[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[S. 3300 Introduced in Senate (IS)]
<DOC>
116th CONGRESS
2d Session
S. 3300
To establish a Federal data protection agency, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
February 13, 2020
Mrs. Gillibrand introduced the following bill; which was read twice and
referred to the Committee on Commerce, Science, and Transportation
_______________________________________________________________________
A BILL
To establish a Federal data protection agency, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) In General.--This Act may be cited as the ``Data Protection Act
of 2020''.
(b) Table of Contents.--The table of contents of this Act is as
follows:
Sec. 1. Short title; table of contents.
Sec. 2. Findings and purpose.
Sec. 3. Definitions.
Sec. 4. Establishment of the Data Protection Agency.
Sec. 5. Executive and administrative powers.
Sec. 6. Purpose, objectives, and functions of the Agency.
Sec. 7. Rulemaking authority.
Sec. 8. Specific agency authorities.
Sec. 9. Enforcement powers.
Sec. 10. Preservation of State law.
Sec. 11. Reports and information.
Sec. 12. Transfers of functions.
Sec. 13. Authorization of appropriations.
SEC. 2. FINDINGS AND PURPOSE.
(a) Findings.--Congress finds the following:
(1) Privacy is an important fundamental individual right
protected by the Constitution of the United States.
(2) The right of privacy is widely recognized in
international legal instruments that the United States has
endorsed, ratified, or promoted.
(3) The right to privacy protects the individual against
intrusions into seclusion, protects individual autonomy,
safeguards fair processing of data that pertains to the
individual, advances the just processing of data, and
contributes to respect for individual civil rights and
fundamental freedoms.
(4) Privacy protections not only protect and benefit the
individual, but they also advance other societal interests,
including the protection of marginalized and vulnerable groups
of individuals, the safeguarding of other foundational values
of our democracy, such as freedom of information, freedom of
speech, justice, and human ingenuity and dignity, as well as
the integrity of democratic institutions, including fair and
open elections.
(5) The privacy of an individual is directly affected by
the collection, maintenance, use, and dissemination of personal
data.
(6) The increasing digitalization of information and its
application in classifying individuals and groups of
individuals has greatly magnified the harm to individual
privacy that can occur from the collection, maintenance, use,
or dissemination of personal data.
(7) The opportunities for an individual to secure
employment, insurance, credit, and housing and the right to due
process and other legal protections are endangered by the
unrestricted collection, disclosure, processing, and misuse of
personal data.
(8) Information systems lacking privacy protection amplify
bias.
(9) In order to protect the privacy of individuals, it is
necessary and proper for Congress to regulate the collection,
maintenance, use, processing, storage, and dissemination of
information.
(b) Purpose.--The purpose of this Act is to establish a data
protection agency to--
(1) safeguard privacy, promote innovation, ensure
compliance with the law, and promote best practices;
(2) provide guidance on matters related to electronic data
storage, communication, and usage;
(3) provide the public with information and guidance on
privacy protections and fair information practices and
principles;
(4) oversee Federal agencies' implementation of section
552a of title 5, United States Code;
(5) promote implementation of fair information practices in
the public and private sector; and
(6) represent the United States in international forums.
SEC. 3. DEFINITIONS.
In this Act:
(1) Agency.--The term ``Agency'' means the Data Protection
Agency established under section 4.
(2) Covered entity.--The term ``covered entity'' means any
person that collects, processes, or otherwise obtains personal
data with the exception of an individual processing personal
data in the course of personal or household activity.
(3) Federal privacy law.--
(A) In general.--The term ``Federal privacy law''
means the provisions of this Act, the laws specified in
subparagraph (B), and any rule or order prescribed by
the Agency under this Act or pursuant to the
authorities transferred under this Act. Such term shall
not include the Federal Trade Commission Act (15 U.S.C.
41 et seq.).
(B) Specified laws.--The laws specified in this
subparagraph are the following laws (including any
amendments made by such laws):
(i) The Children's Online Privacy
Protection Act (15 U.S.C. 6501 et seq.).
(ii) The CAN-SPAM Act of 2003 (15 U.S.C.
7701 et seq.).
(iii) The Do-Not-Call Implementation Act
(15 U.S.C. 6152 et seq.) and Public Law 108-82
(15 U.S.C. 6151).
(iv) The Fair Credit Reporting Act (15
U.S.C. 1681 et seq.).
(v) Title V of the Gramm-Leach-Bliley Act
(15 U.S.C. 6801 et seq.).
