February 13, 2020

Confronting A Data Privacy Crisis, Gillibrand Announces Landmark Legislation To Create A Data Protection Agency

The Data Protection Act Would Create a Consumer Watchdog to Give Americans Control and Protection of Their Data, Promote a Competitive Digital Marketplace, and Prepare the U.S. for the Digital Age; U.S. Still One of the Only Democracies Without a Data Protection Agency

Washington, DC – U.S. Senator Kirsten Gillibrand today announced her landmark legislation, the Data Protection Act, which would create the Data Protection Agency (DPA), an independent federal agency that would protect Americans’ data, safeguard their privacy, and ensure data practices are fair and transparent. The DPA will have the authority and resources to effectively enforce data protection rules—created either by itself or congress—and would be equipped with a broad range of enforcement tools, including civil penalties, injunctive relief, and equitable remedies. The DPA would promote data protection and privacy innovation across public and private sectors, developing and providing resources such as Privacy Enhancing Technologies (PETs) that minimize or even eliminate the collection of personal data. The U.S. is one of the only democracies, and the only member of the Organization for Economic Co-operation and Development (OECD), without a federal data protection agency.

Senator Gillibrand published a Medium post about her new legislation that can be read here.

“Technology is connecting us in new significant ways, and our society must be equipped for both the challenges and opportunities of a transition to the digital age. As the data privacy crisis looms larger over the everyday lives of Americans, the government has a responsibility to step forward and give Americans meaningful protection over their data and how it’s being used,” said Senator Gillibrand. “Data has been called ‘the new oil.’ Companies are rushing to explore and refine it, ignoring regulations, putting profits above responsibility, and treating consumers as little more than dollar signs. Like the oil boom, little thought is being given to the long-term consequences. The U.S. needs a new approach to privacy and data protection. We cannot allow our freedoms to be trampled over by private companies that value profits over people, and the Data Protection Agency would do that with expertise and resources to create and meaningfully enforce data protection rules and digital rights.”

The agency will address a growing data privacy crisis in America. Massive amounts of personal information—public profiles, health data, photos, past purchases, locations, search histories, and much more—is being collected, processed, and in some cases, exploited by private companies and foreign adversaries. In some instances, the data was not given willingly, and in many others, consumers had little idea what they were signing up for. As a result, the data of everyday Americans is being parsed, split, and sold to the highest bidder, and there is little anyone--including the federal government--can do about it. Not only have these tech companies built major empires and made billions from selling Americans’ data, but they spend millions of dollars per year opposing new regulations.

In recent years, major data breaches have occurred at banks, credit rating agencies and tech firms. In 2017, Equifax failed to safeguard the sensitive credit data of hundreds of millions of Americans, allowing a foreign government to steal and expose this information. In 2018, Facebook exposed the personal information of nearly 50 million users because it reportedly ignored warnings from its own employees about a dangerous loophole in its security. Additionally, the Federal Trade Commission (FTC) has failed to enforce its own orders and has failed to act on dozens of detailed consumer privacy complaints alleging unfair practices concerning data collection, marketing to children, cross-device tracking, consumer profiling, user tracking, discriminatory business practices, and data disclosure to third-parties.

The Data Protection Agency explained: 

The DPA would be an executive agency. The director would be appointed by the president and confirmed by the Senate, serves a 5-year term, and must have knowledge in technology, protection of personal data, civil rights, law, and business. The agency may investigate, subpoena for testimony or documents, and issue civil investigative demands. It may prescribe rules and issue orders and guidance as is necessary to carry out federal privacy laws. The authority of state agencies and state attorneys general are preserved in the Act.

The DPA would have three core missions:

1. Give Americans control and protection over their own data by creating and enforcing data protection rules. 

  • The agency would enforce privacy statutes and rules around data protection, either as authorized by Congress or themselves. It would use a broad range of tools to do so, including civil penalties, injunctive relief, and equitable remedies.
  • The agency would also take complaints, conduct investigations, and inform the public on data protection matters. So if it seems like a company like Tinder is doing bad things with your data, the Data Protection Agency would have the authority to launch an investigation and share findings.  

2. Maintain the most innovative, successful tech sector in the world by ensuring fair competition within the digital marketplace. 

  • The agency would promote data protection and privacy innovation across sectors, developing and providing resources such as Privacy Enhancing Technologies (PETs) that minimize or even eliminate the collection of personal data.
  • The agency would ensure equal access to privacy protection and protect against “pay-for-privacy” or “take-it-or-leave-it” provisions in service contracts—because privacy, including online privacy, is a right that should be enforced.

3. Prepare the American government for the digital age.

  • The agency would advise Congress on emerging privacy and technology issues, like deepfakes and encryption. It would also represent the United States at international forums regarding data privacy and inform future treaty agreements regarding data. 

The Data Protection Act of 2020 has been endorsed by leading technology, privacy, and civil rights organizations including: 

  • Electronic Privacy Information Center (EPIC)

"The US confronts a privacy crisis. Our personal data is under assault. Congress must establish a data protection agency. Senator Gillibrand has put forward a bold, ambitious proposal to safeguard the privacy of Americans.”- Caitriona Fitzgerald, Policy Director, EPIC.

