Civil rights and privacy advocates are incensed that protections against data-driven discrimination and bias in artificial intelligence have been stripped from the most recent draft of federal comprehensive data privacy legislation.
The latest version of the American Privacy Rights Act (APRA) became public late Thursday with several significant changes, including most notably the deletion of two sections of the bill covering civil rights protections and algorithmic bias guardrails.
The revised bill, first published by Punchbowl News, will be debated in a House Energy and Commerce Committee markup reportedly scheduled for Thursday. Committee Chair Cathy McMorris Rodgers (R-WA) and her Senate counterpart, Maria Cantwell (D-WA) unveiled the first draft of the bill in April.
While advocates have focused much of their ire on the new draft’s exclusion of civil rights and algorithmic bias protections, they are also separately concerned that the latest legislative text does not give adequate privacy protections to data collected on individuals’ personal devices.
“As written, there are very few protections for that data, which would allow companies to engage in all kinds of privacy-intrusive practices because data minimization, opt outs, transparency and other provisions would not apply to data processed on a device,” Eric Null, co-director of the Privacy & Data Project at the Center for Democracy and Technology, told Recorded Future News.
The new language means the bill’s protections would not apply when the data that a company collects or processes is pulled directly from a personal device rather than a company’s servers, Null said.
In foregoing protections for data on personal devices, Congress has created what the advocacy group the Lawyers Committee for Civil Rights Under Law calls a “massive loophole.“
This loophole will only grow bigger as AI and computing become “more powerful, allowing more processing to occur on a device,” they said in a blistering critique published Monday.
It will also make the federal legislation weaker than the state data privacy laws it would preempt, they said.
Civil rights protections stripped
The removal of the civil rights and algorithmic bias sections of the bill, which had accounted for 13 of the overall 174 pages of legislative text in the prior draft, is “incredibly frustrating and will make it nearly impossible for civil society to support the bill,” Null said.
The original draft required that service providers and others covered by the law not “collect, process, retain, or transfer covered data in a manner that discriminates in or otherwise makes unavailable the equal enjoyment of goods or services on the basis of race, color, religion, national origin, sex or disability.”
It also required large data holders using algorithms to make a “consequential decision” about individuals to obtain “impact assessments” from independent third parties to ensure their practices were not discriminatory.
A provision requiring individuals be given the opportunity to opt- out of having algorithms make consequential decisions about them also has been struck from the new draft.
Null said the deletion of that language makes the latest APRA draft a “significant step backward.”
The deleted language was included in APRA’s predecessor bill, the American Data Privacy and Protection Act, and has been a “top priority for civil society for years,” Null said.
“Using data, or creating algorithms, that discriminate based on protected characteristics is one of the most abhorrent things companies do with data,” Null said.
“Without those protections in the bill, other limits on data practices will not be as effective and the bill will not address one of the most significant privacy harms of our time.”
Other privacy advocates seconded Null’s arguments.
“The new draft strips out anti-discrimination protections, AI impact assessment requirements, and the ability to opt-out of AI decision-making for major economic opportunities like housing and credit,” the Lawyers Committee said, noting the organization is now recommending its supporters vote against APRA.
Its statement said the organization cannot support legislation that is a “form of ‘Jim Code’: ‘the employment of new technologies that reflect and reproduce existing inequities.’”
A third prominent digital privacy and civil rights advocacy group also came out swinging on Monday, saying in a statement that “civil rights protections are a critical piece of meaningful privacy legislation.”
“When companies use our personal data to make decisions about us, they should not be allowed to do so in ways that discriminate,” Caitriona Fitzgerald, deputy director at the Electronic Privacy Information Center, said in a statement..
She included a call to members of Congress to “reinstate the civil rights provisions in APRA.”
Political tradecraft
The latest version of APRA appears to have gained the support of House Energy and Commerce ranking member Frank Pallone (D-NJ), who had not clearly backed prior versions, according to Joe Jones, director of research and insights for the International Association of Privacy Professionals.
Jones told Recorded Future News it is likely the removal of the civil rights and algorithmic bias protections are the result of behind the scenes “horse trading” in Congress.
“It’s important to think of the politics that is going on here,” Jones said. “A lot of these legislative initiatives can turn into Christmas trees where you add on lots of things that are related or tangential or it becomes a sort of wish list for everything at the same time.”
There is a growing consensus that both federal privacy legislation and more AI legal safeguards are needed, Jones said, but “the extent to which those things are coupled is up for debate.”
“You can sometimes derail or delay progress when you add too much to it,” he said.
Jones said he expects that even if the deleted language disappears from APRA permanently it will turn up in other legislation down the road given the “very vibrant AI law and policy discussion happening right now on the Hill and elsewhere.”
APRA has been dogged by controversy, particularly over how it could preempt many state data privacy laws. Last month, attorneys general from 15 states called on congressional leaders to ensure federal legislation does not preempt 19 enacted comprehensive data privacy laws at the state level.
Earlier this month, a coalition of business associations and big tech advocacy groups responded, calling for a “uniform national privacy standard.”
In a letter to McMorris Rodgers, they said “without full preemption of state laws, APRA will add to the privacy patchwork, create confusion for consumers, and hinder economic growth.”