(vi) Subtitle D of the Health Information
Technology for Economic and Clinical Health Act
(42 U.S.C. 17921 et seq.).
(vii) The Identity Theft Assumption and
Deterrence Act of 1998 (Pub. L. 105-318).
(viii) The Telemarketing and Consumer Fraud
and Abuse Prevention Act (15 U.S.C. 6101 et
seq.).
(ix) Section 227 of the Communications Act
of 1934 (47 U.S.C. 227) (commonly known as the
``Telephone Consumer Protection Act of 1991'').
(4) High-risk data practice.--The term ``high-risk data
practice'' means an action by a covered entity that involves--
(A) a systematic or extensive evaluation of
personal data that is based on automated processing,
including profiling, and on which decisions are based
that produce legal effects concerning the individual or
household or similarly significantly affect the
individual or household;
(B) sensitive data uses;
(C) a systemic monitoring of publicly accessible
data on a large scale;
(D) processing involving the use of new
technologies, or combinations of technologies, that
creates adverse consequences or potential adverse
consequences to an individual or society;
(E) decisions about an individual's access to a
product, service, opportunity, or benefit which is
based to any extent on automated processing;
(F) any profiling of individuals on a large scale;
(G) any processing of biometric data for the
purpose of uniquely identifying an individual;
(H) any processing of genetic data, other than data
processed by a health care professional for the purpose
of providing health care to the individual;
(I) combining, comparing, or matching personal data
obtained from multiple sources;
(J) processing the personal data of an individual
that has not been obtained directly from the
individual;
(K) processing which involves tracking an
individual's geolocation; or
(L) the use of personal data of children or other
vulnerable individuals for marketing purposes,
profiling, or automated processing.
(5) Personal data.--The term ``personal data'' means any
information that identifies, relates to, describes, is capable
of being associated with, or could reasonably be linked,
directly or indirectly, with a particular individual or device,
including--
(A) an identifier such as a real name, alias,
signature, date of birth, gender identity, sexual
orientation, marital status, physical characteristic or
description, postal address, telephone number, unique
personal identifier, military identification number,
online identifier, Internet Protocol address, email
address, account name, mother's maiden name, social
security number, driver's license number, passport
number, or other similar identifiers;
(B) information such as employment status,
employment history, or other professional or
employment-related information;
(C) bank account number, credit card number, debit
card number, insurance policy number, or any other
financial information;
(D) medical information, mental health information,
or health insurance information;
(E) commercial information, including records of
personal property, products or services purchased,
obtained, or considered, or other purchasing or
consuming histories or tendencies;
(F) characteristics of protected classes under
Federal law, including race, color, national origin,
religion, sex, age, or disability;
(G) biometric information;
(H) internet or other electronic network activity
information, including browsing history, search
history, content, and information regarding an
individual's interaction with an internet website,
mobile application, or advertisement;
(I) historical or real-time geolocation data;
(J) audio, electronic, visual, thermal, olfactory,
or similar information;
(K) education records;
(L) political information;
(M) password-protected digital photographs and
digital videos not otherwise available to the public;
(N) information on criminal convictions or arrests;
(O) information (such as an Internet Protocol
address or other similar identifier) that allows an
individual or device to be singled out for interaction,
even without identification of such individual or
device; and
(P) inferences drawn from any of the information
identified in this subparagraph to create a profile
about an individual reflecting the individual's
preferences, characteristics, psychological trends,
predispositions, behavior, attitudes, intelligence,
abilities, and aptitudes.
(6) Process.--The term ``process'' means to perform an
operation or set of operations on personal data, either
manually or by automated means, including but not limited to
collecting, recording, organizing, structuring, storing,
adapting or altering, retrieving, consulting, using, disclosing
by transmission, sorting, classifying, disseminating or
otherwise making available, aligning or combining, restricting,
erasing or destroying.
(7) Profile.--The term ``profile'' means the use of an
automated means to process data (including personal data and
other data) to derive, infer, predict, or evaluate information
about an individual or group, such as the processing of data to
analyze or predict an individual's identity, attributes,
interests, or behavior.
(8) Sensitive data use.--The term ``sensitive data use''
means--
(A) the processing of data in a manner that reveals
an individual's race, color, ethnicity, religion or
creed, national origin or ancestry, sex, gender, gender
identity, sexuality, sexual orientation, political
beliefs, trade union membership, familial status,
lawful source of income, financial status (such as the
individual's income or assets), veteran status,
criminal convictions or arrests, citizenship, past,
present, or future physical or mental health or
condition, psychological states, disability, geospatial
data, or any other factor used as a proxy for
identifying any of these characteristics; or
(B) the use of the biometric or genetic data of an
individual.
