On Thursday, Sen. Kirsten Gillibrand (D-NY) released a proposal to overhaul the way the US government regulates privacy. Gillibrand’s Data Protection Act would found a new independent agency called the Data Protection Agency (or DPA), tasked with protecting consumer data at large. Consumers would file complaints with the DPA that could trigger larger investigations into data malpractice, potentially implicating major platforms like Google and Facebook. If a company is found to have abused consumer data, the DPA could take action by inflicting civil penalties or seeking injunctive relief.
“The tech giants — Google and Facebook among them — have been the clear winners of our transition to the digital age,” Gillibrand said in her blog post outlining the measure. “Companies have declared that this data is theirs for the taking, and they’ve repeatedly rejected responsibility and accountability for the greater impacts of any bad behavior.”
On top of its investigative work, the DPA would collaborate directly with the tech industry to promote the development of Privacy Enhancing Technologies, or PETs, that “minimize or even eliminate the collection of personal data.” In theory, these technologies would enable the industry to move away from pay-for-privacy business models. The DPA would also research emerging tech threats like deepfakes and advise Congress on how to regulate them.
The proposal has already garnered a high-profile endorsement from Shoshana Zuboff, former Harvard Business School professor and author of The Age of Surveillance Capitalism.
“With this Bill, Senator Gillibrand joins a history-making new wave of legislative and regulatory efforts in the US and Europe that promise to assert democratic governance over commerce in the digital age,” Zuboff said in a statement.
The Federal Trade Commission currently conducts much of this investigatory work, but confidence in the FTC has plummeted in recent years, in part due to a series of disappointing efforts to police large tech platforms. Last July, the FTC slapped Facebook with a $5 billion fine for its alleged data abuses, but did little to restrict the company from misbehaving in the future. The agency penalized YouTube $170 million for allegedly violating the Children’s Online Privacy Protection Act (COPPA), but many of the new requirements fall on creators.
Sen. Josh Hawley (R-MO), one of the fiercest conservative tech hawks, introduced his own measure this week that would house the FTC within the Justice Department and appoint a Senate-confirmed director to lead the office. Both the FTC and DOJ currently have the authority to act against anticompetitive behavior in tech, but Hawley and others believe the FTC to be a wholly ineffective enforcer.
“The agency as presently constituted is in no shape to ensure competition in today’s markets, let alone tomorrow’s,” Hawley said in a statement on Monday.
Hawley’s bill wasn’t the first to target the FTC’s authority on tech, however. Reps. Anna Eshoo (D-CA) and Zoe Lofgren (D-CA) laid out their own framework for a federal data protection agency last November. Unlike the Gillibrand measure, though, the Eshoo-Lofgren bill would enact a federal data privacy framework alongside the agency’s establishment. So far, Gillibrand’s Data Protection Agency lacks any new rules for her agency to enforce once it’s founded.
Outside of these few measures, Congress has been skeptical about the establishment of a brand-new agency for data protection, although the idea has garnered significant support from consumer groups.
“The US confronts a privacy crisis,” said Caitriona Fitzgerald, policy director at EPIC. “Our personal data is under assault. Congress must establish a data protection agency. Senator Gillibrand has put forward a bold, ambitious proposal to safeguard the privacy of Americans.”