[Congressional Record Volume 167, Number 194 (Thursday, November 4, 2021)]
[Senate]
[Pages S7884-S7886]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

  SA 4362. Mr. RUBIO submitted an amendment intended to be proposed to 
amendment SA 3867 submitted by Mr. Reed and intended to be proposed to 
the bill H.R. 4350, to authorize appropriations for fiscal year 2022 
for military activities of the Department of Defense, for military 
construction, and for defense activities of the Department of Energy, 
to prescribe military personnel strengths for such fiscal year, and for 
other purposes; which was ordered to lie on the table; as follows:

       At the appropriate place, insert the following:

     SEC. ___. CONSUMER PROTECTIONS REGARDING COVERED FOREIGN 
                   SOFTWARE.

       (a) Consumer Warning and Acknowledgment for Download of 
     Covered Foreign Software.--
       (1) In general.--A software marketplace operator or an 
     owner of covered foreign software may not:
       (A) Permit a consumer to download covered foreign software 
     unless, before the download begins--
       (i) a warning that meets the requirements of paragraph (2) 
     is displayed to the consumer, separately from any privacy 
     policy, terms of service, or other notice; and
       (ii) the consumer is required to choose (by taking an 
     affirmative step such as clicking on a button) between the 
     options of--

       (I) acknowledging such warning and proceeding with the 
     download; or
       (II) cancelling the download.

       (B) Make available covered foreign software for download by 
     consumers unless the operator or owner has in place 
     procedures to ensure compliance with subparagraph (A).
       (2) Requirements for warning.--The requirements of this 
     paragraph are, with respect to a warning regarding covered 
     foreign software--
       (A) that the warning include--
       (i) the name of the covered foreign software;
       (ii) the name of each owner of the covered foreign 
     software, and, if applicable with respect to each such owner, 
     the name of the covered country--

       (I) under the laws of which such owner is organized;
       (II) in which such owner conducts its principal operations; 
     or
       (III) in which such owner is headquartered;

       (iii) the name of each controlling entity of the owner of 
     the covered foreign software, and if applicable with respect 
     to each such controlling entity, the name of the covered 
     country--

       (I) under the laws of which such entity is organized;
       (II) in which such entity conducts its principal 
     operations; or
       (III) in which such entity is headquartered;

       (iv) any enumerated risk to data privacy and security or 
     the censorship of speech associated with the laws and 
     practices of a covered country disclosed under this 
     subparagraph;
       (v) whether the owner of a covered foreign software, or any 
     controlling entity of such owner, has ever provided the data 
     of United States consumers, as it relates to such software, 
     to any law enforcement agency, intelligence agency, or other 
     government entity of a covered country; and
       (vi) a description of how to acknowledge the warning and 
     either proceed with or cancel the download;
       (B) that the warning be updated annually; and
       (C) such other requirements as the Commission, in 
     consultation with the Attorney General of the United States, 
     shall determine.
       (3) Liability of software owner.--If a software marketplace 
     operator permits a consumer to download covered foreign 
     software or makes covered foreign software available for 
     download in violation of paragraph (1), the operator shall 
     not be liable for a violation of such paragraph if the 
     operator reasonably relied on inaccurate information from the 
     owner of the covered foreign software in determining that the 
     software was not covered foreign software, and the owner of 
     the covered foreign software shall be considered to have 
     committed the violation of such paragraph.
       (b) Consumer Data Protections.--
       (1) Consumer data privacy practices.--
       (A) Consumer data report.--Not later than 30 days after the 
     date of enactment of this section (or in the case of covered 
     foreign software that is created after such date or software 
     that becomes covered foreign software after such date, 60 
     days after the date that such software is created or becomes 
     covered foreign software), and annually thereafter, an owner 
     of covered foreign software shall submit to the Commission 
     and the Attorney General of the United States a report that 
     includes a complete description of any consumer data privacy 
     practice of the owner as it relates to the data of United 
     States consumers, including--
       (i) the type of data of United States consumers being 
     accessed;
       (ii) a description of how such data is used by the owner;
       (iii) a description of any consumer data protection measure 
     in place that protects the rights and interests of United 
     States consumers;
       (iv) information regarding--

       (I) the number of requests from a law enforcement agency, 
     intelligence agency, or other government entity of a covered 
     country to disclose the consumer data of a person in the 
     United States; and

[[Page S7885]]

