Forward Progress on America’s GDPR?

Congress is gradually approaching a new federal data privacy and protection standard for the US.  Proposed in 2022, the American Data Privacy and Protection Act (ADPPA) was a bipartisan attempt at federal data privacy legislation, and the first to successfully pass committee markup.  Now, after revisions to the initial bill, both House and Senate committees have furthered its development with the proposal of the American Privacy Rights Act (APRA).

Part of the holdup over the past few years revolved around where priority should be assigned. We’ve discussed before the lack of a national data security regulation, which has led to a score of disparate standards across states. California was the first, emulating Europe’s GDPR with its own California Consumer Privacy Act (CCPA), but over a dozen more have since followed. One of the biggest wrinkles in this scenario has been the effort required for a company doing business in multiple states to navigate the labyrinth of rules and regulations. It’s often a disordered patchwork scheme: for example, two people living just across state lines could have drastically different protections for their sensitive data.

And yet, businesses must adhere to these myriad regulations or risk financial penalties when a data breach occurs. Understanding the new legal and financial ramifications can be a cumbersome and expensive process. As organizations work toward staying current with the latest trends, compliance and data security cannot be overlooked. To help ease the burden, NetLib Security’s Encryptionizer secures stored data across physical, virtual and cloud environments, helping organizations meet compliance requirements for PCI, GDPR, HIPAA Omnibus/HITECH and FIPS 140-2.

The road to a national standard has been long. One of the principal hurdles has been the decision regarding priority between existing state laws and any potential rule that comes into effect. Which takes precedence? Should an inferior federal standard replace laws in certain states like California that already have a more robust framework via CCPA? The obvious answer would be no, as it makes little sense to forcibly downgrade one just to fit it in under a new, lower ceiling.

Now, according to a press release for the final APRA, legislators believe they have struck “a meaningful balance on issues that are critical to moving comprehensive data privacy legislation through Congress.” On the specific issue of preemption, the release states that “State laws covered by the Act are preempted, with the exception of an enumerated list of state laws,” including consumer protection laws, civil rights laws, provisions of laws that address the privacy of students, employees and data breach notifications, along with a host of others.

So it appears that with a decent list of exemptions, the new rule will supersede existing state laws, hopefully not to the detriment of any consumers affected by a breach. Lawmakers intend to get this bill through Congress before the next presidential elections, thereby replacing the current clunky patchwork with a framework along the lines of GDPR, creating clearly defined rights and protections for Americans’ data security.


By: Jonathan Weicher, posted on April 15, 2024
Originally published at: https://www.netlibsecurity.com
Copyright: NetLib Security