U.S. Sen. Kirsten Gillibrand (D-New York) announced that she reintroduced Senate Bill 2134, the Data Protection Act of 2021. The bill creates an independent federal Data Protection Agency (DPA) to protect individuals' data, safeguard their privacy and ensure that data practices are fair and transparent.
- Very broad definition of "high risk data practice." The definition includes: automated decision making, financial status (income), citizenship, health or mental health, systematic processing of publicly accessible data on a large scale, processing involving the use of new technologies, decisions about an individual's access to a service, profiling on a large scale, processing biometric information for the purpose of identification, combining, comparing or matching personal data obtained from multiple sources, processing precise geolocation, and consumer scoring regarding employment, compensation, etc.
- Processing high risk data requires conducting an ex-ante risk assessment (for which there are detailed requirements) and an ex-post impact evaluation.
- Privacy harm is defined to include psychological harm, including embarrassment or anxiety, and the use of IT to covertly influence decision making by targeting.
- All complaints to the DPA shall be public (with personal data redacted).
- DPA to develop model privacy and data protection standards and guidelines and to issue regulations including those related to: high risk data practices and unlawful, unfair or deceptive acts in the collection and processing of personal data, as well as the rights and transparency that companies must provide to individuals.
- DPA to have all powers and duties under federal privacy laws to prescribe rules, issue guidelines, or to conduct studies or issue reports mandated by such laws that were previously vested in the Federal Trade Commission.
- DPA to require reporting from "large data aggregators" (those with more than $25 million in annual gross revenue or that process the data of more than 50,000 individuals).
- DPA to publish a publicly accessible list of data aggregators that collect, process or share the personal data of more than 10,000 persons or households, and the permissible purposes for which the data aggregators purport to collect personal data.
- DPA and DOJ to review mergers involving large data aggregators.
- DPA may initiate investigations, issue subpoenas and issue investigative demands requiring the submission of evidence or reports; issue injunctions (temporary cease and desist orders); issue notices of charge (for a hearing to be held in the relevant federal judicial district) with a right of appeal to the court of appeals; and commence a civil action to impose a civil penalty or obtain injunctive relief.
- The bill includes a variety of remedies that the court may issue (including disgorgement of revenues, data or technologies) and a list of heavy fines (tiered at $5,000, $25,000 and $1 million per day of violation), but specifically prohibits "exemplary or punitive damages."
- Assumed fine of $1 million a day for any person who re-identifies, or attempts to re-identify, anonymized data, unless they are conducting authorized testing to prove that personal data has been anonymized.
- Law not to be construed as limiting the authority of State Attorneys General or State Data Privacy Regulators.