       (II) a description of how such requests were handled; and

       (v) a description of any internal content moderation 
     practice of the owner as it relates to the data of consumers 
     in the United States, including any such practice that also 
     relates to consumers in another country.
       (B) Public accessibility.--Notwithstanding any other 
     provision of law, not later than 60 days after the receipt of 
     a report under subparagraph (A), the Attorney General of the 
     United States shall publish the information contained in such 
     report (except for any confidential material) in a publicly 
     accessible manner.
       (2) Consumer data disclosure practices.--
       (A) Effect of disclosure and censorship.--An owner of 
     covered foreign software may not collect or store data of 
     United States consumers, as it relates to such covered 
     foreign software, if such owner complies with any request 
     from a law enforcement agency, intelligence agency, or other 
     government entity of a covered country--
       (i) to disclose the consumer data of a person in the United 
     States; or
       (ii) to censor the online activity of a person in the 
     United States.
       (B) Report to federal trade commission and attorney general 
     of the united states.--Not later than 14 days after receiving 
     a request described in subparagraph (A), an owner of covered 
     foreign software shall submit to the Commission and the 
     Attorney General of the United States a report that includes 
     a description of such request.
       (C) Access to consumer data in subsidiaries.--Not later 
     than 1 year after the date of enactment of this section, the 
     Commission, in consultation with the Attorney General of the 
     United States, shall issue regulations to require an owner of 
     covered foreign software to implement consumer data 
     protection measures to ensure that any parent company in a 
     covered country may not access the consumer data collected 
     and stored, or otherwise held, by a subsidiary entity of such 
     parent company in a country that is not a covered country.
       (3) Prohibitions on storage, use, and sharing of consumer 
     data.--
       (A) Use, transfer, and storage of consumer data.--With 
     respect to the consumer data of any person in the United 
     States, an owner of covered foreign software may not--
       (i) use such data in a covered country;
       (ii) transfer such data to a covered country; or
       (iii) store such data outside of the United States.
       (B) Sharing of consumer data.--An owner of covered foreign 
     software may not share with, sell to, or otherwise disclose 
     to any other commercial entity the consumer data of any 
     person in the United States.
       (4) Censorship remedy.--In the case where an owner of 
     covered foreign software censors the online activity of a 
     person in the United States, such owner shall provide any 
     affected user with a means to appeal such censorship.
       (c) Nonapplication of Communications Decency Act 
     Protections.--Notwithstanding section 230 of the 
     Communications Act of 1934 (47 U.S.C. 230) (commonly known as 
     the ``Communications Decency Act''), an owner of a covered 
     foreign software shall not be considered a provider of an 
     interactive computer service for purposes of subsection (c) 
     of such section with respect to such covered foreign 
     software.
       (d) Enforcement by the Federal Trade Commission.--
       (1) Unfair or deceptive acts or practices.--A violation of 
     this section or a regulation promulgated thereunder shall be 
     treated as a violation of a rule defining an unfair or 
     deceptive act or practice under section 18(a)(1)(B) of the 
     Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
       (2) Powers of commission.--
       (A) In general.--The Commission shall enforce this section 
     and the regulations promulgated thereunder in the same 
     manner, by the same means, and with the same jurisdiction, 
     powers, and duties as though all applicable terms and 
     provisions of the Federal Trade Commission Act (15 U.S.C. 41 
     et seq.) were incorporated into and made a part of this 
     section. Any person who violates this section or a regulation 
     promulgated thereunder shall be subject to the penalties and 
     entitled to the privileges and immunities provided in the 
     Federal Trade Commission Act.
       (B) Additional relief.--In addition to the penalties 
     provided in the Federal Trade Commission Act (15 U.S.C. 41 et 
     seq.), if a court or the Commission (in a formal adjudicative 
     proceeding) determines that an owner of covered foreign 
     software violated this section or a regulation promulgated 
     thereunder, the court or the Commission shall prohibit the 
     owner from making such software available for sale or 
     download in the United States.
       (3) Regulations.--The Commission may promulgate regulations 
     under section 553 of title 5, United States Code, to carry 
     out this section.
       (4) Savings clause.--Nothing in this section shall be 
     construed to limit the authority of the Commission under any 
     other provision of law.
       (e) Criminal Offense.--
       (1) In general.--A software marketplace operator or an 
     owner of covered foreign software that knowingly violates 
     subsection (a) or (b) shall be fined $50,000 for each 
     violation.
       (2) Clarifications.--
       (A) Separate violation.--For purposes of paragraph (1), 
     each download by a consumer of a covered foreign software 
     that does not meet the requirements of subparagraph (A) of 
     subsection (a)(1) or is made available in violation of 
     subparagraph (B) of such subsection shall be treated as a 
     separate violation.
       (B) Individual offense.--An officer of a software 
     marketplace operator or of an owner of covered foreign 
     software who knowingly causes a violation of subsection 
     (a)(1) with the intent to conceal the fact that the software 
     is covered foreign software shall be fined under title 18, 
     United States Code.
       (3) Referral of evidence by the ftc.--Whenever the 
     Commission obtains evidence that a software marketplace 
     operator or owner of covered foreign software has engaged in 
     conduct that may constitute a violation of subsection (a) or 
     (b), the Commission shall transmit such evidence to the 
     Attorney General of the United States, who may institute 
     criminal proceedings under this subsection. Nothing in this 
     paragraph affects any other authority of the Commission to 
     disclose information.
       (f) Report to Congress.--Not later than 1 year after the 
     date of the enactment of this section, the Commission, in 
     consultation with the Attorney General of the United States, 
     shall submit to Congress a report on the implementation and 
     enforcement of this section.
       (g) Expansion of Covered Transactions Under the DPA.--
     Section 721(a)(4)(B)(iii)(III) of the Defense Production Act 
     of 1950 (50 U.S.C. 4565(a)(4)(B)(iii)(III)) is amended by 
     inserting ``or commercially available'' after ``sensitive''.
       (h) Express Preemption of State Law.--This section shall 
     supersede any provision of a law, regulation, or other 
     requirement of any State or political subdivision of a State 
     to the extent that such provision relates to the privacy or 
     security of consumer data or the downloading of covered 
     foreign software.
       (i) Definitions.--In this section:
       (1) Censor.--
       (A) In general.--The term ``censor'', with respect to the 
     online activity of a person in the United States, means--
       (i) to alter, delete, remove, or otherwise make 
     inaccessible user information without the consent of such 
     user; or
       (ii) to alter, delete, remove, deny, prevent, or otherwise 
     prohibit user activity without the consent of such user.
       (B) Exception.--Such term shall not include any action by 
     an owner of covered foreign software that is taken for the 
     purpose of restricting access to, or availability of, 
     material that the owner considers to be obscene, lewd, 
     lascivious, filthy, excessively violent, harassing, or 
     otherwise objectionable, whether or not such material is 
     constitutionally protected.
       (2) Commission.--The term ``Commission'' means the Federal 
     Trade Commission.
       (3) Covered country.--
       (A) In general.--Subject to subparagraph (B), the term 
     ``covered country'' means--
       (i) China, Russia, North Korea, Iran, Syria, Sudan, 
     Venezuela, or Cuba;
       (ii) any other country the government of which the 
     Secretary of State determines has provided support for 
     international terrorism pursuant to--

