New Data Protection Agencies are Forthcoming

When we think about data privacy legislation, we usually think about rules, regulations, guidelines and best practices. However, not every data privacy bill on the Senate floor is concerned with telling businesses how to handle their data. A handful of legislators are proposing internal structural changes within government to better-regulate the morphing issues of data privacy.

In fact, some of these bills go as far as to propose the establishment of entirely new government programs, agencies or task forces with the purpose of governing data privacy. Here’s what three of these might look like.

A New Data Protection Agency

The broadly-titled Data Protection Act of 2021 actually has its sights set on something very specific: the creation of a federal data protection agency.

If passed, this bill would create the Data Protection Agency (DPA) – an independent federal agency that would regulate “high-risk data practices” and the “collection, processing, and sharing of personal data.”

What Data Practices Will the DPA Regulate?

The bill is actually quite specific about the data practices it considers “high risk”, which are actions by data aggregators that involve:

• The use of an automated decision system

• Data that involves an individual’s financial information, veteran status, criminal history, citizenship status or health conditions

• A systematic processing of publicly accessible data on a large scale

• The use of technologies that cause or contribute to privacy harm

• Large-scale profiling of individuals

• Processing of biometric data for the purpose of identifying an individual

• Combining, comparing, or matching personal data obtained from multiple sources

• Processing involving an individual’s precise geolocation

• Processing involving groups that are susceptible to exploitation for marketing purposes, profiling, or automated processing such as children under 17, the elderly or disabled people

• Consumer scoring or other business practices that pertain to the eligibility of an individual for employment, credit, insurance, housing, education, professional certification, or the provision of healthcare and related services

How Will the DPA Be Structured?

The DPA would be like most other executive agencies in that it would be led by a director. This director would be a person appointed by the President with expertise on technology, data privacy, civil rights, law and social sciences who, upon appointment, would serve a five year term. Most major decisions involving the agency – such as its administrative, enforcement and research activities – would be made by the director.

The director would also establish two specific functional units within the agency: the Research Unit and the Office of Civil Rights.

The Research Unit’s broad goal would be to research, analyze and assess data issues relevant to the agency. The Office of Civil Rights would have a handful of responsibilities including:

• Providing oversight and enforcement of the act and federal data privacy laws to ensure fair, equitable and non-discriminatory data practices

• Developing, establishing and promoting data practices that further equal opportunity to interstate commerce such as housing, employment, insurance or education

• Coordinating and collaborating with other federal agencies, state regulators, civil rights advocates, privacy organizations and data aggregators

• Serving as a liaison between the government and individuals impacted by harmful data practices

• Reporting to Congress on the efforts of the agency

What Would the DPA Do?

One of the DPA’s primary responsibilities would be hearing and responding to consumer complaints regarding data practices. All these complaints would be made available to the public in a searchable and sortable database on the agency’s website.

The agency would also report to Congress during semi-annual hearings. These hearings would discuss any issues individuals have had exercising their rights as well as any action the agency has taken to regulate data aggregators.

Most importantly, the DPA would have the authority to regulate data activities in the interests of privacy and data protection. While it would also create model guidelines and standards for data aggregators, it could also create legally binding federal regulations regarding issues such as unlawful data practices, deceptive and unfair data activity, consumer data rights and corporate transparency.

What Obligations Would Organizations Have Under This Act?

While this act is not primarily concerned with setting out specific rules or guidelines for data aggregators to follow, the creation of the DPA would bring forth new responsibilities for “large data aggregators” that either make over $25 million in annual gross revenue or process the data of more than 50,000 individuals.

First and foremost, the agency would have the right to periodically require reports from and conduct examinations of large aggregators for the purpose of overseeing their data activity and compliance with federal privacy laws. Under this act, mergers involving large data aggregators would need to be reviewed by both the DPA and the Department of Justice.

The agency would have the authority to collect “an assessment, fee, or other charge” from such aggregators, who would have to report to the agency on their data practices. The DPA would also have the authority to take legal action against aggregators found to be in violation of its regulations including initiating investigations and issuing subpoenas, injunctions, or demands for submission of evidence or appearance in court.

The agency could also commence civil action to impose a civil penalty or injunctive relief against violating entities. Potential remedies resulting from such action range from fines of up to $1 million per day per violation to disgorgement of revenues, data, or technologies. When compensating victims of an action resulting from a violation, the agency would pull from a “Civil Penalty Fund” established and maintained at the Federal Reserve Bank. However, the agency is prohibited from imposing exemplary or punitive damages against violators.

The DPA would also publish a publicly accessible list of aggregators who collect, process or share the personal data of over 10,000 individuals, which would include the permissible purposes for each aggregator’s data activity.

One rule is clear: to process high-risk data, aggregators must conduct a risk assessment prior to processing and an impact evaluation afterwards.

