[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[S. 3861 Introduced in Senate (IS)]
<DOC>
116th CONGRESS
2d Session
S. 3861
To establish privacy requirements for operators of infectious disease
exposure notification services.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
June 1, 2020
Ms. Cantwell (for herself and Mr. Cassidy) introduced the following
bill; which was read twice and referred to the Committee on Commerce,
Science, and Transportation
_______________________________________________________________________
A BILL
To establish privacy requirements for operators of infectious disease
exposure notification services.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``Exposure
Notification Privacy Act''.
(b) Table of Contents.--The table of contents for this Act is as
follows:
Sec. 1. Short title; table of contents.
Sec. 2. Definitions.
Sec. 3. Public trust in automated exposure notification services.
Sec. 4. Voluntary participation and transparency.
Sec. 5. Data restrictions.
Sec. 6. Data deletion.
Sec. 7. Data security.
Sec. 8. Freedom of movement and nondiscrimination.
Sec. 9. Oversight.
Sec. 10. Enforcement.
SEC. 2. DEFINITIONS.
In this Act:
(1) Affirmative express consent.--
(A) In general.--The term ``affirmative express
consent'' means an affirmative act by an individual
that clearly communicates the individual's
authorization for an act or practice, in response to a
specific request that--
(i) is provided to the individual in a
clear and conspicuous disclosure that is
separate from other options or acceptance of
general terms; and
(ii) includes a description of each act or
practice for which the individual's consent is
sought and--
(I) is written concisely and in
easy-to-understand language; and
(II) includes a prominent heading
that would enable a reasonable
individual to identify and understand
the act or practice.
(B) Express consent required.--Affirmative express
consent shall not be inferred from the inaction of an
individual or the individual's continued use of a
service or product.
(C) Voluntary.--Affirmative express consent shall
be freely given and nonconditioned.
(2) Aggregate data.--The term ``aggregate data'' means
information that relates to a group or category of individuals
that is not linked or reasonably linkable to any individual or
device that is linked or reasonably linkable to an individual,
provided that a platform operator or operator of an automated
exposure notification service--
(A) takes reasonable measures to safeguard the data
from reidentification;
(B) publicly commits in a conspicuous manner not to
attempt to reidentify or associate the data with any
individual or device linked or reasonably linkable to
an individual;
(C) processes the data for public health purposes
only; and
(D) contractually requires the same commitment for
all transfers of the data.
(3) Authorized diagnosis.--The term ``authorized
diagnosis'' means an actual, potential, or presumptive positive
diagnosis of an infectious disease confirmed by a public health
authority or a licensed health care provider.
(4) Automated exposure notification service.--
(A) In general.--The term ``automated exposure
notification service'' means a website, online service,
online application, mobile application, or mobile
operating system that is offered in commerce in the
United States and that is designed, in part or in full,
specifically to be used for, or marketed for, the
purpose of digitally notifying, in an automated manner,
an individual who may have become exposed to an
infectious disease (or the device of such individual,
or a person or entity that reviews such disclosures).
(B) Limitations.--Such term does not include--
(i) any technology that a public health
authority uses as a means to facilitate
traditional in-person, email, or telephonic
contact tracing activities, or any similar
technology that is used to assist individuals
to evaluate if they are experiencing symptoms
related to an infectious disease to the extent
the technology is not used as an automated
exposure notification service; or
(ii) any platform operator or service
provider that provides technology to facilitate
an automated exposure notification service to
the extent the technology acts only to
facilitate such services and is not itself used
as an automated exposure notification service.
(5) Collect; collection.--The terms ``collect'' and
``collection'' mean buying, renting, gathering, obtaining,
receiving, accessing, or otherwise acquiring covered data by
any means, including by passively or actively observing the
behavior of an individual.
(6) Covered data.--The term ``covered data'' means any
information that is--
(A) linked or reasonably linkable to any individual
or device linked or reasonably linkable to an
individual;
(B) not aggregate data; and
(C) collected, processed, or transferred in
connection with an automated exposure notification
service.
(7) Deceptive act or practice.--The term ``deceptive act or
practice'' means a deceptive act or practice in violation of
section 5(a)(1) of the Federal Trade Commission Act (15 U.S.C.
45(a)(1)).
(8) Delete.--The term ``delete'' means destroying,
permanently erasing, or otherwise modifying covered data to
make such covered data permanently unreadable or indecipherable
and unrecoverable.
(9) Executive agency.--The term ``Executive agency'' has
the meaning given such term in section 105 of title 5, United
States Code.
