A bill has been introduced in the United States Senate that would establish new protections for the personal information of individuals online.
The bill, entitled the Data Care Act, was proposed by Sen. Brian Schatz (D-HI) on December 12, 2018. It had more than a dozen co-sponsors, all from the Democratic Party. Should it become law, the bill would present a radical change; currently, data privacy laws are implemented at a state level. There is no federal data privacy law, and therefore no nationwide standard on data privacy and information security online.
The Act has been widely compared to the EU’s General Data Protection Regulation (GDPR), introduced in May 2018.
Although the Data Care Act would not be as extensive or thorough as its European counterpart, it would revolutionise data privacy culture in the United States should it become law.
The Data Care Act would require all companies that collect personal data of users to take “reasonable steps” to ensure that information is safeguarded and protected from unauthorized access. Additionally, companies would be required to only use personal data for specific purposes and not in any way that could result in consumers coming to harm.
The bill places restrictions on organisations as to how they can use, collect, and share the personal information of individuals. Individual consumers are also granted new rights under the bill, such as the ability to access, correct, and delete their personal data.
The bill would also require companies that sell personal data of customers to disclose the names of the persons or companies to whom users’ personal data have been sold. They would also be required to provide information on the individuals or companies that have been licensed to use personal data.
The bill would require organisations to inform their customers about breaches of sensitive information. This is similar to the Health Insurance Portability and Accountability Act’s Breach Notification Rule, which requires healthcare organisations to inform those affected by a data breach in a “timely manner”.
There are notable differences between GDPR and the Data Care Act. The latter does not include the right to restrict or object to the processing of personal information, and a Data Protection Officer does not need to be appointed. The Data Care Act does not include a requirement for risk assessments related to high-risk processing activities, which is required in Europe under GDPR. Future amendments to the bill may see the number of differences between GDPR and the Data Care Act change as it makes its way to becoming a law.
If passed, the Data Care Act will be enforced by the Federal Trade Commission (FTC). The FTC will be granted the authority to issue financial penalties to companies that fail to comply. State attorneys general will also be authorized to bring civil actions against firms for noncompliance.
An organisation that violates GDPR may be fined up to a maximum of €20 million, or 4% of global annual turnover, whichever is greater. The maximum penalty for Data Care Act violations is $16,500 per covered person.
The primary focus of the bill is currently unregulated online companies, Internet Service Providers and Federal Communications Commission common carriers. It also has implications for regulated industries such as financial services and healthcare.
The Data Care Act affects healthcare data in three ways:
- Health data related to the provision of medical services concerning the physical and mental health of an individual
- Health data processed in relation to the provision of health and wellness services
- Health data that is derived from medical tests, including genetic and biological samples
The bill will grant the FTC authority to further define the types of information classed as health data.
Individuals will be given the right to dispute the completeness of their personal health information, although according to the bill, “[The Data Care Act] does not preempt laws that address the collection, use, or disclosure of health information covered by the Health Insurance Portability and Accountability Act or financial information covered by Gramm-Leach-Bliley Act.”
“People have a basic expectation that the personal information they provide to websites and apps is well-protected and won’t be used against them. Just as doctors and lawyers are expected to protect and responsibly use the personal data they hold, online companies should be required to do the same. Our bill will help make sure that when people give online companies their information, it won’t be exploited,” explained Senator Schatz.
“For too long, Americans’ digital privacy has been far from guaranteed, and it is time for Congress to pass legislation providing comprehensive protections for personal information,” wrote the Center for Democracy and Technology in a press release announcing the publication of a discussion draft of the bill.