Sec. 114. Privacy-enhancing technology pilot program
889 words·~4 min read·
/bill/118/hr/8818/ih/section-114·A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
In this section, the term privacy-enhancing technology — means any software or hardware solution, cryptographic algorithm, or other technical process of extracting the value of information without substantially reducing the privacy and security of the information; and includes technologies with functionality similar to homomorphic encryption, differential privacy, zero-knowledge proofs, synthetic data generation, federated learning, and secure multi-party computation. Not later than 1 year after the date of the enactment of this Act, the Commission shall establish and carry out a pilot program to encourage private sector use of privacy-enhancing technologies for the purposes of protecting covered data to comply with section 109.
Under the pilot program established under subsection (b), the Commission shall— develop and implement a petition process for covered entities to request to be a part of the pilot program; and build an auditing system that leverages privacy-enhancing technologies to support the enforcement actions of the Commission. A covered entity wishing to be accepted into the pilot program established under subsection
(b)shall demonstrate to the Commission that the privacy-enhancing technologies to be used under the pilot program by the covered entity will establish data security practices that meet or exceed all or some of the requirements in section 109. If the covered entity demonstrates the privacy-enhancing technologies meet or exceed the requirements in section 109, the Commission may accept the covered entity to be a part of the pilot program. If the Commission does not accept a covered entity to be a part of the pilot program, the Commission shall provide an adequate response to the covered entity detailing why the covered entity was not accepted, and the covered entity may subsequently revise the petition of the covered entity to address any deficiencies indicated by the Commission in the response of the Commission to the covered entity. In carrying out the pilot program established under subsection (b), the Commission shall— receive input from private, public, and academic stakeholders; and develop ongoing public and private sector engagement, in consultation with the Secretary of Commerce, to disseminate voluntary, consensus-based resources to increase the integration of privacy-enhancing technologies in data collection, sharing, and analytics by the public and private sectors. The Commission shall terminate the pilot program established under subsection
(b)not later than 10 years after the commencement of the program. The Comptroller General of the United States shall conduct a study— to assess the progress of the pilot program established under subsection (b); to determine the effectiveness of using privacy-enhancing technologies at the Commission to support oversight of the data security practices of covered entities; and to develop recommendations to improve and advance privacy-enhancing technologies, including by improving communication and coordination between covered entities and the Commission to increase implementation of privacy-enhancing technologies by such entities and the Commission. Not later than 3 years after the date of the enactment of this Act, the Comptroller General shall brief the Committee on Energy and Commerce of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate on the initial results of the study conducted under paragraph (1). Not later than 240 days after the date on which the briefing required by paragraph
(2)is conducted, the Comptroller General shall submit to the Committee on Energy and Commerce of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate a final report setting forth the results of the study conducted under paragraph (1), including the recommendations developed under subparagraph
(C)of such paragraph. The Commission shall, on an ongoing basis, audit covered entities who have been accepted to be part of the pilot program established under subsection
(b)to determine whether such a covered entity is maintaining the use and implementation of privacy-enhancing technologies to secure covered data. If at any time the Commission determines that a covered entity accepted to be a part of the pilot program established under subsection
(b)is no longer maintaining the use of privacy-enhancing technologies, the Commission shall notify the covered entity of the determination of the Commission to withdraw approval for the covered entity to be a part of the pilot program and the basis for doing so. Not later than 180 days after the date on which a covered entity receives such notice, the covered entity may cure any alleged deficiency with the use of privacy-enhancing technologies and submit each proposed cure to the Commission. If the Commission determines that such cures eliminate alleged deficiencies with the use of privacy-enhancing technologies, the Commission may not withdraw the approval of the covered entity to be a part of the pilot program on the basis of such deficiencies. Any covered entity that petitions, and is accepted, to be part of the pilot program established under subsection (b), actively implements and maintains the use of privacy-enhancing technologies, and is determined by the Commission to be in compliance with the program shall— for any action under section 115 or 116 for a violation of section 109, be deemed to be in compliance with section 109 with respect to the covered data subject to the privacy-enhancing technologies; and for any action under section 117 for a violation of section 109, be entitled to a rebuttable presumption that such entity is in compliance with section 109 with respect to the covered data subject to the privacy-enhancing technologies.