(9) Transfer date.--The term ``transfer date'' means the
date that is 1 year after the date of enactment of this Act.
SEC. 4. ESTABLISHMENT OF THE DATA PROTECTION AGENCY.
(a) Establishment.--
(1) In general.--There is established in the Executive
branch an agency to be known as the ``Data Protection Agency''
which shall regulate the processing of personal data.
(2) Status.--The Agency shall be an independent
establishment (as defined in section 104 of title 5, United
States Code).
(b) Director and Deputy Director.--
(1) In general.--There is established a position of the
Director of the United States Data Protection Agency (referred
to in this Act as the ``Director''), who shall serve as the
head of the Agency.
(2) Appointment.--Subject to paragraph (3), the Director
shall be appointed by the President, by and with the advice and
consent of the Senate.
(3) Qualification.--The President shall nominate the
Director from among members of the public at large who are well
qualified for service on the Agency by virtue of their
knowledge and expertise in--
(A) technology;
(B) protection of personal data;
(C) civil rights and liberties;
(D) law;
(E) social sciences; and
(F) business.
(4) Compensation.--
(A) In general.--The Director shall be compensated
at the rate prescribed for level II of the Executive
Schedule under section 5313 of title 5, United States
Code.
(B) Conforming amendment.--Section 5313 of title 5,
United States Code, is amended by inserting after the
item relating to the Federal Transit Administrator the
following new item:
``Director of the United States Data Protection Agency.''.
(5) Deputy director.--There is established the position of
Deputy Director, who shall--
(A) be appointed by the Director; and
(B) serve as acting Director in the absence or
unavailability of the Director.
(c) Term.--
(1) In general.--The Director shall serve for a term of 5
years.
(2) Expiration of term.--An individual may serve as
Director after the expiration of the term for which appointed,
until a successor has been appointed and qualified.
(3) Removal for cause.--The President may remove the
Director for inefficiency, neglect of duty, or malfeasance in
office.
(d) Service Restriction.--No Director or Deputy Director may engage
in any other employment during the period of service of such person as
Director or Deputy Director.
(e) Offices.--The principal office of the Agency shall be in the
District of Columbia. The Director may establish regional offices of
the Agency.
SEC. 5. EXECUTIVE AND ADMINISTRATIVE POWERS.
(a) Powers of the Agency.--The Director is authorized to establish
the general policies of the Agency with respect to all executive and
administrative functions, including--
(1) the establishment of rules for conducting the general
business of the Agency, in a manner not inconsistent with this
Act;
(2) to bind the Agency and enter into contracts;
(3) directing the establishment and maintenance of
divisions or other offices within the Agency, in order to carry
out the responsibilities of the Agency under this Act and
Federal privacy law, and to satisfy the requirements of other
applicable law;
(4) to coordinate and oversee the operation of all
administrative, enforcement, and research activities of the
Agency;
(5) to adopt and use a seal;
(6) to determine the character of and the necessity for the
obligations and expenditures of the Agency;
(7) the appointment and supervision of personnel employed
by the Agency;
(8) the distribution of business among personnel appointed
and supervised by the Director and among administrative units
of the Agency;
(9) the use and expenditure of funds;
(10) implementing this Act and the Federal privacy laws
through rules, orders, guidance, interpretations, statements of
policy, examinations, and enforcement actions; and
(11) performing such other functions as may be authorized
or required by law.
(b) Delegation of Authority.--The Director may delegate to any duly
authorized employee, representative, or agent any power vested in the
Agency by law.
(c) Autonomy of Agency Regarding Recommendations and Testimony.--No
officer or agency of the United States shall have any authority to
require the Director or any other officer of the Agency to submit
legislative recommendations, or testimony or comments on legislation,
to any officer or agency of the United States for approval, comments,
or review prior to the submission of such recommendations, testimony,
or comments to the Congress, if such recommendations, testimony, or
comments to the Congress include a statement indicating that the views
expressed therein are those of the Director or such officer, and do not
necessarily reflect the views of the President.
SEC. 6. PURPOSE, OBJECTIVES, AND FUNCTIONS OF THE AGENCY.
