Senator proposes new digital privacy agency with sweeping powers
Senator Kirsten Gillibrand (D-NY) recently issued an initial 41-page “discussion draft” of proposed legislation, the Data Protection Act of 2020, which she has since formally introduced as S. 3300. If passed, the bill would create a federal Data Protection Agency.
Among other things, this new federal agency would have the authority to oversee and regulate the large-scale profiling of individuals and the processing of biometric data to uniquely identify an individual.
Referred to the Senate Committee on Commerce, Science, and Transportation, the bill so far has no co-sponsors.
“Lawlessness in the data privacy space can give rise to new, unexpected forms of injustice,” Gillibrand stated, emphasizing that “The United States must make an effort to take the lead and do something about data protection.”
Gillibrand says the Data Protection Act “would address this head-on” by “establish[ing] an independent federal agency … that would serve as a ‘referee’ to define, arbitrate, and enforce rules to defend the protection of our personal data.”
“Senator Gillibrand has put forward a bold, ambitious proposal to safeguard the privacy of Americans,” said Electronic Privacy Information Center (EPIC) Policy Director Caitriona Fitzgerald, saying “The U.S. confronts a privacy crisis. Our personal data is under assault. Congress must establish a data protection agency.”
“Businesses’ inconsistent approach towards compliance with the California Consumer Protection Act proves that enforcement of privacy regulations is critical,” added EPIC Associate Director and former President of Californians for Consumer Privacy Mary Stone Ross. “Thankfully, Senator Gillibrand’s Data Protection Act puts enforcement first.”
The Data Protection Agency would have three core missions.
First, it would give Americans control over, and protection of, their own data by enforcing data protection rules. The agency would enforce privacy statutes and data protection rules, whether enacted by Congress or issued by the agency itself, using a broad range of tools including civil penalties, injunctive relief, and equitable remedies. The agency would also take complaints, conduct investigations, and inform the public on data protection matters.
“So, if it seems like a company is doing bad things with your data, the Data Protection Agency would have the authority to launch an investigation and share findings,” Gillibrand explained.
Second, the new agency would work to maintain the most innovative, successful tech sector in the world and ensure fair competition within the digital marketplace. It would do so by promoting data protection and privacy innovation across sectors; by developing and providing resources such as Privacy Enhancing Technologies (PETs) that minimize or even eliminate the collection of personal data; and by ensuring equal access to privacy protection, including protection against “pay-for-privacy” or “take-it-or-leave-it” provisions in service contracts, “because privacy, including online privacy, is a right that should be enforced,” she stated.
Finally, the Data Protection Agency would “prepare the American government for the digital age by advising Congress on emerging privacy and technology issues, like deepfakes and encryption.” It would also represent the United States at international forums regarding data privacy and inform future treaty agreements regarding data.
“The United States is vastly behind other countries on this,” according to Gillibrand, who pointed out that “virtually every other advanced economy has established an independent agency to address data protection challenges and many other challenges of the digital age.”
Gillibrand called the targeting of personal data “a national crisis” and compared the creation of a new agency in response to the creation of the Department of Homeland Security after the attacks of September 11, 2001.
“Kids across the country commonly use platforms like YouTube, Instagram, and TikTok,” she wrote on her Medium page, but “these companies can monitor their activity, see what types of content they choose to watch and which pages they choose to visit. But we don’t know what these companies are doing with that information. Are they allowed to share my teenage son Theo’s data from his Instagram page with advertisers? What are the limits on how and why they collect his information? And if Henry decided to download a new app to his phone, or worse my phone, would that app company then have backdoor access to all of the phone’s data?”
Gillibrand gives examples of a fitness app that monitors users’ heart rates selling data to a health insurance company, or a tech company determining credit scores and serving ads for predatory lenders.
From a national security frame of reference, she noted that “as we stare down the barrel of threats from foreign adversaries trying to target personal data in consumer households, businesses, and government agencies, the data privacy space remains a complete and total Wild West. And that is a huge problem.”
