Sec. 203. Individual data ownership and control
/bill/117/hr/8152/ih/section-203
(a) Subject to subsections (b) and (c), a covered entity shall provide an individual, after receiving a verified request from the individual, with the right to—

(1) access—
(A) the covered data, except covered data in back-up or archival systems, of the individual in a human-readable format that a reasonable individual can understand and download from the internet, that is collected, processed, or transferred by the covered entity or any service provider of the covered entity within the 24 months preceding the request;
(B) the name of any third party and the categories of any service providers to whom the covered entity has transferred for consideration the covered data of the individual, as well as the categories of sources from which the covered data was collected; and
(C) a description of the purpose for which the covered entity transferred the covered data of the individual to a third party or service provider;

(2) correct any verifiably material inaccuracy or materially incomplete information with respect to the covered data of the individual that is processed by the covered entity and instruct the covered entity to notify any third party, or service provider to which the covered entity transferred such covered data of the corrected information;

(3) delete covered data of the individual that is processed by the covered entity and instruct the covered entity to notify any third party, or service provider to which the covered entity transferred such covered data of the individual’s deletion request; and

(4) to the extent technically feasible, export covered data to the individual or directly to another entity, except for derived data, of the individual that is processed by the covered entity without licensing restrictions that limit such transfers, in—
(A) a human-readable format that a reasonable individual can understand and download from the internet; and
(B) a portable, structured, interoperable, and machine-readable format.

(b) A covered entity shall not condition, effectively condition, attempt to condition, or attempt to effectively condition the exercise of any individual rights under this section through—
(1) the use of any false, fictitious, fraudulent, or materially misleading statement or representation; or
(2) the design, modification, or manipulation of any user interface with the purpose or substantial effect of obscuring, subverting, or impairing a reasonable individual’s autonomy, decision making, or choice to exercise any such rights.

(c)(1) Subject to subsections (d) and (e)(1), each request shall be completed by any—
(A) large data holder within 45 days of verification of such request from an individual;
(B) covered entity that is not considered a large data holder or a covered entity described in section 209 within 60 days of verification of such request from an individual; or
(C) covered entity as described in section 209 within 90 days of verification of such request from an individual.

(2) A response period set forth in this subsection may be extended once by 45 additional days when reasonably necessary, considering the complexity and number of the individual’s requests, so long as the covered entity informs the individual of any such extension within the initial 45-day response period, together with the reason for the extension.

(d) A covered entity—
(1) shall provide an individual with the opportunity to exercise each of the rights described in subsection (a); and
(2) with respect to—
(A) the first 2 times that an individual exercises any right described in subsection (a) in any 12-month period, shall allow the individual to exercise such right free of charge; and
(B) any time beyond the initial 2 times described in subparagraph (A), may allow the individual to exercise such right for a reasonable fee for each request.

(e)(1) A covered entity shall not permit an individual to exercise a right described in subsection (a), in whole or in part, if the covered entity—
(A) cannot reasonably verify that the individual making the request to exercise the right is the individual whose covered data is the subject of the request or an individual authorized to make such a request on the individual’s behalf;
(B) reasonably believes that the request is made to interfere with a contract between the covered entity and another individual;
(C) determines that the exercise of the right would require access to or correction of another individual’s sensitive covered data; or
(D) reasonably believes that the exercise of the right would require the covered entity to engage in an unfair or deceptive practice under section 5 of the Federal Trade Commission Act (15 U.S.C. 45).

(2) If a covered entity cannot reasonably verify that a request to exercise a right described in subsection (a) is made by the individual whose covered data is the subject of the request (or an individual authorized to make such a request on the individual’s behalf), the covered entity—
(A) may request that the individual making the request to exercise the right provide any additional information necessary for the sole purpose of verifying the identity of the individual; and
(B) shall not process or transfer such additional information for any other purpose.

(3)(A) A covered entity may decline to comply with a request to exercise a right described in subsection (a), in whole or in part, that would—
(i) require the covered entity to retain any covered data collected for a single, one-time transaction, if such covered data is not processed or transferred by the covered entity for any purpose other than completing such transaction;
(ii) be impossible or demonstrably impracticable to comply with, and the covered entity shall provide a description to the requestor detailing the inability to comply with the request;
(iii) require the covered entity to attempt to re-identify de-identified data;
(iv) result in the release of trade secrets, or other privileged, or confidential business information;
(v) require the covered entity to correct any covered data that cannot be reasonably verified as being inaccurate or incomplete;
(vi) interfere with law enforcement, judicial proceedings, investigations, or reasonable efforts to guard against, detect, or investigate malicious or unlawful activity, or enforce valid contracts;
(vii) violate Federal or State law or the rights and freedoms of another individual, including under the Constitution of the United States;
(viii) prevent a covered entity from being able to maintain a confidential record of deletion requests, maintained solely for the purpose of preventing covered data of an individual who has submitted a deletion request and requests that the covered entity no longer collect, process, or transfer such data;
(ix) fall within an exception enumerated in the regulations promulgated by the Commission pursuant to paragraph (D); or
(x) with respect to requests for deletion—
(I) unreasonably interfere with the provision of products or services by the covered entity to another person it currently serves;
(II) delete covered data that relates to a public figure and for which the requesting individual has no reasonable expectation of privacy;
(III) delete covered data reasonably necessary to perform a contract between the covered entity and the individual;
(IV) delete covered data that the covered entity needs to retain in order to comply with professional ethical obligations; or
(V) delete covered data that the covered entity reasonably believes may be evidence of unlawful activity or an abuse of the covered entity’s products or services.

(B) In a circumstance that would allow a denial pursuant to paragraph (A), a covered entity shall partially comply with the remainder of the request if it is possible and not unduly burdensome to do so.

(C) For purposes of this paragraph, the receipt of a large number of verified requests, on its own, shall not be considered to render compliance with a request demonstrably impossible.

(D) The Commission may, by regulation as described in subsection (f), establish additional permissive exceptions necessary to protect the rights of individuals, alleviate undue burdens on covered entities, prevent unjust or unreasonable outcomes from the exercise of access, correction, deletion, or portability rights, or as otherwise necessary to fulfill the purposes of this section. In creating such exceptions, the Commission should consider any relevant changes in technology, means for protecting privacy and other rights, and beneficial uses of covered data by covered entities.

(f)(1) Within two years of the date of enactment of this Act, the Commission may promulgate regulations, pursuant to section 553 of title 5, United States Code (5 U.S.C. 553), as necessary to establish processes by which covered entities are to comply with the provisions of this section.

(2) Such regulations shall take into consideration—
(A) the size of, and the nature, scope, and complexity of the activities engaged in by the covered entity, including whether the covered entity is a large data holder, nonprofit organization, covered entities meeting the requirements of section 209, service provider, third party, or third-party collecting entity;
(B) the sensitivity of covered data collected, processed, or transferred by the covered entity;
(C) the volume of covered data collected, processed, or transferred by the covered entity; and
(D) the number of individuals and devices to which the covered data collected, processed, or transferred by the covered entity relates.

A covered entity shall facilitate the ability for individuals to make requests under this section in any of the ten languages with the most users in the United States, according to the most recent U.S. Census, if the covered entity provides service in such language.

The mechanisms by which a covered entity enables individuals to make requests under this section shall be readily accessible and usable by individuals with disabilities.