(a) Purpose.--The Agency shall seek to protect individuals' privacy
and limit the collection, disclosure, processing, and misuse of
individuals' personal data by covered entities, and is authorized to
exercise its authorities under this Act for such purposes.
(b) Functions.--The primary functions of the Agency are--
(1) providing leadership and coordination to the efforts of
all Federal departments and agencies to enforce all Federal
statutes, Executive orders, regulations and policies which
involve privacy or data protection;
(2) maximizing effort, promoting efficiency, and
eliminating conflict, competition, duplication, and
inconsistency among the operations, functions, and
jurisdictions of Federal departments and agencies responsible
for privacy or data protection, data protection rights and
standards, and fair information practices and principles;
(3) providing active leadership, guidance, education, and
appropriate assistance to private sector businesses, and
organizations, groups, institutions, and individuals regarding
privacy, data protection rights and standards, and fair
information practices and principles;
(4) requiring and overseeing ex-ante impact assessments and
ex-post outcomes audits of high-risk data practices by covered
entities to advance fair and just data practices;
(5) examining the social, ethical, economic, and civil
rights impacts of high-risk data practices and proposing
remedies;
(6) ensuring that privacy practices and processing are
fair, just, and comply with fair information practices;
(7) ensuring fair contract terms in the market, including
the prohibition of ``pay-for-privacy provisions'' and
``take-it-or-leave-it'' terms of service;
(8) promoting privacy enhancing techniques, such as privacy
by design and data minimization techniques;
(9) collecting, researching, and responding to consumer
complaints;
(10) initiating a formal public rulemaking process at the
Agency before any new high-risk data practice or other related
profiling technique can be implemented;
(11) reviewing and approving new high-risk techniques or
applications, giving special consideration to minors and
sensitive data uses;
(12) regulating consumer scoring and other business
practices that pertain to the eligibility of an individual for
rights, benefits, or privileges in employment (including
hiring, firing, promotion, demotion, and compensation), credit
and insurance (including denial of an application or obtaining
less favorable terms), housing, education, professional
certification, or the provision of health care and related
services;
(13) developing model privacy, data protection, and fair
information practices, standards, guidelines, policies, and
routine uses for use by the private sector;
(14) issuing rules, orders, and guidance implementing
Federal privacy law;
(15) upon written request, providing appropriate assistance
to the private sector in implementing privacy, data protection,
and fair information practices, principles, standards,
guidelines, policies, or routine uses of privacy and data
protection, and fair information; and
(16) enforcing other privacy statutes and rules as authorized
by Congress.
SEC. 7. RULEMAKING AUTHORITY.
(a) In General.--The Agency is authorized to exercise its
authorities under this Act and Federal privacy law to administer,
enforce, and otherwise implement the provisions of this Act and Federal
privacy law.
(b) Rulemaking, Orders, and Guidance.--
(1) General authority.--The Director may prescribe rules
and issue orders and guidance, as may be necessary or
appropriate to enable the Agency to administer and carry out
the purposes and objectives of this Act and Federal privacy
law, and to prevent evasions thereof.
(2) Regulations.--The Agency may issue such regulations,
after notice and comment in accordance with section 553 of
title 5, United States Code, as may be necessary to carry out
this Act.
(3) Standards for rulemaking.--In prescribing a rule under
the Federal privacy laws--
(A) the Agency shall consider--
(i) the potential benefits and costs to
individuals or groups of individuals; and
(ii) the impact of proposed rules on
individuals or groups of individuals;
(B) the Agency may provide that a rule shall only
apply to a subcategory of covered entities, as defined
by the Agency; and
(C) the Agency shall consult with civil society
groups and members of the public.
(c) Monitoring.--In order to support its rulemaking and other
functions, the Agency shall monitor for risks to individuals in the
collection, disclosure, processing, and misuse of personal data.
SEC. 8. SPECIFIC AGENCY AUTHORITIES.
(a) Supervision of Very Large Covered Entities.--
(1) In general.--This subsection shall apply to any covered
entity that satisfies one or more of the following thresholds:
(A) The entity has annual gross revenues that
exceed $25,000,000.
(B) The entity annually buys, receives for the
covered entity's commercial purposes, sells, or
discloses for commercial purposes, alone or in
combination, the personal information of 50,000 or more
individuals, households, or devices.
(C) The entity derives 50 percent or more of its
annual revenues from the sale of personal data.
