Analysis Introduced in April, the American Privacy Rights Act (APRA) was - in the words of its drafters - "the best opportunity we’ve had in decades to establish a national data privacy and security standard that gives people the right to control their personal information."

That opportunity may have been squandered thanks to legislative changes last week that, advocacy groups claim, diluted the privacy rules fatally. The Lawyers' Committee for Civil Rights Under Law (LCCRUL) on Monday advised lawmakers to vote against APRA because the latest draft contains privacy loopholes and omits previously included civil rights protections.

"Civil rights guardrails are essential for consumer trust in a system that allows companies to collect and use personal data without consent," the legal group said in a statement. "The new draft strips out anti-discrimination protections, AI impact assessment requirements, and the ability to opt-out of AI decision-making for major economic opportunities like housing and credit."

According to LCCRUL, the latest APRA revision fails to cover personal data collected and used on-device. "Tech companies would be able to do almost anything they want with data that stays on a personal device - no data minimization rules, no protections for kids, no advertising limits, no transparency requirements, no civil rights safeguards, and no right to sue for injured consumers," the group said, adding that APRA has become weaker than the state laws it would preempt.

LCCRUL argues that as AI software becomes more powerful and runs on people's devices, this loophole will only grow. Indeed, both Apple and Google have been touting on-device AI applications.

It was all going so well

When first proposed in April by US House Rep Cathy McMorris Rodgers (R-WA) and US Senator Maria Cantwell (D-WA), the APRA was sold as a way to give all Americans meaningful data privacy protections, something many have sought for decades. The legislation was endorsed by the Center for Democracy and Technology [PDF], The Washington Post, and Microsoft, among others.

As described [PDF] by the Congressional Research Service, the APRA would establish rights for those who have their data collected and obligations for those collecting it.

Individuals would gain the right to access, amend, delete, and export their data from covered entities. Affected organizations would have to abide by data minimization requirements, by consent and opt-out signals, by data security standards, and prohibitions on discriminatory practices and manipulative interface elements, among other things.

But even the initial version met resistance. Ashkan Soltani, executive director of the California Privacy Protection Agency, wrote [PDF] to congressional lawmakers in April to express concern that APRA would weaken privacy protections available to Californians and slacken data-broker obligations.

The Electronic Frontier Foundation (EFF) at the time also demanded more of the bill, echoing Soltani's demand that federal legislation should set a floor for privacy - a minimum standard on which further rules can be built, rather than a ceiling limiting more expansive state rules.

A "floor" incidentally is what the US Chamber of Commerce, a business advocacy group, fears. The lobbying organization in April said it wanted to avoid the creation of "a federal floor" that might "encourage states to pass more restrictive privacy laws."

The APRA was revised [PDF] on May 21, and again on Friday, but evidently not for the better, at least that's now rights advocates see it.

Claudia Ruiz, senior policy analyst for civil rights at UnidosUS, a nonprofit advocacy group focused on the Hispanic community, urged Congress to delay further action until the civil rights provisions are restored.

"Moving forward without baseline civil rights protections would create blind spots and permit discriminatory data practices to remain undetected and unchallenged," said Ruiz.

"The EFF could not support the draft bill in the beginning because of its preemption of stronger state laws and its relatively weak private right of action. The removal of civil rights protections makes it even weaker," F. Mario Trujillo, staff attorney at EFF, told The Register.

Evan Greer, director of Fight for the Future, offered a similarly unenthusiastic assessment of the privacy bill.

"This was the one comprehensive privacy bill that had a real chance of passing and now Congress has effectively gutted it as part of a backroom deal to appease right wing extremists," Greer opined to The Register.

"APRA was already a compromise bill that should have been strengthened. By removing crucial civil rights language, lawmakers have turned it into a bill that effectively endorses privacy violations and discriminatory uses of personal data. Americans should be outraged. Congressional inaction on privacy is unacceptable. Congress making things even worse is unforgivable." ®

https://www.theregister.com//2024/06/25/american_privacy_rights_actsa/