[Congressional Record Volume 167, Number 90 (Monday, May 24, 2021)]
[Senate]
[Pages S3364-S3366]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

  SA 1950. Mr. HAWLEY submitted an amendment intended to be proposed to 
amendment SA 1502 proposed by Mr. Schumer to the bill S. 1260, to 
establish a new Directorate for Technology and Innovation in the 
National Science Foundation, to establish a regional technology hub 
program, to require a strategy and report on economic security, 
science, research, innovation, manufacturing, and job creation, to 
establish a critical supply chain resiliency program, and for other 
purposes; which was ordered to lie on the table; as follows:

        At the appropriate place, insert the following:

     SEC. ___. IMPOSING DATA SECURITY REQUIREMENTS AND 
                   STRENGTHENING REVIEW OF FOREIGN INVESTMENTS 
                   WITH RESPECT TO CERTAIN TECHNOLOGY COMPANIES 
                   FROM FOREIGN COUNTRIES OF CONCERN.

       (a) Definitions.--In this section:
       (1) Commission.--The term ``Commission'' means the Federal 
     Trade Commission.
       (2) Country of concern.--
       (A) In general.--Subject to subparagraph (B)(iii), the term 
     ``country of concern'' means--
       (i) the People's Republic of China;
       (ii) the Russian Federation; and
       (iii) any other country designated by the Secretary of 
     State as being of concern with respect to the protection of 
     data privacy and security.
       (B) Designation of countries of concern.--Not later than 1 
     year after the date of enactment of this Act, and annually 
     thereafter, the Secretary of State shall--
       (i) review the status of data privacy and security 
     requirements (including by reviewing laws, policies, 
     practices, and regulations related to data privacy and 
     security) in each foreign country to determine--

       (I) whether it would pose a substantial risk to the 
     national security of the United States if the government of 
     such country gained access to the user data of citizens and 
     residents of the United States; and
       (II) whether there is a substantial risk that the 
     government of such country will, in a manner that fails to 
     afford similar respect for civil liberties and privacy as the 
     Constitution and laws of the United States, obtain user data 
     from companies that collect user data;

       (ii) designate each country that meets the criteria of 
     clause (i) as a country of concern; and
       (iii) remove the designation from any country that was 
     previously designated a country of concern (regardless of 
     whether such designation was pursuant to clause (i) or (ii) 
     of subparagraph (A) or was made by the Secretary of State 
     pursuant to clause (iii) of such subparagraph) if the 
     country--

       (I) no longer meets the criteria of clause (i); and
       (II) is not at substantial risk of meeting such criteria.

       (C) Regulations.--Not later than 90 days after the date of 
     the enactment of this Act, the Secretary of State shall 
     prescribe regulations--