(2) Supervision.--The Agency may require reports and
conduct examinations on a periodic basis of covered entities
described in paragraph (1) for purposes of--
(A) assessing compliance with the requirements of
Federal privacy laws;
(B) obtaining information about the activities
subject to such laws and the associated compliance
systems or procedures of such entities;
(C) detecting and assessing associated risks to
individuals and groups of individuals; and
(D) requiring and overseeing ex-ante impact
assessments and ex-post outcome audits of high-risk
data practices to advance fair and just data practices.
(b) Prohibiting Unfair or Deceptive Acts and Practices.--
(1) In general.--The Agency may take any action authorized
under this Act to prevent a covered entity from committing or
engaging in an unfair or deceptive act or practice (as defined
by the Agency under this subsection) in connection with the
collection, disclosure, processing, and misuse of personal
data.
(2) Rulemaking.--The Agency may prescribe rules applicable
to a covered entity identifying as unlawful, unfair, or
deceptive acts or practices in connection with the collection,
disclosure, processing, and misuse of personal data. Rules
under this section may include requirements for the purpose of
preventing such acts or practices.
(3) Unfairness.--
(A) In general.--The Agency shall have no authority
under this section to declare an act or practice in
connection with the collection, disclosure, processing,
and misuse of personal data to be unlawful on the
grounds that such act or practice is unfair, unless the
Agency has a reasonable basis to conclude that--
(i) the act or practice causes or is likely
to cause substantial injury to consumers which
is not reasonably avoidable by consumers; and
(ii) such substantial injury is not
outweighed by countervailing benefits to
consumers or to competition.
(B) Consideration of public policies.--In
determining whether an act or practice is unfair, the
Agency may consider established public policies as
evidence to be considered with all other evidence. Such
public policy considerations may not serve as a primary
basis for such determination.
(c) Response to Consumer Complaints and Inquiries.--
(1) Timely regulator response to consumers.--The Agency
shall establish, in consultation with the appropriate Federal
regulatory agencies, reasonable procedures to provide a timely
response to consumers, in writing where appropriate, to
complaints against, or inquiries concerning, a covered entity,
including--
(A) steps that have been taken by the regulator in
response to the complaint or inquiry of the consumer;
(B) any responses received by the regulator from
the covered entity; and
(C) any follow-up actions or planned follow-up
actions by the regulator in response to the complaint
or inquiry of the consumer.
(2) Timely response to regulator by covered entity.--A
covered entity subject to supervision and primary enforcement
by the Agency pursuant to this Act shall provide a timely
response to the Agency, in writing where appropriate,
concerning a consumer complaint or inquiry, including--
(A) steps that have been taken by the covered
entity to respond to the complaint or inquiry of the
consumer;
(B) responses received by the covered entity from
the consumer; and
(C) follow-up actions or planned follow-up actions
by the covered entity to respond to the complaint or
inquiry of the consumer.
(3) Routing complaints to states.--To the extent
practicable, State agencies may receive appropriate complaints
from the systems established by the Agency under this
subsection, if--
(A) the State agency system has the functional
capacity to receive calls or electronic reports routed
by the Agency systems;
(B) the State agency has satisfied any conditions
of participation in the system that the Agency may
establish, including treatment of personal information
and sharing of information on complaint resolution or
related compliance procedures and resources; and
(C) participation by the State agency includes
measures necessary to provide for protection of
personal information that conform to the standards for
protection of the confidentiality of personal
information and for data integrity and security that
apply to Federal agencies.
SEC. 9. ENFORCEMENT POWERS.
(a) Joint Investigations.--The Agency or, where appropriate, an
Agency investigator, may engage in joint investigations and requests
for information, as authorized under this Act.
(b) Subpoenas.--
(1) In general.--The Agency or an Agency investigator may
issue subpoenas for the attendance and testimony of witnesses
and the production of relevant papers, books, documents, or
other material in connection with hearings under this Act.
(2) Failure to obey.--In the case of contumacy or refusal
to obey a subpoena issued pursuant to this paragraph and served
upon any person, the district court of the United States for
any district in which such person is found, resides, or
transacts business, upon application by the Agency or an Agency
investigator and after notice to such person, may issue an
order requiring such person to appear and give testimony or to
appear and produce documents or other material.
(3) Contempt.--Any failure to obey an order of the court
under this subsection may be punished by the court as a
contempt thereof.
(c) Litigation Authority.--
(1) In general.--If any covered entity violates a Federal
privacy law, the Agency may commence a civil action against
such covered entity to impose a civil penalty or to seek all
appropriate legal and equitable relief including a permanent or
temporary injunction as permitted by law.
