
	

115 SRES 523 IS: Encouraging companies to apply privacy protections included in the General Data Protection Regulation of the European Union to citizens of the United States.
U.S. Senate
2018-05-24
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.



		III
		115th CONGRESS
		2d Session
		S. RES. 523
		IN THE SENATE OF THE UNITED STATES
		
			May 24, 2018
			Mr. Markey (for himself, Mr. Durbin, Mr. Sanders, and Mr. Blumenthal) submitted the following resolution; which was referred to the Committee on Commerce, Science, and Transportation
		
		RESOLUTION
		Encouraging companies to apply privacy protections included in the General Data Protection Regulation of the European Union to citizens of the United States.
	
	
 Whereas the European Union has enacted the General Data Protection Regulation (referred to in this preamble as the GDPR), which provides the 508,000,000 residents of the European Union with significant new privacy protections;
 Whereas the GDPR takes effect on May 25, 2018;
 Whereas the rules of the GDPR will apply to many entities in the United States that serve users and customers in both Europe and the United States;
 Whereas the GDPR requires that—
   (1) data processors have a legal basis for processing the data of users; and
   (2) opt-in, freely given, specific, informed, and unambiguous consent from users is a primary legal basis;
 Whereas polling shows that people in the United States are increasingly concerned about their privacy and the security of their personal information;
 Whereas recent data breaches and privacy invasions affecting millions of people in the United States underscore the need for enhanced privacy protection in the United States; and
 Whereas people in the United States have a right to privacy, and entities that control and process the data of people in the United States have an obligation to protect that data: Now, therefore, be it
		
	
 That the Senate encourages entities covered by the General Data Protection Regulation of the European Union (referred to in this resolving clause as the GDPR), including edge providers, broadband providers, and data brokers—
   (1) to provide the people of the United States with the privacy protections included in the GDPR in a manner consistent with existing laws and rights in the United States, including the First Amendment; and
   (2) to include in the protections described in paragraph (1)—
      (A) the requirement that—
         (i) data processors (as described in the GDPR) have a legal basis for processing the data of users;
         (ii) opt-in, freely given, specific, informed, and unambiguous consent from users be a primary legal basis for purposes of clause (i);
         (iii) data processors design their systems in a way that—
            (I) minimizes the processing of data to only what is necessary for the specific purpose stated to the individual; and
            (II) by default, protects personal information from being used for other purposes;
         (iv) entities processing the data of children institute special protections, particularly with reference to the use of the data of children for marketing purposes;
         (v) data processors and controllers (as described in the GDPR) ensure compliance with relevant privacy rules; and
         (vi) data processors implement appropriate oversight over third party data processors; and
      (B) the right of an individual—
         (i) to revoke consent for data processing at any time;
         (ii) to not be subject to automated decisionmaking, including profiling, without human intervention if the decisionmaking has legal or otherwise significant effects on the individual;
         (iii) to know which entities have access to the data of the individual and how that data is being used;
         (iv) to correct the data of the individual if it is inaccurate or incomplete; and
         (v) to obtain and reuse the data of the individual for the purposes of the individual across other services.
					
