ADPPA Examined, Part III (Free Preview)



A modified 143-page “American Data Privacy and Protection Act” (ADPPA) (H.R. 8152) requires multiple editions of the Wavelength. This one covers the provisions on “corporate responsibility,” enforcement, the limited private right of action, and the complex preemption provisions.


As the sponsors of ADPPA, three of the four so-called corners of the Commerce Committees in Congress, modify the package to keep stakeholders happy and onside, the bill has grown. Numerous tweaks have altered many of the details even if the basic framework remains the same. In some places the bill’s protection of people in the United States (U.S.) is increased, while in others it is weakened.


As mentioned, there are some very significant changes to the underlying bill, and this is the final installment on the bill itself, focusing on Titles III and IV. The previous two editions focused on the definitions and Titles I and II.

Title III (“Corporate Responsibility”) begins with Section 301 (“Executive Responsibility”), which is modified through additional language making clear that “an executive officer” of a large data holder (LDH) must maintain “internal reporting structures” to ensure that he or she is involved with and responsible for the organization’s compliance with ADPPA. The previous iteration required only “reporting structures.” I suppose the change was made to ensure Section 301 could not be read to allow the Federal Trade Commission (FTC) to require LDHs to permit the agency to be a party to these processes of internal accountability.

In Section 301(b), “good faith” is defined with respect to the annual certification LDHs must make to the FTC that they have the internal controls and reporting structures that involve senior leadership to ensure compliance with ADPPA. These certifications must be in “good faith,” which exists “if the certifying officer had, after a reasonable investigation, reasonable ground to believe and did believe, at the time that certification was submitted, that the statements therein were true and that there was no omission to state a material fact required to be stated therein or necessary to make the statements therein not misleading.” The “certifying officer” seems to be the “certifying executive officer” mentioned in the sentence before and in 301(a), and so an executive officer who might be a CEO, a COO, or some other senior official. The impetus for this sort of provision is that the Mark Zuckerbergs and Jack Dorseys of the world would be personally involved in certifying compliance and presumably personally liable for violations. My read of this language is that some other official can be responsible, say a Sheryl Sandberg, sparing a CEO from the responsibility and liability.

Moreover, in terms of the good faith certification, the executive officer needs to conduct a “reasonable investigation” and have “reasonable ground” to believe the certification was true at the time it was submitted. These are terms and thresholds the FTC may elucidate during its rulemaking on this section. Otherwise, these are malleable concepts LDHs will seek to construe in their favor, quite likely in ways that defeat the intent of these provisions.

Other Developments

The United States (U.S.) Cybersecurity and Infrastructure Security Agency (CISA) published a “Request for Information (RFI)” to obtain input on the regulations it must promulgate on a mandatory cyber incident and ransomware reporting system as established in the “Cyber Incident Reporting for Critical Infrastructure Act of 2022” (CIRCIA) (Title Y of P.L. 117-103). CISA also issued notice of upcoming “listening sessions” to help the development of these regulations.

European Data Protection Board (EDPB) Chair Andrea Jelinek and European Data Protection Supervisor (EDPS) Wojciech Wiewiórowski sent an open letter to the European Parliament and the European Council expressing their deep concern “that the 2023 budget, if not substantially increased, will be significantly too small to allow the EDPB and the EDPS to fulfil their tasks appropriately.”

The United States (U.S.) Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned “Iran’s Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence for engaging in cyber-enabled activities against the United States and its allies.”

Californians for Consumer Privacy, the group behind enactment of both the “California Consumer Privacy Act” and the “California Privacy Rights Act,” wrote Speaker of the House Nancy Pelosi (D-CA) “to oppose H.R. 8152, the American Data Privacy and Protection Act (ADPPA), which would pre-empt the strongest privacy law in the nation, the California Privacy Rights Act (CPRA), and eliminate the fundamental privacy rights almost 9.4 million Californians voted to enact in 2020.”

The United Kingdom’s (UK) Competition and Markets Authority and Office of Communications issued a joint statement on online safety and competition in digital markets that sets out the agencies’ “shared views on the interactions between competition and online safety.”

The Australian Competition and Consumer Commission (ACCC) announced that its “Digital Platforms Services Inquiry will examine the state of competition for social media services in Australia as part of the sixth interim report of the ACCC’s five-year Digital Platform Services Inquiry.”

United States (U.S.) Senate Judiciary Committee Chair Dick Durbin (D-IL) and Ranking Member Chuck Grassley (R-IA) wrote to Twitter CEO Parag Agrawal in advance of today’s hearing with Twitter whistleblower Peiter “Mudge” Zatko “regarding recent allegations that Twitter has turned a blind eye to foreign intelligence infiltration, does not adequately protect user data, and has provided misleading or inaccurate information about its security practices to government agencies.”