(2) Representation.--The Agency may act in its own name and
through its own attorneys in enforcing any provision of this
Act, rules thereunder, or any other law or regulation, or in
any action, suit, or proceeding to which the Agency is a party.
(3) Compromise of actions.--The Agency may compromise or
settle any action if such compromise is approved by the court.
(4) Notice to the attorney general.--
(A) In general.--When commencing a civil action
under Federal privacy law, or any rule thereunder, the
Agency shall notify the Attorney General.
(B) Notice and coordination.--
(i) Notice of other actions.--In addition
to any notice required under subparagraph (A),
the Agency shall notify the Attorney General
concerning any action, suit, or proceeding to
which the Agency is a party.
(ii) Coordination.--In order to avoid
conflicts and promote consistency regarding
litigation of matters under Federal law, the
Attorney General and the Agency shall consult
regarding the coordination of investigations
and proceedings, including by negotiating an
agreement for coordination by not later than
180 days after the transfer date. The agreement
under this clause shall include provisions to
ensure that parallel investigations and
proceedings involving the Federal privacy laws
are conducted in a manner that avoids conflicts
and does not impede the ability of the Attorney
General to prosecute violations of Federal
criminal laws.
(iii) Rule of construction.--Nothing in
this subparagraph shall be construed to limit
the authority of the Agency under this Act,
including the authority to interpret Federal
privacy law.
(5) Forum.--Any civil action brought under this Act may be
brought in a United States district court or in any court of
competent jurisdiction of a State in a district in which the
defendant is located or resides or is doing business, and such
court shall have jurisdiction to enjoin such person and to
require compliance with any Federal privacy law.
(6) Time for bringing action.--
(A) In general.--Except as otherwise permitted by
law or equity, no action may be brought under this Act
more than 3 years after the date of discovery of the
violation to which an action relates.
(B) Limitations under other federal laws.--
(i) In general.--An action arising under
this Act does not include claims arising solely
under the Federal privacy laws.
(ii) Agency authority.--In any action
arising solely under a Federal privacy law, the
Agency may commence, defend, or intervene in
the action in accordance with the requirements
of that provision of law, as applicable.
(iii) Transferred authority.--In any action
arising solely under laws for which authorities
were transferred under this Act, the Agency may
commence, defend, or intervene in the action in
accordance with the requirements of that
provision of law, as applicable.
(d) Relief Available.--
(1) Jurisdiction.--The court (or the Agency, as the case
may be) in an action or adjudication proceeding brought under
Federal privacy law, shall have jurisdiction to grant any
appropriate legal or equitable relief with respect to a
violation of Federal privacy law, including a violation of a
rule or order prescribed under a Federal privacy law.
(2) Relief.--Relief under this section may include, without
limitation--
(A) rescission or reformation of contracts;
(B) refund of moneys;
(C) restitution;
(D) disgorgement or compensation for unjust
enrichment;
(E) payment of damages or other monetary relief;
(F) public notification regarding the violation,
including the costs of notification;
(G) limits on the activities or functions of the
covered entity; and
(H) civil money penalties, as set forth more fully
in subsection (f).
(3) No exemplary or punitive damages.--Nothing in this
subsection shall be construed as authorizing the imposition of
exemplary or punitive damages.
(e) Recovery of Costs.--In any action brought by the Agency, a
State attorney general, or any State regulator to enforce any Federal
privacy law, the Agency, the State attorney general, or the State
regulator may recover its costs in connection with prosecuting such
action if the Agency, the State attorney general, or the State
regulator is the prevailing party in the action.
(f) Civil Money Penalty in Court and Administrative Actions.--
(1) In general.--Any person that violates, through any act
or omission, any provision of Federal privacy law shall forfeit
and pay a civil penalty pursuant to this subsection.
(2) Penalty amounts.--
(A) First tier.--For any violation of a law, rule,
or final order or condition imposed in writing by the
Agency, a civil penalty may not exceed $5,000 for each
day during which such violation or failure to pay
continues.
(B) Second tier.--Notwithstanding subparagraph (A),
for any person that recklessly engages in a violation
of a Federal privacy law, a civil penalty may not
exceed $25,000 for each day during which such violation
continues.
(C) Third tier.--Notwithstanding subparagraphs (A)
and (B), for any person that knowingly violates a
Federal privacy law, a civil penalty may not exceed
$1,000,000 for each day during which such violation
continues.
