House pivots on data privacy bill, removing algorithmic discrimination coverage
The intended final draft of the American Privacy Rights Act includes new language on biometric data and data on minors, but notably removes civil rights protections sought by privacy advocates.
The American Privacy Rights Act will be introduced Tuesday in the House of Representatives, though recent cuts to the bill have drawn the criticism of privacy advocates.
Helmed by Reps. Cathy McMorris Rodgers, R-Wash., and Frank Pallone, D-N.J., APRA is intended to replace a patchwork of state-based data privacy rules with a national standard to safeguard the data privacy of Americans online.
The final draft of the bill alters previously expected provisions included in multiple rounds of discussion drafts, leading many privacy groups to withdraw support for the bill.
A provision titled “Civil Rights and Algorithms” was originally intended to implement protections for Americans against biased decision-making as a result of algorithmic automation. Its removal effectively eliminates the bill text specifically prohibiting the collection and processing of data to discriminate “on the basis of race, color, religion, national origin, sex, or disability.”
A provision authorizing the Federal Trade Commission to oversee improper access and use of personal data was omitted in the latest version of the bill, as were measures requiring large data holders to conduct algorithm impact assessments to gauge and reduce harm, mandating algorithm design evaluations, and notifying users when an algorithm is being used in an online service as well as giving them an opt-out choice.
A spokesperson on the Democratic side of the Energy and Commerce Committee said that these provisions didn’t make it into the updated version of APRA due to partisan disagreements.
“We're not giving up on it. We're going to keep fighting to get a comprehensive algorithmic accountability provision passed and signed into law,” the spokesperson told Nextgov/FCW. “Unfortunately, this isn't the vehicle for it, but we're going to keep fighting to get it done.”
The removal of the civil rights section sparked backlash from digital privacy advocates. Evan Greer, the director of Fight for the Future, noted that the omission of the algorithm discrimination components undermines the bill’s intent to apply federal regulation to large tech companies and further blamed partisan divides.
“This was the one comprehensive privacy bill that had a real chance of passing and now Congress has effectively gutted it as part of a backroom deal to appease right wing extremists,” Greer said in a statement. “APRA was already a compromise bill that should have been strengthened. By removing crucial civil rights language, lawmakers have turned it into a bill that effectively endorses privacy violations and discriminatory uses of personal data.”
Similarly, civil rights advocacy group Lawyers’ Committee for Civil Rights Under Law released a statement saying they were “opposed” to the bill in its new form.
“A privacy bill is not a comprehensive privacy bill without civil rights,” the group said. “Over and over again, we have seen how many of the worst harms from tech companies’ exploitative data practices disproportionately affect Black people and other people of color. A privacy law that does not account for discrimination is a house with no foundation.”
The first discussion draft of the bill, released in April, drew bipartisan support in both chambers of Congress. It remains to be seen whether the Democratic-controlled Senate will adopt the new House version or will continue with legislation that includes the civil rights and algorithmic discrimination provisions. Emails to majority staff on the Senate Commerce Committee were not immediately answered.
The new version of the bill does include similar — but not identical — language from the FTC’s Children's Online Privacy Protection rule to safeguard the data and personal information of minors. Under this update, the FTC will be required to submit a report on how platforms that offer online services and applications to children are complying with APRA.
The updated draft also expands online user control of biometric data and information. The bill requires express consent for the transfer and access of biometric or genetic information from the user to a digital service provider, and further prohibits the transfer of biometric data to third party entities.
Despite the major revisions to the draft, some experts anticipate that the bill would still effectively protect Americans’ data privacy.
Cobun Zweifel-Keegan, managing director of the International Association of Privacy Professionals, said the bill’s current provisions are still “substantive” absent the civil rights component of APRA.
“Civil rights provisions have recently come to be seen as an important touchpoint for a comprehensive U.S. privacy framework, at least within the civil society community,” he told Nextgov/FCW. “Most of the bill could be enforced by private lawsuits from consumers, and all of the bill’s requirements would be enforceable by the FTC and state attorneys general. This change does not affect the types of enforcement teeth in the law, it just removes a tooth from the picture, while keeping most of the substantive privacy requirements that are expected in comprehensive laws.”
The bill heads for committee markup on Thursday, where amendments could alter its current content.