       (I) section 1754(c)(1)(A) of the Export Control Reform Act 
     of 2018 (50 U.S.C. 4318(c)(1)(A));
       (II) section 620A of the Foreign Assistance Act of 1961 (22 
     U.S.C. 2371);
       (III) section 40 of the Arms Export Control Act (22 U.S.C. 
     2780); or
       (IV) any other provision of law; and

       (iii) any other country designated by the Attorney General 
     of the United States based on findings that such country's 
     control over potentially dangerous software poses an undue or 
     unnecessary risk to the national security of the United 
     States or to the safety and security of United States 
     persons.
       (B) Process.--
       (i) Advance notice to congress.--The Attorney General of 
     the United States shall not designate a country under 
     subparagraph (A)(iii) (or revoke such a designation under 
     clause (iii)) unless the Attorney General of the United 
     States--

       (I) provides not less than 30 days notice prior to making 
     such designation or revocation to--

       (aa) the Committee on Energy and Commerce of the House of 
     Representatives;
       (bb) the Permanent Select Committee on Intelligence of the 
     House of Representatives;
       (cc) the Committee on Commerce, Science, and Transportation 
     of the Senate; and
       (dd) the Select Committee on Intelligence of the Senate; 
     and

       (II) upon request, provides an in-person briefing to each 
     such Committee during the 30-day notice period.

       (ii) Notice and publication of designation.--Upon 
     designating a country under subparagraph (A)(iii), the 
     Attorney General of the United States shall transmit a 
     notification of the designation to the Commission, and shall 
     publish such notification. Such designation shall become 
     effective on the day that is 60 days after the date on which 
     such notification is transmitted and published.
       (iii) Revocation of designation.--The designation of a 
     country under subparagraph (A) may only be revoked by the 
     Attorney General of the United States.
       (4) Covered foreign software.--
       (A) In general.--The term ``covered foreign software'' 
     means any of the following:
       (i) Software that is owned or, directly or indirectly, 
     controlled by a person described in subparagraph (B).

[[Page S7886]]

       (ii) Software that stores data of United States consumers 
     in a covered country.
       (B) Persons described.--A person described in this 
     subparagraph is--
       (i) a person (other than an individual)--

       (I) that is organized under the laws of a covered country;
       (II) the principal operations of which are conducted in a 
     covered country; or
       (III) that is headquartered in a covered country; or

       (ii) a person (other than an individual) that is, directly 
     or indirectly, controlled by a person described in clause 
     (i).
       (5) Mobile application.--The term ``mobile application'' 
     means a software program that runs on the operating system of 
     a smartphone, tablet computer, or similar mobile electronic 
     device.
       (6) Software.--The term ``software'' means any computer 
     software program, including a mobile application.
       (7) Software marketplace operator.--The term ``software 
     marketplace operator'' means a person who, for a commercial 
     purpose, operates an online store or marketplace through 
     which software is made available for download by consumers in 
     the United States.
                                 ______