Proposed bill would create a new federal agency to protect consumer data

In mid-June, Senator Kirsten Gillibrand (D-NY) reintroduced a new version of her bill, the Data Protection Act of 2021, that would create a new independent, executive-level government agency, the Data Protection Agency (DPA). The DPA would “protect Americans’ data, safeguard their privacy, and ensure data practices are fair and transparent.”

Under the bill, the DPA would have the authority and resources to enforce any data protection rules created by Congress or the agency itself, backed by a range of enforcement tools, including civil penalties, injunctive relief, and equitable remedies. In addition to creating privacy rules and enforcing federal-level rules, the DPA would reach out to organizations to promote data protection and encourage the adoption of model privacy and data protection standards, guidelines and policies.

The new bill, which features substantial changes to Gillibrand’s original 2020 legislation, spells out DPA’s three core missions:

1. Authorize DPA to create and enforce data protection rules to give Americans more control and protection over their data by regulating high-risk data practices and personal data collection.
2. Foster innovation by ensuring fair competition within the digital marketplace by having DPA’s research unit analyze and report on data protection and privacy innovation across sectors. The research unit would also develop the model privacy and data protection templates.
3. Prepare the American government for the digital age by advising Congress on emerging privacy and tech issues while coordinating with Federal agencies and State regulators to promote consistent regulatory treatment of personal data.

Defining high-risk data, privacy harm

When it comes to high-risk data practices, the legislation encompasses an extensive range of practices. According to the bill’s text, high-risk data practices include everything from using an automated decision system to profiling individuals on a large scale.

The bill’s definition of what constitutes privacy harm is likewise wide-ranging. According to the draft language, privacy harm means an adverse consequence to any person’s financial, physical, and even psychological well-being. It can also mean an adverse outcome involving an individual’s ability to enjoy housing, education, professional, employment, healthcare or other rights. The bill goes so far as to cite damages to free speech or information technology use as privacy harms.

Funding DPA

The bill proposes the DPA fund its existence by assessing fees and charges (determined by the DPA’s director) to large data collectors of all stripes, not just data brokers, defined as aggregators that have annual gross revenues of more than $25 million or aggregators that collect, use, or share the personal data of 50,000 or more individuals, households, or devices. The DPA would also publish a publicly accessible list of data aggregators that collect, process, or share more than 10,000 persons’ or households’ data, along with the permissible purposes for which the data aggregators purport to collect personal data.

The bill also spells out remedies that a court could issue for organizations that violate the statute, including hefty fines that range from $5,000 to $1 million per day. However, “exemplary or punitive damages” are prohibited. It further imposes a fine of $1 million per day for any person who re-identifies or tries to re-identify anonymized data unless they do so for testing purposes.

Merger reviews

One consequential provision of the bill would give the new agency some level of antitrust merger review authority. Right now, only the Federal Trade Commission (FTC) and the Department of Justice (DOJ) have unambiguous antitrust merger review authority, which has traditionally hinged on whether a merger increases or decreases market or economic power.

Under the bill, the DPA would conduct reviews of mergers involving large data aggregators and submit a report on the privacy implications of those mergers to the FTC and DOJ, which presumably would then also take data market power into account when reviewing mergers.

DPA won’t preempt state laws

Despite its role as an independent agency in the executive branch of the government, with a director nominated by the President and confirmed by the Senate, the DPA would not ostensibly function in ways that preempt state law. For example, California, Virginia and Colorado have robust state-level privacy and data protection laws that could conceivably run afoul of whatever requirements the DPA establishes.

The bill states that nothing in it should “be construed as annulling, altering, or affecting, or exempting any person subject to the provisions of this title from complying with, the statutes, regulations, orders, or interpretations in effect in any State,” except if there is any inconsistency. The bill defines inconsistencies as situations where the protections of the proposed DPA law are greater than those provided under state statutes. In other words, if state laws are weaker in any particular provision than what the proposed federal law contemplates, then the federal law would preempt the state law in those circumstances.

Civil rights a data privacy, protection issue

The bill also has something of a unique provision rarely found in privacy: the creation of an Office of Civil Rights. The Civil Rights office’s purpose is to ensure that the DPA proceeds in a fair, equitable, and non-discriminatory manner.

The Civil Rights office also is charged with “developing, establishing, and promoting data processing practices that affirmatively further equal opportunity to and expand access to housing, employment, credit, insurance education, healthcare, and other aspects of interstate commerce.” In addition, this office within DPA would further coordinate with other federal agencies to promote enforcement of civil rights laws and work with various communities to meet their needs.

A new sheriff for data privacy

In a blog post accompanying her latest bill, Gillibrand writes that her bill is needed because “Congressional inaction has allowed tech companies to take on a bloated role as decision-makers in our greater society—and their decisions are failing to protect consumers, competition, and our democracy.”

She also says that data breaches and ransomware attacks expose Americans’ private information at an unprecedented pace. “So, as we stare down the barrel of threats from foreign adversaries and unrestrained private firms trying to target personal data in consumer households, businesses, and government agencies, the data privacy space remains a complete and total Wild West in need of a new sheriff in town.” Gillibrand says that the DPA is “an important part of the solution” to these growing problems.

Privacy regulation from the ground up

This bill “highlights the kind of center stage that privacy is taking and putting it on the federal level,” Odia Kagan, partner and chair of the GDPR compliance and international privacy practice at Fox Rothschild, tells CSO. “It is a more ambitious list of defining risky practices than we’ve seen in other laws. Europe doesn’t take a prescriptive approach [in its General Data Privacy Regulation] to risk in the law. It just says risk high risk.”

Another interesting aspect of the bill to Kagan is that “the DPA is supposed to develop model privacy and data protection standards and guidelines and issue regulations. And that’s really helpful.”

“The most important thing it’s doing, and I think it’s smart, is starting from the ground up essentially by establishing a dedicated privacy regulator to not only enforce this new law but also to enforce all federal privacy-related laws,” Michael La Marca, counsel at Hunton Andrews Kurth’s privacy and cybersecurity practice, tells CSO. “They’re also going to take over rulemaking authority from the FTC. The FTC has been the primary referee from a privacy perspective, but they have a lot going on, and they have a lot on their plate.”

The proposed Act does have downsides. If Congress passed the proposed law, organizations would undoubtedly face uncertainty regarding compliance with the law, given that three US states have already enacted similar privacy laws, not to mention the GDPR and similar laws in Asia. “You’ve got this big matrix, and figuring out which one is the strictest is impossible,” Kagan says. “You’re trying to figure out what is going on. That lack of certainty is there, and it imposes a burden on companies.”