(10) Indian tribe.--The term ``Indian tribe''--
(A) has the meaning given such term in section 4 of
the Indian Self-Determination and Education Assistance
Act (25 U.S.C. 5304); and
(B) includes a Native Hawaiian organization as
defined in section 6207 of the Elementary and Secondary
Education Act of 1965 (20 U.S.C. 7517).
(11) Operator of an automated exposure notification
service.--The term ``operator of an automated exposure
notification service'' means any person or entity that operates
an automated exposure notification service, other than a public
health authority, and that is--
(A) subject to the Federal Trade Commission Act (15
U.S.C. 41 et seq.); or
(B) described in section 10(a)(4).
(12) Platform operator.--The term ``platform operator''
means any person or entity other than a service provider who
provides an operating system that includes features supportive
of an automated exposure notification service and facilitates
the use or distribution of such automated exposure notification
service to the extent the technology is not used by the
platform operator as an automated exposure notification
service.
(13) Process.--The term ``process'' means any operation or
set of operations performed on covered data, including
collection, analysis, organization, structuring, retaining,
using, securing, or otherwise handling covered data.
(14) Public health authority.--The term ``public health
authority'' means an agency or authority of the United States,
a State, a territory, a political subdivision of a State or
territory, or an Indian tribe that is responsible for public
health matters as part of its official mandate, or a person or
entity acting under a grant of authority from or contract with
such public agency.
(15) Service provider.--The term ``service provider'' means
any person or entity, other than a platform operator, that
processes or transfers covered data in the course of performing
a service or function on behalf of, and at the direction of, a
platform operator, an operator of an automated exposure
notification service, or a public health authority, but only to
the extent that such processing or transfer relates to the
performance of such service or function.
(16) State.--The term ``State'' means any of the several
States, the District of Columbia, the Commonwealth of Puerto
Rico, the Virgin Islands, Guam, American Samoa, and the
Commonwealth of the Northern Mariana Islands.
(17) Transfer.--The term ``transfer'' means to disclose,
release, share, disseminate, make available, allow access to,
sell, license, or otherwise communicate covered data by any
means to a nonaffiliated entity or person.
SEC. 3. PUBLIC TRUST IN AUTOMATED EXPOSURE NOTIFICATION SERVICES.
(a) Collaboration With Public Health.--An operator of an automated
exposure notification service shall collaborate with a public health
authority in the operation of such service.
(b) Diagnosis Information.--An operator of an automated exposure
notification service may not collect, process, or transfer an actual,
potential, or presumptive positive diagnosis of an infectious disease
as part of the automated exposure notification service, unless such
diagnosis is an authorized diagnosis.
(c) Accuracy and Reliability.--An operator of an automated exposure
notification service shall publish--
(1) guidance for the public on the functionality of the
service and how to interpret the notifications, including any
limitation with respect to the accuracy or reliability of the
exposure risk; and
(2) measures of the effectiveness of the service offered,
including adoption rates.
(d) Prevention of Deceptive Acts or Practices.--It shall be
unlawful for a platform operator or an operator of an automated
exposure notification service to engage in a deceptive act or practice
concerning an automated exposure notification service.
(e) Service Provider Requirement.--When a service provider has
actual knowledge that an operator of an automated exposure notification
service or a public health authority has engaged in an act or practice
that fails to adhere to the standards set forth in sections 3 through 8
of this Act, the service provider shall notify the automated exposure
notification service or the public health authority, as applicable, of
the potential violation or failure to adhere to such standards.
SEC. 4. VOLUNTARY PARTICIPATION AND TRANSPARENCY.
(a) Voluntary Participation.--
(1) Enrollment with affirmative express consent.--An
operator of an automated exposure notification service--
(A) may not enroll an individual in the automated
exposure notification service without the individual's
prior affirmative express consent; and
(B) shall provide an individual with a clear and
conspicuous means to withdraw affirmative express
consent to the individual's enrollment in the automated
exposure notification service.
(2) Right to identify a diagnosis.--An individual with an
authorized diagnosis shall determine whether the individual's
authorized diagnosis is processed as part of the automated
exposure notification service.
