
Code · BILL · 117th Congress · H.R. 8152 (Introduced in House) — To provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaning... · Sec. 301

Sec. 301. Executive responsibility


A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

(a) Beginning 1 year after the date of enactment of this Act, an executive officer of a large data holder shall annually certify, in good faith, to the Commission, in a manner specified by the Commission by regulation under section 553 of title 5, United States Code, that the entity maintains—
    (1) internal controls reasonably designed to comply with this Act; and
    (2) reporting structures to ensure that such certifying officers are involved in, and are responsible for, decisions that impact the entity’s compliance with this Act.

(b) A certification submitted under subsection (a) shall be based on a review of the effectiveness of a large data holder’s internal controls and reporting structures that is conducted by the certifying officers not more than 90 days before the submission of the certification.

(c) Designation of privacy and data security officers.
    (1) A covered entity and a service provider shall designate—
        (A) 1 or more qualified employees as privacy officers; and
        (B) 1 or more qualified employees (in addition to any employee designated under subparagraph (A)) as data security officers.
    (2) An employee who is designated by a covered entity or a service provider as a privacy officer or a data security officer shall, at a minimum—
        (A) implement a data privacy program and data security program to safeguard the privacy and security of covered data in compliance with the requirements of this Act; and
        (B) facilitate the covered entity or service provider’s ongoing compliance with this Act.
    (3) A large data holder shall designate at least 1 of the officers described in paragraph (1) of this subsection to report directly to the highest official at the large data holder as a privacy protection officer who shall, in addition to the requirements in paragraph (2), either directly or through a supervised designee or designees—
        (A) establish processes to periodically review and update the privacy and security policies, practices, and procedures of the large data holder, as necessary;
        (B) conduct biennial and comprehensive audits to ensure the policies, practices, and procedures of the large data holder work to ensure the company is in compliance with all applicable laws and ensure such audits are accessible to the Commission upon such request;
        (C) develop a program to educate and train employees about compliance requirements;
        (D) maintain updated, accurate, clear, and understandable records of all privacy and data security practices undertaken by the large data holder; and
        (E) serve as the point of contact between the large data holder and enforcement authorities.

(d) Large data holder privacy impact assessments.
    (1) Not later than 1 year after the date of enactment of this Act or 1 year after the date that a covered entity or service provider first meets the definition of large data holder, whichever is earlier, and biennially thereafter, each large data holder shall conduct a privacy impact assessment that weighs the benefits of the large data holder’s covered data collecting, processing, and transfer practices against the potential adverse consequences of such practices to individual privacy.
    (2) A privacy impact assessment required under paragraph (1) shall be—
        (A) reasonable and appropriate in scope given—
            (i) the nature of the covered data collected, processed, and transferred by the large data holder;
            (ii) the volume of the covered data collected, processed, and transferred by the large data holder; and
            (iii) the potential risks posed to the privacy of individuals by the collecting, processing, and transfer of covered data by the large data holder;
        (B) documented in written form and maintained by the large data holder unless rendered out of date by a subsequent assessment conducted under paragraph (1); and
        (C) approved by the privacy protection officer designated in subsection (c)(3) of the large data holder.
    (3) In assessing the privacy risks, including substantial privacy risks, the large data holder may include reviews of the means by which technologies, including blockchain and distributed ledger technologies and other emerging technologies, are used to secure covered data.