Establishes the Data Protection Agency to regulate high-risk data practices, requiring assessments and evaluations of AI systems. Oversees compliance with Federal privacy laws, emphasizing non-discrimination, privacy harm prevention, and transparency in automated decision-making. Conducts audits, enforces laws, supervises large data aggregators, and collaborates with other agencies for consistent regulation.
Analysis summaries, actor details, and coverage mappings were LLM-classified and may contain errors.
This is a binding federal statute enacted by Congress establishing a regulatory agency with enforcement powers, mandatory compliance requirements, civil penalties, and judicial enforcement mechanisms.
The document has good coverage of approximately 10-12 subdomains, with strong focus on discrimination and bias (1.1, 1.3), privacy compromise (2.1), AI system security (2.2), misinformation (3.1), malicious actors (4.1, 4.3), overreliance (5.1), power centralization (6.1), governance (6.5), and lack of robustness/transparency (7.3, 7.4). Coverage is concentrated in discrimination prevention, privacy protection, and AI system oversight domains.
The Act governs AI use across virtually all economic sectors through its broad regulation of 'data aggregators' and 'automated decision systems'. It explicitly addresses high-risk data practices in Finance and Insurance, Health Care, Educational Services, Professional Services, and Public Administration. The cross-sectoral approach regulates any entity collecting personal data above specified thresholds, making it applicable to most industries.
The document primarily focuses on the 'Deploy' and 'Operate and Monitor' stages, with significant coverage of 'Verify and Validate' through mandatory risk assessments and impact evaluations. It addresses the entire lifecycle of AI systems (automated decision systems) through comprehensive oversight requirements, but emphasizes post-deployment monitoring, ongoing compliance, and ex-ante/ex-post evaluation processes.
The document explicitly covers AI systems through its definition and regulation of 'automated decision systems'. It does not use terms like frontier AI, general purpose AI, foundation models, or generative AI. It does not specify compute thresholds or distinguish between open-weight and closed models. The focus is on automated decision systems broadly, regardless of their specific AI architecture or capability level.
United States Congress (Senate and House of Representatives)
The document is a federal bill proposed by Congress, as indicated by the enacting clause and legislative format. It establishes a new federal regulatory agency.
Data Protection Agency (and its Director); Federal Trade Commission (for certain provisions); State attorneys general; State regulators; Attorney General of the United States (for criminal proceedings)
The Act establishes the Data Protection Agency as the primary enforcement body with comprehensive powers including rulemaking, supervision, investigation, and civil enforcement. It also preserves enforcement authority for state attorneys general and coordinates with other federal agencies.
Data Protection Agency; Office of Civil Rights (within the Agency); Research unit (within the Agency); Inspector General; Congress (through semi-annual hearings and reports)
The Act establishes comprehensive monitoring mechanisms through the Agency's supervisory powers, dedicated research and civil rights offices, complaint tracking systems, and mandatory reporting to Congress.
Data aggregators (defined as entities with annual gross revenues exceeding $25,000,000 or that annually collect, use, or share personal data of 50,000 or more individuals, households, or devices); Service providers
The Act explicitly targets 'data aggregators' and 'service providers' that collect, process, or share personal data. These entities include those developing and deploying AI systems (automated decision systems) and managing data infrastructure.
15 subdomains (5 Good, 10 Minimal)