Intel Releases Final Draft of Privacy Bill
Intel has released its third and final version of draft federal legislation called the Innovative and Ethical Data Use Act of 2019. The original version was released by Intel for comment in November 2018 and an updated version was published in January. The final draft was released on the one-year anniversary of the European Union’s General Data Protection Regulation (GDPR).
In a blog post published on the Intel website, Intel called for changes in the operation of the FTC, including the ability to conduct narrowly tailored rulemaking as well as authority to seek civil penalties for violations of privacy laws. Intel also urged the addition of more than 450 people to the Division of Privacy and Identity Protection within the Bureau of Consumer Protection. Finally, it called for concurrent jurisdiction for the state attorneys general so they can enforce federal privacy law when the FTC does not act.
The goal of the bill has been to spark debate and to reach a consensus on text for a new federal privacy law. It remains to be seen whether a member of Congress will back the bill and introduce it for consideration by the federal government. Several other companies and industry associations have also been involved in the process of developing privacy legislation.
The second draft of the bill made a few key changes after industry comments were received. Those changes included improvements to the carve-out in the covered entity definition for small and medium-sized enterprises. Intel also added a duty of care for businesses covered by the privacy bill. Other areas on which Intel was soliciting feedback at that time were the accountability provisions and the concept of preemption.
There were a few noteworthy changes in the third version, including additional guidance on the explicit consent requirement and additional power to litigate given to the Federal Trade Commission.
Here are the highlights of the final version of Intel’s privacy bill:
– Transparency: It prohibits processing of personal data that is not clearly and specifically described in the privacy notice. The covered entity must provide explicit notice prior to the collection of personal data to be used in a number of ways, including geolocation and facial recognition.
– Lawful Basis: It requires either that the processing does not pose an unreasonable amount of privacy risk, or that the company captures explicit consent from the individual.
– Automated Processing: The company must conduct an assessment about the privacy risk and take all reasonable steps to mitigate the privacy risk.
– Security: Covered entities must develop, document, implement and maintain a comprehensive data security program. The safeguards must be appropriate to the size and complexity of the covered entity, the nature of its activities, and the personal data processed.
– Accountability: It requires, among other things, the appointment of a data privacy leader, the allocation of reasonable resources to the privacy program, the publication of written policies and procedures, and a training program for data protection.
– Vendor Management: It requires due diligence in the selection of a third party to process personal data on its behalf, contractual requirements, and an annual assessment process of the vendor’s measures to comply with the privacy law.
– Third-Party Data Sharing: The draft bill treats the recipient of personal data similar to a vendor, requiring appropriate due diligence, contractual restrictions, and the implementation of an annual assessment process.
– Safe Harbor: A covered entity would not be subject to civil penalties if an officer of the entity certifies that they conducted a review of the privacy program and there was no material non-compliance revealed.
– Enforcement: It provides for civil enforcement by the FTC, criminal enforcement by the Attorney General, and supplemental civil actions by State attorneys general. The FTC would be given additional resources. The civil penalty would have a cap of $1 billion and the criminal penalty for false certifications provides for up to 10 years imprisonment and a $1 million fine.
– Preemption: It preempts state and local laws focused on reducing privacy risk by regulating personal data collection and processing. It does not preempt consumer protection laws (except to the extent they regulate privacy) or data breach laws.
– Small Business Carve-out: It excludes businesses with fewer than 25 employees that possess the personal data of fewer than 50,000 individuals and make less than half of their annual revenue from personal data sales.