New Law Would Create a Federal Data Protection Agency
Earlier this month, U.S. Senator Kirsten Gillibrand submitted a bill called the Data Protection Act of 2021 that would seek to protect citizens’ data, safeguard their privacy, and ensure data practices are fair and transparent. Among the bill’s various provisions is the creation of a new federal office that would be called the Data Protection Agency.
Gillibrand first submitted her Data Protection Act in February 2020, just before the COVID-19 pandemic began. The bill was aimed at protecting individuals’ privacy and limiting the collection and use of “personal data” by “covered entities.”
In many ways, her 2020 bill mirrored the terms and scope of the California Consumer Privacy Act (CCPA), with the exception of the creation of the DPA. The new agency, which would be led by a director appointed by the President and confirmed by the Senate for five-year terms, would have rulemaking authority to administer and enforce the new national data law, as well as existing federal privacy laws.
The DPA would have a mandate to regulate the use of data at specific companies that meet certain qualifications, including: those with $25 million in gross revenues; companies that derive 50% or more of their annual revenues from the sale of personal data; or those that work with the information of 50,000 or more individuals, households, or devices. In this manner, it is much like the CCPA.
Senator Gillibrand’s 2020 bill died in committee, but she resurrected it on June 17. It’s largely the same, save for several provisions giving the DPA the authority to review mergers of big data companies and those involving a large data aggregator. She also added provisions to strengthen protection against privacy harms, to oversee the use of “high-risk data practices,” and also to examine the social, ethical, and economic impacts of data collection.
The DPA would have three core missions, including:
- Work to protect Americans’ data, enforce data protection rules and civil rights online, and protect individuals from data discrimination;
- Work to maintain the most innovative, successful tech sector in the world and ensure fair competition within the digital marketplace;
- Prepare American government for the digital age.
The Senator says the new law is necessary to “modernize the way we handle technology” and to stamp out abusive data practices.
“In today’s digital age, Big Tech companies are free to sell individuals’ data to the highest bidder without fear of real consequences, posing a severe threat to modern-day privacy and civil rights,” she stated in a press release. “The new and improved DPA of 2021 takes on even bigger and bolder reforms, including provisions to help the DPA address Big Tech mergers, penalize high-risk data practices, and establish a DPA Office of Civil Rights.”
The United States is one of the only democracies in the world that does not have a national data protection law, Senator Gillibrand points out. The new law and the new agency will address a “growing data privacy crisis” in America, her office says.
“Massive amounts of personal information—public profiles, health data, photos, past purchases, locations, search histories, and much more—is being collected, processed, and in some cases, exploited by private companies and foreign adversaries,” Gillibrand’s press release states. “In some instances, the data was not given willingly, and in many others, consumers had little idea what they were signing up for. As a result, the data of everyday Americans is being parsed, split, and sold to the highest bidder, and there is little anyone–including the federal government–can do about it. Not only have these tech companies built major empires and made billions of dollars from selling Americans’ data, but they spend millions of dollars per year opposing new regulations.”
Haniyeh Mahmoudian, the global AI ethicist at machine learning and AI platform provider DataRobot, applauded Senator Gillibrand’s bill, but with caveats.
“In recent years, the cause of responsible AI has become ever more prominent. Based on a realization that customers’ trust is crucial to their business success, companies and organizations across all industries are seeking to implement ethical frameworks to ensure the integrity of their data and AI-driven operations,” Mahmoudian says.
“However, overly strict regulations can significantly limit companies’ ability to serve their customers through the use of AI,” she warned. “They can disproportionately harm small businesses. The Data Protection Act devised by Senator Gillibrand promises to enforce data protection and data privacy while ensuring the continuous success of the tech sector in finding innovative solutions to serve the needs of its customers. By providing frameworks and standards for data protection and data privacy, it makes it easier for businesses, especially small businesses, to become responsible and compliant AI creators and protectors of their customers’ data.”
Dave Sikora, the CEO of ALTR, a provider of cloud data management solutions, applauded the new bill, calling it “an essential step to safeguard our sensitive information amid today’s onslaught of privacy and security threats.”
“Creating an agency that is the control center for data privacy, defense, and compliance gives both the government and the tech industry an opportunity to put data as close to the consumer as possible, without leaving it vulnerable,” Sikora tells Datanami. “We should all be empowered to own and knowingly share our data, and an agency with the authority to enact data privacy and security protections will be an excellent partner in helping businesses to shape a future where sensitive data is a protected asset, not a liability.”
The proposed law would take a very wide definition of “high risk data practice,” according to the Fox Rothschild law firm. The definition would include any automated decision making; financial status (income); citizenship; health or mental health; systematic processing of publicly accessible data on a large scale; processing involving the use of new technologies; decisions about an individual’s access to a service; profiling on a large scale; processing biometric information for the purpose of identifying, combining, comparing, or matching personal data; obtaining data from multiple sources; processing precise geolocation; and consumer scoring regarding employment and compensation.
Penalties of up to $1 million per day could be levied by the DPA for violations of the new law, and it could also take remedies such as the “disgorgement of revenues, data or technologies,” Rothschild says.
Several states have passed data protection laws, including California, Maine, and Nevada, and several more have laws pending, including New York, Virginia, Arizona, Nebraska, Florida, South Carolina, Indiana, Minnesota, and Wisconsin. Gillibrand’s law would apply across the entire country, and would supersede state laws with weaker data protection.