How a New Proposed Data Protection Agency In the U.S. Might Work

Senator Kirsten Gillibrand
Photo: Getty Images

It’s no secret that the U.S. trails behind plenty of other countries when it comes to data protection legislation. Today, Senator Kirsten Gillibrand has published a bill proposal that would create an independent Data Protection Agency that would act as a regulator tasked with protecting consumer data.


Here’s how Gillibrand proposes the agency would work. In a Medium post, the senator describes the agency as having three core missions. The first would be to give the agency the power to enforce privacy statutes and rules via a “broad range of tools” that includes “civil penalties, injunctive relief, and equitable remedies.” To do so, it would also act as a go-between in that it could take complaints, conduct investigations, and inform the public. So if, say, Facebook were to be embroiled in yet another data privacy scandal, this proposed agency would have the authority to investigate and publish its findings.

The other two missions are more nebulous. Gillibrand wants the agency to promote data protection and privacy innovation via new technologies that would either reduce or eliminate personal data collection. It’s also meant to protect against skeezy service contracts that either make you pay for privacy or don’t provide alternative options. This is a broad mandate, and given it’s a proposal, it understandably doesn’t go into a ton of specifics.

Lastly, Gillibrand wants the agency to “prepare the American government for the digital age,” acting sort of as an advisory body for “emerging privacy and technology issues.” (Gillibrand names deepfakes and encryption as examples of said issues.) The agency would also represent the U.S. at international forums on data privacy and in any future treaties that might involve data.

Overall, the idea for the Data Protection Agency is a good thing. The European Union, for example, implemented the General Data Protection Regulation (GDPR) in 2018, which standardized and strengthened data privacy across the entire continent. The lack of strong data protection legislation in the U.S. has already created a hellscape where companies face little to no consequences for massive data breaches. As Gillibrand notes in her blog, the “data privacy space remains a complete and total Wild West.”

That said, while the proposal is a step in the right direction, any big structural change is likely to come with growing pains as companies scramble to make the necessary changes. A recent study found that many sites are still struggling to comply with GDPR properly, and on the one-year anniversary of GDPR’s implementation, experts found the results were mixed. So far European regulators have fined tech companies $126.5 million for 160,000 data breaches—but it’s unclear whether this indicates GDPR is equitably enforced. Similar problems would likely face Gillibrand’s bill if it were to move forward.


The bill is also aptly timed—it’s been a little over a month since the California Consumer Privacy Act came into effect. It’s also coming at a moment when multiple presidential candidates and lawmakers are taking aim at Silicon Valley. For now, Gillibrand is the sole sponsor of the bill—but it wouldn’t be surprising to see it gain further support. Or, you know, opposition from big tech.




I’d have to see the details, but the overview of the agency’s remit sounds good. The devil is in the details, but having a privacy-focused agency (as opposed to groups within the FCC and FTC) sounds like a good idea - maybe absorbing the parts of the FCC/FTC that currently do some of that work.

What I don’t like are glamor shots of politicians - gives me the creeps. Doesn’t matter which side of the aisle they are on either.