HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Senator Gillibrand Proposes Data Protection Act and Creation of Federal Data Protection Agency

Senator Kirsten Gillibrand has introduced a new Senate bill – the Data Protection Act – to create new standards for data privacy and give consumers more rights over their personal data. Currently, consumer data is collected and used by a vast number of companies. That personal information has, in many cases, been collected without the knowledge of consumers and is being exploited for profit.

The California Consumer Privacy Act (CCPA) has given Californian consumers greater rights over their personal data, but most U.S. consumers can do little about the collection, use, and sale of their personal data.

Sen. Gillibrand’s Data Protection Act is intended to “bring the protection of [consumer] privacy and freedom into the digital age.” The Data Protection Act calls for the creation of a new consumer watchdog agency – the Data Protection Agency (DPA) – which will be tasked with protecting the data of consumers, safeguarding their privacy, and ensuring data practices are fair and transparent. The Director of the DPA would be appointed by the president, confirmed by the Senate, and would serve a 5-year term.

The DPA would have the power to define, arbitrate, and enforce data protection rules created by Congress or the DPA itself, and would be authorized to impose civil monetary penalties on entities found to have violated consumer privacy and grant injunctive relief and equitable remedies.

The DPA would receive complaints from consumers, conduct investigations, and inform the public on data protection issues, including sharing the findings of investigations into companies that are misusing consumer data. The DPA would also be tasked with advising Congress on emerging privacy and technology issues and would represent the United States at international data privacy forums.

The DPA would promote data protection and privacy innovation across the public and private sector, assist with the development of Privacy Enhancing Technologies (PETs) to limit or eliminate the collection of personal data, and take action to prevent “pay-for-privacy” and “take-it-or-leave-it” provisions in service contracts.

The Data Protection Act would also help to address privacy gaps for health data not covered by HIPAA, such as the health data collected by fitness trackers and wellness apps. Data collected by these apps could be used for any number of purposes. “Let’s say that you enjoy working out and monitor your heart rate on a fitness app,” suggests Sen. Gillibrand. “The company that built the app now has access to your personal information. Do you have any idea what exactly they are allowed to do with it? Perhaps they could sell that data to your health insurance company — who could, in turn, charge you more if they think that you don’t exercise enough.”

Sen. Gillibrand explained that the United States is the only OECD member that does not have a federal data protection agency to ensure the personal data of consumers is not being misused and to take action when it is.

“Data has been called ‘the new oil,’” said Sen. Gillibrand. “Companies are rushing to explore and refine it, ignoring regulations, putting profits above responsibility, and treating consumers as little more than dollar signs. Like the oil boom, little thought is being given to the long-term consequences.”

The Data Protection Act has been endorsed by several technology, privacy and civil rights organizations, including Public Citizen, Color of Change, Center for Digital Democracy, Consumer Federation of America, Consumer Action, and the Electronic Privacy Information Center.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.