3 takeaways on the new federal data privacy proposal after its first public showcase

At the House Energy and Commerce Committee's data privacy hearing on April 17, lawmakers discussed for the first time Chair Cathy McMorris Rodgers' discussion draft of a new federal data privacy bill, the American Privacy Rights Act (APRA), which was unveiled last week.

The legislation is a slight departure from the committee's last data privacy bill, the American Data Privacy and Protection Act (ADPPA), which passed out of committee almost unanimously in 2022 but never reached the House floor. The differences between the two bills did not go unnoticed, especially by the committee's ranking Democrat, Frank Pallone of New Jersey.

Amid mounting breaches of health data, from BetterHelp to Change Healthcare, and the mental health challenges children and adolescents face while using social media, the protection of health data and kids' online safety is top of mind for the committee.

Here are the top three things you should know about what lawmakers and witnesses said at the hearing:

1. The implications for major corporations

A national data privacy framework would make it easier for corporations to follow the law, Katherine Kuehn, CISO-in-residence at the National Technology Security Coalition, said during lawmakers’ questioning. “From an implementation standpoint, this would actually be a simplification for a lot of corporations and international organizations trying to do more business with the United States. One of the issues today is with so many disparate state laws, it is very difficult to make sure that they're maintaining proper privacy regulation in states.”

Fifteen states have passed comprehensive data privacy laws, and more bills are expected to be introduced this year. Healthcare organizations' data privacy requirements could be simplified if APRA passes, but how the law would interact with the Health Insurance Portability and Accountability Act (HIPAA) remains to be seen.

Joe Jones, director of research and insights at the International Association of Privacy Professionals, told Fierce Healthcare that because APRA does not displace HIPAA, healthcare organizations would likely be subject to both HIPAA and APRA if the latter passes.

“It's going to take some diligence and a gap analysis really, to see, like, where are the gaps in these laws and what we do? Where are the overlaps? … Maybe there are conflicts or tensions between the different approaches. So that's going to be a really important task for the legal compliance divisions of these various organizations,” Jones said.

Jones said it is not yet clear from the discussion draft how APRA and HIPAA would interact. He also expects more debate on whether the law should preempt state data privacy laws.

APRA would also apply to nonprofit organizations, which were exempted from previously proposed national privacy laws, Jones said.

2. Lawmakers are unified across the aisle on data privacy

Energy and Commerce leadership expressed support for APRA, and Innovation, Data, and Commerce Subcommittee Chair Gus Bilirakis, R-Florida, said, “I’m fired up. Let’s get this into law.” He also said a data privacy law would “get done this year.”

McMorris Rodgers, R-Washington, and Pallone have stressed the need for a national data privacy framework in health subcommittee hearings, especially amid the debate over whether Congress should step in and regulate the use of artificial intelligence in healthcare.

Pallone commended the bill's foundation of data minimization, which would require companies to collect only the data they need about consumers, rather than the status quo of notice-and-consent privacy policies.

Witnesses agreed that consumers often skip notice-and-consent privacy policies because of their length and legalese, and said the policies do not adequately inform consumers.

3. APRA needs work

APRA, though bipartisan and bicameral, is unlikely to be in its final form. Most witnesses offered revisions to the legislation, and Pallone and Jan Schakowsky of Illinois, the subcommittee's ranking Democrat, said APRA should be a jumping-off point for a national data privacy framework.

Pallone criticized APRA's lack of a universal deletion mechanism, which ADPPA included, that would allow a consumer to delete all personal data held by companies.

Pallone also took issue with the fact that APRA does not provide as many protections for children as ADPPA did. He suggested that APRA, or the other online safety bills discussed during the hearing such as COPPA 2.0 and KOSA, require companies to implement privacy by design and create a youth privacy division at the Federal Trade Commission.

David Brody, managing attorney at the Lawyers' Committee for Civil Rights Under Law, said at the hearing that APRA backtracks from ADPPA by scaling back some of the private rights of action. Private rights of action are important for minority communities, he said, which have historically not been protected by institutions.