Senator calls for dedicated US data protection agency

On Feb 18, 2020

The US needs a data protection agency of its own, and Kirsten Gillibrand wants to be the one that makes it happen.

Gillibrand, the US senator for New York, released the call to action last week. She announced draft legislation known as the Data Protection Act on Thursday 13 February, a day after explaining her reasoning in a post on Medium. We need to do this to catch up, she said:

The United States is vastly behind other countries on this. Virtually every other advanced economy has established an independent agency to address data protection challenges, and many other challenges of the digital age.

At the moment, the US doesn’t have a single body dedicated to enforcing privacy rules. It’s a side-mission at the Federal Trade Commission (FTC), which is limited in its approach.

Under Section 5 of the FTC Act, it can’t issue fines for privacy violations immediately. Instead, it has to issue a consent decree (the violator has to agree that it won’t be naughty again) and it can only fine a company if it violates that decree. That’s why it didn’t fine Facebook for privacy infractions in 2011 but did levy a $5bn fine last year.

In any case, the FTC doesn’t just focus on privacy. Gillibrand wants a federal data agency dedicated to the task with three core missions.

The first would give Americans control over their own data by enforcing data protection rules. The key word here is ‘enforcing’ – it would be able to not just conduct investigations and share its findings, but to impose civil penalties. These would be capped at $1m for each day that an organisation knowingly violates the Act. This money would go into a relief fund that the Agency would use to help compensate victims of data privacy violations.

The second mission would be to promote privacy innovations, including technologies that minimise the collection of personal data or eliminate it altogether. Under this mission, Gillibrand would also come down hard on service contracts that gave customers no choice but to give up their privacy. She also says that she’d protect against “pay for privacy” provisions in service contracts.