US Senator Proposes New Data Protection Bill

• The senator argues that the FTC Act does not address data protection challenges.
• The law, if passed, would apply to any company with revenues over $25 million, or which manages the personal data of 50,000 or more people.

A US senator for New York announced draft legislation known as the ‘Data Protection Act’ to establish an independent data protection agency in the country.

What happened?

Kirsten Gillibrand, the US senator for New York, released a draft legislation last week. According to Gillibrand, the US lags behind in addressing data protection challenges and many other challenges of the digital age. The US also doesn’t have a single dedicated body for enforcing data privacy rules.

"My legislation would establish an independent federal agency, the Data Protection Agency, that would serve as a 'referee' to define, arbitrate, and enforce rules to defend the protection of our personal data," wrote Gillibrand in a Medium blog that she posted before announcing the Data Protection Act.

Alleged flaws in FTC Act

As the senator argued, the FTC Act can’t issue fines for privacy violations immediately in case of a privacy violation. Instead, a consent decree (the violator has to agree that it won’t be violate rules again) is issued to the defaulter and then a fine is imposed when the company violates that decree.

This was the reason behind Facebook being fined $5 billion after eight years for privacy infractions in 2011. The senator argues that the FTC is not focused on privacy issues, hence the need for a federal data protection agency dedicated to the task with three core missions.

Three core missions

The first would give Americans control over their own data by enforcing data protection rules. Authorities would be able to not just conduct investigations and share its findings, but to impose civil penalties.

The second mission would aim at promoting privacy innovations, including technologies that minimize the collection of personal data or eliminate it altogether.

Finally, the third mission would be to “prepare the American government for the digital age” through advising on emerging privacy issues and representing the US at international privacy forums.

Noteworthy clause

The law, if passed, would apply to any company with revenues over $25 million, or which manages the personal data of 50,000 or more people. A noteworthy clause in the bill states that an organization deriving half of its revenue from the sale of personal data are covered under this law. This clause may many of the large social media or search platforms that collect user data and use it internally to target ads for its clients.