of commerce, while children’s privacy didn’t go far enough. Evidently, state preemption is a more complicated issue for the courts and there seemed to be concern about exemptions to this or if this was the right bill that could even test these limits, with some on the side strengthening and some on the side of eliminating preemption.
I think this Act does, as they said in their press release, “strike a meaningful balance” and contains a “robust set of consumers’ data privacy rights” and “appropriate enforcement mechanisms.” I have a renewed sense of optimism that it may lead to a comprehensive law, but considerable work remains to keep this consolidated bipartisan collaboration from splitting apart.
I personally think the focus on data minimization and privacy by design are some of the best and most important elements in the real-world implementation of this Act. Better alignment with GDPR may enable a US-EU cross-boarded data transfer agreement that holds up to EU court scrutiny via the Privacy Shield framework agreement in principle and would be a highly welcomed consequence if this is passed as well.