(b) Notice of Covered Data Practices.--An operator of an automated
exposure notification service and a platform operator shall make
publicly and persistently available, in a conspicuous and readily
accessible manner, a privacy policy that provides a detailed and
accurate representation of that person or entity's covered data
collection, processing, and transfer activities in connection with such
person or entity's automated exposure notification service or the
facilitation of such service. Such privacy policy shall include, at a
minimum--
(1) the identity and the contact information of the person
or entity, including the contact information for the person or
entity's representative for privacy and covered data security
inquiries;
(2) each category of covered data the person or entity
collects and the limited allowable processing purposes for
which such covered data is collected in accordance with section
5;
(3) whether the person or entity transfers covered data for
the limited allowable purposes in section 5 and, if so, a
detailed description of the data transferred, the purpose of
the transfer, and the identity of the recipient of the
transfer;
(4) a description of the person or entity's covered data
minimization and retention policies;
(5) how an individual can exercise the individual rights
described in this title;
(6) a description of the person or entity's covered data
security policies; and
(7) the effective date of the privacy policy.
(c) Languages.--A person or entity shall make the privacy policy
required under this section available to the public in all of the
languages in which the person or entity provides, or facilitates the
provision of, an automated exposure notification service.
SEC. 5. DATA RESTRICTIONS.
(a) Collection and Processing Restrictions.--An operator of an
automated exposure notification service may not collect or process any
covered data--
(1) beyond the minimum amount necessary to implement an
automated exposure notification service for public health
purposes; or
(2) for any commercial purpose.
(b) Transfer Restrictions.--An operator of an automated exposure
notification service may not transfer any covered data, except--
(1) to provide notification of a potential exposure to an
individual who has enrolled in the automated exposure
notification service;
(2) to a public health authority for public health purposes
related to an infectious disease;
(3) to its service provider, by contract, to--
(A) perform system maintenance, debug systems, or
repair any error to ensure the functionality of the
automated exposure notification service, provided such
processing is limited to this purpose; or
(B) detect or respond to a security incident,
provide a secure environment, or maintain the safety of
the automated exposure notification service, provided
such process is limited to this purpose; or
(4) to comply with the establishment, exercise, or defense
of a legal claim.
(c) Further Restrictions.--
(1) In general.--It shall be unlawful for any person,
entity, or Executive agency to transfer covered data to any
Executive agency unless the information is transferred in
connection with an investigation or enforcement proceeding
under this Act.
(2) Prohibition.--An Executive agency may not process or
transfer covered data, except--
(A) for a public health purpose related to an
infectious disease; or
(B) in connection with an investigation or
enforcement proceeding under this Act.
(d) Research.--This section shall not be construed to prohibit data
collection, processing, or transfers to carry out research--
(1) conducted pursuant to the Federal policy for the
protection of human subjects under part 46 of title 45, Code of
Federal Regulations; or
(2) for the development, manufacture, or distribution of a
drug, biological product, or vaccine that relates to an
infectious disease conducted pursuant to part 50 of title 21,
Code of Federal Regulations.
SEC. 6. DATA DELETION.
(a) Deletion Upon Request.--Upon the request of an individual, an
operator of an automated exposure notification service shall delete, or
allow the individual to delete, all covered data of the individual that
is processed by the operator.
(b) Recurring Deletion.--An operator of an automated exposure
notification service shall delete the covered data of a participating
individual within 30 days of receipt of such covered data, on a rolling
basis, or at such times as is consistent with a standard published by a
public health authority within an applicable jurisdiction.
(c) Applicability to Service Providers.--An operator of an
automated exposure notification service shall instruct any service
provider to which the entity transfers covered data to delete such data
in accordance with the requirements of this subsection.
(d) Research.--This section shall not be construed to prohibit data
retention for public health research purposes consistent with the
requirements in section 5(d).
SEC. 7. DATA SECURITY.
(a) In General.--An operator of an automated exposure notification
service shall establish, implement, and maintain data security
practices to protect the confidentiality, integrity, availability, and
accessibility of covered data. Such covered data security practices
shall be consistent with standards generally accepted by experts in the
information security field.
(b) Specific Requirements.--Covered data security practices
required under subsection (a) shall include, at a minimum, the
following:
(1) Assess risks and vulnerabilities.--Identifying and
assessing any reasonably foreseeable risks to, and
vulnerabilities in, each system maintained by the person or
entity that processes or transfers covered data, including
unauthorized access to or risks to covered data, human and
technical vulnerabilities, access rights, and use of service
providers. Such activities shall include a plan to receive and
respond to unsolicited reports of risks and vulnerabilities by
entities and individuals, developing and testing systems for
monitoring the security of covered data, and resilience against
denial of service attacks and malicious disinformation.
