Respect for the privacy of personal data has become particularly important in the digital era. Companies and governments collect and process information about our daily activities, which makes it essential to have rules that adequately protect the privacy of citizens.
A step towards data protection in the United States.
Although the United States does not have a specific federal law on data protection, an important step was taken on April 7, 2024[1], Republican Congress Cathy McMorris Rodgers and Democratic Senator Maria Cantwell, both from the state of Washington, introduced a federal privacy bill called the American Privacy Rights Act (APRA).
This bill creates a comprehensive regulatory framework for the protection of personal data in the United States. It is a significant step forward towards greater privacy protection for U.S. citizens.
Key aspects of APRA and its relationship with Ecuador.
APRA[2] addresses various aspects contained in most of the laws on the subject, including that of Ecuador, among them:
- Data Minimization: Limits the collection of personal data to the minimum necessary for the intended purpose.
- Transparency in privacy policies: Requires companies and suppliers to provide clear and accessible information about their data collection, use, and disclosure practices.
- Rights management: Grants individuals the right to access, rectify, and delete their personal data. In addition, the right to opt out of receiving targeted advertising.
- Designation of a Privacy or Data Security Officer: Establishes the obligation to designate an officer responsible for data security, who must be qualified and have the experience to perform the position effectively.
APRA news.
The APRA federal bill incorporates aspects related to artificial intelligence (AI) and data. These include:
- Restricting the volume of data used in AI development: Applies the minimization principle to limit the amount of personal data used in the training and operation of AI systems.
- Concept of “covered algorithms”[3]: Defines “covered algorithms” as any computational process that decides or facilitates human decision-making using data. This definition covers a wide range of AI systems, from the simplest to the most complex.
- Obligations for entities using covered algorithms: Entities using covered algorithms will have multiple obligations, among which the most important are:
- Design evaluation: Evaluate the design of the algorithm to identify and reduce the risk of potential damage.
- Impact assessment: Evaluate the impact of the possible effects of the algorithm on individuals and society.
- Notice and opportunity to opt out: Provide the ability to opt out of the use of a covered algorithm if it is used to make “consequential decisions” (decisions that significantly affect an individual’s access to or enjoyment of essential goods or services).
Implications for Ecuador.
The enactment of APRA would have a significant impact in Ecuador, especially in the following aspects:
- Transborder data flow: It will facilitate the transfer of data between the United States and countries with equivalent data protection standards, such as Ecuador. This translates into:
- Simplification of processes: Administrative and legal burdens are reduced for companies transferring data between the two countries.
- Cost reduction: Costs associated with data transfer, such as implementing additional security measures, are minimized.
- International cooperation: It will allow international cooperation on data protection between the United States and other countries, including Ecuador. This will allow Ecuadorian authorities to:
- Safer information sharing: Collaborate on investigations and data protection cases involving U.S. companies.
In conclusion, once approved, the APRA bill will represent a significant advance towards data protection in the United States and will have clear impacts in other countries, including Ecuador, as expressed in previous paragraphs.
[1] https://energycommerce.house.gov/posts/committee-chairs-rodgers-cantwell-unveil-historic-draft-comprehensive-data-privacy-legislation
[2]https://d1dth6e84htgma.cloudfront.net/American_Privacy_Rights_Act_of_2024_Discussion_Draft_0ec8168a66.pdf
[3] https://www.whitecase.com/insight-alert/proposed-american-privacy-rights-act-seeks-establish-comprehensive-national-framework
Thalía Ordoñez
Associate at CorralRosales
tordonez@corralrosales.com