       (i) establishing a process for a covered technology company 
     or country of concern to petition the Secretary to remove the 
     country of concern designation from a country that was 
     designated as such pursuant to subparagraph (B)(ii); and
       (ii) setting forth the procedures and criteria the 
     Secretary will use in identifying or removing countries under 
     subparagraphs (A)(iii) or (B)(iii).
       (3) Covered technology company.--The term ``covered 
     technology company'' means an entity that provides an online 
     data-based service such as a website or internet application 
     in or affecting interstate or foreign commerce and--
       (A) is organized under the laws of a country of concern;
       (B) in which foreign persons that are nationals of, or 
     companies that are organized under the laws of, countries of 
     concern have a plurality or controlling equity interest;
       (C) is a subsidiary company of an entity described in 
     subparagraph (A) or (B); or
       (D) is otherwise subject to the jurisdiction of a country 
     of concern in a manner that allows the country of concern to 
     obtain the user data of citizens and residents of the United 
     States without similar respect for civil liberties and 
     privacy as provided under the Constitution and laws of the 
     United States.
       (4) Facial recognition technology.--The term ``facial 
     recognition technology'' means technology that analyzes 
     facial features in still or video images and is used to 
     identify, or facilitate identification of, an individual 
     using facial physical characteristics.
       (5) Targeted advertising.--
       (A) In general.--The term ``targeted advertising'' means a 
     form of advertising where advertisements are displayed to a 
     user based on the user's traits, information from a profile 
     about the user that is created for the purpose of selling 
     advertisements, or the user's previous online or offline 
     behavior.
       (B) Limitation.--Such term shall not include advertising 
     chosen because of the context of the internet service, such 
     as--
       (i) advertising that is directed to a user based on the 
     content of the website, online service, online application, 
     or mobile application that the user is connected to; or
       (ii) advertising that is directed to a user by the operator 
     of a website, online service, online application, or mobile 
     application based on the search terms that the user used to 
     arrive at such website, service, or application.
       (6) User data.--The term ``user data'' means any 
     information obtained by an entity that provides a data-based 
     service such as a website or internet application that 
     identifies, relates to, describes, is capable of being 
     associated with, or could reasonably be linked with an 
     individual who is a citizen or resident of the United States 
     without regard to whether such information is directly 
     submitted by the individual to the entity, is derived by the 
     entity from the observed activity of the individual, or is 
     obtained by the entity by any other means.
       (b) Data Security Requirements for Covered Technology 
     Companies.--
       (1) In general.--The following requirements shall apply to 
     a covered technology company:
       (A) Minimal collection of data.--The company shall not 
     collect any more user data than is necessary for the 
     operation of the website, service, or application of the 
     company.
       (B) Prohibition on secondary uses.--The company shall not 
     use any user data collected under subparagraph (A) for any 
     purpose that is secondary to the operation of the website, 
     service, or application of the company, including providing 
     targeted advertising, unnecessarily sharing such data with a 
     third party, or unnecessarily facilitating facial recognition 
     technology.
       (C) Right to view and delete data.--The company shall allow 
     an individual to--
       (i) view any user data held by the company that relates to 
     the individual; and
       (ii) permanently delete any user data held by the company 
     that has been collected, directly or indirectly, from the 
     individual.
       (D) Prohibition on transfer to countries of concern.--The 
     company shall not transfer any user data or information 
     needed to decipher that data, such as encryption keys, to any 
     country of concern (including indirectly through a third 
     country that is not a country of concern).
       (E) Data storage requirement.--The company shall not store 
     any user data collected from citizens or residents of the 
     United States or information needed to decipher that data, 
     such as encryption keys, on a server or other data storage 
     device that is located outside of the United States or a 
     country that maintains an agreement with the United States to 
     share data with law enforcement agencies through a process 
     established by law.
       (F) Reporting requirement.--Not less frequently than 
     annually, the chief executive officer or equivalent officer 
     of the company shall submit, under penalty of perjury, a 
     report to the Commission, the Attorney General of the United 
     States, and the Attorney General of each State certifying 
     compliance with the requirements of this subsection.
       (2) Exceptions.--
       (A) Exception for law enforcement and military.--The 
