“Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act” – Sounds safe to me!
The SAFE Data Act, otherwise known as S. 4626, is a federal attempt to introduce nation-wide protections over data privacy. I’ll go through some high-level pieces of this bill and share the current status with it and my predictions at the end. If you’d like to read the full text, click this download button below to get the bill introduced to Congress during the 116th session.
This bill was introduced to Congress on September 17, 2020, by Senator Roger Wicker (R-MS). At the moment, the bill has only been introduced and will need to be revised, as well as voted on, before it can be passed into law. This can take anywhere between 6 months to two years, maybe more. For example, HIPAA was introduced during the Bill Clinton era in 1996 to standardize privacy expectations and security measures around personal health information. It wasn’t until December 28, 2000, that the act was officially published and finally in 2002, the Office for Civil Rights began enforcing the new act. So a total of six years before HIPAA, a commonly known regulation protecting health information, was finally enforced. If the same time length is followed, it could be 2026 by the time the SAFE Data Act begins enforcing penalties. Another example that aligns more with S.4626 would be Europe’s General Data Protection Regulation (GDPR), which was introduced in 2011 to enhance current privacy law. On March 12, 2014, Parliament voted in support of privacy law reform and by May 25, 2018, GDPR was enforced. That timeline took around the same length of time as HIPAA, so we can safely, and unfortunately, assume that S.4626 will not be enforced until around 2026 or 2025.
What’s in S.4626?
This legislation is broken into four titles and details individual consumer data rights, data transparency, corporate accountability requirements, and enforcement authorities. I will do my best to give a broad overview of each area, while also highlighting some key sections within each title to be aware of as both a consumer and also a data collector. Before TITLE I, the bill lists several terms used throughout and their definitions that will help the reader and listener understand what is being referred to. The definitions and terms consist of the first 26 pages of the bill.
TITLE I – INDIVIDUAL CONSUMER DATA RIGHTS
Overall, this segment pertains to consumer loyalty, transparency, individual control, consent, service providers, data minimization, and the scope of the bill’s coverage. An entity processing data shall not deny products or services from individuals exercising their rights outlined in this bill and no waiver can invalidate the rights addressed in Section 103 of S.4626.
All covered entities shall create and implement a privacy policy that meets eight requirements (contact information of data controller, what data is collected, the purpose of processing, the effective date of the policy, etc.). This policy shall be available in all languages as well.
Section 103 lists out the rights of the data subject and these include the right to correct inaccurate data, the right to delete data, and the right to the portability of their data. All covered entities shall provide the individual’s data to them upon request and no later than 90 days from the initial request. The covered entity shall also provide the individual the opportunity to exercise the rights listed in this section once every twelve months. If the covered entity cannot verify the individual making the request for their data, they must make a reasonable attempt to identify that individual before providing the data.
Individuals also must consent to the transfer of their data to another data controller or entity. This consent is also required, per Section 104, before the covered entity can begin processing the individual’s data. These often look like a standard form that we all see before accessing a website where we check the box that we’ve read and acknowledge the policy (yes, we all read it I’m sure). Coupled with consent, Section 105 requires covered entities to practice data minimization techniques, which is where they collect only what is needed to fulfill a specific purpose and nothing more (See Brown v. Google). This section also outlines retention requirements, which only allow retention for as long as needed to fulfill the original purpose unless the consumer consents otherwise.
Section 106 discusses service providers and third parties and their role in the protection of our data. Overall, they’re subject to the same controls as a covered entity and cannot process data unless it is on behalf of, and at the direction of, the covered entity that originally obtained consent for the original purpose. These third-parties must delete or de-identify the provided data as soon as the covered entity requests them to do so and as practical.
A privacy impact assessment is required in Section 107. This must be conducted over each data processing activity of a large organization that present a heightened risk of harm to individuals. The benefits of the processing shall be weighed against the risks of adverse events. One assessment must be conducted every other year by the organization to comply with this regulation.
Section 108 identifies some exception areas, excluding those outlines in Section 102 (a – c), to this regulation. On noteworthy exception is around small businesses where sections 103, 105, and 301 do not apply. This would be in the cases where the business, for three preceding years, meets the following thresholds:
| Average Annual Revenue less than $50,000,000 | Employs less than 500 individuals at any one time |
| Annual processing of less than 1,000,000 individuals | Revenues derived from processing are less than 50% of total revenues |
TITLE II – DATA TRANSPARENCY, INTEGRITY, AND SECURITY
This segment is primarily concerned with the accountability of covered entities and how they process data. The first section actually outlines the enforcement authority’s responsibilities and security considerations when enforcing S.4626. Although sections 202 (Digital Content Forgeries) and 203 (Data Brokers) are important, section 204 has the more important considerations for consultants and privacy auditors.
