Brussels/Hanover, September 2022 | The US Congress has taken a new approach to a uniform US federal data protection law, the American Data Privacy and Protection Act (ADPPA).
So far, no uniform data protection law exists in the USA. At federal level, data protection is regulated sporadically by sector-specific laws, such as the Electronic Communications Privacy Act or the Children’s Online Privacy Protection Act. At state level, data protection exists where states have enacted their own data protection laws – so far in Virginia, Colorado, Utah, Connecticut and the pioneer California.
The published draft of the ADPPA has many parallels to the European GDPR. For example, the draft adopts principles from the GDPR, defines “personal data” and provides stricter rules for “sensitive covered data”.
The ADPPA is a big step towards a uniform, adequate data protection level in the USA. However, the European Commission is unlikely to adopt an adequacy decision for the USA. An adequacy decision facilitates the transfer of personal data from the EU to a third country: the Commission recognises that the respective third country has an adequate level of data protection, thus classifying it as “safe”. For the USA, recognition of an adequate level of data protection will very likely fail because the envisaged ADPPA will have no influence on the far-reaching powers of US intelligence and other security agencies.
Easier data transfers between the EU and the USA can thus only be achieved through a bilateral agreement. After the Safe Harbour agreement and the Privacy Shield were declared invalid by the European Court of Justice because of the far-reaching powers of US security agencies, the EU and the USA are now working on the Trans-Atlantic Data Protection Framework (TADPF).