New Legislation in U.S. Proposes Federal Data Protection Agency, Broad Range of New Enforcement Actions

The United States lags behind much of the world in having yet to establish some sort of a data protection agency at the national level. Several attempts at federal data privacy standards have been floated in recent years, but failed to gather traction. Senator Kirsten Gillibrand is taking another pass at the issue, but is the first to propose creating a data protection agency at the federal level with sweeping enforcement powers similar to those of counterparts in the European Union.

About the proposed data protection agency

The Democratic senator from New York introduced the public to the bill in an article posted to Medium, characterizing the United States as being in a “data privacy crisis.”

The Data Protection Act would establish a new federal department called the Data Protection Agency. National data protection and privacy rules would be created by either this body or Congress, and the Data Protection Agency would enforce these rules. The bill calls for it to be an executive agency, with a director appointed by the president and confirmed by the Senate. The person appointed would serve for five years.

The core missions of the department would be to create and enforce data protection rules that give Americans greater control over their personal information, ensure fair competition within the digital marketplace, and advise Congress on emerging technology and privacy issues.

The bill would leave the drafting of any new rules up to the newly created agency, but does propose some guidelines. For example, the bill expressly mentions the prohibition of “pay for privacy” contracts or “take it or leave it” terms of service. The bill also mandates a formal rulemaking process before any new high-risk data practice or profiling technique is put into use.

Warren Poschman, Senior Solutions Architect at Comforte AG, pointed out that the bill also appears to leave exemptions for smaller businesses:

“In today’s data-driven economy, there is perhaps no greater reason for action at the federal level than data privacy. Although the bill as it stands today would seemingly apply only to medium and large businesses (either $25M+ in revenue or 50,000+ records), the key takeaway is that the U.S. Federal government cannot continue to hide behind the 10th Amendment by leaving data security and privacy to state and local governments.”

The Data Protection Act has been endorsed by a number of privacy and technology organizations including the Electronic Privacy Information Center (EPIC), the Consumer Federation of America, the Public Interest Research Group (US PIRG), and the advocacy group Public Citizen. The bill does not yet have any other sponsors in Congress, but it builds directly from a proposed bill from November of last year introduced by Reps. Anna Eshoo and Zoe Lofgren of California.

What enforcement might look like

Gillibrand’s letter to the public cites a number of enforcement scenarios that are addressed by privacy laws in other countries, such as the EU’s General Data Protection Regulation (GDPR): tracking of children for advertising purposes, the use of fitness apps to determine health insurance prices, or the targeting of low-income individuals for high-interest payday loans.

Gillibrand also cites massive data breaches (such as the 2017 Equifax incident), voice-activated AI assistants and senior citizen scams as privacy failures that require improved laws and enforcement measures to protect consumers.

The wording of the bill indicates that enforcement would be complaint-based, similar to the way that the GDPR is structured. Citizens could bring complaints not just about breaches of existing law, but of practices that might be considered deceptive or unfair.

Enforcement would be by way of fines and civil penalties, with a maximum possible fine of $1 million per day suggested. Injunctive relief would also be available, and the bill establishes a fund for those who have suffered damages as a result of data privacy breaches.

The wording of the bill, confirmed by follow-up reporting by TechCrunch, indicates that the data protection agency’s rules would not supersede state laws. So existing laws, such as California’s new Consumer Privacy Act, would appear to take precedence.

Is this act more likely to succeed than previous efforts?

Danny Allan, CTO of Veeam, encapsulates the desire for a federal data privacy standard:

“While California may have been the first state to adopt a consumer privacy law, it was likely that other states would begin to follow suit, especially as public awareness and demand for stronger data protection practices continues to grow. At a national level, when the CCPA went into effect in January, data privacy regulation in America became more complicated than ever before. If each state implements their own approach to data privacy, America could become a patchwork quilt of regulation, making it an extremely challenging place to do business. This challenge grows still further as organizations increasingly share customer data across teams, partners and third party contractors. We will eventually need a common set of rules, across all states, that would allow businesses to operate across state lines (and globally), similar to what U.S. organizations doing business in the EU are already following.”

Though there is broad interest in the idea, the US has struggled to create its own data protection agency for several reasons. One is that some prior bills were considered too weak and also included a clause that forced their terms to pre-empt any state laws. On the other side of the coin, federal laws that are too strong face significant pushback from Silicon Valley tech companies. The issue has also been complicated by the glut of different bills introduced in the last couple of years and by political haggling over which enforcement terms should stay and which should go.

The Federal Trade Commission is the main entity currently tasked with protecting data privacy. The agency is working from long-established laws that were not really written to address the digital age, however, and critics contend that even when the FTC is capable of stepping in it often does not. Aside from the Children’s Online Privacy Protection Act (COPPA), which is now two decades old, the FTC’s primary enforcement tool is the 1934 Federal Trade Act.

This issue of a federal data protection agency may end up sitting in a holding pattern until the 2020 national elections are settled. Unlike many current issues in United States politics, there has been strong and consistent bipartisan support for some sort of uniform national data privacy law. The tech industry does not have strong ties to any particular party, as some other industries do; it has been both at odds and in agreement with each at times. Republicans have shown opposition to some of the items included in Gillibrand’s bill, however.