ADPPA vs. CPRA (Free Preview)

ADPPA is marginally stronger than the CPRA.

Many California based or affiliated proponents of the “California Privacy Rights Act” (Proposition 24) (CPRA) have argued that the American Data Privacy and Protection Act” (ADPPA) (H.R. 8152) is weaker and would leave Californians with diminished privacy rights. There has been pushback from national civil liberties and privacy groups that have argued the contrary. Hence, this edition of the Wavelength will compare and contrast the two bills to see which side has the better case.

Even before the House Energy and Commerce Committee marked up and reported out an amended version of the “American Data Privacy and Protection Act” (ADPPA) (H.R. 8152), proponents of California’s data privacy laws have been claiming the latter regime provides better protection for residents of California. These claims have been part of overt and covert efforts to press California Members, especially those in the House, to oppose ADPPA unless and until language is added softening the language preempting state privacy laws or ideally exempting California’s state privacy law. When the committee considered the bill, only the eight California Democrats on the committee voted for an amendment to carveout California.

Thereafter, ADPPA hit the considerable roadblock named Speaker of the House Nancy Pelosi’s (D-CA). It is not news that Speaker Nancy Pelosi (D-CA)  has been iffy on any data privacy law that would preempt California’s laws. In 2019, Pelosi said“[w]e in California are not going to say, “You pass a law that weakens what we did in California.”..[t]hat won’t happen.” In a recent statement, Pelosi asserted that “Governor Newsom, the California Privacy Protection Agency and top state leaders have pointed out the American Data Privacy and Protection Act does not guarantee the same essential consumer protections as California’s existing privacy laws.” It is interesting that Pelosi herself is not making the claims that ADPPA falls short; rather she is quoting Newsom, the CPPA, and state officials. This could give Pelosi the wriggle room she needs to permit the House to pass something short of what California state officials want. Moreover, their claims that ADPPA is weaker than California’s privacy laws, the soon-to-be moot “California Consumer Privacy Act” (AB 375) (CCPA) and soon-to-be operative “California Privacy Rights Act” (Proposition 24) (CPRA), is debatable.

Pelosi’s refusal to bring ADPPA to the floor without major change has endangered the quid pro quo that gave us the bill. For years, Democrats have resisted preemption of state privacy laws when California had the only data privacy law in the U.S. Republicans and many industry stakeholders demanded one national data privacy standard because they claimed businesses would not be able to navigate many different state privacy laws. And yet, U.S. businesses have managed to navigate different data breach laws in every state and territory, but I digress. However, after extensive negotiation and the passage of weaker state laws, key Congressional stakeholders came to agreement. The bargain they struck would preempt almost all state privacy laws in exchange for one of the strongest data privacy laws that has ever received serious legislative consideration. If Pelosi prevails in rolling back the preemption provisions, Republicans would lose a significant incentive to support the bill, probably leading to the collapse of the effort to pass data privacy legislation in this Congress.

Given how crucial preemption of state laws is to the bargain struck on U.S. data privacy legislation, if Pelosi and California Democrats insist on something less than full preemption, the effort to pass ADPPA could fall apart before coming to a vote in the House. In any event, Senate Commerce, Science, and Transportation Committee Chair Maria Cantwell (D-WA) opposes ADPPA for different reasons, making passage of the bill all but impossible at present.

As all this was occurring, some stakeholders were making their views public on which bill is better. In early July, the CPPA sent Pelosi a memorandum on how ADPPA “could remove protections from Californians, likely including nearly all of the authority for the CPPA, the independent agency that implements regulations and will provide administrative enforcement of the law; California’s unique privacy floor that prevents protections from being weakened in the future; could preclude the California legislature (and the public through the ballot initiative) from adding new, stronger protections; and compromise additional existing protections.” In mid-August, the CPPA wrote Pelosi and House Minority Leader Kevin McCarthy (R-CA) arguing that “ADPPA’s sweeping preemption seeks to remove important protections and significantly weaken the privacy Californians currently enjoy under the CCPA…[and] could nearly eliminate the ability of the California Privacy Protection Agency, the first data protection authority in the United States, to fulfill its responsibility to protect Californians’ privacy rights.” The Californians for Consumer Privacy (CCP), the organization behind enactment of the CPPA and CPRA, claimed the CPRA is stronger than ADPPA and wrote Pelosi making their case for the CPRA earlier this month.

