On Feb. 13, 2020, U.S. Sen. Kirsten Gillibrand, D-N.Y., joined the ongoing privacy debate in Washington, proposing the Data Protection Act to establish a new federal Data Protection Agency. The DPA would be an independent executive agency, charged with protecting individual privacy and limiting “the collection, disclosure, processing and misuse of personal data.” Gillibrand has described the DPA “as a 'referee' to define, arbitrate, and enforce rules to defend the protection of our personal data.” 

Unlike the proposed legislation from her colleagues in the Senate, Gillibrand’s draft bill focuses on establishing the DPA as an independent enforcement entity with rulemaking authority, not on the creation of specific privacy rights and obligations. The act does, however, include strong statements, such as “privacy is an important fundamental individual right protected by the Constitution” and an individual’s privacy “is directly affected by the collection, maintenance, use, and dissemination of personal data.” 

DPA qualifications and purpose

Under the proposal, the DPA’s director would be appointed by the president and confirmed by the Senate for a five-year term. Qualifications would include knowledge and experience in technology, protection of personal data, civil rights and liberties, law, social sciences, and business. 

The purpose of the DPA would be to protect individuals’ privacy and limit the collection and use of “personal data” by “covered entities.” The term “covered entity” is comprehensive and means “any person that collects, processes, or otherwise obtains personal data.”  

The only exception explicitly carved out is for individuals processing personal data in the course of personal or household activities. The definition of “personal data” is defined broadly, similar to the definition used in the California Consumer Privacy Act, and means “any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or device.”

What would the DPA do?

The functions of the DPA would be expansive. The agency would be charged with “providing leadership and coordination” for other federal departments and agencies regarding the enforcement of federal privacy and data protection laws, examining and regulating high-risk data practices, and “ensuring fair contract terms in the market.” The act also calls for the DPA to provide “active” leadership, guidance and education to the private sector, to develop model standards and guidelines regarding privacy, data protection and fair information practices, and to promote privacy enhancing techniques.

The DPA would have rulemaking authority to administer and enforce the Act and federal privacy laws, as well as the authority to:

• Supervise covered entities (a) with more than $25,000,000 in annual gross revenues, (b) that derive 50% or more of their annual revenues from the sale of personal data or (c) that buy, receive for commercial purposes, sell, or disclose for commercial purposes, the personal information of 50,000 or more individuals, households or devices. This supervision can include requiring periodic reports and examinations to assess whether these supervised covered entities are complying with federal privacy laws. 
• Prohibit unfair or deceptive acts or practices by a covered entity.
• Collect, research, and respond to consumer complaints, including requiring responses from certain covered entities.

The act requires the DPA to publicly report on its activities every six months, providing information regarding the rules and orders it has adopted, the consumer complaints it received, and enforcement activities.

What about the FTC?

The proposed legislation would transfer the authority of the U.S. Federal Trade Commission to prescribe rules, issue guidelines, or conduct a study or issue a report under existing federal privacy laws to the DPA. 

Enforcement

The act would give the DPA the power to engage in joint investigations, issue subpoenas for witness testimony and the production of documents, and, in the event of a federal privacy law violation, commence a civil action. Notably, if the DPA uncovered evidence of potential criminal conduct, it would be required to provide this information to the U.S. Attorney General for potential criminal proceedings.  

The relief available to the DPA in a civil action would not be limited to civil penalties, but would include injunctive relief, rescission or reformation of contracts, monetary refunds, restitution, disgorgement or compensation for unjust enrichment, payment of damages, public notice of the violation, and limitations on the activities or functions of a covered entity. Civil penalty amounts would be tiered based upon the nature of the violation. While the penalty amount for a violation generally could not exceed $5,000 per day, recklessly engaging in a violation of federal privacy law could increase the penalty up to $25,000 per day and a knowing violation could result in a penalty of up to $1,000,000 per day. Civil penalties obtained related to enforcement of the act would be deposited into a Data Protection Relief Fund, to be used to compensate affected individuals or for educational purposes.

Interaction with state law

The act would preserve state laws, except to the extent they afford lesser protection. It also would allow state authorities to enforce the Act and preserves their right to bring state law claims.

What’s next?

The proposed Data Protection Act will now be considered by Gillibrand’s Senate colleagues alongside the growing number of other privacy proposals tabled in the Senate, including Sen. Cantwell’s Online Consumer Privacy Rights Act and others.

Photo by Andy Feliciotti on Unsplash