(2) Preventive and corrective action.--Taking preventive
and corrective action to mitigate any risks or vulnerabilities
to covered data identified by the person or entity, which may
include implementing administrative, technical, or physical
safeguards or changes to covered data security practices or the
architecture, installation, or implementation of network or
operating software.
(3) Breach notification.--Maintaining plans for responding
to security incidents involving covered data and, in the most
expedient time possible, consistent with the legitimate needs
of law enforcement, notifying any individual whose data is
subject to a security breach, as well as the Federal Trade
Commission, of the breach, the data involved, any reasonably
foreseeable impacts of the breach for individuals whose data is
subject to the breach, the steps individuals may take to
mitigate those impacts, and the measures the operator of the
automated exposure notification service is taking to prevent a
future incident. An operator of an automated exposure
notification service shall require its service providers to
provide notice to the operator of the automated exposure
notification service of any breach of the security of the
covered data immediately following the discovery of the breach.
(c) Interference Prohibited.--It shall be unlawful for any person
or entity to transmit signals with the intent to cause an automated
exposure notification service to produce inaccurate notifications or to
otherwise interfere with the intended functioning of such a service.
SEC. 8. FREEDOM OF MOVEMENT AND NONDISCRIMINATION.
It shall be unlawful for any person or entity to segregate,
discriminate against, or otherwise make unavailable to an individual or
class of individuals the goods, services, facilities, privileges,
advantages, or accommodations of any place of public accommodation (as
such term is defined in section 301 of the Americans With Disabilities
Act of 1990 (42 U.S.C. 12181)), based on covered data collected or
processed through an automated exposure notification service or an
individual's choice to use or not use an automated exposure
notification service.
SEC. 9. OVERSIGHT.
(a) In General.--Section 1061 of the Intelligence Reform and
Terrorism Prevention Act of 2004 (42 U.S.C. 2000ee) is amended--
(1) in subsection (c)--
(A) in paragraph (1), by inserting ``or to respond
to health-related epidemics'' after ``from terrorism'';
and
(B) in paragraph (2), by inserting ``or to respond
to health-related epidemics'' after ``against
terrorism''; and
(2) in subsection (d)--
(A) in paragraph (1), by inserting ``or to respond
to health-related epidemics'' after ``from terrorism''
each place it appears; and
(B) in paragraph (2)--
(i) in subparagraph (B), by striking
``and'' at the end;
(ii) in subparagraph (C), by striking the
period at the end and inserting ``; and''; and
(iii) by adding at the end the following:
``(D) the collection, use, storage, and sharing of
covered data by Federal, State, or local government in
connection with responding to a Federal declaration of
a public health emergency to ensure that privacy and
civil liberties are protected.''.
(b) Reports.--Section 1061(e) of the Intelligence Reform and
Terrorism Prevention Act of 2004 (42 U.S.C. 2000ee(e)) is amended by
adding at the end the following:
``(3) Report on covid-19 mitigation activities.--Not later
than 1 year after the date of enactment of this paragraph, the
Board shall issue a report, which shall be publicly available
to the greatest extent possible, assessing the impact on
privacy and civil liberties of Government activities in
response to the public health emergency related to the
Coronavirus 2019 (COVID-19), and making recommendations for how
the Government should mitigate the threats posed by such
emergency.
``(4) Reports on public health emergency response.--Not
later than 1 year after any Federal emergency or disaster
declaration related to public health, or not later than 1 year
after the termination of such declaration, the Board shall
issue a report, which shall be publicly available to the
greatest extent possible, assessing the impact on privacy and
civil liberties of Government activities in response to such
emergency or disaster, and making recommendations for how the
Government should mitigate the threats posed by such emergency
or disaster.''.
SEC. 10. ENFORCEMENT.
(a) Enforcement by the Federal Trade Commission.--
(1) Unfair or deceptive acts or practices.--A violation of
this Act shall be treated as a violation of a rule defining an
unfair or deceptive act or practice prescribed under section
18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C.
57a(a)(1)(B)).
(2) Powers of the commission.--
(A) In general.--Except as provided in paragraphs
(3) and (4) of this subsection, the Federal Trade
Commission (referred to in this Act as the
``Commission'') shall enforce this Act in the same
manner, by the same means, and with the same
jurisdiction, powers, and duties as though all
applicable terms and provisions of the Federal Trade
Commission Act (15 U.S.C. 41 et seq.) were incorporated
into and made a part of this Act.
(B) Privileges and immunities.--Any person who
violates this Act shall be subject to the penalties and
entitled to the privileges and immunities provided in
the Federal Trade Commission Act.