     requirements of subparagraphs (A) through (D) of paragraph 
     (1) shall not apply where data is collected, used, retained, 
     stored, or shared by a covered technology company solely for 
     the purpose of assisting a law enforcement or military agency 
     that is not affiliated with a country of concern.
       (B) Transfer of shared content.--The requirements of 
     subparagraphs (E) and (F) of paragraph (1) shall not apply to 
     user data that is content produced by a user for the purpose 
     of sharing with other users (such as social media posts, 
     emails, or data related to a transaction involving the user) 
     or information needed to decipher that data provided that the 
     transfer and any storage necessary to enact the transfer is 
     conducted solely to carry out the user's intent to share such 
     data with individual users in other countries and that 
     necessary storage occurs only on the intended recipient's 
     individual device.
       (3) Effective date.--The requirements of this subsection 
     shall take effect 90 days after the date of enactment of this 
     Act.
       (c) Data Security Requirements for Other Technology 
     Companies.--
       (1) In general.--The following requirements shall apply to 
     any company operating in or affecting interstate or foreign 
     commerce that provides a data-based service such as a website 
     or internet application but is not a covered technology 
     company:
       (A) Prohibition on transfer to countries of concern.--The 
     company shall not transfer any user data collected from an 
     individual in the United States or information needed to 
     decipher that data, such as encryption keys, to any country 
     of concern (including indirectly through a third country that 
     is not a country of concern).
       (B) Prohibition on storing data in countries of concern.--
     The company shall not store any user data collected from an 
     individual in the United States or information needed to 
     decipher that data, such as encryption keys, on a server or 
     other data storage device that is located in any country of 
     concern.
       (2) Exceptions.--
       (A) Exception for law enforcement and military.--The 
     requirements of paragraph (1) shall not apply where data is 
     collected, used, retained, stored, or shared by a covered 
     technology company solely for the purpose of assisting a law 
     enforcement or military agency that is not affiliated with a 
     country of concern.
       (B) Transfer of shared content.--The requirements of 
     paragraph (1) shall not apply to user data that is content 
     produced by a user for the purpose of sharing with other 
     users (such as social media posts, emails, or data related to 
     a transaction involving the user) or information needed to 
     decipher that data provided that the transfer and any storage 
     necessary to enact the transfer is conducted solely to carry 
     out the user's intent to share such data with individual 
     users in other countries and that necessary storage occurs 
     only on the intended recipient's individual device.
       (3) Effective date.--The requirements of this subsection 
     shall take effect 90 days after the date of enactment of this 
     Act.
       (d) Enforcement of Data Security Requirements.--
       (1) Enforcement by the commission.--
       (A) In general.--Except as otherwise provided, subsections 
     (b) and (c) shall be enforced by the Commission under the 
     Federal Trade Commission Act (15 U.S.C. 41 et seq.).
       (B) Unfair or deceptive acts or practices.--A violation of 
     subsection (b) or (c) shall be treated as a violation of a 
     rule defining an unfair or deceptive act or practice 
     prescribed under section 18(a)(1)(B) of the Federal Trade 
     Commission Act (15 U.S.C. 57a(a)(1)(B)).
       (C) Actions by the commission.--Except as otherwise 
     provided, the Commission shall prevent any person from 
     violating subsection (b) or (c) in the same manner, by the 
     same means, and with the same jurisdiction, powers, and 
     duties as though all applicable terms and provisions of the 
     Federal Trade Commission Act (15 U.S.C. 41 et seq.) were 
     incorporated into and made a part of this section, and any 
     person who violates such a subsection shall be subject to the 
     penalties and entitled to the privileges and immunities 
     provided in the Federal Trade Commission Act.
       (D) Authority preserved.--Nothing in this section shall be 
     construed to limit the authority of the Commission under any 
     other provision of law.
       (2) Criminal penalty.--
       (A) Offense.--It shall be unlawful to knowingly cause a 
     technology company to violate a requirement of subsection (b) 
     or (c).
       (B) Penalty.--Any person who violates subparagraph (A) 
     shall be imprisoned for not more than 5 years, fined under 
     title 18, United States Code, or both.
       (3) Enforcement by state attorneys general.--
       (A) In general.--
       (i) Civil actions.--In any case in which the attorney 
     general of a State has reason to believe that an interest of 
     the residents of that State has been or is threatened or 
     adversely affected by the engagement of any person in a 
     practice that violates subsection (b) or (c), the State, as 
     parens patriae, may bring a civil action on behalf of the 
     residents of the State in a district court of the United 
     States or a State court of appropriate jurisdiction to--

