Another Senate Democrat has introduced a privacy and data security bill. Senator Kirsten Gillibrand’s “Data Protection Act of 2020” (S. 3300) would create a federal data protection authority along the lines of the agencies each European Union member nation has. This new agency would be the primary federal regulator of privacy laws, including a number of existing laws that govern the privacy practices of the financial services industry, the healthcare industry, and others. The new agency would displace the Federal Trade Commission (FTC) on privacy matters while receiving similar enforcement authority, plus the ability to levy fines in the first instance. However, state laws would be preempted only if they are contrary to the new regime, and state attorneys general could enforce the new law. A private right of action would not, however, be created under this law.
The bill would establish the Data Protection Agency (DPA), an independent agency headed by a presidentially nominated, Senate-confirmed Director who would serve a five-year term, or longer until a successor is nominated and confirmed. Hence, Directors would not serve at the pleasure of the President and would be insulated from the political pressure Cabinet members may feel from the White House. However, the Director may be removed for “inefficiency, neglect of duty, or malfeasance in office.” Generally, the DPA “shall seek to protect individuals’ privacy and limit the collection, disclosure, processing and misuse of individuals’ personal data by covered entities, and is authorized to exercise its authorities under this Act for such purposes.”
Personal data is defined widely as “any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or device,” including a number of enumerated types of data such as medical information, biometric information, browsing history, geolocation data, political information, photographs and videos not password protected, and others. The bill also creates the term “high-risk data practice” to cover the collection or processing of personal data that is sensitive, novel, or may have adverse, discriminatory real-world effects; such practices would be subject to heightened scrutiny and regulation. For example, new high-risk data practices “or related profiling techniques” may not be used before the DPA conducts “a formal public rulemaking process,” which under administrative law usually means a lengthy process including a public hearing.
Those entities covered by the bill are “any person that collects, processes, or otherwise obtains personal data with the exception of an individual processing personal data in the course of personal or household activity,” an incredibly broad definition that sweeps in virtually any commercial entity collecting or processing personal data. There is no carve-out for businesses below a certain revenue level or number of persons whose data they collect and process. Large covered entities would be subject to extra scrutiny from the DPA and extra responsibility. Entities falling into this category are those with “gross revenues that exceed $25,000,000;” that buy, receive for the covered entity’s commercial purposes, sell, or disclose for commercial purposes the personal information of 50,000 or more individuals, households, or devices; or that derive “50 percent or more of its annual revenues from the sale of personal data.” The DPA “may require reports and conduct examinations on a periodic basis” from large covered entities to ensure compliance with federal privacy laws and to examine their practices, compliance processes, and procedures, including “detecting and assessing associated risks to individuals and groups of individuals;” and “requiring and overseeing ex-ante impact assessments and ex-post outcome audits of high-risk data practices to advance fair and just data practices.”
Most notably, it appears that the enforcement and rulemaking authority of current privacy statutes would be transferred to the agency, including Title V of the “Financial Services Modernization Act of 1999” (aka Gramm-Leach-Bliley), Subtitle D of the Health Information Technology for Economic and Clinical Health Act (i.e. HIPAA’s privacy provisions), the “Children’s Online Privacy Protection Act,” and the “Fair Credit Reporting Act.” Specifically, the bill provides that “[t]he Agency is authorized to exercise its authorities under this Act and Federal privacy law to administer, enforce, and otherwise implement the provisions of this Act and Federal privacy law.” The bill defines “federal privacy law” to include all the aforementioned statutes. Consequently, the agencies currently enforcing the privacy provisions of those statutes and related regulations would turn over enforcement authority to the DPA. This, of course, is not without precedent: Dodd-Frank required the FTC to relinquish some of its jurisdiction to the Consumer Financial Protection Bureau (CFPB), to cite but one recent example. In any event, this approach sets the “Data Protection Act of 2020” apart from a number of the other privacy bills, and aside from the policy elegance of housing privacy statutes and regulations at one agency, it would likely cause the current regulators and the committees that oversee them to oppose this provision of the bill.
The DPA would receive authority to punish unfair and deceptive practices (UDAP) regarding the collection, processing, and use of personal data and, unlike the FTC, would have notice-and-comment rulemaking authority to effectuate this authority as needed. However, like the FTC, before the agency may use its UDAP powers regarding unfairness, it must establish that the practice is causing or is likely to cause substantial injury, is unavoidable by the consumer, and is not outweighed by countervailing benefits.
The DPA would receive many of the same authorities the FTC currently has to punish UDAP violations, including injunctions, restitution, disgorgement, damages, and other monetary relief, and also the ability to levy civil fines. However, the fine structure is tiered, with reckless and knowing violations subject to much higher liability. The first tier would expose entities to fines of $5,000 per day that the violation is occurring or that the entity fails to heed a DPA order. The language could use clarification as to whether this means per violation per day or just a per-day fine regardless of the number of separate violations. The second tier, for reckless violations, carries fines of up to $25,000, and the third tier, for knowing violations, up to $1,000,000. However, the DPA must either give entities liable to fines notice and an opportunity for a hearing before levying a fine through its administrative procedures, or go to federal court to seek a judgment. Alternatively, the DPA could enforce the other federal privacy laws under their own terms rather than bringing the aforementioned authority to bear.
There would be no preemption of state laws to the extent such privacy laws are not inconsistent with the “Data Protection Act of 2020,” and states may maintain or institute stronger privacy laws so long as they do not run counter to this statute. This is the structure used under Gramm-Leach-Bliley, so there is precedent. Hence, it is possible there would be a federal privacy floor that some states, like California, could regulate above. However, the bill would not change the preemption status quo of the federal privacy laws the DPA would be able to enforce, and those federal statutes that preempt state laws would continue to do so. State attorneys general could bring actions in federal court to enforce this law, but no federal private right of action would be created.
Of course, the only other major privacy and data security bill that would create a new agency to regulate these matters instead of putting the FTC in charge is Representatives Anna Eshoo (D-CA) and Zoe Lofgren’s (D-CA) bill, the “Online Privacy Act of 2019” (H.R. 4978), which would create the U.S. Digital Privacy Agency (DPA) to supersede the FTC on many privacy and data security issues. For many sponsors of privacy bills, creating a new agency may be seen as a few bridges too far, and so they have opted to house new privacy regulation at the FTC.
Finally, as can be seen in her press release, Gillibrand’s bill has garnered quite a bit of support from privacy and civil liberties advocates, some of whom generally endorse the idea of a U.S. data protection authority rather than this bill per se. Nonetheless, this is another bill that is on the field, and it remains to be seen how much Gillibrand will engage on the issue. It also bears noting that she serves on none of the committees of jurisdiction in the Senate.