
Senator calls for dedicated US data protection agency

The US needs a data protection agency of its own, and Kirsten Gillibrand wants to be the one who makes it happen.

Gillibrand, the US senator for New York, released the call to action last week. She announced draft legislation known as the Data Protection Act on Thursday 13 February, a day after explaining her reasoning in a post on Medium. We need to do this to catch up, she said:

The United States is vastly behind other countries on this. Virtually every other advanced economy has established an independent agency to address data protection challenges, and many other challenges of the digital age.

At the moment, the US doesn’t have a single body dedicated to enforcing privacy rules. It’s a side-mission at the Federal Trade Commission (FTC), which is limited in its approach.

Under Section 5 of the FTC Act, it can’t issue fines for privacy violations immediately. Instead, it has to issue a consent decree (the violator has to agree that it won’t be naughty again) and it can only fine a company if it violates that decree. That’s why it didn’t fine Facebook for privacy infractions in 2011 but did levy a $5bn fine last year.

In any case, the FTC doesn’t just focus on privacy. Gillibrand wants a federal data agency dedicated to the task with three core missions.

The first would give Americans control over their own data by enforcing data protection rules. The key word here is ‘enforcing’ – it would be able to not just conduct investigations and share its findings, but to impose civil penalties. These would be capped at $1m for each day that an organisation knowingly violates the Act. This money would go into a relief fund that the Agency would use to help compensate victims of data privacy violations.

The second mission would be to promote privacy innovations, including technologies that minimise the collection of personal data or eliminate it altogether. Under this mission, Gillibrand would also come down hard on service contracts that gave customers no choice but to give up their privacy. She also says that she’d protect against “pay for privacy” provisions in service contracts.

Finally, the third mission would be to “prepare the American government for the digital age”. It would advise Congress on emerging privacy and technology issues like deepfakes and encryption, and represent the US at international privacy forums.

The law defines personal data very broadly, as the California Consumer Protection Act (CCPA) does, including online identifiers and IP addresses alongside names and addresses as identifying information. Bank account numbers also count.

The law would apply to any company with revenues over $25m, or which handles the personal data of 50,000 or more people. The clause that would seem to throw many companies outside the scope of the act is that a covered organisation would have to derive at least half its annual revenues from the sale of personal data.

It isn’t clear that a company such as Facebook would fall under those conditions, as it doesn’t actually sell personal data – it collects and uses it internally to target ads for its clients. Still, this is only a draft for discussion.

In any case, this law wouldn’t pre-empt state laws. A company that violated California’s CCPA privacy law would still be liable for state prosecution under that law too.

This isn’t the only attempt at reform being considered on the Hill. The Consumer Online Privacy Rights Act (COPRA) would outline strict privacy rules and establish a dedicated office within the FTC to enforce them. The Brookings Institute, which researches policy in Washington DC, has said that the FTC is up to the job of regulating privacy, but hasn’t been doing an especially good job lately, taking on too few cases and focusing on issuing consent decrees rather than legislating. It would need some significant reforms to be ready – including a clear Congressional mandate.