(3) Mitigating factors.--In determining the amount of any
penalty assessed under paragraph (2), the Agency or the court
shall take into account the appropriateness of the penalty with
respect to--
(A) the size of financial resources and good faith
of the person charged;
(B) the gravity of the violation or failure to pay;
(C) the severity of the risks to or losses of the
individual or group of individuals affected by the
violation;
(D) the history of previous violations; and
(E) such other matters as justice may require.
(4) Authority to modify or remit penalty.--The Agency may
compromise, modify, or remit any penalty which may be assessed
or had already been assessed under paragraph (2). The amount of
such penalty, when finally determined, shall be exclusive of
any sums owed by the covered entity to the United States in
connection with the costs of the proceeding, and may be
deducted from any sums owing by the United States to the
covered entity charged.
(5) Notice and hearing.--No civil penalty may be assessed
under this subsection with respect to a violation of any
Federal privacy law, unless--
(A) the Agency gives notice and an opportunity for
a hearing to the person accused of the violation; or
(B) the appropriate court has ordered such
assessment and entered judgment in favor of the Agency.
(g) Referrals for Criminal Proceedings.--If the Agency obtains
evidence that any person, domestic or foreign, has engaged in conduct
that may constitute a violation of Federal criminal law, the Agency
shall transmit such evidence to the Attorney General of the United
States, who may institute criminal proceedings under appropriate law.
Nothing in this section affects any other authority of the Agency to
disclose information.
(h) Data Protection Relief Fund.--
(1) Establishment of relief fund.--There is established in
the Treasury of the United States a separate fund to be known
as the ``Data Protection Relief Fund'' (referred to in this
subsection as the ``Relief Fund'').
(2) Deposits.--
(A) Deposits from the agency.--The Agency shall
deposit into the Relief Fund the amount of any civil
penalty obtained against any covered entity in any
judicial or administrative action the Agency commences
to enforce this Act, a regulation promulgated under
this Act, or a Federal privacy law.
(B) Deposits from the attorney general.--The
Attorney General of the United States shall deposit
into the Relief Fund the amount of any civil penalty
obtained against any covered entity in any judicial or
administrative action the Attorney General commences on
behalf of the Agency to enforce this Act, a regulation
promulgated under this Act, or a Federal privacy law.
(3) Use of fund amounts.--Notwithstanding section 3302 of
title 31, United States Code, amounts in the Relief Fund shall
be available to the Agency, without fiscal year limitation, to
provide redress, payments or compensation, or other monetary
relief to individuals affected by an act or practice for which
civil penalties have been obtained under this Act. To the
extent that individuals cannot be located or such redress,
payments or compensation, or other monetary relief are
otherwise not practicable, the Agency may use such funds for
the purpose of consumer or business education relating to data
protection or for the purpose of engaging in technological
research that the Agency considers necessary to enforce this
Act and Federal privacy laws.
(4) Amounts not subject to apportionment.--Notwithstanding
any other provision of law, amounts in the Relief Fund shall
not be subject to apportionment for purposes of chapter 15 of
title 31, United States Code, or under any other authority.
SEC. 10. PRESERVATION OF STATE LAW.
(a) Relation to State Law.--
(1) Rule of construction.--This Act may not be construed as
annulling, altering, or affecting, or exempting any person
subject to the provisions of this title from complying with,
the statutes, regulations, orders, or interpretations in effect
in any State, except to the extent that any such provision of
law is inconsistent with the provisions of this title, and then
only to the extent of the inconsistency.
(2) Greater protection under state law.--For purposes of
this paragraph, a statute, regulation, order, or interpretation
in effect in any State is not inconsistent with the provisions
of this title if the protection that such statute, regulation,
order, or interpretation affords to individuals is greater than
the protection provided under this Act. A determination
regarding whether a statute, regulation, order, or
interpretation in effect in any State is inconsistent with the
provisions of this title may be made by the Agency on its own
motion or in response to a nonfrivolous petition initiated by
any interested person.
(b) Relation to Other Provisions of Federal Privacy Laws That
Relate to State Law.--No provision of this Act shall be construed as
modifying, limiting, or superseding the operation of any provision of a
Federal privacy law that relates to the application of a law in effect
in any State with respect to such Federal law.
