The Commerce and Energy Committee has voted to send the American Data Privacy and Protection Act (ADPPA) to the House, but not without some changes.

For the changes in the AINS (Amendment in the Nature of a Substitute), see my previous post.

But below are the key changes involved in the additional amendments that were passed.

  • Specific duty to identify and mitigate privacy risks related to covered minors to result in reasonably necessary and proportionate residual risk to covered minors (Castor and Walberg).
  • FTC to consults with NIST in connection with establishing processes for practices and procedures to secure covered data against unauthorized access (McNerney and Curtis).
  • Narrowing the obligation for the appointment of a privacy and data security office to entities or service provider that have more than 15 employees (Carter and Craig).

Service providers: (Hudson and O’Halleran)

  • Required to “adhere to the instructions of covered entity.”
  • The section clarifies how service providers are to assist covered entities in fulfilling consumer requests, namely by (1) providing appropriate technical and organizational measures while taking into the account the nature of the processing (Hello GDPR Art 28 language), (2) complying with the request per covered entity’s instructions or (3) providing written verification to the covered entity that the service provider doesn’t hold covered data related to the request.
  • Service provider agreement needs to require that downstream service providers (like GDPR sub-processors) also be treated as a service provider.
  • Pursuant to covered entity’s request, service providers must provide the covered entity with the information necessary for the covered entity to conduct a DPIA (Hi again, GDPR Art 28/35).
  • Service provider must allow and cooperate with reasonable assessments by the covered entity or the covered entity’ s designated assessor OR arrange for a qualified and independent assessor to conduct an assessment of the service provider’s policies and technical and organizational measures using an appropriate and accepted control standard or framework and assessment procedure for such assessments and provide a report to the covered entity upon request.
  • Service provider is not allowed to combine service provider data with data it receives from or on behalf of another person from its interaction with an individual unless it is necessary to effectuate a permissible purpose and otherwise permitted by the covered entity-service provider contract.
  • A person that is not limited in its processing of covered data pursuant to the instructions of a covered entity, or that fails to adhere to such instructions, is a covered entity and not a service provider with respect to a specific processing of covered data. If a service provider begins, alone or jointly with others, determining the purposes and means of the processing of covered data, it is a covered entity and not a service provider with respect to the processing of such data (Hello GDPR purpose and means controller processor analysis).
  • Service providers can also be service providers of government entities.