United States Senator Kirsten Gillibrand (D-NY) introduced the "Data Protection Act of 2020." The bill would form a national Data Protection Agency ("DPA") designed to establish and enforce data privacy and cybersecurity practices.

Under the bill, the newly formed DPA would regulate companies' use of consumer personal data by limiting how it may be collected, disclosed and processed. Specifically, the DPA would:

  • act as an executive agency with a director appointed by the president and confirmed by the Senate for a five-year term;
  • receive consumer complaints and initial investigations of companies believed to have violated data privacy laws, with the power to issue subpoenas and seek fines and injunctive relief;
  • coordinate efforts with all federal departments and agencies to (i) enforce regulations regarding privacy or data protection, and (ii) eliminate inconsistencies among their operations, functions and jurisdictions;
  • oversee high-risk data practices by (i) requiring covered entities to conduct ex-ante impact assessments and ex-post outcomes, and (ii) examining certain impacts and proposing remedies; and
  • ensure that privacy practices (i) comply with fair information practices, (ii) implement fair contract terms in the market (e.g., prohibiting "pay-for-privacy provisions" and "take-it-or-leave-it" provisions within service agreements), and (iii) encourage techniques to minimize data.

Commentary Joseph Moreno

Senator Gillibrand's bill to establish a federal agency focused on data privacy is one of several recent legislative efforts to centralize that function, which currently is performed by the Federal Trade Commission. The fact that such legislation is even necessary is an acknowledgment that the United States lacks a national data privacy and data protection standard akin to the European Union's General Data Protection Regulation (GDPR), or a dedicated regulator to enforce it. Instead, states such as California and New York have taken the lead on various data privacy efforts, coupled with data breach laws now in effect in all fifty states. While the fact that 2020 is a presidential election year casts doubt on Congress' ability to enact significant legislation, Senator Gillibrand is to be commended on identifying and advocating for an issue whose time certainly has come.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.