June 25, 2021
Senator Gillibrand’s (D-NY) Data Protection Act of 2021 includes HR data and would create an independent agency to enforce data protection measures, a different approach than the bulk of data privacy bills being considered in Congress.
The bill establishes a Data Protection Agency that would “regulate high-risk data practices and the collection, processing, and sharing of personal data,” including personal data, and “prevent, remediate, and reduce discrimination and disparate impacts through the processing of personal data,” among other things.
Doubling up: On the surface, it appears the DPA’s mission would partially overlap with that of the Equal Employment Opportunity Commission, though the extent of such overlap is unclear. The proposed agency’s purview extends to “any unlawful, unfair, deceptive, abusive, or discriminatory acts or practices in connection with the collection, processing, or sharing of personal data.” The bill states, “The agency shall coordinate with… the Equal Employment Opportunity Commission… to promote consistent regulatory treatment of personal data.” The Act also provides for joint investigations with the EEOC and other agencies.
Periodic reports and examinations: The agency would require reports and conduct examinations on a periodic basis of employers with annual revenues that exceed $25 million or that annually collect, use, or share the personal data of 50,000 or more individuals, households, or devices. A review of privacy and data protection implications would be automatically triggered in case of a merger.
Enforcement: The agency may commence a civil action to impose a civil penalty or seek all appropriate legal and equitable relief, including a permanent or temporary injunction. Penalties may reach up to $1,000,000 per day for each day a violation continues. There is a five-year statute of limitations.
Looking ahead: With several data privacy bills in play, Sen. Gillibrand’s approach has garnered limited support in the past, but its potential impact on business is worth noting. In addition, given that its provisions seem to include areas already covered by federal law and enforced by other agencies, the bill raises several questions as to the necessity of these provisions.