Cigna Plan Members Say HIPAA Notice Backs Privacy Claims – Law360
Poor Risk Analysis Cost 4 firms $1.7 Million in HIPAA Fines – GovInfoSecurity
Setbacks Cost Healthcare Firms $1.7M in HIPAA Fines – BankInfoSecurity
Setbacks Cost Healthcare Firms $1.7M in HIPAA Fines – GovInfoSecurity
House Republicans Make New Attempt to Introduce Federal Data Privacy Legislation – The HIPAA Journal
House Republicans have made a fresh attempt to introduce federal data privacy legislation that, if passed, will replace the current patchwork of state privacy laws. The new privacy bill – the Securing and Establishing Consumer Uniform Rights and Enforcement over Data (SECURE Data) Act, and a companion bill covering financial firms – the GUARD Financial Data Act – were introduced by Republican members of the House Committee on Energy and Commerce and the House Committee on Financial Services. Unlike previous attempts to enact comprehensive federal data privacy legislation, the SECURE Data Act and GUARD Financial Data Act are not bipartisan. No input was sought from Democratic committee members.
Efforts to develop the bills were led by Congressman John Joyce, M.D., Chairman of the House Committee on Energy and Commerce, who led the Energy and Commerce Data Privacy Working Group, and Congressman John Joyce, M.D. (PA-13), Chairman of the Energy and Commerce Subcommittee on Oversight and Investigations and leader of the Energy and Commerce Data Privacy Working Group.
The bills were developed following more than a year of stakeholder consultation. They aim to create new federal data privacy standards and are based on common data subject rights and provisions from states that have implemented their own comprehensive data privacy laws.
Key consumer rights in the SECURE Data Act include:
- The right to know data is being collected and used
- The right to access a copy of the personal data collected by an entity, including in a portable format
- The right to request that their personal data be deleted
- The right to opt out of targeted advertising, the sale of their personal data, and certain automated decisions
- The right to have sensitive data processed only with the consumer’s consent
- The right to have a child or teen’s personal data processed only with parental consent
The obligations for covered businesses under the SECURE Data Act include:
- Limiting the collection of personal data to what is “adequate, relevant, and reasonably necessary for the purposes disclosed to consumers.”
- Disclosing the personal data shared with others, and any personal data processed in or sold to China, Russia, or other foreign adversaries.
- Implementing data security practices to protect the personal data they process.
There are specific requirements for data brokers, which include:
- Data minimization, disclosure, and data security requirements.
- Registration with the FTC, including disclosure of the privacy and data security practices and personal data sold.
- The FTC will establish a searchable public-facing registry of data brokers, where consumers can learn how to exercise their privacy rights.
“This bill establishes clear, enforceable protections so that Americans remain in charge of their own data and companies are held accountable for its safe keeping,” Energy and Commerce Chair Brett Guthrie, R-Ky., and Rep. John Joyce, R-Penn., said in a joint statement. “We look forward to working with our colleagues to build support for this bill and advance data privacy protections fit for our 21st century economy.”
The SECURE Data Act would apply to nonfinancial firms that control consumer data, exempting financial data and financial institutions covered by the Gramm-Leach-Bliley Act. The companion bill, the GUARD Financial Data Act, would update the Gramm-Leach-Bliley Act and would exempt nonfinancial firms. While there is a clear need for federal data privacy legislation to replace data privacy laws that vary considerably from state to state, for certain states such as California, it would mean a watering down of their current privacy protections for state residents. For instance, the SECURE Data Act does not include a private cause of action, which means individuals whose privacy is violated would not be able to sue for SECURE Data Act violations.
The SECURE Data Act has been criticized for failing to implement meaningful privacy protections and weakening protections for consumers in states that have placed limits on the collection, use, and sharing of consumers’ data. Critics say the legislation ultimately protects corporations and big tech firms rather than protecting consumers’ privacy. “We should be protecting the little guy with a bill that empowers consumers, not one that pre-empts consumer protections at the behest of Big Tech,” said Energy and Commerce Ranking Member Frank Pallone (D-NJ).
Some privacy groups have criticized the bill for important omissions, such as failing to address AI-related privacy harms. There are no provisions limiting the data that can be collected on consumers for training AI algorithms, and while companies are required to disclose if they are using AI-based automated decision-making systems, consumers do not have the right to opt out.
There are grave concerns that if enacted, it will allow big tech firms to continue collecting and using vast amounts of consumer data. “It places the onus on regular people to wade through reams of privacy policies and ask tech companies to stop abusing our data, and it leaves us without real recourse — even blocking us from going to court — if our requests go unanswered. On top of that, the bill would entirely destroy the work that states have been doing for years to protect their residents,” said American Civil Liberties Union attorney Cody Venzke.
While previous efforts to pass a comprehensive federal data privacy law, such as the American Data Privacy and Protection Act (ADPPA), have been bipartisan, bicameral, and have proposed stronger privacy protections, they have all failed to be enacted. While there is a good chance that the SECURE Data Act would be passed by the House of Representatives, it may be difficult, in its current form, for the bill to survive a Senate vote.
The post House Republicans Make New Attempt to Introduce Federal Data Privacy Legislation appeared first on The HIPAA Journal.