[Congressional Record Volume 164, Number 86 (Thursday, May 24, 2018)]
[Senate]
[Page S2937]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

     SENATE RESOLUTION 523--ENCOURAGING COMPANIES TO APPLY PRIVACY 
 PROTECTIONS INCLUDED IN THE GENERAL DATA PROTECTION REGULATION OF THE 
            EUROPEAN UNION TO CITIZENS OF THE UNITED STATES

  Mr. MARKEY (for himself, Mr. Durbin, Mr. Sanders, and Mr. Blumenthal) 
submitted the following resolution; which was referred to the Committee 
on Commerce, Science, and Transportation:

                              S. Res. 523

       Whereas the European Union has enacted the General Data 
     Protection Regulation (referred to in this preamble as the 
     ``GDPR''), which provides the 508,000,000 residents of the 
     European Union with significant new privacy protections;
       Whereas the GDPR takes effect on May 25, 2018;
       Whereas the rules of the GDPR will apply to many entities 
     in the United States that serve users and customers in both 
     Europe and the United States;
       Whereas the GDPR requires that--
       (1) data processors have a legal basis for processing the 
     data of users; and
       (2) opt-in, freely given, specific, informed, and 
     unambiguous consent from users is a primary legal basis;

       Whereas polling shows that people in the United States are 
     increasingly concerned about their privacy and the security 
     of their personal information;
       Whereas recent data breaches and privacy invasions 
     affecting millions of people in the United States underscore 
     the need for enhanced privacy protection in the United 
     States; and
       Whereas people in the United States have a right to 
     privacy, and entities that control and process the data of 
     people in the United States have an obligation to protect 
     that data: Now, therefore, be it
       Resolved, That the Senate encourages entities covered by 
     the General Data Protection Regulation of the European Union 
     (referred to in this resolving clause as the ``GDPR''), 
     including edge providers, broadband providers, and data 
     brokers--
       (1) to provide the people of the United States with the 
     privacy protections included in the GDPR in a manner 
     consistent with existing laws and rights in the United 
     States, including the First Amendment; and
       (2) to include in the protections described in paragraph 
     (1)--
       (A) the requirement that--
       (i) data processors (as described in the GDPR) have a legal 
     basis for processing the data of users;
       (ii) opt-in, freely given, specific, informed, and 
     unambiguous consent from users be a primary legal basis for 
     purposes of clause (i);
       (iii) data processors design their systems in a way that--

       (I) minimizes the processing of data to only what is 
     necessary for the specific purpose stated to the individual; 
     and
       (II) by default, protects personal information from being 
     used for other purposes;

       (iv) entities processing the data of children institute 
     special protections, particularly with reference to the use 
     of the data of children for marketing purposes;
       (v) data processors and controllers (as described in the 
     GDPR) ensure compliance with relevant privacy rules; and
       (vi) data processors implement appropriate oversight over 
     third party data processors; and
       (B) the right of an individual--
       (i) to revoke consent for data processing at any time;
       (ii) to not be subject to automated decisionmaking, 
     including profiling, without human intervention if the 
     decisionmaking has legal or otherwise significant effects on 
     the individual;
       (iii) to know which entities have access to the data of the 
     individual and how that data is being used;
       (iv) to correct the data of the individual if it is 
     inaccurate or incomplete; and
       (v) to obtain and reuse the data of the individual for the 
     purposes of the individual across other services.
