A modified 143 page “American Data Privacy and Protection Act” (ADPPA) (H.R. 8152) requires multiple editions of the Wavelength. This one covers the provisions on “corporate responsibility,” enforcement, the limited private right of action, and the complex preemption provisions.
As the sponsors of ADPPA, three of the four so-called corners of the Commerce Committees in Congress, modify the package to keep stakeholders happy and onsides, the bill has grown. Numerous changes and tweaks have changed many of the details even if the basic framework remains the same. In some places the bill’s protection of people in the United States (U.S.) is increased, while in others it is weakened.
As mentioned, there are some very significant changes to the underlying bill, and this is the final installment on the bill itself, focusing on Titles III and IV.. The previous two editions focused on the definitions and Titles I and II.
Title III (“Corporate Responsibility”) begins with Section 301 (“Executive Responsibility”), which is modified through additional language making clear that “an executive officer” of a large data holders (LDH) must maintain “internal reporting structures” to ensure the LDH’s he or she is involved with and responsible for the organization’s compliance with ADPPA. The previous iteration required only “reporting structures.” I suppose the change was made to ensure Section 301 could not be read to allow the Federal Trade Commission (FTC) to require LDHs to permit the agency to be a party to these processes of internal accountability.
In Section 301(b), “good faith” is defined with respect to the annual certification LDHs must make to the FTC they have the internal controls and reporting structures that involve senior leadership to ensure compliance with ADPPA. These certifications must be in “good faith,” which “if the certifying officer had, after a reasonable investigation, reasonable ground to believe and did believe, at the time that certification was submitted, that the statements therein were true and that there was no omission to state a material fact required to be stated therein or necessary to make the statements therein not misleading.” The “certifying officer” seems to be the “certifying executive officer” mentioned in the sentence before and in 301(a), and so an executive officer who might be a CEO, a COO, or some other senior official. The impetus for this sort of provision is that the Mark Zuckerberg’s and Jack Dorsey’s of the world would be personally involved in certifying compliance and presumably personally liable for violations. My read of this language is that some other official can be responsible, say a Sheryl Sandberg, sparing a CEO from the responsibility and liability.
Moreover, in terms of the good faith certification, the executive officer needs to conduct a “reasonable investigation” and have “reasonable ground” to believe the certification was true at the time it was submitted. These are terms and thresholds the FTC may elucidate during its rulemaking on this section. Otherwise, these are malleable concepts LDHs will seek to construe in their favor, quite likely in ways that defeat the intent of these provisions.