“As opposed to the Online Privacy Act, a bill introduced by Representatives Anna Eshoo (D-CA) and Zoe Lofgren (D-CA) that also would create a new privacy agency, Sen. Gillibrand’s bill would not create a new omnibus federal privacy law. Instead, it is focused on the creation of the Data Protection Agency and its rulemaking authority. However, various aspects of the new agency’s authority provide valuable insights into what privacy regulation at the federal level might look like under the bill,” wrote Jadzia Pierce and Frank Broomell of Covington & Burling LLP for Inside Privacy. Pierce specializes in privacy, cybersecurity, and consumer protection issues, including privacy and cybersecurity compliance obligations, cybersecurity incident preparedness and response, and defending against regulatory inquiries and class-action litigation. Broomell specializes in data privacy, cybersecurity, and litigation, and served as a Marine Corps intelligence officer.
“For example, one of the most notable aspects of the proposed agency is its involvement in overseeing ‘high-risk data practices.’ ‘High-risk data practices’ include ‘systematic or extensive evaluation[s] of personal data that [are] based on automated processing … on which decisions are based that produce legal effects concerning [an] individual or household;’ ‘any processing of biometric data for the purpose of uniquely identifying an individual;’ and ‘processing the personal data of an individual that has not been obtained directly from the individual,’” Broomell and Pierce wrote.
“It also includes ‘sensitive data uses,’ which are defined to include ‘the processing of data in a manner that reveals’ personal data such as an individual’s race, religion, sexuality, or familial status, as well as uses of biometric or genetic data of an individual,” they continued, noting that the “definition of ‘personal data’ is very similar to the definition of ‘personal information’ under the California Consumer Privacy Act, with a few key divergences (for example, Senator Gillibrand’s definition applies to particular individuals or devices, but not to households).”
Gillibrand’s proposed bill defines a “high-risk data practice” by a covered entity as an activity that involves:
• A systematic or extensive evaluation of personal data that is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual or household or similarly significantly affect the individual or household;
• Sensitive data uses;
• Systematic monitoring of publicly accessible data on a large scale;
• Processing involving the use of new technologies, or combinations of technologies, that creates adverse consequences or potential adverse consequences to an individual or society;
• Decisions about an individual’s access to a product, service, opportunity, or benefit which is based to any extent on automated processing;
• Any profiling of individuals on a large scale;
• Any processing of biometric data for the purpose of uniquely identifying an individual;
• Any processing of genetic data, other than data processed by a health care professional to provide health care to the individual;
• Combining, comparing, or matching personal data obtained from multiple sources;
• Processing the personal data of an individual that has not been obtained directly from the individual;
• Processing which involves tracking an individual’s geolocation; and
• The use of personal data of children or other vulnerable individuals for marketing purposes, profiling, or automated processing.
In their analysis, Broomell and Pierce said the new agency would be tasked with “ensuring that privacy practices are ‘fair, just, and comply with fair information practices,’” with developing model privacy and data protection standards and guidelines, with supervising “very large” covered entities (including by requiring periodic reports and conducting examinations to assess compliance with federal privacy law), and with “prohibiting ‘unfair or deceptive acts or practices’ for all covered entities. The bill grants the agency rulemaking authority for identifying practices which would be deemed ‘unfair’ or ‘deceptive.’”
Also, the Data Protection Agency “would have the authority to coordinate with appropriate federal regulatory agencies to establish procedures for providing timely responses to consumer complaints concerning covered entities. Relatedly, the agency would have significant enforcement authorities, including the ability to conduct joint investigations with subpoena authority, seek equitable and legal remedies, rescind or reform contracts, and pursue civil penalties.”
Gillibrand’s proposal would allow state attorneys general to bring civil suits in their own states to enforce the bill or the agency’s rules, and it would preempt only those state privacy laws that are inconsistent with the federal law.