[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 5170 Introduced in Senate (IS)]
<DOC>
118th CONGRESS
2d Session
S. 5170
To establish the Data Protection Agency.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
September 25, 2024
Mrs. Gillibrand introduced the following bill; which was read twice and
referred to the Committee on Commerce, Science, and Transportation
_______________________________________________________________________
A BILL
To establish the Data Protection Agency.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Data Protection Act of 2024''.
SEC. 2. DEFINITIONS.
In this Act:
(1) Agency.--The term ``Agency'' means the Data Protection
Agency established under section 3.
(2) Anonymized data.--The term ``anonymized data'' means
information--
(A) that does not identify an individual; and
(B) with respect to which there is no reasonable
basis to believe that the information can be used on
its own or in combination with other reasonably
available information to identify an individual.
(3) Automated decision system.--The term ``automated
decision system'' means a computational process, including one
derived from machine learning, statistics, or other data
processing or artificial intelligence techniques, that
automates, analyzes, aids, or augments decisions.
(4) Biometric information.--The term ``biometric
information''--
(A) means information regarding the physiological
or biological characteristics of an individual that may
be used, singly or in combination with each other or
with other identifying data, to establish the identity
of an individual;
(B) includes--
(i) genetic data;
(ii) imagery of the iris, retina,
fingerprint, face, hand, palm, vein patterns,
and voice recordings, from which an identifier
template, such as a faceprint, a minutiae
template, or a voiceprint, can be extracted;
(iii) keystroke patterns or rhythms, gait
patterns or rhythms, and sleep, health, or
exercise data that contain identifying
information; and
(iv) any mathematical code, profile, or
algorithmic model derived from information
regarding the physiological or biological
characteristics of an individual;
(C) does not include information captured from a
patient in a health care setting for a medical purpose
or information collected, used, or stored for health
care treatment, payment, or operations under the Health
Insurance Portability and Accountability Act of 1996
(Public Law 104-191); and
(D) does not include an X-ray, roentgen process,
computed tomography, MRI, PET scan, mammography, or
other image or film of the human anatomy used to
diagnose, prognose, or treat an illness or other
medical condition or to further validate scientific
testing or screening.
(5) Collect.--The term ``collect''--
(A) means buying, renting, gathering, obtaining,
receiving, or accessing any personal data by any means;
and
(B) includes--
(i) receiving personal data from an
individual or device; and
(ii) creating, deriving, or inferring
personal data by analyzing data about an
individual or about groups of individuals
similar to the individual.
(6) Data aggregator.--The term ``data aggregator''--
(A) means any person that collects, uses, or
shares, in or affecting interstate commerce, an amount
of personal data that is not de minimis, as well as
entities related to that person by common ownership or
corporate control; and
(B) does not include an individual who collects,
uses, or shares personal data solely for non-commercial
reasons.
(7) Device.--The term ``device'' means any physical object
that--
(A) is capable of connecting to the internet or
other communication network; or
(B) has computer processing capabilities that can
collect, send, receive, or store data.
(8) Director.--The term ``Director'' means the Director of
the Data Protection Agency.
(9) Electronic data.--The term ``electronic data'' means
any information that is in an electronic or digital format or
any electronic or digital reference that contains information
about an individual or device.
(10) Federal privacy law.--The term ``Federal privacy law''
means the provisions of this Act, any other rule or order
prescribed by the Agency under this Act, and the following laws
(including any amendments made to such laws):
(A) Title V of the Gramm-Leach-Bliley Act (Public
Law 106-102; 113 Stat. 1338).
(B) The Fair Credit Reporting Act (15 U.S.C. 1681
et seq.).
(C) The Telemarketing and Consumer Fraud and Abuse
Prevention Act (15 U.S.C. 6101 et seq.).
(D) The Fair and Accurate Credit Transactions Act
of 2003 (Public Law 108-159; 117 Stat. 1952).
(E) The CAN-SPAM Act of 2003 (15 U.S.C. 7701 et
seq.).
(F) Sections 222, 227, 338(l), 631, and 705 of the
Communications Act of 1934 (47 U.S.C. 222, 227, 338(l),
551, 705).
