
Bill Would Create a Federal Digital Privacy Agency

Legislation Spells Out Privacy Rights and Enforcement Measures

Two Democratic members of the U.S. House have proposed a national privacy law that calls for the formation of a new federal agency to enforce the privacy rights that it defines.


Representatives Anna Eshoo and Zoe Lofgren, both from the Silicon Valley area of California, are the sponsors of the Online Privacy Act, which would create a digital privacy agency. The act would authorize the new agency to hire up to 1,600 employees and give it the authority to impose fines for privacy violations.

The move comes after a series of efforts to enact national privacy legislation have failed. Meantime, California has enacted its own legislation, the California Consumer Privacy Act, that was inspired, in part, by the European Union's General Data Protection Regulation. CCPA goes into effect Jan. 1, 2020.

The Bill's Provisions

The proposed federal legislation would give consumers the right to "access, correct and delete data about them." The bill also requires opt-in consent for personal data to be used for machine learning and artificial intelligence algorithms. And it gives individuals the right to sue companies when they fail to meet the law's requirements.

The bill would require companies to:

Disclose why they need to collect and process data;

Minimize employee and contractor access to user data;

Refrain from using email for targeted ads;

Obtain consent to disclose or sell personal information;

Process genetic information only in limited circumstances.

"The U.S. needs a legal framework to protect consumers from the ever-growing data-collection and data-sharing industries that make billions annually off Americans' personal information," Lofgren says.

"Privacy for online consumers has been non-existent - and we need to give users control of their personal data by making legitimate changes to business practices."

The sponsors say the federal measure would not pre-empt state law.

Other Privacy Efforts

For years, Congress has tried and failed to pass a wide variety of privacy-related legislation. And several new proposals have been introduced this year.

For example, last month, Senator Ron Wyden, D-Oregon, proposed the Mind Your Own Business Act, which imposes criminal penalties, including jail time, for leaders of companies that fail to comply with privacy requirements (see: Fresh Privacy Legislation Would Jail CEOs for Violations).

Earlier this year, Senator Marco Rubio, R-Florida, proposed the American Data Dissemination Act, which would create a process and timeline for the Federal Trade Commission to establish privacy rules.

Case for Federal Law

Data protection specialist Rob Masson, CEO at the DPO Center, a U.K.-based organization that provides outsourced data protection officers, argues that it's time for the U.S. to follow Europe's lead and adopt national privacy legislation.

"The General Data Protection Regulation is by no means easy to comply with. Rather, it gives companies the clarity on the law to be followed for data of Europeans," he says. "I don't see why the U.S. cannot have a federal privacy law."

A Washington-based think tank, the Information Technology and Innovation Foundation, has voiced support for a new federal data privacy law that would not only pre-empt state laws, but also repeal certain sector-specific federal privacy laws, such as the Family Educational Rights and Privacy Act and the Children's Online Privacy Protection Rule, according to a report on The Verge.