HOUSE DOCKET, NO. 3847 FILED ON: 2/19/2021
HOUSE . . . . . . . . . . . . . . . No.
The Commonwealth of Massachusetts
_________________
PRESENTED BY:
David M. Rogers and Andres X. Vargas
_________________
To the Honorable Senate and House of Representatives of the Commonwealth of Massachusetts in General
Court assembled:
The undersigned legislators and/or citizens respectfully petition for the adoption of the accompanying bill:
An Act relative to data privacy.
_______________
PETITION OF:
NAME: DISTRICT/ADDRESS: DATE ADDED:
David M. Rogers 24th Middlesex 2/19/2021
1 of 1
The Commonwealth of Massachusetts
_______________
In the One Hundred and Ninety-Second General Court
(2021-2022)
_______________
An Act relative to data privacy.
Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority
of the same, as follows:
1 SECTION 1. The General Laws are hereby amended by inserting after chapter 93K the
2 following chapter:-
3 CHAPTER 93L. Data Accountability and Transparency Agency.
4 Section 1. Definitions.
5 For purposes of this chapter, the following words and terms shall have the following
6 meanings:
7 “Affiliate”, means any person that controls, is controlled by, or is under common control
8 with another person.
9 “Agency”, means the Massachusetts Data Accountability and Transparency Agency
10 established in section 5.
1 of 37
11 “Anonymized Data”, means information that has been proven to not identify, relate to,
12 describe, reference, be capable of being associated with, or be linked or reasonably linkable to a
13 particular individual or device.
14 “Automated Decision System”, means a computational process, including one derived
15 from machine learning, statistics, or other data processing or artificial intelligence techniques,
16 that makes a decision, or facilitates human decision-making.
17 “Automated decision system impact evaluation”, means a study conducted after
18 deployment of an automated decision system that includes, at a minimum—(a) an evaluation of
19 an automated decision system’s accuracy, bias on the basis of protected class, and impact on
20 privacy on individuals or groups of individuals; (b) an evaluation of the effectiveness of
21 measures taken to minimize risks as outlined in any prior automated decision system risk
22 assessments; and (c) recommended measures to further minimize risks to accuracy, bias on the
23 basis of protected class, and privacy on individuals or groups of individuals.
24 “Automated decision system risk assessment”, means a study evaluating an automated
25 decision system and the automated decision system’s development process, including the design
26 and training data of the automated decision system, for potential risks to accuracy, bias,
27 discrimination, and privacy on individuals or groups of individuals that includes, at a
28 minimum—(a) a detailed description of the automated decision system, including—(i) its design
29 and methodologies; (ii) training data characteristics; (iii) data; and (iv) purpose; (b) an
30 assessment of the automated decision system governance in light of its purpose, potential
31 unintended consequences, and taking into account relevant factors, including—(i) the duration
32 and methods for which personal data and the results of the automated decision system are stored;
33 (ii) what information about the automated decision system (including inputs, features, and
34 results) is available to individuals; and (iii) the recipients of the results of the automated decision
35 system; (c) an assessment of the risks that the automated decision system—(i) poses to
36 individuals or groups of individuals of privacy harm; and (ii) may result in or contribute to
37 inaccurate, biased, or discriminatory decisions impacting individuals or groups of individuals; (d)
38 the measures a data aggregator will employ to minimize the risks described in subparagraph (c),
39 including technological and physical safeguards.
40 “Collect”, (a) means buying, renting, gathering, obtaining, receiving, or accessing any
41 personal data by any means; and (b) includes—(i) receiving personal data from an individual or
42 device; and (ii) creating, deriving, or inferring personal data by observing the behavior of an
43 individual.
44 “Commissioner”, means the Commissioner of the Massachusetts Data Accountability and
45 Transparency Agency.
46 “Covered individual”, means an applicant, current or former employee, contractor,
47 subcontractor, grantee, or agent of a data aggregator or service provider.
48 “Data Aggregator”, means (a) any person that collects, uses, or shares an amount of
49 personal data that is not de minimis; and (b) does not include an individual who collects, uses, or
50 shares personal data solely for personal reasons.
51 “Device”, means any physical object that— (a) is capable of connecting to the internet or
52 other communication network; or (b) has computer processing capabilities that can collect, send,
53 receive, or store data.
54 “Electronic data”, means any information that is in an electronic or digital format or any
55 electronic or digital reference that contains information about an individual or device.
56 “Facial recognition technology”, means an automated or semiautomated process that
57 assists in identifying or verifying an individual based on the characteristics of the face of an
58 individual.