(c) Preservation of Enforcement Powers of States.--The attorney
general (or the equivalent thereof) of any State may bring a civil
action in the name of such State in any district court of the United
States in that State or in State court that is located in that State
and that has jurisdiction over the defendant, to enforce provisions of
this title or regulations issued under this Act, and to secure remedies
under provisions of this title or remedies otherwise provided under
other law. A State regulator may bring a civil action or other
appropriate proceeding to enforce the provisions of this title or
regulations issued under this Act with respect to any entity that is
State-chartered, incorporated, licensed, or otherwise authorized to do
business under State law (except as provided in paragraph (2)), and to
secure remedies under provisions of this title or remedies otherwise
provided under other provisions of law with respect to such an entity.
(d) Preservation of State Authority.--
(1) State claims.--No provision of this section shall be
construed as altering, limiting, or affecting the authority of
a State attorney general or any other regulatory or enforcement
agency or authority to bring an action or other regulatory
proceeding arising solely under the law in effect in that
State.
(2) State consumer protection, privacy, and data
regulators.--No provision of this title shall be construed as
altering, limiting, or affecting the authority of a State
consumer protection, data protection, or privacy agency (or any
agency or office performing like functions) under State law to
adopt rules, initiate enforcement proceedings, or take any
other action with respect to a person regulated by such
commission or authority.
SEC. 11. REPORTS AND INFORMATION.
(a) Reports Required.--Not later than 6 months after the date of
the enactment of this Act, and every 6 months thereafter, the Director
shall submit a report to the President and to the Committee on Energy
and Commerce, the Committee on the Judiciary, and the Committee on
Appropriations of the House of Representatives and the Committee on
Commerce, Science, and Transportation, the Committee on the Judiciary,
and the Committee on Appropriations of the Senate, and shall publish
such report on the website of the Agency.
(b) Contents.--Each report required by subsection (a) shall
include--
(1) a discussion of the significant problems faced by
individuals with respect to the privacy or security of personal
information;
(2) a justification of the budget request of the Agency for
the preceding year, unless a justification for such year was
included in the preceding report submitted under such
subsection;
(3) a list of the significant rules and orders adopted by
the Agency, as well as other significant initiatives conducted
by the Agency, during the preceding 6-month period and the plan
of the Agency for rules, orders, or other initiatives to be
undertaken during the upcoming 6-month period;
(4) an analysis of complaints about the privacy or security
of personal information that the Agency has received and
collected in the database described in section 8 during the
preceding 6-month period;
(5) a list, with a brief statement of the issues, of the
public enforcement actions to which the Agency was a party
during the preceding 6-month period; and
(6) an assessment of significant actions by State attorneys
general or State agencies relating to this Act or the rules
prescribed under this Act during the preceding 6-month period.
SEC. 12. TRANSFERS OF FUNCTIONS.
(a) Federal Trade Commission.--The authority of the Federal Trade
Commission under a Federal privacy law specified in section 3(3)(B) to
prescribe rules, issue guidelines, or conduct a study or issue a report
mandated under such law shall be transferred to the Agency on the
transfer date. Nothing in this title shall be construed to require a
mandatory transfer of any employee of the Federal Trade Commission.
(b) Agency Authority.--
(1) In general.--The Agency shall have all powers and
duties under the Federal privacy laws to prescribe rules, issue
guidelines, or to conduct studies or issue reports mandated by
such laws, that were vested in the Federal Trade Commission on
the day before the transfer date.
(2) Federal trade commission act.--The Agency may enforce a
rule prescribed under the Federal Trade Commission Act (15
U.S.C. 41 et seq.) by the Federal Trade Commission with respect
to the collection, disclosure, processing, and misuse of
personal data.
(c) Authority of the Federal Trade Commission.--No provision of
this title shall be construed as modifying, limiting, or otherwise
affecting the authority of the Federal Trade Commission (including its
authority with respect to very large entities described in section
8(a)(1)) under the Federal Trade Commission Act or any other law, other
than the authority under a Federal privacy law to prescribe rules,
issue official guidelines, or conduct a study or issue a report
mandated under such law.
(d) Authority of the Consumer Financial Protection Bureau.--No
provision of this title shall be construed as modifying, limiting, or
otherwise affecting the authority of the Consumer Financial Protection
Bureau under the Dodd-Frank Wall Street Reform and Consumer Protection
Act (Public Law 111-203) or any other law.
SEC. 13. AUTHORIZATION OF APPROPRIATIONS.
For fiscal year 2020 and each subsequent fiscal year, there are
authorized to be appropriated to the Agency such sums as may be
necessary to carry out this Act.