Gillibrand bill would create new data protection agency

Sen. Kirsten Gillibrand (D-N.Y.) has introduced legislation that would create a new federal agency dedicated to data protection and digital privacy.

In a blog post on Medium announcing the bill, Gillibrand argued that unregulated private companies have been "the clear winners" in the U.S. economy's transition to the digital age, cultivating "major empires of data" to sell and profit from. Meanwhile, users are hit with a constant stream inconvenience and victimization when those same companies are breached by hackers.

"My legislation would establish an independent federal agency, the Data Protection Agency, that would serve as a "referee to define, arbitrate, and enforce rules to defend the protection of our personal data," Gillibrand wrote.

Under Gillibrand's bill, the new agency would have a presidentially appointed director serving a five-year term to carry out duties that "protect individuals' privacy [and] limit the collection, disclosure, processing and misuse of individuals' personal data." It would coordinate efforts among federal agencies to enforce federal privacy laws, help industry develop its own rules and policies, respond to consumer complaints, study high-risk data privacy practices and conduct investigations and audits of covered entities.

The agency would also tackle how new or emerging technologies like deepfake audio and video or changes in encryption affect the overall privacy landscape and advise Congress on legislative solutions.

Privacy and consumer groups, including the Electronic Privacy Information Center, the Center for Digital Democracy, the Parent Coalition for Student Privacy and the Consumer Federation of America have endorsed the plan.

Companies and policymakers are becoming increasingly concerned that the United States will be left behind when it comes to setting international standards around privacy and data protection. Around the world, laws like the General Data Protection Regulation passed by the European Union in 2018 have had a major impact on how companies operate.

China's 2017 Cybersecurity Law, which in some respects operates like a general data privacy law but has drawn criticism for potentially making it easier for the Chinese government to spy on and access its citizens data. Brazil, India and other major countries have also implemented their own national privacy laws.

Closer to home, California passed comprehensive statewide privacy legislation that mandates companies make a greater effort to inform users about how their data is being used, take additional steps to protect that data and provide users with ways to opt out of sharing certain information. With the largest population of any state and the home to Silicon Valley, the law has the potential to influence the behavior of tech companies across the country.

"The United States is vastly behind other countries on this," Gillibrand wrote. "Virtually every other advanced economy has established an independent agency to address data protection challenges, and many other challenges of the digital age."