Sen. Kirsten Gillibrand wants to create a new agency to deal with data privacy

Sen. Kirsten Gillibrand (D-NY) is introducing a revamped version of her Data Protection Act, which would create a new government agency in charge of regulating and enforcing federal privacy laws — the ones we have now as well as any we might get in the future.

“Big Tech companies are free to sell individuals’ data to the highest bidder without fear of real consequences, posing a severe threat to modern-day privacy and civil rights,” Gillibrand said in a statement. “A data privacy crisis is looming over the everyday lives of Americans and we need to hold these bad actors accountable.”

The bill builds on her 2020 version in ways that seem to reflect the Biden administration’s agenda and the fact that Democrats now have control over both houses of Congress and are therefore more likely to be able to carry out that agenda. It also includes new sections addressing antitrust and civil rights.

The Data Protection Act isn’t a privacy bill in and of itself. Rather, it establishes a Data Protection Agency, whose job would be to regulate and enforce federal data privacy laws. The bill also spells out some prohibited data collection and usage practices, including those that are discriminatory or deceptive, and bans re-identifying users from de-identified data.

The agency would also, in this new version, review the privacy implications of any mergers that include transferring the data of at least 50,000 users — think Facebook and Instagram, but also those of data brokers like Oracle’s acquisition of BlueKai. That review would then be sent to the Federal Trade Commission (FTC) and the Department of Justice to be used in determining whether to allow the mergers to go through.

The Data Protection Agency would also have its own Office of Civil Rights that ensures data is not collected or used in a way that discriminates against protected classes. Facebook allowing users to place housing ads that exclude certain races and ethnicities is one example of this, but there are myriad ways that data you didn’t even know you were providing can be used against you — and there’s no one agency responsible for overseeing those violations.

Currently, enforcing federal privacy laws generally falls to the FTC and state attorneys general. This bill would take that out of the FTC’s purview, and opinions are divided on whether this is a good idea. Some believe the power should stay with an established agency that can be expanded to better take it on. The FTC recently said it needed more people and new units to properly tackle privacy issues. The agency currently only has about 40 people dedicated to privacy matters out of its roughly 1,100 full-time employees. Washington Rep. Suzan DelBene’s privacy bill, introduced in March, would give the FTC significantly more money and employees, which she told Recode she believes is a better way to regulate privacy than a new agency.

“There’s nothing wrong with the FTC that can’t be corrected with stronger legal authority and more resources,” Cameron Kerry, a fellow at the Brookings Institution’s Center for Technology Innovation, told Recode last March. “I think it’s got experience. You don’t just stand up a new agency. I think there are advantages to having an agency doing this that also has competition authority.”

But others point out that many countries have data protection authorities, and a dedicated body is needed considering the huge companies and ecosystem it would be regulating — data collection is, in many ways, the backbone of the internet and mobile apps. The FTC, many argue, has fallen short on data privacy and is frequently called “toothless” for levying fines against Big Tech companies that are essentially slaps on the wrist — first offenses often don’t even merit a fine. Even the enormous $5 billion fine the FTC handed down to Facebook for privacy violations didn’t seem to make a dent in the company’s bottom line, and only happened because Facebook violated a 2012 settlement that didn’t require it to pay a fine at all.

And Gillibrand isn’t the only lawmaker who wants an agency like this: California Reps. Anna Eshoo and Zoe Lofgren’s Online Privacy Act called for a Digital Privacy Agency, and that bill could also make a reappearance this Congress. Ohio Sen. Sherrod Brown’s draft version of his Data Accountability and Transparency Act included a provision establishing an independent agency, and his office told Recode he intends to introduce his bill this Congress. He’s a co-sponsor of Gillibrand’s bill. Meanwhile, California will soon have its own Privacy Protection Agency.

It’s also not yet known where data privacy will fall on the FTC’s docket, now that Lina Khan is the agency’s chair. Khan rose to prominence as a Big Tech critic and antitrust expert, and her appointment reflects that the Biden administration wants to prioritize those antitrust matters, as do lawmakers in both parties and both houses of Congress. Khan was a co-author of the House Democrats’ massive antitrust report, which blamed Big Tech’s perceived anti-competitive practices for eroding user privacy. Data privacy will likely be a part of her agenda, but it may not be the focus.

Perhaps the biggest issue with this bill is not the bill itself but what the agency it creates would be able to do. While the US does have data privacy laws, almost everyone — including the companies the laws target — agrees that existing regulations aren’t enough and don’t reflect the online-centric way many people live their lives now. They just don’t agree on how to address that problem, so federal privacy bills have historically gone nowhere. And that’s something this bill can’t fix.