IN THE SENATE OF THE UNITED STATES
January 16, 2019
Mr. Rubio introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and Transportation
To impose privacy requirements on providers of internet services similar to the requirements imposed on Federal agencies under the Privacy Act of 1974.
This Act may be cited as the American Data Dissemination Act of 2019 or the
In this Act—
the term "agency" has the meaning given the term in section 552a of title 5, United States Code;
the term "appropriate committees of Congress" means—
the Committee on Commerce, Science, and Transportation of the Senate; and
the Committee on Energy and Commerce of the House of Representatives;
the term "collect" means to buy, rent, gather, obtain, receive, or access information about an individual by any means, including by—
receiving information from the individual, either actively or passively; or
observing the behavior of the individual;
the term "Commission" means the Federal Trade Commission;
the term "covered provider" means a person that—
provides a service that uses the internet; and
in providing the service under subparagraph (A), collects records;
the term "disclose" means to release, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means;
the term "maintain" includes maintain, collect, use, disclose, or process;
the term "Privacy Act of 1974" means section 552a of title 5, United States Code;
the term "process" means to perform an operation or set of operations on information or on sets of information, whether or not by automated means;
subject to subsection (b), the term "record" means any item, collection, or grouping of information about an individual that—
is maintained by a covered provider, including the education, financial transactions, medical history, and criminal or employment history of the individual; and
contains any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual, including any—
name, social security number, date of birth, official driver's license or identification number issued by a State, alien registration number, government passport number, or employer or taxpayer identification number;
unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation;
unique electronic identification number, address, or routing code;
telecommunication identifying information or access device (as those terms are defined in section 1029(e) of title 18, United States Code); or
user-generated content; and
the term "sell" means to disclose information about an individual to another person for monetary or other valuable consideration.
Modification of definition
If the Commission promulgates regulations under section 4(a), the Commission may modify, at any time, the definition of the term "record" under subsection (a) of this section as necessary to conform to new Federal laws or regulations.
Recommended privacy requirements for providers of internet services
Not later than 180 days after the date of enactment of this Act, the Commission shall submit to the appropriate committees of Congress detailed recommendations for privacy requirements that Congress could impose on covered providers that would be substantially similar, to the extent practicable, to the requirements applicable to agencies under the Privacy Act of 1974.
Subjects for recommendations
The recommendations under subsection (a) shall address the issues described in section 4.
Regulations imposing privacy requirements on providers of internet services
Not earlier than 1 year after the date on which the Commission submits detailed recommendations for privacy requirements under section 3(a), and not later than 15 months after that date, the Commission shall publish and submit to the appropriate committees of Congress proposed regulations to impose privacy requirements on covered providers that are substantially similar, to the extent practicable, to the requirements applicable to agencies under the Privacy Act of 1974.
If a law imposing privacy requirements on covered providers that are substantially similar, to the extent practicable, to the requirements applicable to agencies under the Privacy Act of 1974 is not enacted by the date that is 2 years after the date of enactment of this Act, the Commission shall, not later than 27 months after that date of enactment, promulgate final regulations that impose such privacy requirements.
In promulgating regulations under subsection (a), the Commission—
establish criteria for exempting certain small, newly formed covered providers from the requirements under the regulations, taking into account factors including—
the period of time during which the covered provider has been operating as a covered provider;
the annual revenue of the covered provider; and
the number of individuals about whom the covered provider collects records;
restrict disclosure of records maintained by covered providers;
an individual may request access to a record (or a portion thereof) maintained by a covered provider that relates to the individual; and
upon a request under clause (i), the covered provider shall—
provide the individual with access to the record (or the relevant portion thereof); or
if the covered provider so elects, delete the record (or the relevant portion thereof), subject to the requirements to keep and provide an accounting under subparagraph (G);
provide that if an individual demonstrates that a record relating to the individual is not accurate, relevant, timely, or complete (as those terms are defined by the Commission)—
the individual may request that the covered provider amend the record; and
upon a request under clause (i), the covered provider shall amend the record;
establish a process modeled on the process established under section 611(a) of the Fair Credit Reporting Act (15 U.S.C. 1681i(a))—
through which an individual and a covered provider may resolve a dispute under subparagraph (D) of this paragraph regarding the assertion that a record relating to the individual is not accurate, relevant, timely, or complete; and
that does not require the individual to incur any expense;
in accordance with accepted standards and in consultation with the Secretary of Commerce, establish a code of fair information practices, for the secure collection, maintenance, and dissemination of records, with which a covered provider must comply;
require a covered provider, in a manner substantially similar, to the extent practicable, to the requirements applicable to agencies under section 552a(c) of title 5, United States Code, to—
keep an accounting of certain disclosures of records for a reasonable period of time, as determined by the Commission; and
make available to an individual, upon request, the accounting made under clause (i) of disclosures of records relating to the individual, unless the period of time described in that clause has expired; and
to the extent practicable, incorporate the exceptions under paragraphs (1) through (12) of section 552a(b) of title 5, United States Code; and
may promulgate regulations not described in paragraph (1) that are modeled on section 552a of title 5, United States Code, and the regulations promulgated under that section.
Application with other Federal laws
Exemption for persons subject to other Federal privacy laws
To the extent that a person is subject to a Federal privacy law described in paragraph (2) of this subsection, the regulations promulgated under subsection (a) shall not apply to the person with respect to any information or records governed by that Federal privacy law.
Other Federal privacy laws described
The Federal privacy laws described in this paragraph are as follows:
The regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note), as those regulations relate to—
a person described in section 1172(a) of the Social Security Act (42 U.S.C. 1320d–1(a)); or
transactions referred to in section 1173(a)(1) of the Social Security Act (42 U.S.C. 1320d–2(a)(1)).
Section 444 of the General Education Provisions Act (20 U.S.C. 1232g) (commonly referred to as the "Family Educational Rights and Privacy Act of 1974").
Section 552a of title 5, United States Code.
Children's Online Privacy Protection Act
In the case of a conflict between the regulations promulgated under subsection (a) of this section and the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6501 et seq.) (and any regulations promulgated under that Act), the Commission shall determine which provision of law shall apply.
In the case of a conflict between the regulations promulgated under subsection (a) of this section and title V of the Gramm-Leach-Bliley Act of 1999 (15 U.S.C. 6801 et seq.) (and any regulations promulgated under that Act), the Commission shall determine which provision of law shall apply.
Unfair or deceptive acts or practices
A violation of a regulation promulgated under section 4(a) shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
Powers of Commission
Except as provided in paragraph (3), if the Commission promulgates regulations under section 4(a), the Commission shall enforce this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act.
Privileges and immunities
Except as provided in paragraph (3), any person who violates a regulation promulgated under section 4(a) shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act (15 U.S.C. 41 et seq.).
Notwithstanding section 4, 5(a)(2), or 6 of the Federal Trade Commission Act (15 U.S.C. 44, 45(a)(2), 46) or any jurisdictional limitation of the Commission, if the Commission promulgates regulations under section 4(a), the Commission shall also enforce this Act, in the same manner provided in paragraphs (1) and (2) of this subsection, with respect to common carriers subject to the Communications Act of 1934 (47 U.S.C. 151 et seq.) and Acts amendatory thereof and supplementary thereto.
Nothing in this Act shall be construed to limit the authority of the Commission under any other provision of law.
Effect on State laws
This Act, including any regulations promulgated under section 4(a), shall supersede any provision of the law of a State relating to a covered provider that is subject to such a regulation, to the extent that the provision relates to the maintenance of—
records covered by this Act; or
any other personally identifiable information or personal identification information.