Data Protection Act of 2021 Would Create US Data Protection Agency
The proposed legislation would create an agency to enforce data protection rules and oversee high-risk data practices.
One way or another, forward thinking, privacy-minded politicians are hoping to lay the groundwork this year for a comprehensive federal privacy law in the United States.
One thing that could help pave the way towards a law would be an independent federal agency in charge of regulating personal data collection – just one of the goals of recently reintroduced legislation in the Senate, the Data Protection Act of 2021.
While there's been no shortage of bills introduced lately geared towards creating a federal standard for consumer data privacy, the 2021 DPA, first introduced in 2020, then reintroduced this month by Senator Kirsten Gillibrand, seems more focused on how to best equip an agency to keep companies in line.
“In today’s digital age, Big Tech companies are free to sell individuals’ data to the highest bidder without fear of real consequences, posing a severe threat to modern-day privacy and civil rights. A data privacy crisis is looming over the everyday lives of Americans and we need to hold these bad actors accountable,” Gillibrand said earlier this month.
Gillibrand’s legislation would create an agency similar to the Consumer Financial Protection Bureau to enforce data protection rules, created either by the agency or Congress, ensure that data practices are fair and transparent, and promote data protection and privacy innovation.
As the Senator points out, this is one area that the US has really lagged in. The Organization for Economic Cooperation and Development, a group of countries that works to build policies, has 38 different countries including Germany, France, Italy, the United Kingdom and more as members; the US is the only one that doesn’t have a DPA. It’s also one of the only democracies, worldwide, without a federal data protection agency.
One of the groups duties would include supervising and policing data aggregators and working with the Federal Trade Commission if any of these aggregators were to merge or transfer data on more than 50,000 individuals. The bill is also designed to crack down on aggregators who engage in nefarious activities with their vast reserves of data, anything unfair, deceptive, or abusive, or attempting to re-identify individuals, households, or devices from anonymized data.
In doing so, the unit, an executive agency known as the Data Protection Agency, would have a range of tools at its disposal, including the ability to levy civil penalties, injunctive relief, and equitable remedies.
The FTC currently enforces federal privacy laws but it’s been made clear, especially over the last year, that it doesn’t have enough resources to do so properly. In a report responding to a Senate Appropriations Committee Report in 2020, the FTC said it had 40-45 employees working in its Privacy and Identity Protection division, far fewer than the 700 employees that the UK’s Information Commissioner’s office has and the 180 employees that the Irish Data Protection Commissioner has.
According to Gillibrand, the DPA would have three missions:
- Give Americans control and protection over their own data by authorizing the DPA to create and enforce data protection rules.
- Maintain the most innovative, successful tech sector in the world by ensuring fair competition within the digital marketplace.
- Prepare the government for the digital age.
As an example of what the DPA will be able to do, Gillibrand cites a company like Tinder. If Tinder is believed to be doing something with its users data, Gillibrand says the DPA will be able to launch and carry out an investigation, then issue penalties if need be.
From the sounds of it, the agency will have some heavy lifting to do when it comes to overseeing what it deems high-risk data practices. According to Gillibrand, the agency will take on almost a think tank role by examining “the social, ethical, and economic impacts of data collection.” This will involve a great deal of research and analysis around how algorithms impact discrimination, development of data protection standards, and how data collection processes can often negatively impact people of color and disadvantaged communities.
Another component of the DPA would be an Office of Civil Rights, an office Gillibrand says will be tasked with advancing data justice and protecting individuals from discrimination.
While it remains to be seen how far the retooled version of the bill will go - 2020's was introduced and referred to the Senate's Committee on Commerce, Science, and Transportation in February 2020 but didn't go anywhere - the 2021 version has scored some early support from the Electronic Privacy Information Center (EPIC), the Center for Digital Democracy, along with Representatives Anna Eshoo (CA-18) and Zoe Lofgren (CA-19). The last two have been banging the data privacy drum for some time, introducing online privacy legislation geared towards limiting the use, collection, and sharing of personal information in 2019. That legislation also called for the creation of a digital privacy agency with upwards of 1,600 employees to enforce privacy rights.
The Definitive Guide to DLP
- The seven trends that have made DLP hot again
- How to determine the right approach for your organization
- Making the business case to executives
The Definitive Guide to Data Classification
- Why Data Classification is Foundational
- How to Classify Your Data
- Selling Data Classification to the Business