Will U.S. Launch Data Protection Agency?

Senator Kirsten Gillibrand (D-NY) in June 2021 announced the reintroduction of the Data Protection Act of 2021 (the “bill”). The bill would create an independent federal agency, the Data Protection Agency, to “regulate high-risk data practices and the collection, processing, and sharing of personal data.”

The bill was first introduced in 2020 and has since been revised to include updated provisions intended to protect against privacy harms, oversee the use of “high-risk data practices” and examine the social, ethical, and economic impacts of data collection.

Senator Kirsten Gillibrand (D-NY)

The Senator’s press release indicates the Data Protection Agency would have three core missions:

  • Provide individuals control and protection over data via its authority to create and enforce data protection rules, including through handling complaints, conducting investigations and administering civil penalties, injunctive relief and other equitable remedies.
  • Ensure fair competition within the digital marketplace, such as by developing model privacy and data protection standards, guidelines and policies.
  • Prepare the U.S. government for the digital age, such as by advising Congress on emerging privacy and technology issues, representing the U.S. in international privacy forums and promoting the consistent regulatory treatment of personal data across federal and state regulators.

In particular, the new agency would be responsible for supervising data aggregators, maintaining a publicly accessible list of data aggregators meeting certain thresholds and reporting to the FTC on the privacy and data protection implications of any mergers that involve a large data aggregator or that propose the transfer of personal data of 50,000 or more individuals. Additionally, the bill would prohibit data aggregators from engaging in certain acts, such as the commission of unfair, deceptive, abusive or discriminatory acts in connection with the processing or sharing of personal data, and re-identifying (or attempting to re-identify) an individual, household or device from anonymized data.

Read the bill here.

Blog courtesy of Hunton Andrews Kurth, a U.S.-based law firm with a Global Privacy and Cybersecurity practice that’s known throughout the world for its deep experience, breadth of knowledge and outstanding client service. Read the company’s privacy blog here.