Draft Legislation
Establishes citizens as the primary trustees of their own personal data. Imposes binding fiduciary duties on all government actors who handle that data. Provides a private right of action citizens can enforce directly against government without depending on agency enforcement discretion.
Government handles your data the way a lawyer handles client confidences: with loyalty, with care, and without using it against you. If it does not, you can sue directly, without petitioning the agency first. PDTA is the statute that gives the constitutional relationship its legal teeth.
Every natural person is designated as the primary trustee over their own personal data, with overriding authority to manage, access, correct, and control its use. This trusteeship is inalienable and may not be waived, contracted away, or extinguished by any government action or private agreement.
Government entities serve as limited secondary fiduciaries, authorized only to endorse or verify factual claims using cryptographic methods, without creating or maintaining centralized identity repositories. Secondary fiduciaries may not repurpose data beyond the original justified purpose without fresh, explicit authorization from the data subject.
Secondary fiduciaries must adhere to the duties of loyalty, care, confidentiality, and impartiality. The duty of loyalty prohibits using personal data for any purpose that serves the fiduciary's own interests at the expense of the data subject, including unauthorized sharing with law enforcement or commercial partners.
Citizens have enforceable rights to access comprehensive logs of all data interactions; to veto any proposed data use and revoke authorization within 72 hours; to demand correction and deletion; to delegate authority to trusted agents; and to receive an intelligible explanation of any adverse automated decision.
The private right of action is the structural feature that distinguishes PDTA from every framework that preceded it. Citizens enforce fiduciary obligations directly against government, without depending on agency enforcement discretion. Prior privacy law imposed duties enforceable by government against citizens. PDTA reverses the direction.
Secondary fiduciaries must implement data sequestration consistent with VIDA Section 8, provide citizens with a secure individual-controlled portal for accessing immutable audit trails, and maintain Zero Trust Architecture for all systems handling personal data.
PDTA explicitly rejects both consent and ownership as organizing frameworks for the government-citizen data relationship. Consent is structurally impossible when citizens cannot exit the relationships that generate data collection. Ownership is legally incoherent because personal data constitutes a commons of unownable facts. The fiduciary framework addresses the actual harm: not who owns the data, but what duties govern those who hold it and what remedies are available when those duties are breached.
Fair Information Practice Principles have been policy in the United States since 1973. Fifty-three years of voluntary frameworks have produced the same pattern: an agency declares compliance, then agency discretion defines what compliance means. The only pattern that breaks this dynamic is a private right of action combined with a clearly defined legal duty. PDTA provides both. Citizens may bring suit directly for violations of the fiduciary duties established by this Act without exhausting administrative remedies or depending on agency enforcement discretion.
Section 4B, added in the current (May 2026) draft, is the most significant structural revision in PDTA. Prior drafts defined the duty of loyalty as a general obligation to act in the best interests of the data subject, a formulation that, however well-intentioned, is difficult for citizens to enforce because it requires proving that an agency's conduct conflicted with their interests in some open-ended sense. Agencies can defend general best-interests claims by pointing to administrative necessity, public benefit, or the absence of demonstrable harm.
Section 4B replaces this with seven specific, binary, objectively verifiable obligations derived from the Fair Information Practice Principles: purpose specification, data minimization, purpose sequestration, use limitation, prohibition on unauthorized disclosure, retention limitation, and transparency. Each obligation is defined precisely enough that compliance is a question of fact rather than judgment. Breach of any single obligation is breach of the duty of loyalty, regardless of the agency’s purpose or the absence of identified harm.
The enforcement standard is equally precise. No showing of harm is required. No showing of intent is required. The government entity bears the burden of demonstrating compliance in all proceedings. Four categories of conduct are designated as per se breach, requiring no further factual inquiry: collection without a written purpose specification; retention in a structure accessible beyond the specific defined purpose; disclosure to any unauthorized party; and failure to delete within the required period. The binary standard is more protective than a general best-interests standard, not less, because it removes the agency’s ability to substitute its own judgment for the specific obligations the statute imposes.
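The claim that each obligation is "a question of fact rather than judgment" is easiest to test by trying to mechanize it. The Python sketch below is an added illustration, not code from the PDTA draft or from any agency system: it models one store per purpose (sequestration, as in the VIDA Section 8 requirement above), refuses collection without a registered purpose specification or outside its field list, refuses disclosure to any party the specification does not name, reports records held past their retention period, and writes every operation to a hash-chained audit log a data subject could verify from a portal. The class names, the `FixedClock` helper, the simplified rule set, and the sample purpose and parties used in the usage note are assumptions made for the example.

```python
# Added example (hypothetical): purpose-sequestered storage with a hash-chained
# audit log, mapping the per se breach categories to mechanical checks.
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64


@dataclass(frozen=True)
class PurposeSpec:
    """The written purpose specification; collecting without one is a per se breach."""
    purpose_id: str
    fields: frozenset[str]              # data minimization: nothing outside this set
    retention: timedelta                # retention limitation
    authorized_parties: frozenset[str]  # use limitation / disclosure prohibition


@dataclass
class Record:
    subject: str
    purpose_id: str
    data: dict
    collected_at: datetime
    revoked: bool = False


class BreachError(Exception):
    """Raised when an operation would be a per se breach; the operation does not happen."""


class FixedClock:
    """Injectable clock (assumed helper) so retention checks are deterministic."""
    def __init__(self, t: datetime) -> None:
        self.t = t

    def __call__(self) -> datetime:
        return self.t


class AuditLog:
    """Append-only log; each entry commits to its predecessor, so later edits are detectable."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _digest(prev: str, event: dict) -> str:
        body = json.dumps(event, sort_keys=True, default=str)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        h = self._digest(prev, event)
        self.entries.append({"prev": prev, "event": event, "hash": h})
        return h

    def verify(self) -> bool:
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["event"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def for_subject(self, subject: str) -> list[dict]:
        """What a subject's portal would show: every logged interaction with their data."""
        return [e["event"] for e in self.entries if e["event"].get("subject") == subject]


class SequesteredStore:
    """One store per purpose and no cross-purpose index; every operation is logged."""

    def __init__(self, clock) -> None:
        self.clock = clock
        self.specs: dict[str, PurposeSpec] = {}
        self.stores: dict[str, list[Record]] = {}
        self.audit = AuditLog()

    def _log(self, op: str, **fields) -> None:
        self.audit.append({"op": op, "at": self.clock(), **fields})

    def register_purpose(self, spec: PurposeSpec) -> None:
        self.specs[spec.purpose_id] = spec
        self.stores.setdefault(spec.purpose_id, [])
        self._log("purpose_specified", purpose=spec.purpose_id, fields=sorted(spec.fields))

    def collect(self, subject: str, purpose_id: str, data: dict, actor: str) -> Record:
        spec = self.specs.get(purpose_id)
        if spec is None:
            raise BreachError("collection without a written purpose specification")
        extra = set(data) - spec.fields
        if extra:
            raise BreachError(f"data minimization: {sorted(extra)} not in purpose {purpose_id}")
        rec = Record(subject, purpose_id, dict(data), self.clock())
        self.stores[purpose_id].append(rec)
        self._log("collect", subject=subject, purpose=purpose_id, actor=actor, fields=sorted(data))
        return rec

    def access(self, subject: str, purpose_id: str, party: str) -> list[dict]:
        spec = self.specs.get(purpose_id)
        if spec is None or party not in spec.authorized_parties:
            self._log("access_denied", subject=subject, purpose=purpose_id, party=party)
            raise BreachError("disclosure to an unauthorized party")
        self._log("access", subject=subject, purpose=purpose_id, party=party)
        return [r.data for r in self.stores[purpose_id] if r.subject == subject and not r.revoked]

    def revoke(self, subject: str, purpose_id: str) -> int:
        """Subject's veto: records become inaccessible at once and are purged on the next sweep."""
        hits = [r for r in self.stores.get(purpose_id, []) if r.subject == subject and not r.revoked]
        for r in hits:
            r.revoked = True
        self._log("revoke", subject=subject, purpose=purpose_id, records=len(hits))
        return len(hits)

    def purge_expired(self) -> int:
        now = self.clock()
        deleted = 0
        for pid, recs in self.stores.items():
            keep = []
            for r in recs:
                if r.revoked or now - r.collected_at > self.specs[pid].retention:
                    deleted += 1
                    self._log("delete", subject=r.subject, purpose=pid)
                else:
                    keep.append(r)
            self.stores[pid] = keep
        return deleted

    def overdue(self) -> list[tuple[str, str]]:
        """Records still held past their retention period: the 'failure to delete' breach."""
        now = self.clock()
        return [(r.subject, pid) for pid, recs in self.stores.items()
                for r in recs if now - r.collected_at > self.specs[pid].retention]
```

With a purpose such as `PurposeSpec("licence_renewal", frozenset({"name", "licence_no"}), timedelta(days=30), frozenset({"dmv"}))` registered, a collection under an unregistered purpose, a collection that includes a field outside the specification, and an access by a party outside `authorized_parties` each raise `BreachError` before any data moves; after the clock passes the retention window, `overdue()` names the record and `purge_expired()` removes it. Note what the sketch does not decide: whether a given field is genuinely necessary for the stated purpose is still a judgment made when the specification is written, which is the point at which the transparency obligation has to bite.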
The complete draft legislation is available to download as a Word document or to read directly on Google Drive. Critiques identifying specific incoherence in any provision should be directed to the scholarship address.
The most useful engagement is precise: a specific provision that does not do what it claims, a statutory requirement that is technically unimplementable, or a constitutional argument that a court has already rejected in a relevant context.