The data privacy establishment in the U.S. may sometimes be regarded as trailing Europe, but Senator Kirsten Gillibrand D-N.Y., has a plan. Gillibrand has called for the creation of a domestic privacy regulator that could enable the U.S. to catch up with other countries, narrowing the gap.
Currently, the United States does not have a dedicated agency to enforce privacy laws. This is handled by the Federal Trade Commission (FTC), which has a limited approach. Under Section 5 of the FTC Act, it does not have the power to impose financial penalties for violations of privacy immediately. Instead, it has to issue a consent decree whereby the violator must agree not to break the law in the future) and the defendant can only be fined if it violates the decree.
In a post on Medium, the New York senator said that she would introduce legislation to create a new Data Protection Agency.
The United States is vastly behind other countries on this. Virtually every other advanced economy has established an independent agency to address data protection challenges, and many other challenges of the digital age.
Gillibrand says that as so much commerce is now conducted online, there’s an imbalance between the rights of users and those who control our data. “Lawlessness in the data privacy space,” she writes, “can give rise to new, unexpected forms of injustice.” Like many lawmakers, she says that Google and Facebook, amongst others, have made “a whole lot of money” from our private data.”
And she says the risks, when things go wrong, are getting worse as a consequence of how much data these bodies hold about us. Gillibrand cites the Equifax breach as a prime example, saying that the company’s failure to properly safeguard the data allowed hackers to make off with so much information. And yet, she says, the company “has faced few consequences and little accountability for what happened.”
There are a number of voices which are asking for an improved privacy and data protection regime in the US, often looking to Europe’s GDPR for inspiration. Apple CEO Tim Cook has called for the US to adopt GDPR-style data privacy rules in the US, as has the House Energy and Commerce Committee. The latter, back in 2019, said that the FTC — which currently handles such cases — wasn’t sufficiently empowered to act as a proper privacy regulator, and needed support.
A group of 51 companies, including Amazon, IBM and Qualcomm, have also lobbied Washington in the hope of getting stronger data privacy laws. In October 2019, Senator Ron Wyden sponsored the Mind Your Own Business Act, which would give the FTC more powers. Similarly, rival proposals are being pushed around the Senate Commerce Committee, although The Hill says the plan is still being worked out.
Gillibrand says that the proposed Data Protection Agency would serve as a “‘referee’ to define, arbitrate and enforce rules to defend the protection of our personal data.” It would be responsible for investigating complaints, pushing for better privacy protections and advise lawmakers on issues like deepfakes.
CNBC points out that Gillibrand’s proposal mirrors that from California Democrats Anna Eshoo and Zoe Lofgren, who are also calling for a dedicated privacy agency. The outlet claims to have read a draft of the Gillibrand bill, which would give the new agency powers to bring civil actions against bad actors. And if it finds a company has knowingly violated federal privacy law, then fines would be capped at $1 million per day.
It remains to be seen how well the bill will survive in an environment with a number of competing privacy bills and seemingly insurmountable partisan gridlock. Especially since Gillibrand’s bill leaves some room for states to shape their own rules, and suddenly Republicans are in favor of federal regulations that supercedes states rights. But it is clear that, given the number of people demanding something must be done to reign in big tech, the days of lax data protection laws are numbered.
Sources: Engadget UK, CNBC