Tap any paragraph to write a margin note. Your notes collect in the Desk below the text and file under cases with @. The side-by-side margin rail opens on a larger screen.

Code · BILL · 119th Congress · H.R. 8014 (Introduced in House) — To provide for individual rights relating to privacy of personal information, to establish privacy and security requi... · Sec. 204

Sec. 204. Disclosing to entities not subject to United States jurisdiction or not compliant with this Act

948 words·~4 min read·/bill/119/hr/8014/ih/section-204·

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

A covered entity may not intentionally disclose personal information to any entity that— is not subject to the jurisdiction of the United States; or is not in compliance with all requirements of this Act. Notwithstanding subsection (a), a covered entity may disclose personal information where that personal information is limited to an identifier created primarily for the purpose of sending or receiving electronic communications and the sole purpose of disclosing is to send or receive an electronic communication at the request of the individual whose personal information is being disclosed.
Notwithstanding subsection (a), a covered entity may disclose personal information to another covered entity (the receiving covered entity) that is not subject to the jurisdiction of the United States if either— the receiving covered entity has entered into an agreement, as described in subsection (e), with the Digital Privacy Agency, and— the covered entity has a reasonable belief that the receiving covered entity is sufficiently solvent to compensate victims or pay fines for violations of this Act; a contract between the covered entity and receiving covered entity requires that the receiving covered entity complies with this Act, and the covered entity has reason to believe the receiving covered entity is compliant with this Act; and a contract between the covered entity and the receiving covered entity prohibits the receiving covered entity from using the disclosed personal information for any purpose other than provided in the contract; or the covered entity has— entered into an agreement with the receiving covered entity that— requires the receiving covered entity to comply with this Act; prohibits the receiving covered entity from using the disclosed personal information for any purpose other than provided in the contract; requires the receiving covered entity to indemnify the covered entity against violations of this Act committed by the receiving covered entity for any amount the covered entity is unable to pay of a judgment for such violation; grants the covered entity the authority to audit, including physical access to electronic devices and data, the receiving covered entity’s compliance with this Act and the contract; and requires the receiving covered entity to assist the covered entity in responding to and complying with any court orders, Digital Privacy Agency orders, or the exercising of an individual’s rights under this Act; actual knowledge that the receiving covered entity is in compliance with this Act and not using personal information contrary to their agreement; actual knowledge that the receiving covered entity is sufficiently solvent to compensate victims or pay fines for violations of this Act; an auditing and compliance program to ensure the receiving covered entity’s continued compliance with this Act and contract terms; filed with the Digital Privacy Agency the terms of said contract, proof of its actual knowledge of the receiving covered entity’s compliance with this Act and contract terms, and documents detailing its auditing and compliance program for approval and publication by the Digital Privacy Agency; and entered into an agreement with the Digital Privacy Agency where the covered entity agrees to accept, respond to, or comply with a court order, Digital Privacy Agency order, or request by an individual regarding actions taken by the receiving covered entity with respect to covered information it has disclosed.
For the purposes of subsection (c)(2), the covered entity shall be jointly liable for a violation of this Act by the receiving covered entity regarding the personal information the covered entity disclosed, except where the covered entity was the first to notify the Digital Privacy Agency of the violation, in which case, it shall be severally liable. Where the covered entity should reasonably have known of a violation of this Act by the receiving covered entity and fails to disclose the violation to the Digital Privacy Agency, each day of continuance of the failure to report such violation shall be treated as a separate violation.
Upon the request of a covered entity not subject to the jurisdiction of the United States, the Digital Privacy Agency shall enter into an agreement with the covered entity that includes, but is not limited to, the following conditions: The principal place of business for the covered entity must be in a country that allows for the domestication of a United States court decision for civil fines payable to a government entity and injunctive relief. Where a foreign court refuses to enforce a United States court decision under this Act, the agreement, and all other agreements with covered entities with a principal place of business in the same jurisdiction, shall be void.
The covered entity agrees to comply with this Act. The covered entity agrees to be subject to this Act with choice of venue being a United States court. The covered entity agrees to comply with Digital Privacy Agency investigative requests or orders, and United States court orders or decisions under this Act. The covered entity consents to United States Federal court personal jurisdiction for the sole purpose of enforcing this Act. Where enforcement of the decision requires the use of a foreign court, the covered entity agrees to pay reasonable attorney fees necessary to enforce the judgment.
A default judgment, failure to comply with Digital Privacy Agency investigative requests or orders, or failure to comply with United States court orders or decisions shall result in the immediate termination of the agreement. Nothing in this section shall be construed to require the localization of processing or maintaining personal information by a covered entity to within the United States, or limit internal disclosing of personal information within a covered entity or to subsidiary or corporate affiliate of such covered entity, regardless of the country in which the covered entity will process, disclose, or maintain that personal information.
★   the supreme law of the land   ★
Don't Tread on Me
E Pluribus Unum — out of many, one

"If you don't know your rights, you don't have any."

Marginalia · a citizen's law index
A research desk, not legal advice. Always read the cited source before relying on a summary.
Questions or an issue? support@self-law.org
disclaimerMarginalia is a research index, not a law firm. Nothing on this site is legal, tax, or financial advice and no attorney–client relationship is formed by using it. Statutes, regulations, and case law change; summaries, search results, AI output, and member posts may be incomplete, out of date, or wrong. Any interpretation drawn from material on this site should be validated by a licensed attorney in your jurisdiction before you act on it.