Now is the time for a US data protection agency

The United States is one of the few developed countries in the world without a Data Protection Agency. The practical consequence is that U.S. consumers experience the highest levels of data breach, financial fraud, and identity theft in the world. And U.S. businesses remain the target of cyber-attack by criminals and foreign adversaries, putting our identities and personal information at risk.

Last week, the Department of Justice announced that the Chinese military was behind the 2017 Equifax hack of 147 million American’s sensitive personal information, including their social security numbers. Unless Congress acts now, the threats to consumer privacy, democratic institutions, and national security will only increase. The United States urgently needs a Data Protection Agency.

Thankfully, last week, Sen. Kirsten Gillibrand (D-N.Y.) introduced legislation to create an effective, independent Data Protection Agency. The Data Protection Act creates an agency that can utilize its resources to police the current widespread exploitation of consumers’ personal information and would be staffed with personnel who possess the requisite experience to regulate the field of data security.

Congress needs to create a Data Protection Agency because the Federal Trade Commission is failing to protect privacy. Even Federal Trade Commission Chairman Joseph Simons conceded the agency lacked effective authority to safeguard consumer privacy, saying in congressional testimony “on the privacy side, we have a hundred year old statute that was not in any way designed or anticipating the privacy issues that we face today.”

The Federal Trade Commission’s failure to effectively protect our privacy is becoming increasingly obvious. It was the Federal Trade Commission that allowed Facebook to access the personal data of WhatsApp users—a text-messaging service that attracted users specifically because of strong commitments to privacy—by not enforcing prior commitments. The agency only approved the merger after the companies promised not to change WhatsApp users’ privacy settings. Two years later, Facebook announced that it would acquire the personal information of WhatsApp users. The Federal Trade Commission did nothing.

Even enforcement actions the Federal Trade Commission has touted as successes were failures.  The day the FTC’s $5 billion settlement with Facebook in the wake of the Cambridge Analytica scandal was announced, the social media giant’s stock price went up. Not only was the fine a drop in the bucket to Facebook, but the settlement did nothing to change the business practices that led to the Cambridge Analytica breach. The FTC had an opportunity but failed to protect American’s privacy yet again.

The United States confronts a privacy crisis. The Federal Trade Commission has failed to protect consumers. The system is broken. Given the enormity of the challenge, the United States would be best served to do what other democratic countries have done and create a dedicated Data Protection Agency. Congress should act quickly to enact the Data Protection Act.

Caitriona Fitzgerald is Policy Director and Chief Technology Officer of the Electronic Privacy Information Center (EPIC) in Washington, D.C. Mary Stone Ross is Associate Director of the Electronic Privacy Information Center (EPIC) and the former President of Californians for Consumer Privacy, where she helped to draft the ballot initiative that led to the California Consumer Privacy Act.