(G) The Children's Online Privacy Protection Act of
1998 (15 U.S.C. 6501 et seq.).
(H) The Right to Financial Privacy Act of 1978 (12
U.S.C. 3401 et seq.).
(I) The Identity Theft Assumption and Deterrence
Act of 1998 (Public Law 105-318; 117 Stat. 3007).
(J) The General Education Provisions Act (20 U.S.C.
1221 et seq.) (commonly known as the ``Family
Educational Rights and Privacy Act of 1974'').
(K) Section 552a of title 5, United States Code.
(L) The E-Government Act of 2002 (Public Law
107-347; 116 Stat. 2899).
(M) The Computer Security Act of 1987 (40 U.S.C.
1441 note).
(N) The Employee Polygraph Protection Act of 1988
(29 U.S.C. 2001 et seq.).
(O) The Communications Assistance for Law
Enforcement Act (Public Law 103-414; 108 Stat. 4279).
(P) Sections 1028A, 1030, 1801, 2710, and 2721 and
chapter 119, of title 18, United States Code.
(Q) The Genetic Information Nondiscrimination Act
of 2008 (Public Law 110-233; 122 Stat. 881).
(R) The Taxpayer Browsing Protection Act (Public
Law 105-35; 111 Stat. 1104).
(S) The Privacy Protection Act of 1980 (42 U.S.C.
2000aa et seq.).
(T) The Cable Communications Policy Act of 1984
(Public Law 98-549; 98 Stat. 2779).
(U) The Do-Not-Call Implementation Act (Public Law
108-10; 117 Stat. 557).
(V) The Wireless Communications and Public Safety
Act of 1999 (Public Law 106-81; 113 Stat. 1286).
(W) Title XXX of the Public Health Service Act (42
U.S.C. 300jj et seq.).
(11) High-risk data practice.--The term ``high-risk data
practice'' means an action by a data aggregator that involves--
(A) the use of an automated decision system;
(B) the processing of data in a manner that
involves an individual's protected class, familial
status, lawful source of income, financial status (such
as the individual's income or assets), veteran status,
criminal convictions or arrests, citizenship, past,
present, or future physical or mental health or
condition, psychological states, or any other factor
used as a proxy for identifying any of these
characteristics;
(C) a systematic processing of publicly accessible
data on a large scale;
(D) processing involving the use of new
technologies, or combinations of technologies, that
causes or materially contributes to privacy harm;
(E) decisions about an individual's access to a
product, service, opportunity, or benefit which is
based to any extent on automated decision system
processing;
(F) any profiling of individuals on a large scale;
(G) any processing of biometric information for the
purpose of uniquely identifying an individual, with the
exception of one-to-one biometric authentication;
(H) combining, comparing, or matching personal data
obtained from multiple sources;
(I) processing which involves an individual's
precise geolocation;
(J) the processing of personal data of children and
teens under 17 or other vulnerable individuals such as
the elderly, people with disabilities, and other groups
known to be susceptible for exploitation for marketing
purposes, profiling, or automated processing; or
(K) consumer scoring or other business practices
that pertain to the eligibility of an individual, and
related terms, rights, benefits, and privileges, for
employment (including hiring, firing, promotion,
demotion, and compensation), credit, insurance,
housing, education, professional certification, or the
provision of health care and related services.
(12) High-risk data practice impact evaluation.--The term
``high-risk data practice impact evaluation'' means a study
conducted after deployment of a high-risk data practice that
includes, at a minimum--
(A) an evaluation of a high-risk data practice's
accuracy, disparate impacts on the basis of protected
class, and privacy harms;
(B) an evaluation of the effectiveness of measures
taken to minimize risks as outlined in any prior
high-risk data practice risk assessments; and
(C) recommended measures to further minimize risks
to accuracy, disparate impacts on the basis of
protected class, and privacy harms.