59 “Individual”, means a natural person.
60 “Intentional interaction”, means an interaction in which an individual engages in 1 or
61 more actions to demonstrate that the individual intends to interact with a data aggregator.
62 “Journalism”, means the gathering, preparing, collecting, photographing, recording,
63 writing, editing, reporting, or publishing of news or information that concerns local, national, or
64 international events or other matters of public interest for dissemination to the public; and
65 includes the collection or use of personal data about a public individual or official, or that
66 otherwise concerns matters of public interest, for dissemination to the public.
67 “Person”, means an individual, a local, State, or Federal governmental entity, a
68 partnership, a company, a corporation, an association (incorporated or unincorporated), a trust,
69 an estate, a cooperative organization, another entity, or any other organization or group of such
70 entities acting in concert.
71 “Personal data”, means electronic data that, alone or in combination with other data—(A)
72 could be linked or reasonably linkable to an individual, household, or device; or (B) could be
73 used to determine that an individual or household is part of a protected class.
74 “Privacy harm”, means an adverse consequence, or a potential adverse consequence, to
75 an individual, a group of individuals, or society caused, or potentially caused, in whole or in part,
76 by the collection, use, or sharing of personal data, including—(a) direct or indirect financial loss
77 or economic harm, including financial loss or economic harm arising from fraudulent activities
78 or data security breaches; (b) physical harm, harassment, or a threat to an individual or property;
79 (c) psychological harm, including anxiety, embarrassment, fear, other trauma, stigmatization,
80 reputational harm, or the revealing or exposing of an individual, or a characteristic of an
81 individual, in an unexpected way; (d) an adverse outcome or decision, including relating to the
82 eligibility of an individual for the rights, benefits, or privileges in credit and insurance (including
83 the denial of an application or obtaining less favorable terms), housing, education, professional
84 certification, employment (including hiring, firing, promotion, demotion, and compensation), or
85 the provision of health care and related services; (e) discrimination or the otherwise unfair or
86 unethical differential treatment with respect to an individual, including in a manner that is
87 prohibited under Section 9 of this chapter; (f) the interference with, or the surveillance of,
88 activities that are protected by the First Amendment to the Constitution of the United States; (g)
89 the chilling of free expression or action of an individual, or society generally, due to perceived or
90 actual pervasive and excessive collection, use, or sharing of personal data; (h) the impairment of
91 the autonomy of an individual or society generally; (i) any harm fairly traceable to an
92 invasion of privacy tort; and (j) any other adverse consequence, or potential adverse
93 consequence, consistent with the provisions of this Act, as determined by the Director.
94 “Protected class”, means the actual or perceived race, color, ethnicity, national origin,
95 religion, sex, gender, gender identity, sexual orientation, familial status, biometric information,
96 lawful source of income, or disability of an individual or a group of individuals.
97 “Public accommodation”, means any type of business considered a place of public
98 accommodation pursuant to section 201(b) of the Civil Rights Act of 1964 (42 U.S.C. 2000a(b))
99 or section 301(7) of the Americans with Disabilities Act of 1990 (42 U.S.C. 12181(7)) or a
100 business that offers goods or services through the internet to the general public.
101 “Service provider”, means a data aggregator that collects, uses, or shares personal data
102 only on behalf of another data aggregator in order to carry out a permissible purpose.
103 “Share”, means disseminating, making available, transferring, or otherwise
104 communicating orally, in writing, or by electronic or other means, personal data, except for as
105 required under section 9 of this chapter.
106 “Use”, means to perform an operation or a set of operations on personal data, either
107 manually or by automated means, after the collection of the data, including—(a) the analysis,
108 organization, storage, retention, or maintenance of the data; and (b) the derivation or inference of
109 information from the personal data.
110 “Verifiable request”, means a request that a data aggregator can reasonably verify is
111 made—(a) by an individual; (b) by an individual on behalf of the individual’s minor child; or (c)
112 by a person registered with the Secretary of State authorized by the individual to act on the
113 individual’s behalf.
114 Section 2. Massachusetts Data Accountability and Transparency Agency.
115 (a) There shall be a Massachusetts Data Accountability and Transparency Agency which
116 shall consist of one commissioner who shall exercise supervision and control over the agency,
117 who shall be appointed by a majority vote of the treasurer and receiver-general, the governor,
118 and the attorney general and shall have a background in technology; protection of personal data;
119 civil rights and liberties; law; social sciences; and business.
