American legislators and stakeholders have reached the understanding that in today's economic and technological environment, certain gaps in legislation, especially in comparison with EU legislation (in particular the GDPR), must be bridged. In this regard, recent calls from the public, research institutions, private corporations and elected officials are being heard and, at least in some States, have led to new data protection and privacy legislation being enacted (for more information regarding the privacy legislation of certain States, see our special update here).

As part of this trend, Intel has released a private draft proposed bill ("the Bill") for a Federal US privacy law, and launched an online portal where members of the public can discuss their views and ideas and provide suggestions for the draft legislation. The Bill would override the privacy laws that have already been enacted in several US states.

Some of the key requirements introduced by Intel's Bill are:

  • Collection limitation: most uses of data will require a risk/benefit analysis that will restrict a company from using data in a way that may result in a risk for individuals. Individuals also should be able to provide explicit consent for the use of their data;
  • Purpose Specification: the purpose for which the personal data is processed shall be described clearly and specifically and no later than at the time of the collection;
  • Prohibited uses: the Bill prohibits the processing of personal data when the company knows, or has reason to know, that the processing of such data will likely violate State or Federal laws or regulation, or deny individuals their rights and privileges under the US Constitution;
  • Security safeguards: the Bill requires companies to adopt reasonable measures to protect personal data;
  • Openness: the Bill requires three types of policies in order to ensure the understanding by consumers: (i) an explicit notice when particularly sensitive data is being collected; (ii) a thorough report of the company's use of personal data, in order to enable regulators and advocates to understand the company's practices better; and (iii) a detailed privacy policy; and
  • Engagement with third parties: the company shall exercise appropriate due diligence of the third party's responsibilities relating to personal data. The Bill also requires a contract in such cases to ensure compliance with the Bill's requirements.

Under the Bill, the Federal Trade Commission ("FTC") and the US Attorney would respectively have civil and criminal enforcement authority. The Bill allows the FTC to impose fines on noncompliant entities up to $1 million in criminal fines or imprisonment of up to 10 years. As far as civil penalties are concerned, companies could be fined up to $1 billion for not complying.

We will continue to monitor related developments in the US and provide updates as this important trend continues to develop.
