President Obama proposed a draft of the Consumer Privacy Bill of Rights Act (CPBORA) on 27 February 2015. If passed, CPBORA would be an umbrella data protection law for the United States, built on a set of conditions or principles rather than sector-specific rules. It would be similar to the GDPR in Europe or POPI in South Africa: a law that sets the conditions for the lawful processing of personal data. Virtually every entity in the US would have to do a number of things to comply.
What is the impact of Consumer Privacy Bill of Rights Act?
CPBORA would govern the collection, storage and transfer of the personal data of consumers in the US. The idea behind CPBORA is that it protects individual privacy rights while at the same time promoting American businesses: by requiring them to meet a high regulatory standard for consumer privacy, it may give them a competitive advantage with privacy-conscious customers and trading partners.
But what is the impact of CPBORA on businesses? As a business, what would you have to do to comply with CPBORA? And how would CPBORA interact with the newly negotiated EU-US Privacy Shield?
Who has to comply with CPBORA?
Virtually all entities in the US
CPBORA applies to a ‘covered entity’, which is defined as a person (natural or juristic) that collects, creates, processes, retains, uses or discloses personal data in, or affecting, interstate commerce. There are a few exceptions to this definition, but most entities (for-profit and non-profit alike) would fall within the ambit of CPBORA. A covered entity roughly corresponds to the data controller in the EU and the responsible party in South Africa, although the definition is broad enough to also capture entities that merely process personal data on behalf of others.
It would also affect various industry bodies, because CPBORA provides for industries to develop codes of conduct for the handling of consumer information. Such a code of conduct would be submitted for review and either approved as being in compliance with CPBORA or rejected for lack of compliance.
When will it come into force?
Maybe never. President Obama has proposed it, but it has a long way to go before it becomes law. It may never happen, but some form of it will probably be enacted eventually.
What will covered entities have to do to comply with CPBORA?
Lots of things. Some of them are:
- Process personal data in a manner that is reasonable in light of the context in which it was collected. If the processing is not reasonable in that context, conduct a privacy risk analysis.
- Provide individuals with notice if their personal data is being used in a way that is unreasonable for the context. This notice must be given in a manner that enables the individual to decide how to respond to the increased privacy risk and gives them the choice to reduce that risk.
- Delete, destroy or de-identify personal data within a reasonable time after the purpose for which it was collected has been fulfilled.
- Identify reasonably foreseeable internal and external risks to the privacy and security of personal data.
- Establish and implement safeguards for that data, and assess those safeguards regularly.
- Take measures to ensure compliance with CPBORA, including training staff, conducting internal and independent evaluations of data protection mechanisms, and building privacy protections into systems and practices from the outset.
What is it going to replace?
CPBORA would pre-empt most state-specific privacy laws, with a few exceptions. This is in line with one of the stated purposes of CPBORA: to create a single, cohesive system of data privacy law throughout the US instead of the current patchwork of state and sectoral laws.
How will CPBORA interact with the EU-US Privacy Shield?
The European Commission and the US Government have recently negotiated a successor to the Safe Harbour agreement, the EU-US Privacy Shield. The exact content of the agreement is still a work in progress. Generally, it appears to contain substantially the same elements as the original Safe Harbour agreement, but with greater limitations on US government surveillance of trans-Atlantic communications. It remains to be seen whether the US will bring its own national legislation in line with its international commitments. Taken together, the US agreeing to the EU-US Privacy Shield and the provisions of CPBORA may indicate that the US intends to align its data privacy policies with international standards.