Sen. Kirsten Gillibrand, D-N.Y., just unveiled her new proposal for digital privacy legislation, including a new federal agency to enforce consumers’ privacy rights online. It adds to a growing stack of bills aimed at empowering consumers with new digital rights and keeping tech companies’ data collection in check.
“These companies have built major empires of data with information about our private lives. They’re processing that information with increasingly complex and sophisticated algorithms. And they’re making a whole lot of money off of it,” Gillibrand wrote.
The bill could add momentum to the idea of creating an independent agency to enforce digital privacy laws or at least push the discussion further in the direction of stronger enforcement mechanisms. But it does little to advance toward bipartisan support, which many lawmakers agree will be necessary to push privacy legislation forward.
What the Data Protection Agency could do
Gillibrand’s Data Protection Agency (DPA), which is similar to the agency proposed by Silicon Valley House Democrats Anna Eshoo and Zoe Lofgren, would have a director with a five-year term appointed by the president and confirmed by the Senate. The president would have the power to remove a director “for inefficiency or neglect of duty,” according to a summary of the bill provided by Gillibrand’s office.
The proposed DPA could commence civil actions if it finds companies violating federal privacy laws, and could grant relief to victims in the form of refunds, restitution, damages and reformation of contracts. Civil penalties would vary based on the severity of the violations, but would be capped at $1 million per day for anyone who knowingly violates the federal privacy law. The bill would establish a relief fund for people who prove they were harmed by privacy violations, with the civil penalties covering these charges. The DPA would have rulemaking authority as well as the ability to issue subpoenas.
In addition to enforcement, the agency would be charged with examining privacy innovation and developing best practices. To ensure compliance, the bill would allow the DPA to request reports from especially large companies, like those with annual gross revenue above $25 million or whose businesses involve collecting a lot of data.
Gillibrand’s bill echoes aspects of other proposals put forth by legislators, some of which will face resistance from Republicans.
Like a Senate bill backed by Democrats, including Commerce Committee Ranking Member Maria Cantwell, D-Wash., Gillibrand’s proposal does not preempt state laws, meaning it would not create a sweeping national standard for privacy. That makes it a non-starter for many Republicans who favor a single standard.
(A draft bipartisan proposal from the top members of the House Subcommittee on Consumer Protection and Commerce, Reps. Jan Schakowsky, D-Ill., and Cathy McMorris Rodgers, R-Wash., doesn’t even touch the highly charged topic of preemption yet, with the congresswomen behind it arguing it’s more important to get the language of the bill right first.)
On the other hand, Gillibrand’s bill does not mention a private right of action, which Republicans tend to oppose. Such a provision would allow individuals to sue companies they believe violated their rights under the law. Conservatives and industry players fear such a provision would spur an onslaught of frivolous lawsuits.
The idea for a new agency will likely face resistance from conservatives or lawmakers concerned about the complexities of setting up a new organization to enforce the law. Several other proposals from both Democrats and Republicans delegate enforcement to the Federal Trade Commission, with some establishing a new bureau there and boosting funds.
McMorris Rodgers, the Republican working on the bipartisan House bill, said in an interview with CNBC last month “the most effective way to provide the certainty as well as the enforcement is through the FTC, through the existing agency, and giving them more direction and more resources to be able to do that.”
But like Lofgren and Eshoo, Gillibrand pointed to other countries’ enforcement mechanisms to justify her proposal.
“The United States is vastly behind other countries on this,” she wrote in the Medium post. “Virtually every other advanced economy has established an independent agency to address data protection challenges, and many other challenges of the digital age.”