The New Jersey Department of Labor and Workforce Development (NJDOL) announced that “Uber Technologies Inc. and a subsidiary have submitted a $100 million payment to the NJDOL Unemployment Trust Fund after an audit found the ride-share companies improperly classified hundreds of thousands of drivers as independent contractors, depriving them of crucial safety-net benefits such as unemployment, temporary disability and family leave insurance, and failed to make required contributions toward unemployment, temporary disability and workforce development.”

President Joe Biden signed an executive order “on Advancing Biotechnology and Biomanufacturing Innovation for a Sustainable, Safe, and Secure American Bioeconomy.”

An Australian Federal Court “ordered Google LLC to pay $60 million in penalties for making misleading representations to consumers about the collection and use of their personal location data on Android phones between January 2017 and December 2018, following court action by the Australian Competition and Consumer Commission (ACCC).”

Further Reading

“Senators blast Twitter’s alleged security failures as whistleblower testifies” By Jon Brodkin — Ars Technica

“Twitter whistleblower exposes limits of FTC’s power” By Cat Zakrzewski and Joseph Menn — Washington Post

“Twitter Reached $7 Million Settlement With Whistle-Blower” By Kate Conger — New York Times

“Google faces €25bn lawsuit in UK and EU over digital advertising” By Dan Milmo — The Guardian

“Starlink appeals FCC rejection of $886M grant, calls reversal ‘grossly unfair’” By Jon Brodkin — Ars Technica

“A Cyber Workforce Strategy is Coming From the White House, Along with an Implementation Body to Make Sure it Works” By Natalie Alms — Nextgov

“Disinformation via text message is a problem with few answers” By Kevin Collier — NBC News

“Montenegro wrestles with massive cyberattack; Russia blamed” — Associated Press

“‘I didn’t want it anywhere near me’: how the Apple AirTag became a gift to stalkers” By Anna Moore — The Guardian

“What TikTok and Facebook may track with their in-app browsers” By Tatum Hunter — Washington Post

Coming Events

§ 12 September

o   The European Data Protection Board will hold a plenary meeting with this agenda.

§ 13 September

o   The European Data Protection Board will hold a plenary meeting with this agenda.

o   The United States (U.S.) Senate Judiciary Committee will hold a hearing titled “Data Security at Risk: Testimony from a Twitter Whistleblower.”

§ 14 September

o   The United States (U.S.) Senate Judiciary Committee’s Privacy, Technology, and the Law Subcommittee will hold a hearing titled “Protecting Americans’ Private Information from Hostile Foreign Powers.”

o   The United States (U.S.) Senate Homeland Security and Governmental Affairs Committee will hold a hearing titled “Social Media’s Impact on Homeland Security.”

o   The United States (U.S.) House Small Business Committee’s Rural Development, Agriculture, Trade, and Entrepreneurship Subcommittee will hold a hearing titled “Right to Repair and What it Means for Entrepreneurs.”

§ 15 September

o   The United States (U.S.) House Homeland Security Committee’s Cybersecurity, Infrastructure Protection, and Innovation Subcommittee will hold a hearing titled “Building on our Baseline: Securing Industrial Control Systems Against Cyberattacks.”

o   The United States (U.S.) House Agriculture Committee will hold a hearing titled “A 2022 Review of the Farm Bill: Broadband.”

§ 19 September

o   The President's National Infrastructure Advisory Council will hold a meeting.

§ 29 September

o   The United States (U.S.) Federal Communications Commission (FCC) will hold an open meeting with this agenda.

§ 4 October

o   The United States (U.S.) Cybersecurity and Infrastructure Security Agency (CISA) will host its 5th Annual Cybersecurity Summit in Atlanta, Georgia.

§ 10 October

o   The European Data Protection Board will hold a plenary meeting.

§ 11 October

o   The European Data Protection Board will hold a plenary meeting.

§ 19 October

o   The United States (U.S.) Federal Trade Commission (FTC) will hold a virtual event “to examine how best to protect children from a growing array of manipulative marketing practices that make it difficult or impossible for children to distinguish ads from entertainment in digital media.”

§ 26 October

o   The United States (U.S.) Information Security and Privacy Advisory Board (ISPAB) will hold a meeting.

§ 27 October

o   The United States (U.S.) Information Security and Privacy Advisory Board (ISPAB) will hold a meeting.

§ 1 November

o   The United States (U.S.) Federal Trade Commission (FTC) will hold PrivacyCon.