A number of advocacy organizations think ADPPA is stronger and are urging lawmakers to pass the bill. In response to the mid-July CPPA memorandum, the Center for Democracy and Technology (CDT), Electronic Privacy Information Center (EPIC) and the Lawyers' Committee for Civil Rights Under Law made available a side-by-side comparison of ADPPA and the CPRA and found the former to be much stronger. In late August, “48 civil rights, privacy, and consumer organizations” wrote Pelosi urging her “to expeditiously move H.R. 8152, the American Data Privacy and Protection Act (ADPPA), to a vote by the full House of Representatives.”

The United States (U.S.) Senate Judiciary Committee voted the “Journalism Competition and Preservation Act of 2021” (S.673) out of committee after adopting a revised bill.

The United Kingdom’s Information Commissioner’s Office (ICO) has issued a preliminary decision (i.e. a notice of intent) to fine TikTok “£27 million fine after an ICO investigation found that the company may have breached UK data protection law, failing to protect children’s privacy when using the TikTok platform.” In the past, the ICO reduced initial fines on other multinationals like Marriott (an initial £99.2 million fine became an £18.4 million fine) and British Airways (an initial £183.39 million fine became a £20 million fine.)

The United States (U.S.) Court of Appeals for the Fifth Circuit reversed a trial court and will allow Texas’ House Bill 20 to go into effect.

The United States (U.S.) Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), U.S. Cyber Command Cyber National Mission Force (CNMF), the U.S. Department of the Treasury (Treasury), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), and the United Kingdom’s National Cyber Security Centre (NCSC) released a joint Cybersecurity Advisory (CSA) “to highlight continued malicious cyber activity by advanced persistent threat (APT) actors affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC).”

Denmark’s data protection authority, Datatilsynet, found that Google Analytics “cannot, without more, be used lawfully….[and] [l]awful use requires the implementation of supplementary measures in addition to the settings provided by Google.”

The European Data Protection Board published the binding dispute resolution decision from earlier this year that pushed Ireland’s Data Protection Commission to fine Instagram/Meta €405 million.

The United States (U.S.) Court of Appeals for the Third Circuit reversed a trial court in finding that “publication of [a person’s] sensitive personal information on the Dark Web” met the “injury-in-fact” requirement a litigant needs to satisfy under Supreme Court-created doctrine in order to be able to sue. Recent Supreme Court decisions have increased the threshold plaintiffs must meet to be able to sue in TransUnion LLC v. Ramirez and Spokeo, Inc. v. Robins.

The European Data Protection Supervisor “requested that the Court of Justice of the European Union (CJEU) annuls two provisions of the newly amended Europol Regulation, which came into force on 28 June 2022” that “seriously undermine legal certainty for individuals’ personal data and threaten the independence of the EDPS - the data protection supervisory authority of EU institutions, bodies, offices and agencies.”

United States (U.S.) Representative Anna Eshoo (D-CA) wrote the U.S. Federal Trade Commission (FTC), urging the agency “to investigate Fog Data Science LLC (“Fog”) for a tool it developed using data gathered from surveillance advertising called Fog Reveal, which offers law enforcement the ability to conduct mass surveillance by allowing them to track cell phone locations without a warrant.”

United States (U.S.) Federal Trade Commission (FTC) Chair Lina Khan remarked in a speech that the agency will soon consider a new policy statement on “unfair methods of competition,” which would spell out how the FTC views its authority in this area and how it plans to use its authority.

The White House’s Office of Science and Technology Policy (OSTP) published “its report, Technical Evaluation for a U.S. Central Bank Digital Currency System, which lays out policy objectives for a potential U.S. CBDC system and analyzes key technical design choices for a U.S. CBDC system.”

