Senate Bill Would Create Federal Data Protection Agency

February 14, 2020 - Sen. Kristen Gillibrand, D-New York, recently unveiled her take on privacy legislation, which would establish a federal data protection agency (DPA) to give consumers more control over their data.

The bill bears hallmarks to a Congressional bill proposed in November by Reps. Anna Eshoo, D-California and Zoe Lofgren, D-California. The legislation also proposed establishing a federal data watchdog agency and create standard obligations for organizations to protect the data of individuals.

Gillibrand’s bill, The Data Protection Act, would create an independent federal agency focused solely on protecting consumer data, safeguarding privacy, and ensuring organizations are following fair and transparent privacy practices.

The DPA would have the authority to enforce data protection rules that would be created by Congress or the office itself. Further, Congress would equip the agency with enforcement tools, such as civil penalties, injunctive relief, and equitable remedies.

Further, the office would be tasked with promoting data privacy and protection across both public and private sectors, while developing and providing resources for organizations. Those tasks would include providing Privacy Enhancing Techniques (PETs) designed to minimize or eliminate the collection of personal data.

According to the legislation, the DPA director would be appointment by the president and confirmed by the Senate, serving a 5-year term. The director would have experience with technology, protection of personal data, civil rights, business, and law.

The agency would also be empowered with investigating, subpoenaing for testimony and documents, and issue civil investigative demands. It would also develop rules, issue orders, and provide guidance to carry out federal privacy laws. State agencies and attorneys general would be maintained.

DPA would also inform Congress on emerging privacy and technology issues, while enforcing statutes and rules around data protection.

The bill is meant to shore up gaps in a “growing data privacy crisis,” as increasingly more personal data is being amassed by private companies and often exploited at the expense of consumer privacy. The issue permeates into healthcare, as the majority health apps chosen by patients share data with outside third parties and most are not covered by HIPAA.

The Department of Health and Human Services’ planned released of interoperability and information blocking rules have continued to fuel the HIPAA privacy debate, as privacy leaders stress that it’s Congress that has the authority to create legislation to better protect patient privacy – not HHS.

What’s more, Gillebrand noted that the US is one of the only democracies and the only member of the Organization for Economic Co-operation and Development (OECD) without a federal data protection agency.

“Technology is connecting us in new significant ways, and our society must be equipped for both the challenges and opportunities of a transition to the digital age,” Gillibrand said in a statement. “As the data privacy crisis looms larger over the everyday lives of Americans, the government has a responsibility to step forward and give Americans meaningful protection over their data and how it’s being used.”

“Data has been called ‘the new oil,’” she added. “Companies are rushing to explore and refine it, ignoring regulations, putting profits above responsibility, and treating consumers as little more than dollar signs. Like the oil boom, little thought is being given to the long-term consequences.”

To Gillibrand, the US needs to improve its approach to privacy and data protection. The hope is that a DPA would accomplish this through resources and expertise to “meaningfully enforce data protection rules and digital rights.”

The proposed bill has already received support from the Electronic Privacy Information Center, Public Citizen, Consumer Federation of America, Color of Change, and the Center for Digital Democracy, among others.

“It’s no longer possible for individuals to protect themselves from intrusive online surveillance and manipulation,” Robert Weissman, president of Public Citizen, said in a statement. “The FTC’s response to even the most egregious privacy violations has been tepid, and so it is past time to invest in a new agency expert in how data is used and abused.”

“As corporations gobble up more and more data as part of their day-to-day operations, we need a watchdog on the beat to stop them from breaking the law, and to provide meaningful consequences when they do,” he added.