120 (b) The commissioner shall serve in that capacity for a term of five years and until a
121 successor shall be appointed. The commissioner shall be eligible for reappointment; provided,
122 however, that no commissioner shall serve more than 10 years. An individual appointed to fill the
123 vacancy of commissioner shall be appointed in a like manner.
124 (c) The commissioner shall be a resident of the commonwealth within 90 days of
125 appointment and, while serving as commissioner, shall not: (i) hold, or be a candidate for,
126 federal, state or local elected office; (ii) hold an appointed office in a federal, state or local
127 government; or (iii) serve as an official in a political party. The commissioner shall receive a
128 salary equal to the salary of the secretary of administration and finance under section 4 of chapter
129 7. The commissioner shall devote their full time and attention to the duties of their office and
130 shall hold no other employment.
131 (d) The treasurer and receiver-general, the governor, and the attorney general may
132 remove the commissioner, by a majority vote, if the commissioner: (i) is guilty of malfeasance in
133 office; (ii) substantially neglects the duties of a commissioner; (iii) is unable to discharge the
134 powers and duties of the office; (iv) commits gross misconduct; or (v) is convicted of a felony.
135 Before removal, the commissioner shall be provided with a written statement of the reason for
136 removal and shall have an opportunity to be heard.
137 (e) The commissioner, through the agency, shall have all the powers necessary or
138 convenient to carry out and effectuate its purposes including, but not limited to, the power to: (i)
139 appoint officers, hire employees and make such divisions or other offices among employees of
140 the agency; (ii) establish and amend a plan of organization that it considers expedient; (iii)
141 execute all instruments necessary or convenient for accomplishing the purposes of this chapter;
142 (iv) enter into agreements or other transactions with a person, including, but not limited to, a
143 public entity or other governmental instrumentality or authority in connection with its powers
144 and duties under this chapter; (v) appear on its own behalf before boards, commissions,
145 departments or other agencies of municipal, state or federal government; (vi) apply for and
146 accept subventions, grants, loans, advances and contributions of money, property, labor or other
147 things of value from any source, to be held, used and applied for its purposes; (vii) provide and
148 pay for advisory services and technical assistance as may be necessary in its judgment to carry
149 out this chapter and fix the compensation of persons providing such services or assistance; (viii)
150 prepare, publish and distribute, with or without charge as the commissioner may determine, such
151 studies, reports, bulletins and other materials as the commissioner considers appropriate; (ix)
152 gather facts and information applicable to the agency’s obligations; (x) conduct investigations
153 into covered entities, including data aggregators and service providers; (xi) impose fees and
154 fines, as authorized by this chapter and penalties and sanctions for a violation of this chapter or
155 any regulations promulgated by the agency; (xii) collect fees under this chapter; (xiii) conduct
156 adjudicatory proceedings and promulgate regulations in accordance with chapter 30A and may
157 adopt regulations and establish procedures that include electronic communications, by which a
158 request to receive notice shall be made and the method by which timely notice may be given;
159 (xiv) refer cases for criminal prosecution to the appropriate federal, state or local authorities; (xv)
160 maintain an official internet website for the agency; (xvi) monitor any federal activity regarding
161 data privacy; (xvii) delegate to any employee, representative, or agent any powers vested in the
162 agency by law; (xviii) adopt and use a seal; (xix) use and expend funds; (xx) implement this
163 chapter through orders, guidance documents, interpretations, statements of policy, examinations,
164 investigations, joint investigations, and enforcement actions; (xxi) monitor risks to individuals or
165 groups of individuals in collection, use, and sharing of personal data and report risks to the
166 public; and (xxii) perform such other functions as may be authorized or required by law.
167 (f) The commissioner shall file an annual report with the secretary of the executive office
168 of administration and finance, the clerks of the senate and the house of representatives, and the
169 senate and house committees on ways and means: (i) listing the number of employees of the
170 agency, the salaries and titles of each employee, the source of funding for the salaries of said
171 employees and the projected date when federal funds for such positions are expected to
172 terminate; (ii) listing and describing grant programs of the department funded by the federal
173 government, including the amount of funding by grant; (iii) listing and describing other programs
174 of the agency; and (iv) any other amounts to be spent by category and grantee. Such reports shall
175 be filed annually on or before December thirty-first and shall refer to activities planned for the
176 subsequent calendar year. The commissioner shall also file with said committees an annual
177 report detailing all expenditures in the agency by the division, identified by categories of projects
178 and grantees under each category, together with all available documentation resulting