Kirsten Gillibrand wants a new privacy agency

A new bill in the Senate would create a new government agency focused on protecting consumer privacy and data security, removing that authority from the Federal Trade Commission.

Sen. Kirsten Gillibrand’s proposed Data Protection Agency would create and enforce new data protection rules. It would encourage the development of new privacy technologies that minimize or eliminate the collection of personal data. The agency would also take action against companies that deploy “pay-for-privacy” or “take-it-or-leave-it” provisions in their terms of service, according to Gillibrand, a New York Democrat.

While Gillibrand’s bill faces an uphill battle to get passed in the Senate, its proposal for a new privacy agency echoes legislation introduced by two Silicon Valley Democrats late last year.

Current data privacy rules are inadequate, and a “lawlessness” is governing the data privacy space, Gillibrand wrote in a Medium post.

“You deserve to be in control of your own data,” she wrote. “You have the right to know if companies are using your information for profit. You need a way to protect yourself, and you deserve a place that will look out for you.”

Gillibrand’s bill has received support from the Electronic Privacy Information Center, Public Citizen, the Center for Digital Democracy, and other privacy advocates.

The FTC declined to comment on Gillibrand’s Data Protection Act, but FTC Chairman Joseph Simons has defended his agency’s record on privacy. The agency has brought hundreds of privacy cases against tech giants, with “recent cases generating some of the largest privacy fines in the world,” Simons wrote in a letter to the editor of the New York Times late last year.

Simons called for a new federal privacy law and more resources for the FTC. “But the solution to any privacy vacuum is not an untested new bureaucracy that would enter the game in the fourth quarter,” he wrote. “The FTC is already a world-class, award-winning privacy agency, despite its limited authority and resources. Imagine what we could do with more.”

Meanwhile, some other privacy advocates applauded Gillibrand’s bill, saying an agency zeroed in on consumer privacy could provide new protections.

The success of a new agency would depend on several factors, including the resources available, said Doris Brogan, a professor at Villanova University’s Charles Widger School of Law.

“The area is huge and complex and ever-changing,” she said. “The problems are often under the radar until they explode, and the nature of the threats are often nuanced and subtle. So, a good idea to create a dedicated agency? Yes, to the extent the agency comes to the table with real independence, adequate resources, and genuine expertise.”

However, there is the chance that a specialized agency becomes too close to the companies it attempts to regulate, a long-recognized problem called regulatory capture. “With the oversized influence of big tech, and the issues of understanding a dense, rapidly evolving, tech-heavy industry, the risk is significant,” she said.

Similarly, Rich Spinelli, principal engineer at information technology services firm Core Technologies, called the proposal “intriguing.”

If implemented correctly, a new agency “has the potential to hit the nail on the head in addressing and punishing abuse and misuse of data privacy caused largely by social media and other tech giants,” he said.

However, Congress would need to take care of setting up the new Data Protection Agency, he added. “It has the potential to become a bloated bureaucracy if it’s mission isn’t clearly defined or watched over,” he said.

Others questioned the value of a new agency. Issues surrounding data privacy and security are “extremely complex and significantly more nuanced than what appears on first blush,” said David LaVine, founder of the tech- and engineering-focused RocLogic Marketing. The new agency could potentially create large numbers of new regulations that increase the cost of doing business, he added.

A new agency would have to limit its focus on reducing “egregious practices” at large companies collecting massive amounts of data, LaVine said. “That means it should only be applicable to a very small fraction of companies and not make every company suffer through regulation that should only be felt by a few,” he said. “This agency would also recognize that data privacy is not a black and white topic, but rather one with a lot of gray area that should be dealt with in context, not absolutes.”

Related Content