Code · BILL · 116th Congress · S. 2968 (Introduced in Senate) — To provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaning... · Sec. 110

Sec. 110. Limitations and applicability

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

A covered entity shall not permit an individual to exercise a right described in sections 102 through 105(a) if—

the covered entity cannot reasonably verify that the individual making the request to exercise the right is the individual whose covered data is the subject of the request or an individual authorized to make such a request on the individual’s behalf; or

the covered entity reasonably believes that the request is made to interfere with a contract between the covered entity and another individual.

If a covered entity cannot reasonably verify that a request to exercise a right described in sections 102 through 105(a) is made by the individual whose covered data is the subject of the request (or an individual authorized to make such a request on the individual’s behalf), the covered entity shall request the provision of additional information necessary for the sole purpose of verifying the identity of the individual and shall not process or transfer such additional information for any other purpose.

A covered entity shall minimize the inconvenience to consumers relating to the verification or authentication of requests.

A covered entity shall carry out the rights described in sections 102 through 105(a) free of charge.

(b) A covered entity may decline to comply with an individual’s request to exercise a right described in sections 102 through 105(b) if—

complying with the request would be demonstrably impossible (for purposes of this paragraph, the receipt of a large number of verified requests, on its own, shall not be considered to render compliance with a request demonstrably impossible);

complying with the request would prevent the covered entity from carrying out internal audits, performing accounting functions, processing refunds, or fulfilling warranty claims, provided that the covered data that is the subject of the request is not processed or transferred for any purpose other than such specific activities;

the request is made to correct or delete publicly available information, and then only to the extent the data is publicly available information;

complying with the request would impair the publication of newsworthy information of legitimate public concern to the public by a covered entity, or the processing or transfer of information by a covered entity for such purpose;

complying with the request would impair the privacy of another individual or the rights of another to exercise free speech; or

the covered entity processes or will process the data subject to the request for a specific purpose described in subsection (d) of this section, and complying with the request would prevent the covered entity from using such data for such specific purpose.

A covered entity may process or transfer covered data without the individual’s affirmative express consent for any of the following purposes, provided that the processing or transfer is reasonably necessary, proportionate, and limited to such purpose:

To complete a transaction or fulfill an order or service specifically requested by an individual, such as billing, shipping, or accounting.

To perform system maintenance, debug systems, or repair errors to ensure the functionality of a product or service provided by the covered entity.

To detect or respond to a security incident, provide a secure environment, or maintain the safety of a product or service.

To protect against malicious, deceptive, fraudulent, or illegal activity.

To comply with a legal obligation or the establishment, exercise, or defense of legal claims.

To prevent an individual from suffering harm where the covered entity believes in good faith that the individual is in danger of suffering death or serious physical injury.

To effectuate a product recall pursuant to Federal or State law.

To conduct scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board or a similar oversight entity that meets standards promulgated by the Commission pursuant to section 553 of title 5, United States Code.

Not later than 1 year after the date of enactment of this Act, the Commission shall promulgate regulations pursuant to section 553 of title 5, United States Code, identifying privacy protective requirements for the processing of biometric information for a purpose described in subparagraph (C) or (D) of paragraph (1). Such regulations shall include—

strict data processing limitations, including a prohibition on the processing of biometric information unless the covered entity has a reasonable suspicion, after a specific criminal incident involving the covered entity, that the individual may engage in criminal activity;

strict data transfer limitations, including a prohibition on the transfer of biometric information to a third party other than to comply with a legal obligation or to establish, exercise, or defend a legal claim; and

strict transparency obligations, including requiring disclosures in a conspicuous and readily accessible manner regarding specific data processing and transfer activities.

Nothing in this title shall apply to the publication of newsworthy information of legitimate public concern to the public by a covered entity, or to the processing or transfer of information by a covered entity for that purpose.

A covered entity that is required to comply with title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.), the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17931 et seq.), part C of title XI of the Social Security Act (42 U.S.C. 1320d et seq.), the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), the Family Educational Rights and Privacy Act (20 U.S.C. 1232g; part 99 of title 34, Code of Federal Regulations), or the regulations promulgated pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note), and is in compliance with the data privacy requirements of such regulations, part, title, or Act (as applicable), shall be deemed to be in compliance with the related requirements of this title, except for section 107, with respect to data subject to the requirements of such regulations, part, title, or Act. Not later than 1 year after the date of enactment of this Act, the Commission shall issue guidance describing the implementation of this subsection.

A covered entity that is required to comply with title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.), the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17931 et seq.), part C of title XI of the Social Security Act (42 U.S.C. 1320d et seq.), or the regulations promulgated pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note), and is in compliance with the information security requirements of such regulations, part, title, or Act (as applicable), shall be deemed to be in compliance with the requirements of section 107 with respect to data subject to the requirements of such regulations, part, title, or Act. Not later than 1 year after the date of enactment of this Act, the Commission shall issue guidance describing the implementation of this subsection.

The Commission shall have authority under section 553 of title 5, United States Code, to promulgate regulations necessary to carry out the provisions of this title.