[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[S. Res. 523 Introduced in Senate (IS)]

<DOC>






115th CONGRESS
  2d Session
S. RES. 523

  Encouraging companies to apply privacy protections included in the 
General Data Protection Regulation of the European Union to citizens of 
                           the United States.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                              May 24, 2018

 Mr. Markey (for himself, Mr. Durbin, Mr. Sanders, and Mr. Blumenthal) 
submitted the following resolution; which was referred to the Committee 
                on Commerce, Science, and Transportation

_______________________________________________________________________

                               RESOLUTION


 
  Encouraging companies to apply privacy protections included in the 
General Data Protection Regulation of the European Union to citizens of 
                           the United States.

Whereas the European Union has enacted the General Data Protection Regulation 
        (referred to in this preamble as the ``GDPR''), which provides the 
        508,000,000 residents of the European Union with significant new privacy 
        protections;
Whereas the GDPR takes effect on May 25, 2018;
Whereas the rules of the GDPR will apply to many entities in the United States 
        that serve users and customers in both Europe and the United States;
Whereas the GDPR requires that--

    (1) data processors have a legal basis for processing the data of 
users; and

    (2) opt-in, freely given, specific, informed, and unambiguous consent 
from users is a primary legal basis;

Whereas polling shows that people in the United States are increasingly 
        concerned about their privacy and the security of their personal 
        information;
Whereas recent data breaches and privacy invasions affecting millions of people 
        in the United States underscore the need for enhanced privacy protection 
        in the United States; and
Whereas people in the United States have a right to privacy, and entities that 
        control and process the data of people in the United States have an 
        obligation to protect that data: Now, therefore, be it
    Resolved, That the Senate encourages entities covered by the 
General Data Protection Regulation of the European Union (referred to 
in this resolving clause as the ``GDPR''), including edge providers, 
broadband providers, and data brokers--
            (1) to provide the people of the United States with the 
        privacy protections included in the GDPR in a manner consistent 
        with existing laws and rights in the United States, including 
        the First Amendment; and
            (2) to include in the protections described in paragraph 
        (1)--
                    (A) the requirement that--
                            (i) data processors (as described in the 
                        GDPR) have a legal basis for processing the 
                        data of users;
                            (ii) opt-in, freely given, specific, 
                        informed, and unambiguous consent from users be 
                        a primary legal basis for purposes of clause 
                        (i);
                            (iii) data processors design their systems 
                        in a way that--
                                    (I) minimizes the processing of 
                                data to only what is necessary for the 
                                specific purpose stated to the 
                                individual; and
                                    (II) by default, protects personal 
                                information from being used for other 
                                purposes;
                            (iv) entities processing the data of 
                        children institute special protections, 
                        particularly with reference to the use of the 
                        data of children for marketing purposes;
                            (v) data processors and controllers (as 
                        described in the GDPR) ensure compliance with 
                        relevant privacy rules; and
                            (vi) data processors implement appropriate 
                        oversight over third party data processors; and
                    (B) the right of an individual--
                            (i) to revoke consent for data processing 
                        at any time;
                            (ii) to not be subject to automated 
                        decisionmaking, including profiling, without 
                        human intervention if the decisionmaking has 
                        legal or otherwise significant effects on the 
                        individual;
                            (iii) to know which entities have access to 
                        the data of the individual and how that data is 
                        being used;
                            (iv) to correct the data of the individual 
                        if it is inaccurate or incomplete; and
                            (v) to obtain and reuse the data of the 
                        individual for the purposes of the individual 
                        across other services.
                                 <all>