U.S. Senator Kirsten Gillibrand today announced her renewed legislation, the Data Protection Act of 2021, which would create the Data Protection Agency (DPA), an independent federal agency that would protect Americans’ data, safeguard their privacy, and ensure data practices are fair and transparent. First introduced in 2020, the updated legislation has undergone significant improvements, including updated provisions to protect against privacy harms and discrimination, to oversee the use of high-risk data practices, and to examine and propose remedies for the social, ethical, and economic impacts of data collection. Additionally, the DPA would have the authority and resources to effectively enforce data protection rules, created either by itself or by Congress, and would be equipped with a broad range of enforcement tools, including civil penalties, injunctive relief, and equitable remedies. The DPA would promote data protection and privacy innovation across public and private sectors, developing model privacy and data protection standards, guidelines, and policies for use by the private sector. The U.S. is one of the only democracies, and the only member of the Organization for Economic Cooperation and Development (OECD), without a federal data protection agency. Senator Brown is an original cosponsor of the Data Protection Act.
“In today’s digital age, Big Tech companies are free to sell individuals’ data to the highest bidder without fear of real consequences, posing a severe threat to modern-day privacy and civil rights. A data privacy crisis is looming over the everyday lives of Americans and we need to hold these bad actors accountable,” said Senator Gillibrand. “It’s critical that we modernize the way we handle technology, which is why I first introduced the Data Protection Act last year, in order to create an executive agency whose sole job is to protect data and privacy. The new and improved DPA of 2021 takes on even bigger and bolder reforms, including provisions to help the DPA address Big Tech mergers, penalize high-risk data practices, and establish a DPA Office of Civil Rights. The U.S. needs a new approach to privacy and data protection and it’s Congress’ duty to step forward and seek answers that will give Americans meaningful protection from private companies that value profits over people.”
“Facebook, YouTube, and other big tech companies have abused millions of users’ data, and paying fines has become part of the cost of doing business,” said Senator Brown, Chairman of the U.S. Senate Committee on Banking, Housing, and Urban Affairs. “We need stronger protections for people’s personal data. That means a robust independent data protection agency like the CFPB, with the tools and resources to protect people’s data and privacy.”
The renewed Data Protection Act of 2021 has undergone significant improvements to its purpose, objectives, and functions, and makes explicit the agency’s mission to prevent privacy harms and discrimination. Improvements to the 2021 DPA include:
- Supervision of Data Aggregators: Grants the DPA authority to review Big Tech mergers involving a large data aggregator, or any merger that proposes the transfer of personal data of 50,000 or more individuals.
- Office of Civil Rights: Establishes the DPA Office of Civil Rights to advance data justice and protect individuals from discrimination.
- Enforcement Powers: Improves DPA enforcement powers to oversee the use of high-risk data practices and to penalize, examine, and propose remedies for the social, ethical, and economic impacts of data collection.
- Penalties and Fines: Prohibits data aggregators from committing any unlawful, unfair, deceptive, abusive, or discriminatory data practices, and allows penalties and fines to be levied when the prohibition is violated, including triple penalties for violations against children.
- Defines Key Terms for Transparency: Provides Key Definitions for Privacy Harm, Data Aggregators, and High-Risk Data Practice, among other key terms.
The agency will address a growing data privacy crisis in America. Massive amounts of personal information (public profiles, health data, photos, past purchases, locations, search histories, and much more) are being collected, processed, and in some cases, exploited by private companies and foreign adversaries. In some instances, the data was not given willingly, and in many others, consumers had little idea what they were signing up for. As a result, the data of everyday Americans is being parsed, split, and sold to the highest bidder, and there is little anyone, including the federal government, can do about it. Not only have these tech companies built major empires and made billions of dollars from selling Americans’ data, but they spend millions of dollars per year opposing new regulations.
In recent years, major data breaches have occurred at banks, credit rating agencies and tech firms. It was recently discovered that over 530 million Facebook users had personal data lifted in a breach sometime before August 2019 and made available in a public database. In July 2019, months before patching up the issue that led to the breach, Facebook reached a $5 billion settlement with the U.S. Federal Trade Commission for violating an agreement with the agency to protect user privacy. Clearview AI was allowed to build a facial recognition database of over three billion photos scraped from the internet without any oversight. This past week, Volkswagen and Audi were hit by a data breach that exposed the contact information and, in some cases, personal details, like driver license numbers, of more than three million customers in the United States and Canada. Additionally, the Federal Trade Commission (FTC) has failed to enforce its own orders and has failed to act on dozens of detailed consumer privacy complaints alleging unfair practices concerning data collection, marketing to children, cross-device tracking, consumer profiling, user tracking, discriminatory business practices, and data disclosure to third parties.
