HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Federal GDPR-Style Data Privacy Bill Introduced

Data privacy laws have been implemented at the state level, but currently there is no federal data privacy law covering all 50 states; however, that could soon change. On Wednesday December 12, 2018, a group of 15 U.S. senators, led by Brian Schatz, (D-Hawai’i), introduced the Data Care Act.

The Data Care Act would require all companies that collect personal data of users to take reasonable steps to ensure that information is safeguarded and protected from unauthorized access. Additionally, companies would be required to only use personal data for specific purposes and not in any way that could result in consumers coming to harm.

The bill was introduced almost 7 months after the E.U. introduced the General Data Protection Regulation (GDPR). While the Data Care Act does not go as far as GDPR, it does include several GDPR-like provisions.

As with GDPR, the bill places limits on the use, collection, and sharing of personal information and introduces new rights for individuals to allow them to access, correct, delete, and port their personal data.

The bill would also require companies to disclose the names of the persons or companies to whom users’ personal data have been sold to and individuals/companies that have been licensed to use personal data.

There are notable differences between GDPR and the Data Care Act. The latter does not include the right to restrict or object to the processing of personal information, there are no data breach notification requirements, a Data Protection Officer does not need to be appointed, and there is no requirement for risk assessments related to high-risk processing activities.

If passed, the Data Care Act will be enforced by the Federal Trade Commission which will be given the authority to issue financial penalties to companies that fail to comply. State attorneys general will also be authorized to bring civil actions against firms for noncompliance.

GDPR failures can attract a maximum penalty of €20 million or 4% of global annual turnover, whichever is greater. The maximum penalty for Data Care Act violations is $16,500 per covered person.

The bill is primarily concerned with currently unregulated online companies, ISPs and FCC common carriers, although it also has implications for regulated industries such as the financial services and healthcare.

Health data will be covered by the Data Care Act in three categories: Health data related to the provision of medical services related to the physical and mental health of an individual; Health data processed in relation to the provision of health and wellness services; and health data that is derived from medical tests, including genetic and biological samples. The FTC will have the authority to further define the types of information classed as health data.

Individuals will be given the right to dispute the completeness of their personal health information, although according to the bill, “[The Data Care Act] does not preempt laws that address the collection, use, or disclosure of health information covered by the Health Insurance Portability and Accountability Act or financial information covered by Gramm-Leach-Bliley Act.”

“People have a basic expectation that the personal information they provide to websites and apps is well-protected and won’t be used against them. Just as doctors and lawyers are expected to protect and responsibly use the personal data they hold, online companies should be required to do the same. Our bill will help make sure that when people give online companies their information, it won’t be exploited,” explained Senator Schatz.

“For too long, Americans’ digital privacy has been far from guaranteed, and it is time for Congress to pass legislation providing comprehensive protections for personal information,” wrote the Center for Democracy and Technology in a press release announcing the publication of a discussion draft of the bill.

In addition to Senator Schatz, the bill has been co-sponsored by Senators Maggie Hassan (D-N.H.), Michael Bennet (D-Colo.), Tammy Duckworth (D-Ill.), Amy Klobuchar (D-Minn.), Patty Murray (D-Wash.), Cory Booker (D-N.J.), Catherine Cortez Masto (D-Nev.), Martin Heinrich (D-N.M.), Ed Markey (D-Mass.), Sherrod Brown (D-Ohio), Tammy Baldwin (D-Wis.), Doug Jones (D-Ala.), Joe Manchin (D-W.Va.), and Dick Durbin (D-Ill.).

The discussion draft of the bill can be downloaded from the Center for Democracy and Technology on this link.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.