China in the spotlight: US federal data and privacy bill unveiled, Alex Roberts, Tiantian Ke

Knowledge

Welcome to the Knowledge Portal. You can browse, search or filter our publications, seminars and webinars, multimedia and collections of curated content from across our global network. Create an account and set your email alert preferences to receive the content relevant to you and your business, at your chosen frequency.

From an explicit namecheck to provisions that suggest China is a regulatory influencer, links between the US and China remain evident in the American Data Privacy and Protection Act

US lawmakers officially released a discussion draft of the American Data Privacy and Protection Act (the ADPPA) late last week – the first comprehensive US federal privacy proposal to gain bipartisan and bicameral support.

The ADPPA aims to establish a strong national framework to protect consumer data privacy and security, by introducing requirements such as duties of loyalty to individuals in the appropriate use of their data, transparency obligations, opt-out consent mechanisms and individual rights, enhanced data protection for minors, and a certification regime.

Although the fate of the draft bill remains unclear at this stage (as explained in the article below), certain features under the bill, if implemented, are relevant to businesses operating between China and the US.

Spell it out if you are transferring data from the US to China

Countries or markets seeking to impose restrictions on the export of data to third countries which might not have as robust data protection regimes is not new. It is a clear principle under the world’s gold standard for privacy laws, the GDPR, and was reinforced for the EU with the Schrems II case.

The ADPPA arguably goes one step further with inclusion of a transparency requirement that mandates in-scope entities to detail certain information in their privacy policies, including whether any covered data will be made available to China, Russia, Iran, or North Korea.

Query if Hong Kong SAR is included in the “People’s Republic of China” under this bill, as in certain other US regulatory contexts, but with mainland China (plus Hong Kong SAR) seeing more cross-border data flows than any other territory – and about twice the amount of the data than the US – since 2019, international data transfers today have economic, geopolitical and, to an increasing extent, national security prominence. Nevertheless, the ADPPA appears to mark the first time that a provision in national data legislation has called out specific territories in this way.

Having said that, the ADPPA does not contain provisions with teeth relating to data localisation and cross-border data restrictions. The practical impact of this part of the bill for multinationals and supply chains beginning in mainland China impact is still be seen.

Joining the trend in regulating algorithms

We commented in our previous briefing on the China’s Algorithm Regulation that “even if your tech operations are not based in China, the commentary below may give you a head start on what is coming down the (digital) track.”. Data-driven prophets that we are, here it comes!

The ADPPA also lays out rules on the use of algorithms by large data holders, some stipulations of which share a similar favour with those we analysed in the Chinese algorithm regulations. In particular, in-scope entities must assess their algorithms annually and submit annual impact assessments to the competent regulators (in the ADPPA’s case, the Federal Trade Commission). As such, the unveiling the algorithmic “black boxes” belonging to Big Tech seems to be a trend of increasing regulatory scrutiny that will have relevance around an ever-digitising world.

Has the time for a federal privacy law in the US finally come?

Disparate state-level privacy regimes have been springing up following the inspiration of California’s pioneering CCPA. US-, China- and third country-based business may welcome a comprehensive federal privacy law that provides for standardised compliance requirements across the market that remains part of the world’s largest economy.

No doubt time will be needed to onboard all key stakeholders in the legislation process, but the released draft of the ADPPA symbolises a big step in the right direction, even if some provisions may raise eyebrows beyond the halls of Washington. We wait to see if Beijing’s lawmakers invoke the reciprocity articles clearly included in China’s new data laws in anticipation of such eventualities.

For deeper analysis on the substance of the ADPPA, stay tuned to updates from our global Data and Tech Solutions team!

{

Americans want and desperately need legislation to protect their personal data and promote trust in the online world. While it’s not perfect, the draft is a hopeful first step.

https://iapp.org/news/a/congress-unveils-american-data-privacy-and-protection-act/