The U.S. Urgently Needs a Data Protection Agency

BACKGROUND

The United States is one of the few democracies in the world that does not have a federal data protection agency. The United States was once a global leader on privacy. The Fair Credit Reporting Act, passed in 1970, was viewed at the time as the first modern privacy law—a response to the growing automation of personal data in the United States.

But today, Europe has surpassed the United States in protecting consumer data. The EU’s General Data Protection Regulation (GDPR) provides data protection rights for individuals, strengthens mandated data protection requirements, and imposes significant legal responsibilities on entities handling personal data. No similar protections exist in U.S. law. U.S. companies are leaders in technology, and the U.S. government should be a leader in technology policy.

There is an urgent need for leadership from the United States on data protection. Virtually every other advanced economy has recognized the need for an independent agency to address the challenges of the digital age. Current law and regulatory oversight in the United States are woefully inadequate to meet the challenges.

As the data breach epidemic reaches unprecedented levels, the need for an effective, independent data protection agency has never been greater. An independent agency can more effectively utilize its resources to police the current widespread exploitation of consumers’ personal information. An independent agency would also be staffed with personnel who possess the requisite expertise to regulate the field of data security.

Our current privacy laws are woefully out of date and fail to provide the necessary protections for our modern age. We also now face threats from foreign adversaries that target the personal data stored in U.S. companies and U.S. government agencies. The U.S. urgently needs a Data Protection Agency. Because data can’t protect itself.

WHY DOES THE U.S. NEED A DATA PROTECTION AGENCY?

  • The U.S. is the only OECD country without a Data Protection Agency.
  • The FTC has failed to enforce its own orders. 
    • The FTC failed to enforce the consent order against Google even after the FTC chair warned that Google’s consolidation of Internet services would be bad for consumers
    • The FTC failed to enforce the consent order against Facebook even after repeated violations, including the transfer of user data to Cambridge Analytica, were widely known
  • The FTC has failed to block mergers that stifled competition and innovation. 
    • The FTC approved Google’s acquisition of DoubleClick
    • The FTC approved Google’s acquisition of Nest
    • The FTC approved Facebook’s acquisition of WhatsApp and Instagram
  • The FTC has failed to impose fines even when it could. For example, Uber was found twice in violation of a consent order and the FTC imposed no fines. 
    • In contrast, EU antitrust authorities fined Facebook $122 million for making false representations, and German competition authorities recently cited privacy concerns to block Facebook’s integration of WhatsApp and Instagram user data.
  • The FTC has failed to act on dozens of detailed consumer privacy complaints alleging unfair practices concerning data collection, marketing to children, cross-device tracking, consumer profiling, user tracking, discriminatory business practices, and data disclosure to third parties.
  • Over the last decade, because of the FTC’s failure to act, the problem has grown dramatically from cookie tracking to ubiquitous, cross-device mass surveillance of individuals and communities.

A Data Protection Agency Would:

  • Safeguard the personal data of individuals; prevent, remediate, and reduce discrimination and disparate impacts through the processing of personal data; and limit the collection, use, and sharing of personal data
  • Oversee high-risk data practices, ensuring data processing and algorithms are fair, just, non-deceptive, and non-discriminatory
  • Examine the social, ethical, economic, and civil rights impacts of data collection practices and propose remedies
  • Promulgate rules to protect the privacy and security of personal data