       (I) enjoin that practice;
       (II) enforce compliance with such section;
       (III) on behalf of residents of the State, obtain damages, 
     statutory damages, restitution, or other compensation, each 
     of which shall be distributed in accordance with State law; 
     or
       (IV) obtain such other relief as the court may consider to 
     be appropriate.

       (ii) Notice.--

       (I) In general.--Before filing an action under clause (i), 
     the attorney general of the State involved shall provide to 
     the Commission--

       (aa) written notice of that action; and
       (bb) a copy of the complaint for that action.

       (II) Exemption.--

       (aa) In general.--Subclause (I) shall not apply with 
     respect to the filing of an action by an attorney general of 
     a State under this subparagraph if the attorney general of 
     the State determines that it is not feasible to provide the 
     notice described in that subclause before the filing of the 
     action.
       (bb) Notification.--In an action described in item (aa), 
     the attorney general of a State shall provide notice and a 
     copy of the complaint to the Commission at the same time as 
     the attorney general files the action.
       (B) Intervention.--
       (i) In general.--On receiving notice under subparagraph 
     (A)(ii), the Commission shall have the right to intervene in 
     the action that is the subject of the notice.
       (ii) Effect of intervention.--If the Commission intervenes 
     in an action under subparagraph (A), it shall have the 
     right--

       (I) to be heard with respect to any matter that arises in 
     that action; and
       (II) to file a petition for appeal.

       (C) Construction.--For purposes of bringing any civil 
     action under subparagraph (A), nothing in this section shall 
     be construed to prevent an attorney general of a State from 
     exercising the powers conferred on the attorney general by 
     the laws of that State to--
       (i) conduct investigations;
       (ii) administer oaths or affirmations; or
       (iii) compel the attendance of witnesses or the production 
     of documentary and other evidence.
       (D) Actions by the commission.--In any case in which an 
     action is instituted by or on behalf of the Commission for 
     violation of subsection (b) or (c), no State may, during the 
     pendency of that action, institute an action under 
     subparagraph (A) against any defendant named in the complaint 
     in the action instituted by or on behalf of the Commission 
     for that violation.
       (E) Venue; service of process.--
       (i) Venue.--Any action brought under subparagraph (A) may 
     be brought in--

       (I) the district court of the United States that meets 
     applicable requirements relating to venue under section 1391 
     of title 28, United States Code; or
       (II) a State court of competent jurisdiction.

       (ii) Service of process.--In an action brought under 
     subparagraph (A) in a district court of the United States, 
     process may be served wherever defendant--

       (I) is an inhabitant; or
       (II) may be found.

       (4) Private right of action.--
       (A) In general.--Any individual who suffers injury as a 
     result of an act, practice, or omission of a covered 
     technology company that violates subsection (b) may bring a 
     civil action against such company in any court of competent 
     jurisdiction.
       (B) Relief.--In a civil action brought under subparagraph 
     (A) in which the plaintiff prevails, the court may award such 
     plaintiff up to $1,000 for each day that such plaintiff was 
     affected by a violation of subsection (b) (up to a maximum of 
     $15,000 per each such violation per plaintiff).
       (e) Requirement for Approval of Committee on Foreign 
     Investment in the United States of Certain Transactions.--
     Section 721(b) of the Defense Production Act of 1950 (50 
     U.S.C. 4565(b)) is amended by adding at the end the 
     following:
       ``(9) Approval required for certain transactions.--
       ``(A) In general.--A covered transaction described in 
     subparagraph (C) is prohibited unless the Committee--
       ``(i) reviews the transaction under this subsection; and
       ``(ii) determines that the transaction does not pose a risk 
     to the national security of the United States.
       ``(B) Mitigation.--The Committee, or a lead agency on 
     behalf of the Committee, may negotiate, enter into or impose, 
     and enforce an agreement or condition under subsection (l)(3) 
     with any party to a covered transaction described in 
     subparagraph (C) to mitigate any risk to the national 
     security of the United States that arises as a result of the 
     covered transaction.
       ``(C) Covered transaction described.--A covered transaction 
     described in this subparagraph is a transaction that could 
     result in foreign control of a United States company--
       ``(i) that collects, sells, buys, or processes user data 
     and whose business consists substantially more of 
     transferring data than manufacturing, delivering, repairing, 
     or servicing physical goods or providing physical services; 
     or
       ``(ii) that operates a social media platform or website.
       ``(D) User data defined.--For purposes of subparagraph (C), 
     the term `user data' means any information obtained by an 
     entity that provides a data-based service such as a website 
     or internet application that identifies, relates to, 
     describes, is capable of being associated with, or could 
     reasonably be linked with an individual who is a citizen or 
     resident of the United States without regard to whether such 
     information is directly submitted by the individual to the 
     entity, is derived by the entity from the observed activity 
     of the individual, or is obtained by the entity by any other 
     means.''.