Data Protection Act of 2021: Paving the Way for a US DPA?

U.S. Senator Kirsten Gillibrand announced the reintroduction of Senate Bill 2134, the Data Protection Act of 2021. The bill creates an independent federal Data Protection Agency ('DPA') to protect individuals' data, safeguard their privacy, and ensure that data practices are fair and transparent.

Key points:

  • Very broad definition of "high risk data practice". The definition includes: automated decision making; processing of financial status (income), citizenship, or health or mental health data; systematic processing of publicly accessible data on a large scale; processing involving the use of new technologies; decisions about an individual's access to a service; profiling on a large scale; processing biometric information for the purpose of identification; combining, comparing or matching personal data obtained from multiple sources; processing precise geolocation; and consumer scoring regarding employment, compensation, etc.
  • Processing high risk data requires conducting an ex-ante risk assessment (for which there are detailed requirements) and an ex-post impact evaluation.
  • Privacy harm is defined to include psychological harm (including embarrassment or anxiety) and the use of IT to covertly influence decision making through targeting.
  • All complaints to the DPA shall be public (with personal data redacted).
  • DPA to develop model privacy and data protection standards and guidelines, and to issue regulations, including regarding high risk data practices, unlawful, unfair or deceptive acts in the collection and processing of personal data, and the rights and transparency that companies must provide to individuals.
  • DPA to have all powers and duties under the Federal privacy laws to prescribe rules, issue guidelines, or to conduct studies or issue reports mandated by such laws, that were previously vested in the Federal Trade Commission.
  • DPA to require reporting from "large data aggregators" (more than $25M annual gross revenue or processing data of more than 50K individuals).
  • DPA to publish a publicly accessible list of data aggregators that collect, process, or share personal data of more than 10,000 persons or households, and the permissible purposes for which the data aggregators purport to collect personal data.
  • DPA and DOJ to conduct merger review of mergers involving large data aggregators.
  • DPA may initiate investigations; issue subpoenas; issue investigative demands requiring the submission of evidence or reports; issue injunctions (temporary cease and desist orders); issue notices of charge (for a hearing to be held in the relevant Federal judicial district) with a right of appeal to the court of appeals; and commence a civil action to impose a civil penalty or obtain injunctive relief.
  • The bill includes a variety of remedies that the court may order (including disgorgement of revenues, data or technologies) and a list of heavy fines (tiered at $5K, $25K and $1M per day of violation), but specifically prohibits "exemplary or punitive damages".
  • Assumed fine of $1M a day for any person that re-identifies, or attempts to re-identify, anonymized data, unless conducting authorized testing to prove personal data has been anonymized.
  • Law not to be construed as limiting the authority of State Attorneys General or State Privacy Data Regulators.
Dr. Ralf Schadowski

Principal for Data Protection and Cybersecurity (ISO27x, NIST), Lecturer, Keynote Speaker, Panelist, Evangelist, Founder, Investor

3 years

Do it!

Richard Dutton CLMP

MD at ELIAS Partnership | Data rights | Data Stewardship | Innovator | Collaborator | Front Foot

3 years

Roy Smith

CEO at PrivacyCheq

3 years

This has to be very motivational for the FTC. I expect to see some new behavior there under Lina's leadership.

Odia Kagan

CDPO, CIPP/E/US, CIPM, FIP, GDPRP, PLS, Partner, Chair of Data Privacy Compliance and International Privacy at Fox Rothschild LLP

3 years

Comments from Sen. Gillibrand here: https://gillibrandny.medium.com/americans-need-a-data-protection-agency-f19ff786bfca including: "You and your family have a right to privacy. But right now, your children's data is being used as a commodity that's hawked and traded. Companies will mine your intimate, personal purchases or conversations heard by smart devices for profit with little to no accountability. Our democracy is up for sale to the highest bidder."
