US Sen. Gillibrand Announces Legislation to Create a Data Protection Agency

The Data Protection Act (DPA) would create a consumer watchdog to give Americans control and protection of their data, promote a competitive digital marketplace, and prepare the U.S. for the digital age.

Introduced by U.S. Kirsten Gillibrand, the DPA will have the authority and resources to effectively enforce data protection rules—created either by itself or congress—and would be equipped with a broad range of enforcement tools, including civil penalties, injunctive relief, and equitable remedies. The DPA would promote data protection and privacy innovation across public and private sectors, developing and providing resources such as Privacy Enhancing Technologies (PETs) that minimize or even eliminate the collection of personal data. The U.S. is one of the only democracies, and the only member of the Organization for Economic Co-operation and Development (OECD), without a federal data protection agency, says a press release.

The agency will address a growing data privacy crisis in America, as massive amounts of personal information—public profiles, health data, photos, past purchases, locations, search histories, and much more—is being collected, processed, and in some cases, exploited by private companies and foreign adversaries.

The press release notes that in recent years, major data breaches have occurred at banks, credit rating agencies and tech firms, such as the 2017 Equifax data breach and the 2018 Facebook data breach as well. Additionally, the Federal Trade Commission (FTC) has "failed to enforce its own orders and has failed to act on dozens of detailed consumer privacy complaints alleging unfair practices concerning data collection, marketing to children, cross-device tracking, consumer profiling, user tracking, discriminatory business practices, and data disclosure to third-parties," adds the release.

The DPA would have three core missions:

1. Give Americans control and protection over their own data by creating and enforcing data protection rules.

The agency would enforce privacy statutes and rules around data protection, either as authorized by Congress or themselves. It would use a broad range of tools to do so, including civil penalties, injunctive relief, and equitable remedies.
The agency would also take complaints, conduct investigations and inform the public on data protection matters. So if it seems like a company like Tinder is doing bad things with your data, the Data Protection Agency would have the authority to launch an investigation and share findings, says the release.

2. Maintain the most innovative, successful tech sector in the world by ensuring fair competition within the digital marketplace.

The agency would promote data protection and privacy innovation across sectors, developing and providing resources such as Privacy Enhancing Technologies (PETs) that minimize or even eliminate the collection of personal data.
The agency would ensure equal access to privacy protection and protect against “pay-for-privacy” or “take-it-or-leave-it” provisions in service contracts—because privacy, including online privacy, is a right that should be enforced, notes the release.

3. Prepare the American government for the digital age.

The agency would advise Congress on emerging privacy and technology issues, like deepfakes and encryption. It would also represent the US at international forums regarding data privacy and inform future treaty agreements regarding data.

Steve Durbin, managing director of the Information Security Forum, says, "As pressure from regulatory compliance increases, businesses must take an increasingly integrated and well-rounded approach to information risk management. There is no way to get around data privacy laws and regulations. Businesses must either comply or pay a stiff penalty. Few jurisdictions, if any, are identical in their regulations, privacy legislation, fraud and breach prevention. Traditional data protection methods may be tough to apply or unusable when it comes to storing or harnessing data in the cloud. Unless you are constantly monitoring the rules, and put tools in place to do so, you might not only be compromising your information, but also your corporate responsibility.”

"Similarly to what happened in the EU with the publication of GDPR, having a strong data protection law is essential to motivate businesses to adhere to a strong code of conduct when manipulating consumer and other business data. This is a positive step forward to bring the US in alignment to what is being done worldwide to protect consumer rights," says Fausto Oliveira, Principal Security Architect at Acceptto. "However, I don't see any recommendations for the size of fine, how those fines would be applied and how the money gathered from those fines would be re-used, I think those are crucial items when publishing a bill to create a new data protection agency. I certainly definitely welcome more level of detail before pronouncing further on the effectiveness of such a law."

"I am not sure if we really need another agency," he continues. "There is an agency already assigned to protect US cybersecurity, and I wonder if it wouldn't be simpler and more effective to expand the powers of CISA to encompass data protection. In that way, the ability to synergize efforts and share information at a federal level would maximize the ability to detect companies that are non-compliant using existing investigative resources. I am always restrained when endorsing new agencies that can lead to efforts being duplicated, or ineffective, due to lack of expertise and manpower."

"This is good first step, however, there are a myriad of factors that would need to be considered for a Federal Regulation on data privacy and security. There was hope that the industry would self-regulate, but we have had some egregious violations of public trust in recent past which makes me believe that may not be possible. In January NIST issued its draft privacy framework to also address these issues. I would hope the Senators bill would consider the carrot and not stick approach in drafting a National Policy on Privacy and Data Protection," notes Terence Jackson, Chief Information Security Officer at Thycotic.

"GDPR has definitely affected the way data is handled in the EU, CCPA was recently enacted in California but it’s too early to tell what effect it will have," he says. "Other states are also considering drafting legislation, the issue I have with that is if each state has its own data law, compliance will be almost untenable for businesses. I do agree that a central governing agency should be created, but I’m not optimistic that our government, without help from the private industry will be able to get it right on the first go."

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.