Introducing the Proposed U.S. Federal Privacy Bill: “DATA 2020”

On June 18th, 2020, U.S. Senator Sherrod Brown (D-OH), ranking member of the U.S. Senate Committee on Banking, Housing, and Urban Affairs, proposed the Data Accountability and Transparency Act of 2020 (“DATA 2020”). DATA 2020 would arguably constitute the broadest and most comprehensive federal privacy law in the United States to date. The draft Bill arrives amid increased pressure on the U.S. government to implement a federal privacy regulation to go further in protecting the privacy of individuals in the U.S. With the European Union’s implementation of the General Data Protection Regulation (“GDPR”) in May 2018, and the implementation of the California Consumer Privacy Act (“CCPA”) in January 2020, there have been consistent calls from privacy advocates for a federal-level privacy regulation in the U.S. The proposed DATA 2020 Bill could be an answer to these calls, enabling individuals to have more visibility and control over their data. 

Scope of Proposed Bill

Per Senator Brown, DATA 2020 aims to provide every American the power to hold corporations and the government responsible for how they collect, use, and protect personal data, and to ensure provisions around data minimization and security, strong individual rights, civil rights protections, and corporate accountability. 

DATA 2020 refers to in-scope entities as “data aggregators,” defined as any person or entity that collects, uses, or shares an amount of personal data that is not de minimis (i.e., “minimal” or “trivial”), and that is used for any purposes beyond personal use. DATA 2020 would issue a general ban on the collecting, using, or sharing of personal data by data aggregators and their service providers, except for the following “permissible purposes”:

  • Providing a good or service requested by an individual

  • Journalism and free expression online

  • Public and peer-reviewed research when anonymized data does not suffice

  • Employment

  • Due process, legal claims, and as mandated by Federal, State, or local law

  • Detection and response to security incidents 

  • Exigent circumstances by first responders.

Proposed Requirements

In addition to ensuring that the collection, use, and sharing of personal data is only done in accordance with one of the permissible purposes listed above, the proposed Bill would mandate the following:  

  • The use of personal data to discriminate in housing, employment, credit, insurance, and public accommodations shall be prohibited;
  • Anyone using automated decision-making algorithms will be required to provide new accountability reports to a newly created independent federal agency for rulemaking, supervisory, and enforcement purposes;
  • The use of facial recognition technology shall be banned;
  • Individuals shall be provided with the following rights:
      ◦ Right to Access and Portability;
      ◦ Right to Transparency;
      ◦ Right to Accuracy and Correction;
      ◦ Right to Deletion;
      ◦ Right to Object to Claimed Permissible Purpose; and,
      ◦ Right to a Human Review of Automated Decisions.
  • Privacy notices are to be provided to individuals, and should include:
      ◦ A description of an individual’s rights under the Bill;
      ◦ A description of the personal data that the data aggregator collects, uses, or shares;
      ◦ The specific sources from which personal data is collected;
      ◦ A description of the sources from which personal data is collected;
      ◦ The permissible purposes for which personal data is collected, used, or shared;
      ◦ The affiliates, service providers, or third parties with which the data aggregator shares personal data, and the permissible purpose for such sharing;
      ◦ A description of the length of time for which personal data is retained; and,
      ◦ If personal data is collected and retained as anonymized data, a description of the techniques and methods used to create the anonymized data.

Many of the proposed requirements in DATA 2020 are reminiscent of similar requirements in the GDPR and CCPA, in that they require organizations to clearly communicate privacy practices through notices, use personal data for clearly defined purposes, comply with consumer rights, and establish privacy and security measures to protect personal data. 

However, perhaps the most surprising and controversial requirement is the general ban of facial recognition technology.

While facial recognition is still an emerging technology, major US-based companies may already be actively seeking new ways to leverage it, including in the travel, retail, and healthcare industries. DATA 2020 intends to address concerns that facial recognition technology could be used by organizations and governments to conduct surveillance on citizens without their consent and in ways that violate privacy from a civil rights standpoint. Senator Brown’s proposal to eliminate this technology altogether may yet create obstacles and challenges for the Bill to overcome.

Oversight and Enforcement 

DATA 2020 would establish a new, independent agency to be known as the “Data Accountability and Transparency Agency” that would have rule-making, supervisory, and enforcement authority, granting it the ability to issue civil penalties for violations and to maintain a dedicated Office of Civil Rights to protect individuals from discrimination.

Of particular interest to US-based organizations will be that DATA 2020 also calls for the CEO or the highest-ranking officer to annually attest to compliance. There are provisions that would require data aggregators to establish, maintain, and periodically evaluate internal privacy and data protection controls, as well as to conduct testing and other “sufficient oversight” to be able to attest to compliance with DATA 2020 by the data aggregator and its service providers. For organizations, these requirements imply the need for a well-organized privacy program with defined and documented privacy and data security controls and governance processes, including a robust third-party risk management program. Organizations may, therefore, place increased reliance on independent privacy and security audits, typically performed by internal audit departments or qualified third parties, to test the effectiveness of the privacy program.

DATA 2020 further proposes that data aggregators submit to the Agency an annual report that identifies the lifecycle of personal data and the applicable service providers with whom data is shared. The Data Accountability and Transparency Agency could also have the power to request similar information related to data processing activities, and associated “compliance systems or procedures”, specifically from data aggregators with annual gross revenues in excess of $25 million, or that annually collect, use, or share the personal data of 50,000 or more individuals, households, or devices. These requirements, coupled with the proposed individual rights and privacy notice requirements, would compel data aggregators of all sizes to perform a thorough information mapping exercise to understand and document the activities that process personal data, including related third-party service providers, IT systems, and controls.

With regard to enforcement and penalties, DATA 2020 includes a provision for a private right of action, including against government organizations. It also establishes three civil penalty tiers:

  1. For any violation of the law, a civil penalty that may not exceed $5,000 for each day during which such violation or failure to pay continues;
  2. For recklessly engaging in a violation of the Bill or any Federal privacy law, a civil penalty that may not exceed $25,000 for each day during which such violation continues; and
  3. For knowingly violating the Bill or any Federal privacy law, a civil penalty that may not exceed $1 million for each day during which such violation continues.

Furthermore, DATA 2020 provides for criminal and civil penalties specifically for the CEO and Board of Directors of data aggregators, which could result in 10 years’ imprisonment and civil fines of up to $10,000,000.

Conclusion

While the timeline and the level of challenge to the passage of DATA 2020 are not clear at this point, any future success for the Bill would almost certainly lead to a new set of standards for data protection across the U.S., and solidify privacy’s place on the boardroom agenda. The introduction of DATA 2020 would require organizations to develop or re-evaluate their privacy programs and practices, including all related governance, documentation, and independent audit programs. However, for many organizations that currently fall under the scope of existing privacy regulations such as the GDPR or CCPA, future alignment with DATA 2020 may leverage existing compliance efforts. In the interim, all organizations should keep an eye on the development of DATA 2020. As things continue to evolve, there may be a need to educate senior leadership teams on the impact this could have and the required investments in privacy, security, and third-party risk management programs.