At a minimum, a risk assessment would need to include:

• A description of the high-risk practice including its design, methodologies, training data characteristics, data and purpose

• An assessment of the practice’s relative benefits and costs

• The methods used to store the data

• The duration of the data’s storage

• What information about the practice is available to individuals–and the extent to which individuals can correct or object to its results

• The risks of privacy harm, and inaccurate, biased, or discriminatory decisions resulting from the practice

• The measures taken to minimize the risks, including technical and practical safeguards

At a minimum, an impact evaluation would need to include:

• An evaluation of the practice’s accuracy, disparate impacts on protected classes and privacy harms

• An evaluation of the effectiveness of the measures taken to minimize the risks outlined in the risk assessment

• Further recommendations on how to minimize the risks and harms of the practice

The act is quite vague about what specific activity it prohibits and what constitutes a violation. It is clear that large aggregators failing to cooperate with the DPA on risk assessments, records, reports and investigations would constitute a violation. The act does prohibit “any unlawful, unfair, deceptive, abusive, or discriminatory acts or practices in connection with the collection, processing, or sharing of personal data” – however, it does not detail the exact criteria for this. It can be assumed that this would entail violations of existing state laws or any laws the DPA eventually passes.

Interestingly enough, the act gets more specific regarding violations on the individual level. For example, anyone who “knowingly or recklessly” assists a data aggregator in violation of this act will be found liable. Likewise, there is a massive fine of $1 million a day for any person who re-identifies, or attempts to re-identify, anonymized data, unless they are conducting authorized testing to prove that the personal data has been anonymized.

The Federal Rotational Cyber Workforce Program

While nowhere near as sweeping of a change as the establishment of the Data Protection Agency, another bill has proposed an interesting way to build a culture of cybersecurity in America from the bottom-up.

The Federal Rotational Cyber Workforce Program (FRCWP) Act of 2021 establishes a pipeline through which veterans and members of the U.S. armed forces transitioning into civilian life can find federal jobs in information technology or cybersecurity.

How would this work? Well, the heads of federal agencies would prepare a detailed list of relevant cybersecurity and IT positions within their agency that could qualify for the program. These positions would then be made available to veterans or army members who have completed the relevant training for the job.

At this point, the details of the process have not been fleshed out. However, the policies, processes and procedures for the program would need to be determined no later than 270 days after the enactment of the act. At a minimum this plan would:

• Identify executive agencies for participation in the program

• Establish the training, education, and career development requirements individuals would need to participate in the program

• Establish accountability devices to evaluate the program–such as performance measures, reporting requirements and employee exit surveys

In short, an individual participating in this program would be treated much like a normal employee of their respective federal agency. They would be hired at the agency’s discretion, would have all the rights available to other employees and would be subject to the same performance evaluations. Notably, if their employment is interrupted because they have to serve in the army, they would be able to return to their job without loss of pay, seniority, or benefits.

However, it is worth noting that a position under this program would be more like an apprenticeship and less like a full-time job. The employment would last between 180 days and a year and would be primarily concerned with building the skills and experiences the veteran would need to enter the cybersecurity industry.

The Digital Connectivity and Cybersecurity Partnership

Another proposed government program is buried within the pages of a much bigger bill: the Strategic Competition Act of 2021.

On the surface, the broader purpose of this bill doesn’t seem to have much to do with data privacy. In the words of Senate Foreign Relations Committee Chairman Bob Menendez, this bill “focuses on countering and confronting China’s predatory international economic behavior,” with intellectual property violations, alleged Chinese circumvention of U.S. export controls and the “presence of Chinese companies in U.S. capital markets” among its primary concerns. While not completely relevant here, it is worth noting that this bill has generated controversy for enabling the racial profiling of Chinese Americans.

So what does a bill concerned with strengthening America’s global competitiveness and countering Chinese Communist Party influence have to do with data privacy? Well, the bill would authorize the Secretary of State to establish a new government program known as the Digital Connectivity and Cybersecurity Partnership.

The purpose of the program would be to aid foreign countries in the development of technological assets – including data – as well as to “foster and encourage open, interoperable, reliable, and secure internet, the free flow of data, multi-stakeholder models of internet governance, and pro-competitive and secure information and communications technology (ICT) policies and regulations.”

Similarly, the program would help countries build cybersecurity capacity and promote best practices for a national approach to cybersecurity while simultaneously promoting exports of U.S. technology goods to increase the market share of U.S. companies in foreign tech markets.

In short, the program appears to be a mechanism for the U.S. to gain a competitive edge against China by establishing a presence of U.S. goods in international technology markets. At this stage, the details of this program are vague but it serves as an example of U.S. legislators taking large steps to prioritize IT goods and data in not only their domestic policy but in their foreign policy as well.