The Data Protection Agency explained: The DPA would be an executive agency. The director would be appointed by the president and confirmed by the Senate, would serve a 5-year term, and must have knowledge of technology, protection of personal data, civil rights, and law. The agency may investigate, subpoena testimony or documents, and issue civil investigative demands. It may prescribe rules and issue orders and guidance as necessary to carry out federal privacy laws. The authority of state agencies and state attorneys general is preserved in the Act. The DPA would have three core missions:
1. Give Americans control and protection over their own data by authorizing the DPA to create and enforce data protection rules.
- The agency would regulate high-risk data practices and the collection, use, and sharing of personal data. It would enforce privacy statutes and rules around data protection, either as authorized by Congress or by the agency itself. It would use a broad range of tools to do so, including civil penalties, injunctive relief, and equitable remedies.
- The agency would also take complaints, conduct investigations, and inform the public on data protection matters. So if it seems like a company like Tinder is doing bad things with your data, the Data Protection Agency would have the authority to launch an investigation, share findings, and issue penalties, including through civil action or other appropriate relief.
2. Maintain the most innovative, successful tech sector in the world by ensuring fair competition within the digital marketplace.
- The agency’s research unit would analyze and report on data protection and privacy innovation across sectors, developing and providing resources that assess unfair, deceptive, or discriminatory outcomes that result from the use of automated decision systems, such as algorithms.
- The agency would develop model privacy and data protection standards, guidelines, and policies for use by the private sector to make it easier for businesses, especially small businesses, to comply with privacy and data protection rules and better prepare themselves against threats like ransomware.
3. Prepare the American government for the digital age.
- The agency would advise Congress on emerging privacy and technology issues, like deepfakes and encryption. It would also represent the United States at international forums regarding data privacy and inform future treaty agreements regarding data.
- The Agency would coordinate with and provide leadership to other Federal agencies and State regulators to promote consistent regulatory treatment of personal data.
The Data Protection Act of 2021 has been endorsed by leading technology, privacy, and civil rights organizations and experts including:
“It’s time for America to catch up with the rest of the world and create a Data Protection Agency. Congress’ ongoing failure to modernize our privacy laws imposes enormous costs on individuals, communities, and American businesses alike. We need a new approach. Senator Gillibrand’s Data Protection Act creates an agency dedicated to safeguarding the personal data of individuals and ensuring that data practices are fair and non-discriminatory. The Data Protection Act is the game-changing proposal we need in order to ensure adequate oversight over what has become a massive sector of our economy and affects the daily lives of all Americans. EPIC urges Congress to enact the Data Protection Act.” – Caitriona Fitzgerald, Deputy Director, Electronic Privacy Information Center (EPIC)
“As an organization dedicated to building economic opportunity and well-being for communities of color, The Greenlining Institute welcomes the Data Protection Act (DPA) of 2021. It is time that tech companies are held accountable for the social, ethical and economic consequences of their data collection and algorithmic decision-making practices which far too often manipulate and discriminate against people of color and disadvantaged Americans. The DPA creates a path forward for the United States to ensure that our existing civil rights laws work in the digital age and that high-risk algorithms that control access to housing, credit, benefits and economic opportunity are tested to see if they are fair, non-deceptive and non-discriminatory. This is critical if we are to close the racial wealth gap and rebuild eroding public trust in government and technology.” – Vinhcent Le, Technology Equity Legal Counsel, The Greenlining Institute
“Violations of the Children’s Online Privacy Protection Act are rampant, and kids and teens are targeted with dark patterns which lure them to stare at screens so their data can be scooped up and monetized. We thank Senator Gillibrand for her legislation which calls for a new enforcer to help create an Internet that families can use safely.” – Josh Golin, Executive Director, Campaign for a Commercial-Free Childhood
“Senator Gillibrand’s proposal for a strong Data Protection Agency recognizes that consumers need a tough, independent cop to protect their data and their privacy. The FTC is not that agency.” – Ed Mierzwinski, Senior Director for Consumer Programs, U.S. PIRG
