Kirsten Gillibrand's new bill would establish a US data protection agency
The Data Protection Agency would enforce federal privacy laws, taking that role out of the hands of the FTC.
Members of Congress still haven't written the rules of the road for consumer privacy in America. But on Thursday, Democratic Sen. Kirsten Gillibrand introduced a new bill that would at least appoint a traffic cop.
The so-called Data Protection Act of 2020 would create the country's first data protection agency to oversee how privacy laws in America are enforced and to guide Congress on the development of those laws. The agency would be empowered to impose penalties on companies that violate people's privacy, take them to court, field consumer complaints, and launch investigations.
In a blog post, Gillibrand wrote that the country faces an inflection point similar to the post-9/11 days when the government realized it needed to shore up national security and established the Department of Homeland Security to do it.
"As our country and economy continue to evolve with the digital age, we face a national crisis as our personal data gets targeted — and not just for marketing by brands, but also to establish if we can access certain jobs, loans, or prices on products," Gillibrand wrote. "Americans should be able to go to an institution that will look out for, and actively work to protect, their privacy and freedom."
The agency would enforce current privacy laws and any future laws Congress passes and have rule-making authority to determine how those laws are carried out. Specifically, the agency would be able to conduct impact assessments on companies deploying "high-risk practices" with regard to data. That includes companies using data to profile people on a large scale. The bill also gives the agency the power to regulate consumer scoring in sensitive areas like housing, employment and education.
The agency would have subpoena power and the ability to take companies to court over violations of federal privacy law. It would also closely monitor large companies — both in terms of revenue and in terms of the amount of data they collect — and ask for reports from these companies, to ensure they're complying with the law. Meanwhile, the agency would be tasked with guiding Congress on emerging technologies and representing the United States in international deals regarding privacy.
Today, the federal privacy laws that do exist, like the Children's Online Privacy Protection Act and the Fair Credit Reporting Act, are enforced by the Federal Trade Commission. The FTC Act also prohibits unfair or deceptive practices, a law that the agency has used to punish companies like Facebook for their privacy scandals. But consumer advocates have always said the FTC lacks teeth, primarily because the agency can't levy fines on first-time offenders. Some federal privacy bills that have been introduced recently, including one sponsored by Washington Democrat Sen. Maria Cantwell, would change that, creating a new privacy bureau within the FTC and giving it more punitive powers.
But Gillibrand's bill aims to start fresh with a brand-new agency, which would assume much of the enforcement power from the FTC. Privacy groups like the Electronic Privacy Information Center, which worked with Gillibrand's office on the bill, view this as a welcome change.
"The FTC has failed over and over again to protect American consumers," said Caitriona Fitzgerald, chief technology officer and policy director at EPIC. Fitzgerald points to the consent decree the FTC reached with Facebook over privacy issues in 2011. That didn't stop Facebook from committing subsequent privacy violations that ultimately led to the Cambridge Analytica scandal. Last year, the FTC fined Facebook $5 billion, a penalty that Fitzgerald thinks was woefully inadequate. "The FTC did nothing to ensure this won't happen again. And that's only the latest example," she said.
The agency Gillibrand seeks to create would be similar to the data protection authorities that oversee enforcement of the General Data Protection Regulation throughout Europe. The only difference is that in the United States there is no comprehensive data privacy law to enforce. The closest thing the U.S. has to GDPR is the California Consumer Privacy Act, which only concerns California residents. A new ballot initiative in California that seeks to rewrite CCPA would create an independent data protection agency, but that agency would still only protect Californians.
The avalanche of high-profile consumer privacy failures over the past few years has led to calls for a strong federal privacy law, including from the tech industry itself. Gillibrand's proposal for a data protection agency is a response to that, but it stops short of proposing new limits on data use itself. In her blog post, Gillibrand pointed to an array of perceived privacy violations she wants to prohibit, from fitness apps sharing data with health insurance companies to Instagram giving advertisers access to data about its users. Her new Data Protection Agency would be able to do very little to stop that, unless Congress passed a law that said it could.
Fitzgerald says she thinks Gillibrand's bill could be easily integrated into Cantwell's comprehensive privacy bill in the Senate. Another comprehensive consumer privacy bill in the House that was introduced last year also calls for the creation of what it calls a "digital privacy agency."
But some, like Mary Stone Ross, associate director of EPIC, say that even on its own, Gillibrand's bill has value. Ross argues that it doesn't matter what privacy laws Congress passes if there's nobody who's going to hold companies accountable. "On one hand it might seem a little backward, like you're putting the cart before the horse, building the enforcement agency before you pass federal consumer privacy law, but in my mind it's not," Ross said. "I think the most important place to start is enforcement."