The Data Protection Act of 2020 is the latest federal bill directed to issues of personal data privacy and security. Introduced by Senator Kirsten Gillibrand (D-N.Y.), this legislation establishes an independent federal Data Protection Agency with the power to regulate the processing of personal data through, for example, the power to enforce defined "Federal privacy laws."
Similarly to the European Union’s General Data Protection Regulation (GDPR), the bill recognizes that “[p]rivacy is an important fundamental individual right” which is “directly affected by the collection, maintenance, use and dissemination of personal data.” The bill further notes that the unrestricted collection, disclosure, processing and misuse of personal data (which is broadly defined, similar to the definition of “personal data” under the GDPR) endanger the “opportunities for an individual to secure employment, insurance, credit and housing and the right to due process and other legal protections.” Senator Gillibrand personally echoed these concerns and others in a recent article, stating that “[i]t’s clear that lawlessness in the data privacy space can give rise to new, unexpected forms of injustice.”
As such, the bill provides that “[i]n order to protect the privacy of individuals, it is necessary and proper for Congress to regulate the collection, maintenance, use, processing, storage, and dissemination of information.” The bill seeks to accomplish these goals through the establishment of and granting specific powers to the independent federal Data Protection Agency.
The specific powers include, in part, the ability of the Agency to commence a civil action against a “covered entity” (“any person that collects, processes, or otherwise obtains personal data with the exception of an individual processing personal data in the course of personal or household activity”) who violates a defined “Federal privacy law,” and to seek relief including civil monetary penalties or equitable remedies including injunctive relief for such violations. Civil monetary penalties for knowingly violating a Federal privacy law can be as high as “$1,000,000 for each day during which such violation continues.” Money collected in successful enforcement by the Agency is to be deposited into a “Relief Fund,” and be made available to compensate individuals “affected by an act or practice for which civil penalties have been obtained.”
Clearly, this legislation would not establish a comprehensive federal data privacy/cybersecurity law in the same vein as the GDPR or California’s Consumer Privacy Act (CCPA). However, the Data Protection Agency created by this legislation could coexist with and enforce such a law. Indeed, Senator Gillibrand recognized that the Data Protection Agency “would serve as a ‘referee’ to define, arbitrate, and enforce rules to defend the protection of our personal data.”
The chances of this bill becoming law, at least this year, are probably low given that this is a presidential election year and in view of the continuing acrimony on Capitol Hill.