Sec. 502. Limitation on law enforcement purchase of personal data from data brokers
2,112 words·~10 min read·
/bill/118/s/3961/is/section-502A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
Section 2702 of title 18, United States Code, is amended by adding at the end the following: In this subsection and subsection (f)— the term covered governmental entity means a law enforcement agency of a governmental entity; the term covered organization means a person who— is not a governmental entity; and is not an individual; the term covered person means an individual who— is reasonably believed to be located inside the United States at the time of the creation of the covered personal data; or is a United States person, as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978 ( 50 U.S.C. 1801 ); the term covered personal data means personal data relating to a covered person; the term electronic device has the meaning given the term computer in section 1030(e); the term lawfully obtained public data means personal data obtained by a particular covered organization that the covered organization— reasonably understood to have been voluntarily made available to the general public by the covered person; and obtained in compliance with all applicable laws, regulations, contracts, privacy policies, and terms of service; the term obtain in exchange for anything of value means to obtain by purchasing, to receive in connection with services being provided for monetary or nonmonetary consideration, or to otherwise obtain in exchange for consideration, including an access fee, service fee, maintenance fee, or licensing fee; and the term personal data — means data, derived data, or any unique identifier that is linked to, or is reasonably linkable to, an individual or to an electronic device that is linked to, or is reasonably linkable to, 1 or more individuals in a household; includes anonymized data that, if combined with other data, can be linked to, or is reasonably linkable to, an individual or to an electronic device that identifies, is linked to, or is reasonably linkable to 1 or more individuals in a household; and does not include— data that is lawfully available through Federal, State, or local government records or through widely distributed media; or a specific communication or transaction with a targeted individual who is not a covered person.
Subject to clauses
(ii)through (x), a covered governmental entity may not obtain in exchange for anything of value covered personal data if— the covered personal data is directly or indirectly obtained from a covered organization; or the covered personal data is derived from covered personal data that was directly or indirectly obtained from a covered organization. A covered governmental entity may obtain in exchange for something of value covered personal data as part of a larger compilation of data which includes personal data about persons who are not covered persons, if— the covered governmental entity is unable through reasonable means to exclude covered personal data from the larger compilation obtained; and the covered governmental entity minimizes any covered personal data from the larger compilation, in accordance with subsection (f). Clause
(i)shall not apply to covered personal data that is obtained by a covered governmental entity under a program established by an Act of Congress under which a portion of a penalty or a similar payment or bounty is paid to an individual who discloses information about an unlawful activity to the Government, such as the program authorized under section 7623 of the Internal Revenue Code of 1986 (relating to awards to whistleblowers in cases of underpayments or fraud). Clause
(i)shall not apply to covered personal data that is obtained by a covered governmental entity from a covered organization in accordance with compulsory legal process that— is established by a Federal or State statute; and provides for the reimbursement of costs of the covered organization that are incurred in connection with providing the record or information to the covered governmental entity, such as the reimbursement of costs under section 2706. Clause
(i)shall not apply to covered personal data about an employee of, or applicant for employment by, a covered governmental entity that is— obtained by the covered governmental entity for employment-related purposes; accessed and used by the covered governmental entity only for employment-related purposes; and destroyed at such time as the covered personal data is no longer needed for employment-related purposes. Clause
(i)shall not apply to covered personal data about a covered person that is— obtained by a covered governmental entity for purposes of conducting a background check of the covered person with the written consent of the covered person; accessed and used by the covered governmental entity only for background check-related purposes; and destroyed at such time as the covered personal data is no longer needed for background check-related purposes. Clause
(i)shall not apply to covered personal data that is obtained by a covered governmental entity if— the covered personal data is lawfully obtained public data; or the covered personal data is derived from covered personal data that solely consists of lawfully obtained public data. Clause
(i)shall not apply to covered personal data that is obtained by a covered governmental entity if there is a reasonable belief than an emergency exists involving an imminent threat of death or serious bodily harm to a covered person and the covered data is necessary to mitigate that threat, provided that— access to and use of the covered personal data is limited to addressing the threat; and the covered personal data is destroyed at such time as it is no longer necessary for such purpose. Clause
(i)shall not apply to covered personal data that is obtained by a covered governmental entity for the purpose of supporting compliance with collection limitations and minimization requirements imposed by statute, guidelines, procedures, or the Constitution of the United States, provided that— access to and use of the covered personal data is limited to such purpose; and the covered personal data is destroyed at such time as it is no longer necessary for such purpose. Clause
(i)shall not apply to covered personal data that is obtained by a covered governmental entity if— each covered person linked or reasonably linkable to the covered personal data, or, if such covered person is incapable of providing consent, a third party legally authorized to consent on behalf of the covered person, has provided consent to the acquisition and use of the data on a case-by-case basis; access to and use of the covered personal data is limited to the purposes for which the consent was provided; and the covered personal data is destroyed at such time as it is no longer necessary for such purposes. The limitation under subparagraph