(C) Effect on other laws.--Nothing in this Act
shall be construed to limit the authority of the
Commission under any other provision of law.
(3) Independent litigation authority.--Notwithstanding
section 16 of the Federal Trade Commission Act (15 U.S.C. 56),
the Commission may commence, defend, or intervene in, and
supervise the litigation of, any civil action under this Act
(including an action to collect a civil penalty) and any appeal
of such action in its own name by any of its attorneys
designated by it for such purpose. The Commission shall notify
the Attorney General of any such action and may consult with
the Attorney General with respect to any such action or request
the Attorney General on behalf of the Commission to commence,
defend, or intervene in any such action.
(4) Nonprofit organizations and communications common
carriers.--Notwithstanding section 4, 5(a)(2), or 6 of the
Federal Trade Commission Act (15 U.S.C. 44, 45(a)(2), 46) or
any other jurisdictional limitation of the Commission, the
Commission shall also enforce this Act in the same manner
provided in paragraphs (1), (2), and (3) of this subsection,
with respect to--
(A) any organization not organized to carry on
business for the organization's own profit or that of
the organization's members; and
(B) common carriers subject to the Communications
Act of 1934 (47 U.S.C. 151 et seq.) and all Acts
amendatory thereof and supplementary thereto.
(b) Enforcement by State Attorneys General.--
(1) In general.--If the chief law enforcement officer of a
State, or an official or agency designated by a State, has
reason to believe that any person has violated or is violating
this Act, the attorney general, official, or agency of the
State, in addition to any authority it may have to bring an
action in State court under its consumer protection law, may
bring a civil action in any appropriate United States district
court or in any other court of competent jurisdiction,
including a State court, to--
(A) enjoin further such violation by such person;
(B) enforce compliance with this Act;
(C) obtain civil penalties; and
(D) obtain damages, restitution, or other
compensation on behalf of residents of the State.
(2) Notice and intervention by the ftc.--The attorney
general of a State shall provide prior written notice of any
action under paragraph (1) to the Commission and provide the
Commission with a copy of the complaint in the action, except
in any case in which such prior notice is not feasible, in
which case the attorney general shall serve such notice
immediately upon instituting such action. The Commission shall
have the right--
(A) to intervene in the action;
(B) upon so intervening, to be heard on all matters
arising therein; and
(C) to file petitions for appeal.
(3) Relationship with state law claims.--If the attorney
general of a State has authority to bring an action under State
law directed at any act or practice that also violates this
Act, the attorney general may assert the State law claim and a
claim under this Act in the same civil action.
(c) State Law Preservation.--Nothing in this Act shall be construed
to preempt, displace, or supplant any State law, rule, regulation, or
requirement, including--
(1) any consumer protection law of general applicability
such as any law regulating deceptive, unfair, or unconscionable
practices;
(2) any health privacy or infectious disease law;
(3) any civil rights law;
(4) any law that governs the privacy rights or other
protections of employees, employee information, or students or
student information;
(5) any law that addresses notification requirements in the
event of a covered data breach;
(6) contract or tort law;
(7) any criminal law governing fraud, theft, unauthorized
access to information or unauthorized use of information,
malicious behavior, and similar provisions, and any law of
criminal procedure;
(8) any law specifying a remedy or a cause of action to an
individual; or
(9) any public safety or sector-specific law unrelated to
privacy or security.
(d) Preservation of Common Law or Statutory Causes of Action for
Civil Relief.--Nothing in this Act, nor any amendment, standard, rule,
requirement, assessment, law, or regulation promulgated under this Act,
shall be construed to preempt, displace, or supplant any Federal or
State common law right or remedy, or any statute creating a remedy for
civil relief, including any cause of action for personal injury,
wrongful death, property damage, or other financial, physical,
reputational, or psychological injury based in negligence, strict
liability, products liability, failure to warn, an objectively
offensive intrusion into the private affairs or concerns of the
individual, or any other legal theory of liability under any Federal or
State common law, or any State statutory law.
(e) Severability.--If any provision of this Act, or the application
thereof to any person or entity or circumstance, is held invalid, the
remainder of this Act and the application of such provision to other
persons or entities not similarly situated or to other circumstances
shall not be affected by the invalidation.
(f) Authorization of Appropriations.--There are authorized to be
appropriated such sums as are necessary to carry out this Act and the
amendments made by this Act.
(g) Effective Date.--This Act and the amendments made by this Act
shall take effect on the date of the enactment of this Act.
<all>