“Abuse and misuse of our data continue to occur regularly and with impunity. Consumers need an agency that makes data protection its primary mission. Senator Gillibrand’s plan to create a Data Protection Agency is the right step to ensure that companies use individuals’ data fairly, responsibly and with accountability.” – Linda Sherry, Director of National Priorities, Consumer Action
“It is time we had 21st-century safeguards in place. That is why we need a strong and independent data protection agency that will place the interests of consumers, and those most disadvantaged, ahead of the companies that regularly take all of our information and exploit us. We applaud Senator Gillibrand’s proposal, which if enacted, could help ensure that we are treated fairly and equitably online and that our digital rights are protected in the U.S.” – Katharina Kopp, Ph.D., Deputy Director, Director of Policy, Center for Digital Democracy
“For too long, social media giants like Facebook and Google have violated federal privacy laws to surveil American consumers across the internet and develop detailed dossiers about them, which they sell to advertisers for enormous profit, oftentimes without the consumer’s knowledge or consent. A surveillance-based economy that treats sensitive personal data about consumers as the primary commodity is incompatible with Americans’ right to privacy. Senator Gillibrand’s Data Protection Act would bring our regulatory framework for the Internet of Things into the 21st century and serve as a consumer watchdog to stop Big Tech from breaking the law, and hold them accountable when they do.” – Rishi Bharwani, Director of Policy and Partnerships, Accountable Tech
“The Parent Coalition for Student Privacy strongly supports this important bill that creates a new federal agency empowered to enforce the law, respond to parents’ complaints when their children’s privacy is put at risk, and analyze the potentially unsafe and discriminatory impacts of current data practices, in and out of schools.” – Leonie Haimson, Co-chair, Parent Coalition for Student Privacy
“Imagine the twentieth century without the National Labor Relations Board, the Food and Drug Administration, the Federal Deposit Insurance Corporation, the Federal Trade Commission, or any one of the dozens of critical institutions invented in that century to keep America’s industrial economy safe for democracy, tethered to the rule of law and the values and principles of a democratic people. The Data Protection Act of 2021 begins the urgent work of inventing the institutions that will make our digital century safe for democracy, advancing the democratic values of citizens’ rights, the rule of law, and inclusive prosperity. With this bill, Senator Gillibrand joins a history-making new wave of legislative and regulatory efforts in the US and Europe that promise to assert democratic governance over unconstrained tech power for the sake of a digital and democratic future.” – Shoshana Zuboff, Author, The Age of Surveillance Capitalism; Charles Edward Wilson Professor of Business Administration, Emerita, Harvard Business School
“Data protection is among the most significant regulatory challenges of the twenty-first century, and legacy regulatory agencies and statutes simply can’t meet that challenge. Senator Gillibrand proposes to create a new Data Protection Agency and give it the authority it needs to oversee high-risk data practices and combat privacy harms that put individuals and communities at risk. This is necessary legislation.” – Julie Cohen, Mark Claster Mamolen Professor of Law and Technology, Georgetown Law
“Data centers in the U.S. are vulnerable to attack, and as a country we need to do a much better job with data security. That’s why the U.S. needs a data protection agency.” – Bruce Schneier, Fellow and Lecturer, Harvard Kennedy School
“It’s no longer possible for individuals to protect themselves from intrusive online surveillance and manipulation. The FTC’s response to even the most egregious privacy violations has been tepid, and so it is past time to invest in a new agency expert in how data is used and abused. As corporations gobble up more and more data as part of their day-to-day operations, we need a watchdog on the beat to stop them from breaking the law, and to provide meaningful consequences when they do. Along with new privacy laws that protect individual access to courts and don’t scuttle the importance of the states, having a DPA is necessary to protect consumers in the digital age.” – Robert Weissman, President, Public Citizen
“We support this legislation because protecting our privacy is a big job and we need an agency with the responsibility, resources and resolve to do it.” – Susan Grant, Director of Consumer Protection and Privacy, Consumer Federation of America.
– Color of Change
The full text of the legislation may be found here.
A section-by-section layout of the proposal can be found here.
For more information, a one pager on the bill can be found here.
Senator Gillibrand published a Medium post about her legislation that can be read here.