(A)shall apply without regard to whether the covered organization possessing the covered personal data is the covered organization that initially obtained or collected, or is the covered organization that initially received the disclosure of, the covered personal data. An agency of a governmental entity that is not a covered governmental entity may not provide to a covered governmental entity covered personal data that was obtained in a manner that would violate paragraph
(2)if the agency of a governmental entity were a covered governmental entity, unless the covered governmental entity would have been permitted to obtain the covered personal data under an exception set forth in paragraph (2)(A). Covered personal data obtained by or provided to a covered governmental entity in violation of paragraph
(2)or (3), and any evidence derived therefrom, may not be used, received in evidence, or otherwise disseminated by, on behalf of, or upon a motion or other action by a covered governmental entity in any investigation by or in any trial, hearing, or other proceeding in or before any court, grand jury, department, officer, agency, regulatory body, legislative committee, or other authority of the United States, a State, or a political subdivision thereof. Nothing in subparagraph
(A)shall be construed to limit the use of covered personal data by a covered person aggrieved of a violation of paragraph
(2)or
(3)in connection with any action relating to such a violation. The Attorney General shall adopt specific procedures that are reasonably designed to minimize the acquisition and retention, and to restrict the querying, of covered personal data, and prohibit the dissemination of information derived from covered personal data. The procedures adopted under paragraph
(1)shall require covered governmental entities to exhaust all reasonable means— to exclude covered personal data that is not subject to 1 or more of the exceptions set forth in clauses
(iii)through
(x)of subsection (e)(2)(A) from the data obtained; and to remove and delete covered personal data described in subparagraph
(A)not subject to 1 or more exceptions set forth in clauses
(iii)through
(x)of subsection (e)(2)(A) after a compilation is obtained and before operational use of the compilation or inclusion of the compilation in a dataset intended for operational use. The procedures adopted under paragraph
(1)shall require that, if a covered governmental entity identifies covered personal data in a compilation described in clause
(ii)of subsection (e)(2)(A) not subject to 1 or more exceptions set forth in clauses
(iii)through
(x)of such subsection, the covered governmental entity shall promptly destroy the covered personal data and any dissemination of information derived from the covered personal data shall be prohibited. Except as provided in subparagraphs
(B)and (C), no officer or employee of a covered governmental entity may conduct a query of personal data, including personal data already subjected to minimization, in an effort to find records of or about a particular covered person. Subparagraph
(A)shall not apply to a query related to a particular covered person if— such covered person is the subject of a court order or emergency authorization issued under this title that would authorize the covered governmental entity to compel the production of the covered personal data, during the effective period of that order; the purpose of the query is to retrieve information obtained by a covered governmental entity under a program established by an Act of Congress under which a portion of a penalty or a similar payment or bounty is paid to an individual who discloses information about an unlawful activity to the Government, such as the program authorized under section 7623 of the Internal Revenue Code of 1986 (relating to awards to whistleblowers in cases of underpayments or fraud), provided that any covered personal data accessed through such query is used only for such purpose; the purpose of the query is to retrieve information about an employee of, or applicant for employment by, a covered governmental entity that has been obtained by the covered governmental entity for employment-related purposes, provided that any covered personal data accessed through such query is used only for such purposes; the purpose of the query is to retrieve information obtained by a covered governmental entity for purposes of conducting a background check of the covered person with the written consent of the covered person, provided that any covered personal data accessed through such query is used only for such purposes; the purpose of the query is to retrieve, and the query is reasonably designed to retrieve, only lawfully obtained public data, and only lawfully obtained public data is accessed and used as a result of the query; the officer or employee of a covered governmental entity carrying out the query has a reasonable belief that an emergency exists involving an imminent threat of death or serious bodily harm, and in order to prevent or mitigate that threat, the query must be conducted before a court order can, with due diligence, be obtained, provided that any covered personal data accessed through such query is used only for such purpose; the query is conducted for the purpose of supporting compliance with collection limitations and minimization requirements imposed by statute, guidelines, procedures, or the Constitution of the United States, provided that any covered personal data accessed through such query is used only for such purpose; or such covered person or, if such covered person is incapable of providing consent, a third party legally authorized to consent on behalf of the covered person has consented to the query, provided that any use of covered personal data accessed through such query is limited to the purposes for which the consent was provided. For a query of a compilation of data obtained under subsection (e)(2)(A)(ii)— each query shall be reasonably designed to exclude personal data of covered persons, unless the query is subject to an exception set forth in subparagraph (B); and any personal data of covered persons returned pursuant to a query that is not subject to an exception set forth in clauses
(ii)through
(iii)of subsection (e)(2)(A) shall not be reviewed and shall immediately be destroyed. .
Connectionstraces to 1
Traces to 1 document
U.S. Code
Citation graph
cites case law
Sec. 502
Limitation on law enforcement purchase of personal data from data brokers
Cites 1Cited by 0 across 0 sources