/ 06.19.2020

The DATA Act: Proposed Federal Data Privacy Law

By Mark Rasch & Brett Krantz

On June 18, Ohio Senator Sherrod Brown proposed legislation before Congress to create a comprehensive federal data privacy law. The bill, the Data Accountability and Transparency Act (DATA) of 2020, would be among the only comprehensive federal laws relating to data privacy, rather than protecting data privacy on a “sectoral” basis.

Current federal data privacy laws focus on things like health information, banking information, phone, cable or credit reporting information, but they do not cover information in a general sense. Current federal and state privacy laws often rely on the consent of the data subject, which permits the collection and use of data, if the data subject has in some way (often through click-through contracts or unmanageable contract terms) consented to the use of the data.

The DATA Act imposes restrictions on the use of personal data, particularly by data brokers, often irrespective of the consent of the data subject. The bill, if passed and signed into law, would ban the collection, use or sharing of personal data unless specifically allowed by law. The statute defines “personal data” as electronic data that could be linked or reasonably linkable to an individual, household or device, or could be used to determine that an individual or household is part of a protected class. This is similar to the definition of “personal information” used in both the European GDPR regulations and the California CCPA privacy laws.

The DATA Act would, in most instances, prohibit “data aggregators” using facial recognition technology or using data obtained from such technology, and defines such aggregators as “any person that collects, uses, or shares an amount of personal data that is not de minimis” but “does not include an individual who collects, uses, or shares personal data solely for personal reasons.”  The bill also would prohibit the use of personal data to improperly discriminate in housing, employment, credit, insurance, and public accommodations.

The DATA Act would impose new restrictions on the use of Artificial Intelligence (AI) or Machine Learning (ML) algorithms, and would mandate that those who use decision-making algorithms, must provide transparency and accountability reports. They must also test that system for bias or disparate impact on protected classes of individuals.

The legislation would also create a new, independent federal agency dedicated to protecting privacy and preventing discrimination resulting from the use of private data, and would create both private rights of action and empower State Attorney’s General to enforce the provision of the law. Finally, the proposal would require CEO’s certification of compliance with the Act and contains potential criminal and civil penalties for CEO’s and Boards of Directors.

If you have any questions regarding the DATA Act or other aspects of data privacy law, reach out to Mark Rasch at 301.547.6925 or mdr@kjk.com, or Brett Krantz at 216.736.7238 or bk@kjk.com.

 

KJK publications are intended for general information purposes only and should not be construed as legal advice on any specific facts or circumstances. All articles published by KJK state the personal views of the authors. This publication may not be quoted or referred without our prior written consent. To request reprint permission for any of our publications, please use the “Contact Us” form located on this website. The mailing of our publications is not intended to create, and receipt of them does not constitute, an attorney-client relationship. The views set forth therein are the personal views of the author and do not necessarily reflect those of KJK.