The United States lags behind much of the world in that it has yet to establish some sort of national data protection agency. Several attempts at federal data privacy standards have been launched in recent years but have failed to gain traction. Senator Kirsten Gillibrand is taking another turn at the matter, and is the first to propose the creation of a data protection agency at the federal level with broad enforcement powers similar to those of its counterparts in the European Union.
About the proposed data protection agency
The New York Democratic senator introduced the bill to the public in an article published on Medium, describing the United States as being in a “data privacy crisis.”
The bill would create a new federal agency called the Data Protection Agency. National data protection and privacy rules would be created either by this body or by Congress, and the Data Protection Agency would enforce those rules. The bill provides that it is an executive agency, with a director appointed by the president and confirmed by the Senate. The appointee would serve for five years.
The agency’s primary missions would be to create and enforce data protection rules that give Americans greater control over their personal information, ensure fair competition in the digital marketplace, and advise Congress on new technologies and privacy issues.
The bill would leave the drafting of any new rule to the newly created agency, but offers some guidelines. For example, the bill expressly mentions the prohibition of “pay for privacy” contracts and “take it or leave it” terms of service. The bill also mandates a formal rulemaking process prior to the implementation of any new high-risk data practice or profiling technique.
Warren Poschman, Senior Solutions Architect at Comforte AG, pointed out that the bill also appears to leave exemptions for small businesses:
“In today’s data-driven economy, there may be no greater reason to act at the federal level than data privacy. While the bill as it stands today would apparently only apply to medium and large businesses (i.e. over $25 million in revenue or over 50,000 registrations), the main takeaway is that the US federal government cannot continue to hide behind the 10th Amendment by leaving data security and privacy to state and local governments.”
The bill has been endorsed by a number of privacy and tech organizations, including the Electronic Privacy Information Center (EPIC), the Consumer Federation of America, the Public Interest Research Group (US PIRG) and the Public Citizen advocacy group. The bill does not yet have any other sponsors in Congress, but it builds directly on a bill from November last year introduced by Representatives Anna Eshoo and Zoe Lofgren of California.
What enforcement might look like
Gillibrand’s letter to the public cites a number of enforcement scenarios that are addressed by privacy laws in other countries, such as the EU’s General Data Protection Regulation (GDPR): tracking children for advertising purposes, using fitness apps to determine health insurance, or targeting low-income people for high-interest payday loans.
Gillibrand also cites massive data breaches (such as the Equifax incident in 2017), voice-activated AI assistants and senior citizen scams as privacy lapses that require laws and improved enforcement to protect consumers.
The wording of the bill indicates that enforcement would be complaint-based, in the same way the GDPR is structured. Citizens could file complaints not only for violations of the law in force, but also for practices that could be considered deceptive or unfair.
Enforcement would be through fines and civil penalties, with a suggested maximum fine of $1 million per day. Injunctive relief would also be available, and the bill establishes a fund for those who have suffered damage as a result of data privacy breaches.
The wording of the bill, confirmed by follow-up reporting from TechCrunch, indicates that the data protection agency’s rules would not replace state laws. Thus, existing laws, such as California’s new privacy law, would appear to take precedence.
Is this act more likely to succeed than previous efforts?
Danny Allan, Technical Director of Veeam, summarizes the desire for a federal data privacy standard:
“While California may have been the first state to pass consumer privacy legislation, it was likely that other states would start to follow suit, especially as public awareness and the demand for stricter data protection practices continue to grow. Nationally, when the CCPA came into effect in January, data privacy regulations in the United States became more complicated than ever. If each state implements its own approach to data privacy, America could become a patchwork of regulations, making it an extremely difficult place to do business. This challenge becomes even greater as organizations increasingly share customer data between teams, partners and third-party contractors. Ultimately, we will need a common set of rules, across all states, that would allow companies to operate across state borders (and around the world), similar to what U.S. organizations doing business in the EU are already following.”
Although the idea has generated widespread interest, the United States has struggled to establish its own data protection agency for several reasons. The first is that some earlier bills were considered too weak and also included a clause that required their terms to preempt state laws. On the other side of the coin, overly strict federal laws face major pushback from Silicon Valley tech companies. In part, the problem is due to a glut of different bills introduced over the past two years and political haggling over which enforcement terms should stay and which should go.
The Federal Trade Commission is the main body currently responsible for protecting data privacy. However, the agency works from long-established laws that weren’t really written to deal with the digital age, and critics argue that even when the FTC is able to step in, it often does not. Aside from the Children’s Online Privacy Protection Act (COPPA), which is now two decades old, the FTC’s primary enforcement tool is the Federal Commerce Act of 1934.
This question of a federal data protection agency could remain open until the 2020 national elections are settled. Unlike many current issues in US politics, there has been strong and consistent bipartisan support for some sort of uniform national data privacy law. The tech industry does not have strong ties to any particular party, as some other industries do; it has both disagreed and agreed with everyone at times. Republicans have, however, expressed their opposition to some of the elements included in Gillibrand’s bill.