(13) High-risk data practice risk assessment.--The term
``high-risk data practice risk assessment'' means a study
evaluating a high-risk data practice and the high-risk data
practice's development process, including the design and
training data of the high-risk data practice, if applicable,
for likelihood and severity of risks to accuracy, bias,
discrimination, and privacy harms that includes, at a minimum--
(A) a detailed description of the high-risk data
practice, including--
(i) its design and methodologies;
(ii) training data characteristics;
(iii) data; and
(iv) purpose;
(B) an assessment of the relative benefits and
costs of the high-risk data practice in light of its
purpose, potential unintended consequences, and taking
into account relevant factors, including--
(i) data minimization practices;
(ii) the duration and methods for which
personal data and the results of the high-risk
data practice are stored;
(iii) what information about the high-risk
data practice is available to individuals;
(iv) the extent to which individuals have
access to the results of the high-risk data
practice and may correct or object to its
results; and
(v) the recipients of the results of the
high-risk data practice;
(C) an assessment of the risks of privacy harm
posed by the high-risk data practice and the risks that
the high-risk data practice may result in or contribute
to inaccurate, biased, or discriminatory decisions
impacting individuals or groups of individuals;
(D) the decision to accept, reject, or mitigate and
minimize risks and the measures a data aggregator will
employ including to minimize the risks described in
subparagraph (C), including technological and physical
safeguards;
(E) an assessment of the environmental footprint on
the development and use system in terms of carbon
emissions; and
(F) any potential or permitted use of the outputs
of the high-risk data for other decisions or purposes
such as advertising targeting.
(14) Individual.--The term ``individual'' means a natural
person.
(15) Person.--The term ``person'' means an individual, a
local, State, or Federal governmental entity, a partnership, a
company, a corporation, an association (incorporated or
unincorporated), a trust, an estate, a cooperative
organization, another entity, or any other organization or
group of such entities acting in concert.
(16) Personal data.--The term ``personal data'' means
electronic data that, alone or in combination with other data--
(A) identifies, relates to, describes, is capable
of being associated with, or could reasonably be
linked, directly or indirectly, with a particular
individual, household, or device; or
(B) could be used to determine that an individual
or household is part of a protected class.
(17) Precise geolocation.--The term ``precise geolocation''
means any data that is derived from a device and that is used
or intended to be used to locate an individual within a
geographic area that is equal to or less than the area of a
circle with a radius of one thousand, eight hundred and fifty
(1,850) feet.
(18) Privacy harm.--The term ``privacy harm'' means an
adverse consequence, or a potential adverse consequence, to an
individual, a group of individuals, or society caused, in whole
or in part, by the collection, processing, or sharing of
personal data, including--
(A) direct or indirect financial loss or economic
harm, including financial loss or economic harm arising
from fraudulent activities or data security breaches;
(B) physical harm, harassment, or a threat to an
individual or property;
(C) psychological harm, including anxiety,
embarrassment, fear, other trauma, stigmatization,
reputational harm, or the revealing or exposing of an
individual, or a characteristic of an individual, in an
unexpected way;
(D) an adverse outcome or decision, including
relating to the eligibility of an individual for the
rights, benefits, or privileges in credit and insurance
(including the denial of an application or obtaining
less favorable terms), housing, education, professional
certification, employment (including hiring, firing,
promotion, demotion, and compensation), or the
provision of health care and related services;
(E) discrimination, including both differential
treatment on the basis of a protected class and
disparate impact on a protected class;
(F) the chilling of free expression or action of an
individual, or society generally, due to perceived or
actual pervasive and excessive collection, processing,
or sharing of personal data;
(G) the use of information technology to covertly
influence an individual's decision-making, by targeting
and exploiting decision-making vulnerabilities; and
(H) any other adverse consequence, or potential
adverse consequence, prohibited by or defined by
Federal privacy laws; provisions of Federal civil
rights laws related to the processing of personal
information; provisions of Federal consumer protection
laws related to the processing of personal information;
the First Amendment; and other constitutional rights
protecting privacy.
(19) Process.--The term ``process'' means to perform an
operation or set of operations on personal data, either
manually or by automated means, including collecting,
recording, organizing, structuring, storing, adapting or
altering, retrieving, consulting, using, disclosing by
transmission, sorting, classifying, disseminating or otherwise
making available, aligning or combining, restricting, erasing
or destroying.
(20) Profile.--The term ``profile'' means the use of an
automated decision system to process data (including personal
data and other data) to derive, infer, predict or evaluate
information abou