The United Nations (UN) Office of the United Nations High Commissioner for Human Rights published a report “on privacy in the digital age” that “looks at three key areas: the abuse of intrusive hacking tools (“spyware”) by State authorities; the key role of robust encryption methods in protecting human rights online; and the impacts of widespread digital monitoring of public spaces, both offline and online.”

The United States (U.S.) Securities and Exchange Commission announced a $35 million settlement with Morgan Stanley Smith Barney LLC (MSSB) “stemming from the firm’s extensive failures, over a five-year period, to protect the personal identifying information, or PII, of approximately 15 million customers.”

United States (U.S.) Senator Ron Wyden (D-OR) and U.S. Representative Anna G. Eshoo (D-CA) and other Democratic colleagues wrote the National Telecommunications and Information Administration (NTIA) urging the agency “to upgrade its privacy practices to protect the personal information of .US users.”

The United States (U.S.) Department of Homeland Security (DHS) announced a Notice of Funding Opportunity (NOFO) for the State and Local Cybersecurity Grant Program, “with $185 million available for FY22, to support state, local, and territorial (SLT) efforts to address cyber risk to their information systems.”

New Zealand’s government “is considering potential changes to the notification rules for collecting personal information under the Privacy Act 2020” and the Ministry of Justice “wants to hear from stakeholders and the public on the form and scope of the proposals.”

California Attorney General Rob Bonta issued “a consumer alert providing tips and guidelines to help safeguard your privacy while accessing reproductive or abortion care.”

United States (U.S.) Senator Ben Ray Luján (D-NM) and U.S. Representative Doris Matsui (D-CA) “led U.S. Senators Jeff Merkley (D-OR), Martin Heinrich (D-NM), Ed Markey (D-MA), Richard Blumenthal (D-CT), and Amy Klobuchar (D-MN) to introduce the Digital Equity Foundation Act, legislation to establish a nonprofit foundation to leverage public and private investments to make progress closing the divide on digital equity, digital inclusion, and digital literacy.”

The United States (U.S.) Federal Communications Commission (FCC) announced that “the Broadband Data Task Force (Task Force), together with the Wireline Competition Bureau (WCB) and Office of Economics and Analytics (OEA)[released the] Data Specifications for Bulk Fixed Availability Challenge and Crowdsource Data, which provides guidance as to the requirements in the Commission’s rules and orders for filing bulk challenges, as well as bulk crowdsource information, to the fixed broadband availability data that will be published on the FCC’s Broadband Maps as part of the new Broadband Data Collection (BDC).”

Per President Joe Biden’s March 2020 Executive Order (EO) on Ensuring Responsible Development of Digital Assets, United States (U.S.) agencies released nine reports that “articulate a clear framework for responsible digital asset development and pave the way for further action at home and abroad”

The United States (U.S.) Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) “through the Enduring Security Framework (ESF), have published a paper titled, Open Radio Access Network Security Considerations which assesses the benefits and security considerations with implementing Open RAN architecture.”

France’s Commission Nationale Informatique & Libertés (CNIL) has started a consultation on a draft technical recommendation on application programming interfaces (APIs).

The United States (U.S.) Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) “co-chaired the first meeting of the Joint Ransomware Task Force (JRTF), an interagency body established by Congress to unify and strengthen efforts against the ongoing threat of ransomware.”

The White House named the leadership for “newly-established CHIPS for America offices.”

The United States (U.S.) Government Accountability Office (GAO) issued a report titled “Chief Information Officers: Private Sector Practices Can Inform Government Roles.”

TikTok announced “a series of changes to government, politician, and political party accounts that we believe will help ensure TikTok remains a fun, positive and joyful experience.”