Section 204 addresses the protection of covered data. This section requires that all covered entities establish, implement, and maintain reasonable administrative, technical, and physical data security policies and practices to protect against risks to the confidentiality, integrity, and security of data. In other words, covered entities must have controls in place to protect data. Sounds like many gap assessments and privacy readiness projects are in the future for auditors and consultants like us. Additionally, this bill also notes that any covered entity complying with Section V of the Gramm-Leach-Bliley Act (GLBA) or the Health Information Technology for Economic and Clinical Health Act (HITECH) is also in compliance with S.4626.
Section 205 highlights the requirement to inform users if the algorithm used by a company is opaque. Opaque means that the algorithm will make inferences based on user-specific data to select the content seen by the user. This notice should be clear and understood by the consumer and also be a one-time notice after the first interaction by the user. Section 206 prohibits modifying a user interface to interfere with the user’s decision-making when providing consent to the collection of data.
One duty of a large organization (i.e. over 1,000 employed individuals) is to have an independent review board for any behavioral or psychological research conducted on users or on the basis of user activity or data. This board would conduct the reviews over processing to verify the procedures are in compliance with company policies. The company policies should be in compliance with S.4626. The remaining areas of this title deal with the establishment of a professional body of standards for companies to use when drafting policies and procedures.
TITLE III – CORPORATE ACCOUNTABILITY
This segment is mainly concerned with holding corporations accountable, even more so than TITLE II. The first section addresses the requirement to name a data privacy officer, or at least an individual with primary responsibility of controlling and processing data, as well as making sure the organization is in compliance with privacy law (like in GDPR). These can be one or more qualified individuals.
Section 302 requires a set of internal controls to be maintained, emphasizing section 204 from earlier.
Section 303 identifies protections for whistleblowers and the definition of such. Privileges and immunities are identified, as are the effect of whistleblowers on penalties levied against the organization. Also, just because someone blows the whistle doesn’t mean they will be protected. An investigation must be conducted to determine there was actual fault by the organization and the individual discovered such fault through reasonable means (i.e. they didn’t create the fault to then blow the whistle).
This section is quite short and only encompasses 3 pages at the moment!
TITLE IV – ENFORCEMENT AUTHORITY AND NEW PROGRAMS
The primary purpose of this segment is to highlight the enforcement authority of this bill. The Federal Trace Commission (FTC) will be primarily responsible for carrying out the considerations and requirements seen in the earlier titles. The powers of the FTC are set to enforcing the act and eventually, an approved certification program would be developed to allow for voluntary compliance with this act by covered entities.
Authority to seek remedies and levy fines towards violators is permitted by the FTC, as well as relation to other federal and state laws.
This title isn’t very long and needs additional information to address special cases not mentioned in the earlier titles of S.4626.
My Thoughts on the Future of this Act and Privacy
This bill will eventually pass through the red tape and become a law, but not without additional revisions. I didn’t see much about how enforcement will be handled with international organizations conducting business within the United States. Or further, how this will deal with companies who commit violations on US soil, but with customers who are on the other side of the world.
The term “reasonably” is used a lot throughout the bill. Determining what is “reasonable” will be decided in the courts, but the bill doesn’t make it clear beyond saying “the information that is linked or reasonably linked, to an individual.”
Overall, I think this will be a good thing for the United States. Hopefully, this bill will be as effective as GDPR and LGDP in Brazil. India created their own federal law as well, known as “Privacy and Data Protection.” Several of these federal regulations have influenced the initial draft of S.4626. The US bill will be further refined until final completion in approximately six years.
Several state laws currently exist that apply specifically to citizens of that state. These states are California, New York, Maryland, Massachusetts, Hawaii, and North Dakota. These laws will still apply once S.4626 is enacted. If there are any gaps in the state law, these should be closed by federal law and vice-versa.
In case you’ve been concerned with how much data exists on you on the web, as well as in company databases, I want you to stay positive. In my opinion, I don’t believe the government gets things right too often, but I think this is one area they will get right six years from now. But who knows? They may find a way to screw this one up. The initial draft looks promising and I hope our lawmakers can build on what they’ve currently got.
But since this is six years away, you should be informed of what you can do now. Practicing good cybersecurity measures will help you take more control of your data (or at least you’ll know where it’s at). Using a password manager, such as LastPass (what I use) will help you inventory all your online accounts and the passwords to those accounts. Only putting out information you’re comfortable with strangers knowing is also a good practice (I’m pretty much an open book, so you can probably find a lot about me. But good luck on your Google search). It’s not uncommon to not know a lot of this stuff, but to at least have an idea is the first step in knowing what to do next!
See the Newsletters page for the latest content and to subscribe to the regular update, see the About page for information around who DPP is, and check out the Contact page to reach out to DPP with any questions or concerns. These are my thoughts and should not be taken as professional advice simply because you are not paying me for my opinion.
Once you understand how valuable your information is, then you can begin taking steps to keep it private.