A New Digital Age Privacy Protection Agency Holds Promise

The Data Protection Act of 2021 would strengthen public safeguards over big data.

Data privacy regulation in the United States is overdue for an upgrade. Not only have basic internet governance rules defied comprehensive amendment but specific calls for the U.S. Congress and the Federal Trade Commission (FTC) to address data platform governance in a way that systematically responds to privacy and racial equity problems—along with antitrust and intellectual property concerns—have gone unheeded. For consumers of online platforms, neither industry self-regulation nor litigation has proven effective constraints on Big Tech companies such as Amazon, Facebook, Google, TikTok, Twitter, Airbnb, and Uber that serve as gateways to the internet or provide communication, shopping, travel, and entertainment services.

A recent bill introduced by U.S. Senator Kristen Gillibrand (D-N.Y.) holds promise. If passed, the Data Protection Act of 2021 (DPA) would create a Data Protection Agency. But does it go far enough to meet the enormous challenges?

Enacting the DPA could shine more light on privacy violations, discrimination, and racial bias through the new agency’s research and investigative authority; lead to the development of new regulations grounded in careful evaluation and assessments; and spur compliance through investigations, accountability hearings, and the levying of meaningful penalties.

The DPA would significantly strengthen a bill Senator Gillibrand introduced with similar aims in 2020. The bold, new DPA would push the United States beyond reliance on the under-resourced and power-limited FTC by establishing a new Data Protection Agency with the sweeping policymaking, research, and law enforcement authority needed to make a difference in data privacy regulation.

Specifically, the new agency would enforce privacy regulations, punish violators, and study platform data-collection practices. It would receive rulemaking authority to carry out federal privacy laws and the ability to impose civil penalties. This authority would include the ability to regulate acts and practices involving the use or collection of personal data.

For large data aggregators, the agency could require reports and conduct periodic examinations of their practices. The agency would be required to review and submit a report to the FTC and U.S. Department of Justice on the privacy implications of any merger involving a large data aggregator or involving the transfer of personal data of 50,000 or more individuals.

This new federal agency, analogous to similar agencies in other respected nations, would be composed of three units: an office of civil rights, a research division, and an arm for collecting and tracking consumer complaints.

The office of civil rights would provide oversight and enforcement of federal privacy laws to ensure that the collection and use of personal data is conducted on an equitable and non-discriminatory basis. It would promote and establish data processing practices that would further equal access to aspects of interstate commerce such as housing, education, credit, and employment. The office could address claims such as those made in the past that Facebook’s advertisement-buying platform permitted users to block individuals from protected classes from seeing certain advertisements.

The research unit would study and analyze data collection practices. The agency would employ teams of data scientists and other experts on privacy law and technology competent to conduct its research and evaluations. They would be charged with the measurement of relative costs and benefits of “high-risk data practices,” including the identification of unintended consequences and the assessment of potential disparate impacts and privacy harms.

The bill defines a “high-risk data practice” as an action by a data aggregator that involves automated decision systems, systematic processing of publicly accessible data on a large scale, any profiling of individuals on a large scale, geolocation processing, and the processing of data that reveals sensitive data such as an individual’s protected class, income, and criminal convictions. Research unit risk assessments would entail the detailed study, not only of high-risk data practices but their related development, design, and training data characteristics.

A third unit within the new agency would be dedicated to collecting and tracking complaints. Consumers would have the ability to file complaints via telephone or a publicly available website. Furthermore, the agency would establish a “data protection civil penalty fund” available to compensate victims of federal privacy law violations. Fees and other charges placed upon large data aggregators would go into a separate dedicated fund to support agency activities.

Senator Gillibrand’s proposal has important strengths that make it worthy of endorsement.  Although her proposal establishes a new federal agency to enforce current law without immediately enacting comprehensive new privacy laws, the Data Protection Agency would be an important first step toward a stronger federal privacy law regime based on timely, technically sophisticated regulation.

The new agency’s civil rights office would add an important element that was absent from Senator Gillibrand’s 2020 legislative proposal. This critical reform would enhance the ability of the federal government to respond to the documented racial bias against African Americans and other minorities embedded into algorithms and other automated and human decision-making. The agency would study such systems with the intent of uncovering bias and other harmful discrimination with potential disparate impacts on vulnerable groups.

Finally, the new agency would have sharp teeth. When violations of federal privacy law are suspected, the agency would have the authority to conduct investigations and issue subpoenas. If there has indeed been a violation of federal law, the agency would have the authority to impose civil penalties on offenders, up to $1,000,000 a day. Fines of this magnitude could have deterrence value even against the biggest of Big Tech firms, which are not well motivated by the penalties currently levied by the FTC.

Senator Gillibrand wants to “give Americans control and protection over their own data.” Individuals may not be able to reclaim control over all their data, but they clearly deserve strong federal protections against exploitation, manipulation, and discrimination. Senator Gillibrand’s proposal may have what it takes to get through Congress and onto the desk of President Joseph R. Biden for final passage.

Anita L. Allen

Anita L. Allen is the Henry R. Silverman Professor of Law and Professor of Philosophy at the University of Pennsylvania.

Anita L. Allen thanks Matthew Brotz for his assistance with this essay.