New Senate Privacy Bill Targets Employment Data

February 14, 2020

Senator Kirsten Gillibrand (D-NY) unveiled a draft privacy measure that would establish a Data Protection Agency to aggressively regulate the processing of personal data, including “employment-related information.”

Employment data in the crosshairs:  The Data Protection Act of 2020 defines "personal data" as, among other things, "information such as employment status, employment history, or other professional or employment-related information."  Further, the Data Protection Agency would regulate “business practices that pertain to the eligibility of an individual for rights, benefits, or privileges in employment (including hiring, firing, promotion, demotion, and compensation).”

The Data Protection Agency would have the authority to enforce federal privacy laws and issue regulations.  As part of its enforcement, the agency would be able to commence a civil action to seek “all appropriate legal and equitable relief including a permanent or temporary injunction as permitted by law.”

The agency “may require reports and conduct examinations” of any company with annual gross revenues exceeding $25 million merely for the purposes of:

  • “Obtaining information about activities subject to [federal data privacy laws] and the associated compliance systems or procedures” of such a company;

  • "Detecting and assessing associated risks to individuals and groups of individuals"; and

  • "Requiring and overseeing ex-ante impact assessments and ex-post outcome audits of high-risk data practices to advance fair and just data practices.”

The measure would not preempt state laws.  If passed, companies would have to additionally comply with any state or local privacy law, such as the California Consumer Privacy Act.

The scoop:  The measure has not yet been introduced, and it is not clear whether it will receive any support.  Regardless, its mere introduction highlights the vulnerability of employment data to being swept up into the intensifying efforts to regulate consumer data, where a stronger case for regulation has been made.