A new Data Protection Agency would overhaul federal regulation efforts around data privacy – but experts are skeptical that the U.S. government can get it right.

A new federal bureaucracy, the Data Protection Agency (DPA), has been proposed to completely revamp how the U.S. government regulates data collection and misuse by big tech companies. However, while privacy experts call the agency a “good first step,” they remain skeptical about how effective it would be once enforced.

Currently, the responsibility of privacy regulation is divvied between several various agencies, including the Federal Communications Commission (FCC), Federal Trade Commission (FTC) and Department of Justice (DOJ). The new agency, introduced by Sen. Kirsten Gillibrand (D-NY), would streamline data regulation efforts under one group, billed with enforcing data privacy and penalizing improper data collection or use.

“The United States is vastly behind other countries on this,” said Gillibrand in a Wednesday post. “Virtually every other advanced economy has established an independent agency to address data protection challenges, and many other challenges of the digital age.”

The agency would have a three-pronged approach to data privacy regulation, said Gillibrand. First, it would serve as an enforcer for data protection rules and regulation. Americans would be able to file complaints with the DPA regarding data privacy abuse, and the agency could then launch investigations into issues like inappropriate data collection, data misuse and more. And, if companies are found abusing data, the DPA would have the power to inflict civil penalties and seek injunction.

The agency would also work directly with the tech industry to promote resources that could minimize personal data collection. And, it would aim to ensure equal access to privacy, protecting against “pay-for-privacy” provisions in service contracts.

Finally the DPA would aim to keep the U.S. government up to speed on emerging privacy and security issues, like encryption and deepfakes, said Gillibrand. The agency’s director would be appointed by the president and approved by the senate, she said.

Privacy Experts Skeptical

But privacy experts are hesitant in endorsing the new DPA, citing concerns about how effective it would actually be once enforced.

“There are a myriad of factors that would need to be considered for a Federal Regulation on data privacy and security,” Terence Jackson, chief information security officer at Thycotic, told Threatpost. “There was hope that the industry would self-regulate, but we have had some egregious violations of public trust in recent past which makes me believe that may not be possible… I do agree that a central governing agency should be created, but I’m not optimistic that our government, without help from the private industry, will be able to get it right on the first go.”

Fausto Oliveira, principal security architect at Acceptto, meanwhile told Threatpost that he is “reticent to endorse new agencies that can lead to efforts being duplicated or ineffective due to lack of expertise and manpower.” One big red flag, said Oliveira, is that the proposal around the DPA lacks important details that are critical when regulating privacy.

“I think this is a positive step forward to bring the US in alignment to what is being done worldwide to protect consumer rights,” Oliveira said. “However, I don’t see any recommendations for the size of fine, how those fines would be applied and how the money gathered from those fines would be re-used, I think those are crucial items when publishing a bill to create a new data protection agency. I would definitely welcome more level of detail before pronouncing further on the effectiveness of such a law.”

Other Privacy Regulation

The proposal for a DPA comes on the heels of privacy experts criticizing the U.S. government for the way it has handled high-profile data abuse scandals, most notably by Facebook. After Facebook’s Cambridge Analytica scandal, the FTC slapped a $5 billion fine on the social media company for data privacy violations – a figure which, while it was the largest ever levied by the agency, was being derided as “chump change” and ineffective by lawmakers and privacy analysts.

Previous attempts to bolster digital privacy have either come via state-level regulation (as opposed to federal) or through proposed bills that would attempt to give the FTC more teeth when it comes to providing oversight on tech companies’ use of consumer data (as opposed to creating a completely new agency).

The California Consumer Privacy Act (one of the strongest privacy regulations in the country, so far) was enacted on January 1, 2020, for instance. The “Mind Your Own Business Act,” proposed by Sen. Ron Wyden (D-Ore.) in October, gave the FTC the ability to establish privacy and security standards for tech platforms. And the Consumer Online Privacy Rights Act (COPRA), introduced in November, would provide for a new FTC bureau to be established to enforce these digital privacy rights with steeper fines.

Learn how Operational Technology and Information Technology systems are merging and changing security playbooks in this free Threatpost Webinar. Join us Wednesday, Feb. 19 at 2 p.m. ET when a panel of OT and IT security experts will discuss how this growing trend is shaping security approaches for IoT and 5G rollouts. This webinar is for security and DevOps engineers, IoT edge developers and security executives.