By Michelle Johnston, CIPM, CIPP/US – Compliance Privacy Officer at CSR Privacy Solutions, Inc.
Will the U.S. finally get a Data Protection Agency? The question and answer may finally have come full circle. You may be surprised to read or expect that the U.S. is following other European Member States in establishing a Data Protection Authority. To privacy and computer professionals, this is just a remake of an old version of proposed legislation to create a Federal Privacy Board, only rebranded to stay current with today’s lexicon, the Data Protection Agency (DPA).
On Feb. 13, 2020, U.S. Sen. Kirsten Gillibrand, D-N.Y., proposed the Data Protection Act to establish a new federal Data Protection Agency. The DPA would be an independent executive agency, charged with protecting individual privacy and limiting “the collection, disclosure, processing and misuse of personal data.”
Based on a simple premise: when you give personal information for a particular purpose – to reserve a hotel room, charge a dinner, sign up for rewards program, shop online, obtain a warranty (emphasis added) – you do not reasonably expect that the information will be used for another purpose without your consent. That is the implied promise between you and the institution. When the institution breaks that trust, they have undermined your expectation of privacy and acted without regard to your interest in controlling records of your personal life.
Large organizations in both the government and the private sector have an obligation not to disclose personal information about individuals without the consent of the individual. This was the principle underlying the Privacy Act of 1974 and it is the thread that ties together virtually all of the privacy laws in the U.S. When an organization discloses personal information without consent, or effectively compels the disclosure of personal information as the cost of doing business, it has diminished the right of privacy, our most fragile freedom.
Former Representative Frank Horton [R-NY29, 1983-1992] was quoted as saying, “One of the most practical of our present safeguards of privacy is the fragmented nature of personal information. It is scattered in little bits across the geography and years of our life. Retrieval is impractical and often impossible. A central data bank removes completely this safeguard.” 
Data breaches are happening daily; it is the high-profile breaches that resonates with all us, such as, Yahoo (affecting 3 billion user accounts), Marriott International (affecting 500 million customers), eBay (affecting 145 million users), Equifax (affecting 143 million consumers including 209,000 consumers’ credit card data exposed), Target Stores (affecting up to 110 million individuals), Uber (affecting 57 million users), U.S. Office of Personnel Management (affecting 22 million current and former federal employees), Sony’s PlayStation Network (affecting 77 million network accounts), and the list goes on. Consumer education, industry self-regulation, and voluntary guidelines are not a substitute for enforceable legal rights that guarantee the protection of consumer privacy.
The establishment of a Federal Privacy Board was the cornerstone of legislation introduced by Senator Sam Ervin in 1974. His bill became the Privacy Act, the foundation of privacy protection in the United States. However, strong opposition by the Ford White House led to the demise of the proposed Board before final passage. In its place, a Privacy Protection Study Commission was created. But when the Commission completed its study of privacy protection in 1977, the same conclusion was reached. The Privacy Protection Study Commission recommended the creation of the Federal Privacy Board. It believed that the Board could play an important role in safeguarding privacy.
This need not be an adversarial process that pits the Federal government against the private sector, but it must be a determined process, conducted with dedication and a commitment to individual liberty. This is also not about restricting technology; it is about the responsible application of technology so that risks to personal privacy are reduced.
The Data Protection Act, which would create the Data Protection Agency, an independent federal agency that would protect Americans’ data, safeguard their privacy, and ensure data practices are fair and transparent. The DPA will have the authority and resources to effectively enforce data protection rules—created either by itself or congress—and would be equipped with a broad range of enforcement tools, including civil penalties, injunctive relief, and equitable remedies. The DPA would promote data protection and privacy innovation across public and private sectors, developing and providing resources such as Privacy Enhancing Technologies (PETs) that minimize or even eliminate the collection of personal data. The U.S. is one of the only democracies, and the only member of the Organization for Economic Co-operation and Development (OECD), without a federal data protection agency.
The DPA would be an executive agency. The director would be appointed by the president and confirmed by the Senate, serves a 5-year term, and must have knowledge in technology, protection of personal data, civil rights, law, and business. The agency may investigate, subpoena for testimony or documents, and issue civil investigative demands. It may prescribe rules and issue orders and guidance as is necessary to carry out federal privacy laws. The authority of state agencies and state attorneys general are preserved in the Act.
There is a clear need to carry forward the principles embodied in privacy law in the United States and to ensure that Fair Information Practices apply to private sector record systems. The intimate details of our private lives enjoy the same protection whether big business or big government is the custodian. Absent clear privacy safeguards, we are left at the mercy of a rapidly evolving technology and an industry that can say little more than “trust us.” This is at odds with the history of privacy protection in the United States and places the fragile freedom of American citizens in a precarious position.
 The U.S. Needs a Data Protection Agency, Sen. Kirsten Gillibrand, 2/12/2020 @ https://medium.com/@gillibrandny/the-u-s-needs-a-data-protection-agency-98a054f7b6bf.
 In Support of a Data Protection Board in the United States, Marc Rotenberg, p. 3.
 Id. at p. 7.
 In Support of a Data Protection Board in the United States, Marc Rotenberg, p. 7 citing The Computer and the Invasion of Privacy, Hearings before the Special Subcommittee on Invasion of Privacy of the Committee on Government Operations, House of Representatives, 89th Cong., 2d Sess. (1966) p. 6.
 In Support of a Data Protection Board in the United States, Marc Rotenberg, p. 9.
 Id. at p. 8.
 Id. at p. 11.
 Confronting A Data Privacy Crisis, Gillibrand Announces Landmark Legislation To Create A Data Protection Agency, 2/13/2020 @ https://www.gillibrand.senate.gov/news/press/release/confronting-a-data-privacy-crisis-gillibrand-announces-landmark-legislation-to-create-a-data-protection-agency
 In Support of a Data Protection Board in the United States, Marc Rotenberg, p. 11.