Senate Bill Would Create Data Protection Agency


A Senate bill introduced this week would create a new federal Data Protection Agency to handle the creation and enforcement of privacy and data rules in an effort to fill a major gap in the United States’ regulatory infrastructure.

Sen. Kirsten Gillibrand (D-N.Y.) drafted the Data Protection Act, which is aimed squarely at major platform providers and data brokers. The DPA would have authority to draft its own data-protection regulations as well as enforce those passed by Congress. Gillibrand said that the lack of privacy and data-protection regulation right now is leading to unforeseen injustices and serious intrusions on personal freedom.

“Even the savviest consumers of technology cannot fully understand how companies use their data, where their data goes, how far they are willing to go to profit from that data, and whether their business practices encroach on their privacy and freedom,” Gillibrand said in a post Thursday.

“Moreover, companies have declared that this data is theirs for the taking, and they’ve repeatedly rejected responsibility and accountability for the greater impacts of any bad behavior.”

The U.S. is one of the few major nations without either a federal privacy law or a data protection agency, a situation that has led to the development of a tangle of state laws and industry regulations, not all of which are complementary. Security experts, privacy advocates, and civil liberties organizations have been pushing for a federal data privacy law and an agency to oversee enforcement for many years and there have been various attempts at one or both. But none of those has gotten to the finish line.

Gillibrand’s legislation would give the new DPA enforcement authority over any company that has annual revenue of $25 million or more, gets at least 50 percent of its revenue from the sale of personal data, or buys or sells the personal data of more than 50,000 people. Those descriptors would apply to all of the major platform providers, including Facebook, Google, Twitter, and others. The collection of user data is integral to the business models of most of the large platform companies, and regulating the ways in which that data is gathered, protected, and used is a complicated challenge.

“Data has been called ‘the new oil.’ Companies are rushing to explore and refine it, ignoring regulations, putting profits above responsibility, and treating consumers as little more than dollar signs. Like the oil boom, little thought is being given to the long-term consequences,” Gillibrand said.

“So as we stare down the barrel of threats from foreign adversaries trying to target personal data in consumer households, businesses, and government agencies, the data privacy space remains a complete and total Wild West. And that is a huge problem.”

In addition to creating and enforcing privacy and data-protection regulations, the DPA would also advise Congress on technology and privacy issues, act as a clearinghouse for citizens’ complaints, and conduct investigations.

In November, a separate bill was introduced in the House of Representatives that would create a federal privacy agency.

“The US confronts a privacy crisis. Our personal data is under assault. Congress must establish a data protection agency. Senator Gillibrand has put forward a bold, ambitious proposal to safeguard the privacy of Americans,” Caitriona Fitzgerald, policy director at the Electronic Privacy Information Center, said in a statement.