On Feb. 13, 2020, U.S. Sen. Kirsten Gillibrand, D-N.Y., joined the ongoing privacy debate in Washington, proposing the Data Protection Act to establish a new federal Data Protection Agency. The DPA would be an independent executive agency, charged with protecting individual privacy and limiting “the collection, disclosure, processing and misuse of personal data.” Gillibrand has described the DPA “as a 'referee' to define, arbitrate, and enforce rules to defend the protection of our personal data.”
Unlike the proposed legislation from her colleagues in the Senate, Gillibrand’s draft bill focuses on establishing the DPA as an independent enforcement entity with rulemaking authority, not on the creation of specific privacy rights and obligations. The act does, however, include strong statements, such as “privacy is an important fundamental individual right protected by the Constitution” and an individual’s privacy “is directly affected by the collection, maintenance, use, and dissemination of personal data.”
DPA qualifications and purpose
Under the proposal, the DPA’s director would be appointed by the president and confirmed by the Senate for a five-year term. Qualifications would include knowledge and experience in technology, protection of personal data, civil rights and liberties, law, social sciences, and business.
The purpose of the DPA would be to protect individuals’ privacy and limit the collection and use of “personal data” by “covered entities.” The term “covered entity” is comprehensive and means “any person that collects, processes, or otherwise obtains personal data.”
The only exception explicitly carved out is for individuals processing personal data in the course of personal or household activities. The definition of “personal data” is defined broadly, similar to the definition used in the Sen. Cantwell’s Online Consumer Privacy Rights Act and others.
Photo by Andy Feliciotti on Unsplash
