U.S. National Privacy Legislation Introduced: The SAFE DATA Act

Written by: Richard Sheinis, Esq.

Sen. Roger Wicker, R-Miss., has introduced yet another national privacy bill, known as The SAFE DATA Act. The full name of the bill is the “Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act.” (As usual, I think legislators select an acronym they like, and then think of a name for the Act that will support the acronym.) The SAFE DATA Act combines elements of previously introduced privacy legislation to put forth a single, more robust and comprehensive privacy bill.

The main components of the SAFE DATA Act include the following:

  • INDIVIDUAL CONSUMER DATA RIGHTS – These are the usual data rights we have become accustomed to seeing in legislation such as GDPR and CCPA. They provide consumers with greater individual control over their personal data, and require transparency as to the use of data, while minimizing data collection, processing and retention.
  • DATA TRANSPARENCY, INTEGRITY AND SECURITY – This section is more forward-looking than previous privacy legislation. It requires transparency regarding algorithms used to process data, data security requirements, and something called “filter bubble transparency.” Filter bubble transparency involves providing notice about the algorithm used to make inferences about a consumer based on user-specific data to select the content the user sees.
  • CORPORATE ACCOUNTABILITY – Companies are required to designate a data privacy officer and a data security officer, as well as establish internal controls and whistle-blower protections.
  • ENFORCEMENT AUTHORITY – The SAFE DATA Act is enforced by the Federal Trade Commission but can also be enforced by state Attorneys General. Although there is no provision for a private right of action, state Attorneys General may bring a civil action to obtain damages, civil penalties, restitution and other compensation on behalf of residents of the state. Importantly, the SAFE DATA Act preempts any state law or regulation related to data privacy or data security and associated activities of covered businesses.

Points of contention between Republicans and Democrats are the same as we see in almost all proposed federal privacy legislation, that is, the lack of a private right of action and preemption of state privacy law.  The looming question, now that the SAFE DATA Act has been added to the list of proposed federal privacy legislation, is when will Congress ever act on any of the proposed legislation?