  • Shoshana Zuboff, Charles Edward Wilson Professor of Business Administration, Emerita, Harvard Business School

"The Data Protection Act of 2020 by Senator Gillibrand offers a crucial bulwark against the pervasive assault on privacy that now disfigures every aspect of daily life. An overwhelming majority of Americans now think that the rampant commercial collection of personal data poses more risks than benefits, even as there is little choice but to depend upon privacy-destroying commercial systems for effective social participation. With this Bill, Senator Gillibrand joins a history-making new wave of legislative and regulatory efforts in the US and Europe that promise to assert democratic governance over commerce in the digital age. Senator Gillibrand’s leadership is critical as we embark on the pivotal decade ahead." – Shoshana Zuboff, Charles Edward Wilson Professor of Business Administration, Emerita, Harvard Business School.

  • Public Citizen

“It’s no longer possible for individuals to protect themselves from intrusive online surveillance and manipulation. The FTC’s response to even the most egregious privacy violations has been tepid, and so it is past time to invest in a new agency expert in how data is used and abused. As corporations gobble up more and more data as part of their day-to-day operations, we need a watchdog on the beat to stop them from breaking the law, and to provide meaningful consequences when they do. Along with new privacy laws that protect individual access to courts and don’t scuttle the importance of the states, having a DPA is necessary to protect consumers in the digital age.”  - Robert Weissman, President, Public Citizen.

  • Color of Change

“Current privacy laws give free rein to companies to exploit Black people’s data, replicating and amplifying racial and economic injustices in the process. Senator Gillibrand’s bill will advance civil rights protections for Black communities, and allow us to begin to take back our privacy in an era of unregulated big data. Federal oversight with the resources and authority to hold companies accountable to data protection obligations and tackle emerging privacy challenges is the key to ensuring our safety online.” - Brandi Collins-Dexter, Senior Campaign Director, Color Of Change.

  • Consumer Federation of America

“We support this legislation because protecting our privacy is a big job and we need an agency with the responsibility, resources and resolve to do it.” - Susan Grant, Director of Consumer Protection and Privacy, Consumer Federation of America.

  • U.S PIRG

"Senator Gillibrand's proposal for a strong Data Protection Agency recognizes that consumers need a tough, independent cop to protect their data and their privacy. The FTC is not that agency." - Ed Mierzwinski, Senior Director for Consumer Programs, U.S. PIRG.

  • Center for Digital Democracy

“Americans are losing more of their privacy daily. It is wrong to assume, as industry likes us to believe, that individual consumers can manage their privacy in a world of non-stop surveillance. It is time we had 21st century safeguards in place. That is why we need a strong and independent data protection agency that will place the interests of consumers, and those most disadvantaged, ahead of the companies that regularly take all of our information and exploit us.  The FTC has totally failed to protect the public for many years—regardless of which party has been in power. We applaud Senator Gillibrand’s proposal, which if enacted, could help ensure that our digital rights are protected in the U.S.” - Katharina Kopp, Ph.D., Deputy Director, Director of Policy, Center for Digital Democracy.

  • Consumer Action

“As data violations occur at warp speed and with impunity, consumers need an agency that makes data protection its primary mission. Senator Gillibrand’s plan to create a Data Protection Agency is the right step to ensure that companies use individuals’ data fairly, responsibly and with accountability.” - Linda Sherry, Director of National Priorities, Consumer Action.

  • Campaign for a Commercial-Free Childhood

“The FTC has stood idly by while big tech companies have preyed upon children and families with an unfair business model based on illegal data collection and manipulative personalized marketing. Violations of the Children’s Online Privacy Protection Act are rampant as everyone, from major platforms to small developers, ignores the law. We applaud Senator Gillibrand for her legislation which would create a new COPPA cop to rein in the blatant and widespread misuse of kids’ personal data.” - Josh Golin, Executive Director, Campaign for a Commercial-Free Childhood.

  • Parent Coalition for Student Privacy

“We endorse this important bill that takes the protection of our children’s personal data out of the hands of the FTC, which has proven itself incapable of ensuring their privacy, and into the hands of a new federal agency which will be empowered to enforce the law, respond to parents’ complaints when their children’s privacy is put at risk, and analyze the potentially discriminatory impacts of current data practices.”  - Leonie Haimson, Co-chair, Parent Coalition for Student Privacy

  • Professor Anita L. Allen, Henry R. Silverman Professor of Law and Professor of Philosophy, University of Pennsylvania Law School

“It is critical that Americans’ personal data and communications finally be protected through the coordinated expertise of a dedicated federal agency.” - Professor Anita L. Allen, Henry R. Silverman Professor of Law and Professor of Philosophy, University of Pennsylvania Law School

  • Bruce Schneier, Fellow and Lecturer, Harvard Kennedy School

"Data centers in the U.S. are vulnerable to attack, and as a country we need to do a much better job with data security. That's why the U.S. needs a data protection agency.” - Bruce Schneier, Fellow and Lecturer, Harvard Kennedy School.

  • Professor Francesca Bignami, Leroy Sorenson Merrifield Research Professor of Law, The George Washington University Law School

“Just like 19th-century Americans got a federal regulatory agency to curb the power of the railway magnates, 21st-century Americans deserve one to tackle the problems of the tech industry. This Data Protection Agency is a vital step for protecting privacy and liberty in today's digital economy.” - Professor Francesca Bignami, Leroy Sorenson Merrifield Research Professor of Law, The George Washington University Law School

The full text of the legislation may be found here.