“US expected to publish Privacy Shield executive order next week” By Vincent Manancourt, Alfred Ng, Mark Scott and Eric Geller — Politico EU

“Australia phones cyber-attack exposes personal data” By Shiona McCallum — BBC

“Little Latino visibility in mainstream media, report says, but content dominates streaming” By Edwin Flores — NBC News

“Inside the civil rights campaign to get Big Tech to fight the ‘big lie’” By Naomi Nix — Washington Post

“Meta Antitrust Suit Should Be Reinstated on Appeal, States Argue” By Leah Nylen — Bloomberg

“Uber investigating hack on its computer systems” By Shiona McCallum — BBC

“Russian official says civilian satellites may be “legitimate” military target” By Jon Brodkin — Ars Technica

“Pentagon Orders Review of Its Overseas Social Media Campaigns” By Julian E. Barnes and Sheera Frenkel — The New York Times

“Pentagon opens sweeping review of clandestine psychological operations” By Ellen Nakashima — Washington Post

“TikTok’s C.E.O. Navigates the Limits of His Power” By Ryan Mac and Chang Che — New York Times

“Australian Police Probe Optus Cyberattack as Data Threats Emerge” By Sybilla Gross — Bloomberg

“TikTok sets new verification rules for politicians and political parties” By David K. Li — NBC News

“Outside audit says Facebook restricted Palestinian posts during Gaza war” By Elizabeth Dwoskin — Washington Post

“Beloved browser extension acquired by non-beloved antivirus firm” By Kevin Purdy — Ars Technica

“US school app accounts hacked to send explicit image” — BBC

“Regulators Accuse Amazon of Singling Out Union Organizers for Discipline” By Noam Scheiber — New York Times

“Ukraine’s Cyberwar Chief Sounds Like He’s Winning” By Chris Stokel-Walker — WIRED

“There's a Sneaky Reason Your Wi-Fi May Suddenly Be Slower” By David Priest — C|Net

“The online incel movement is getting more violent and extreme, report says” By Taylor Lorenz — Washington Post

“New York to install surveillance cameras in every subway car” By Kevin Collier — NBC News

“How a Quebec Lithium Mine May Help Make Electric Cars Affordable” By Jack Ewing — New York Times

“Pentagon launches effort to assess crypto’s threat to national security” By Tory Newmyer — Washington Post

“UK Police Charge Teenager Over Hacking, Bail Breaches” By Jeff Stone — Bloomberg

§ 29 September

o   The United States (U.S.) Federal Communications Commission (FCC) will hold an open meeting with this agenda.

o   The United States (U.S.) House Science, Space, and Technology Committee’s Research and Technology Subcommittee will hold a hearing titled “Trustworthy AI: Managing the Risks of Artificial Intelligence.”

o   The United States (U.S.) Senate Commerce, Science, and Transportation Committee’s Space and Science Subcommittee will hold a hearing titled “Securing U.S. Leadership in Emerging Compute Technologies.”

§ 4 October

o   The United States (U.S.) Cybersecurity and Infrastructure Security Agency (CISA) will host its 5th Annual Cybersecurity Summit in Atlanta, Georgia.

§ 10 October

o   The European Data Protection Board will hold a plenary meeting.

§ 11 October

o   The European Data Protection Board will hold a plenary meeting.

§ 19 October

o   The United States (U.S.) Federal Trade Commission (FTC) will hold a virtual event “to examine how best to protect children from a growing array of manipulative marketing practices that make it difficult or impossible for children to distinguish ads from entertainment in digital media” with this agenda.

§ 26 October

o   The United States (U.S.) Information Security and Privacy Advisory Board (ISPAB) will hold a meeting.

§ 27 October

o   The United States (U.S.) Information Security and Privacy Advisory Board (ISPAB) will hold a meeting.

§ 1 November

o   The United States (U.S.) Federal Trade Commission (FTC) will hold PrivacyCon.

Photo by Erik Mclean on Unsplash

Photo by Ketan Saptasagare on Unsplash

Photo by George Pagan III on Unsplash

Photo by Linford Miles on Unsplash

Photo by Omar Flores on Unsplash

Photo by Clark Van Der Beken on Unsplash

Photo by Victor on Unsplash

Photo by JOSHUA COLEMAN on Unsplash

Photo by Alexander Andrews on Unsplash