New York Sen. Gillibrand Proposes Data Protection Agency to Regulate Collection, Sharing of Personal Information | Harris Beach PLLC
[co-author: Alicia Nakhjavan, Law Clerk]
One cynical online commenter once wrote of the data collection practices of the online news site Digg: “If you don’t pay for it, you are not the customer; you are the product that is being sold.”
This applies to almost all websites and social media platforms that people use on a daily basis. We happily accept “cookies” from websites to keep track of our contact information, credit card information, browsing history, and other data, and to provide large technology companies with all kinds of valuable and actionable personal information. However, we may not know how our personal information is used or shared. For large technology companies, our information is their product. That is why they make their platforms free and so attractive and tempting to us.
Many governments believe that data subjects are giving away too much information, or later regret the information they have already given. Many also believe that a data subject’s personal data could be misused to discriminate against individuals through automated processing, or, for example, to reveal to a potential employer something it would not otherwise learn through the conventional hiring process.
The best-known regulation for this is the European General Data Protection Regulation (GDPR). Similar measures are being introduced in other nations and states, such as the California Consumer Privacy Act (CCPA).
There are very few federal regulations in the United States, with most of the safeguards coming from the Federal Trade Commission. The FTC’s actions focus less on how companies use the information they have collected or purchased, and more on circumstances where privacy protection has fallen short of what was represented – usually following a data breach.
To address these concerns about how data subjects’ information is used, US Senator Kirsten Gillibrand of New York recently introduced the Data Protection Act of 2021. If this bill is passed, the Data Protection Authority would be created. The agency’s purpose is to protect the privacy of individuals, to limit the collection, processing and disclosure of personal data, and to reduce discrimination and differential treatment on the basis of “protected class”. As proposed, the Data Protection Authority will be responsible for regulating high-risk data practices and the collection, processing and disclosure of personal data. The agency will also be responsible for promoting equal opportunities and non-discriminatory processing of personal data.
Who does the data protection act apply to?
The entities most restricted by this agency are data aggregators. Aggregators collect, use, or share large amounts of personal data. Under this bill, aggregators are entities that have gross annual sales greater than $25 million or that collect, use, or disclose the personal information of 50,000 or more people, households, or devices annually. If either of these criteria is met, the agency may periodically investigate the aggregator or require the aggregator to submit reports so that the agency can effectively oversee the aggregator and ensure its compliance with federal data protection laws.
The Data Protection Act of 2021 would apply to companies other than aggregators as well, but mainly by providing guidance and education on data protection rights and data protection standards.
What does the data protection act prohibit?
The draft law aims to reduce discrimination in data processing based on “protected class”. A protected class refers to the race, ethnicity, religion, gender, sexual orientation, marital status, biometric and genetic information, or disability of a person or group. The agency aims to achieve this by enacting legislation that exposes discriminatory acts and practices related to the collection, processing and disclosure of personal data, and by preventing aggregators from engaging in these practices.
In order to enforce this, data aggregators are prohibited from failing to comply with the rules or regulations established by the agency. They are also prohibited from identifying a person using anonymized data. Anonymized data is information that does not identify a specific person. If a person materially helps an aggregator break federal data protection laws, that person will also be deemed to have broken the law.
The agency has investigative powers and can prosecute individuals or data aggregators whom it believes have violated the law. The investigation will be carried out by a lawyer or investigator employed by the agency. The investigator will determine whether the aggregator or the individual has engaged in illegal conduct and may impose fines if violations are found. The fines are either used to finance a victim assistance fund or, if individual victims can be identified, to provide direct compensation.
If a person believes that there has been a violation of the federal Data Protection Act, they can submit a complaint to a unit set up by the agency. The unit will be responsible for setting up a toll-free telephone line, a website and a publicly accessible database through which people can report potential violations. The unit is also responsible for following up on and responding to complaints.
How does the data protection act relate to federal and state law?
The Data Protection Act of 2021 makes clear that it does not affect state law or exempt persons from complying with it, unless the state law conflicts with the Act. The agency determines whether a state law is incompatible with the Act. The draft law also does not affect the scope of other federal data protection laws. This is unfortunate, as many commentators had hoped that a federal law would pre-empt state laws and provide relief from the patchwork of state laws that are in effect or pending in various state legislatures. If passed, this will be another compliance program that requires skillful navigation by compliance experts.
How does the data protection act compare to the GDPR?
The General Data Protection Regulation (GDPR) is the EU’s data protection and security law. The GDPR applies to anyone who offers goods or services to, or who processes the personal data of, EU citizens or residents. The GDPR does not apply to purely personal or household activities, nor to organizations with fewer than 250 employees. In this regard, it is similar to the Data Protection Act of 2021, as neither applies to non-commercial activities.
The Data Protection Act and the GDPR also share similar goals: to protect the privacy of the individual and to prevent discrimination. The Data Protection Act refers directly to the importance of preventing discrimination that arises from data processing. The GDPR also states that individuals may not be discriminated against on the basis of automated processing alone, but provides three exceptions: (1) if the decision is necessary for the conclusion or performance of a contract, (2) if the decision is authorized by Union or Member State law, or (3) if the decision is based on the express consent of the person. Unlike the GDPR, the Data Protection Act does not provide for any exceptions to its provisions against discrimination.
How could these regulations affect your business?
The Data Protection Act of 2021 aims to protect individual privacy and prevent discrimination. If the law passes, it will add another layer on top of the many data protection regulations companies already have to adhere to. The introduction of more federal data protection regulation underscores the ongoing tension between the desire of individuals to use the free services of large companies without compromising their privacy and the incentive of large companies to offer free services so that they can better track, understand, and market to consumers.
Compliance with data protection laws remains a challenging and risky endeavor. State and national governments routinely enact new privacy and security laws, forcing companies either to implement separate programs for different groups of data subjects or to develop a single program that complies with all or many of the laws – at least as long as those laws do not conflict.