OLL19293 S.L.C.

116TH CONGRESS
1ST SESSION

S. ____

To direct the Federal Trade Commission to require entities that use, store, or share personal information to conduct automated decision system impact assessments and data protection impact assessments.

IN THE SENATE OF THE UNITED STATES

__________

Mr. WYDEN (for himself and Mr. BOOKER) introduced the following bill; which was read twice and referred to the Committee on __________

A BILL

To direct the Federal Trade Commission to require entities that use, store, or share personal information to conduct automated decision system impact assessments and data protection impact assessments.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the “Algorithmic Accountability Act of 2019”.

SEC. 2. DEFINITIONS.

In this Act:

(1) AUTOMATED DECISION SYSTEM.—The term “automated decision system” means a computational process, including one derived from machine learning, statistics, or other data processing or artificial intelligence techniques, that makes a decision or facilitates human decision making, that impacts consumers.
(2) AUTOMATED DECISION SYSTEM IMPACT ASSESSMENT.—The term “automated decision system impact assessment” means a study evaluating an automated decision system and the automated decision system’s development process, including the design and training data of the automated decision system, for impacts on accuracy, fairness, bias, discrimination, privacy, and security that includes, at a minimum—

(A) a detailed description of the automated decision system, its design, its training, data, and its purpose;

(B) an assessment of the relative benefits and costs of the automated decision system in light of its purpose, taking into account relevant factors, including—

(i) data minimization practices;

(ii) the duration for which personal information and the results of the automated decision system are stored;

(iii) what information about the automated decision system is available to consumers;

(iv) the extent to which consumers have access to the results of the automated decision system and may correct or object to its results; and

(v) the recipients of the results of the automated decision system;

(C) an assessment of the risks posed by the automated decision system to the privacy or security of personal information of consumers and the risks that the automated decision system may result in or contribute to inaccurate, unfair, biased, or discriminatory decisions impacting consumers; and

(D) the measures the covered entity will employ to minimize the risks described in subparagraph (C), including technological and physical safeguards.

(3) COMMISSION.—The term “Commission” means the Federal Trade Commission.

(4) CONSUMER.—The term “consumer” means an individual.
(5) COVERED ENTITY.—The term “covered entity” means any person, partnership, or corporation over which the Commission has jurisdiction under section 5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 45(a)(2)) that—

(A) had greater than $50,000,000 in average annual gross receipts for the 3-taxable-year period preceding the most recent fiscal year, as determined in accordance with paragraphs (2) and (3) of section 448(c) of the Internal Revenue Code of 1986;

(B) possesses or controls personal information on more than—

(i) 1,000,000 consumers; or

(ii) 1,000,000 consumer devices;

(C) is substantially owned, operated, or controlled by a person, partnership, or corporation that meets the requirements under subparagraph (A) or (B); or

(D) is a data broker or other commercial entity that, as a substantial part of its business, collects, assembles, or maintains personal information concerning an individual who is not a customer or an employee of that entity in order to sell or trade the information or provide third-party access to the information.

(6) DATA PROTECTION IMPACT ASSESSMENT.—The term “data protection impact assessment” means a study evaluating the extent to which an information system protects the privacy and security of personal information the system processes.
(7) HIGH-RISK AUTOMATED DECISION SYSTEM.—The term “high-risk automated decision system” means an automated decision system that—

(A) taking into account the novelty of the technology used and the nature, scope, context, and purpose of the automated decision system, poses a significant risk—

(i) to the privacy or security of personal information of consumers; or

(ii) of resulting in or contributing to inaccurate, unfair, biased, or discriminatory decisions impacting consumers;

(B) makes decisions, or facilitates human decision making, based on systematic and extensive evaluations of consumers, including attempts to analyze or predict sensitive aspects of their lives, such as their work performance, economic situation, health, personal preferences, interests, behavior, location, or movements, that—

(i) alter legal rights of consumers; or

(ii) otherwise significantly impact consumers;

(C) involves the personal information of a significant number of consumers regarding race, color, national origin, political opinions, religion, trade union membership, genetic data, biometric data, health, gender, gender identity, sexuality, sexual orientation, criminal convictions, or arrests;

(D) systematically monitors a large, publicly accessible physical place; or

(E) meets any other criteria established by the Commission in regulations issued under section 3(b)(1).

(8) HIGH-RISK INFORMATION SYSTEM.—The term “high-risk information system” means an information system that—

(A) taking into account the novelty of the technology used and the nature, scope, context, and purpose of the information system, poses a significant risk to the privacy or security of personal information of consumers;

(B) involves the personal information of a significant number of consumers regarding race, color, national origin, political opinions, religion, trade union membership, genetic data, biometric data, health, gender, gender identity, sexuality, sexual orientation, criminal convictions, or arrests;

(C) systematically monitors a large, publicly accessible physical place; or

(D) meets any other criteria established by the Commission in regulations issued under section 3(b)(1).

(9) INFORMATION SYSTEM.—The term “information system”—

(A) means a process, automated or not, that involves personal information, such as the collection, recording, organization, structuring, storage, alteration, retrieval, consultation, use, sharing, disclosure, dissemination, combination, restriction, erasure, or destruction of personal information; and

(B) does not include automated decision systems.

(10) PERSONAL INFORMATION.—The term “personal information” means any information, regardless of how the information is collected, inferred, or obtained that is reasonably linkable to a specific consumer or consumer device.

(11) STORE.—The term “store”—

(A) means the actions of a person, partnership, or corporation to retain information; and

(B) includes actions to store, collect, assemble, possess, control, or maintain information.

(12) USE.—The term “use” means the actions of a person, partnership, or corporation in using information, including actions to use, process, or access information.

SEC. 3. DATA PROTECTION AUTHORITY.
(a) ACTS PROHIBITED.—It is unlawful for any covered entity to—

(1) violate a regulation promulgated under subsection (b); or

(2) knowingly provide substantial assistance to any person, partnership, or corporation whose actions violate subsection (b).

(b) REGULATIONS.—

(1) IN GENERAL.—Not later than 2 years after the date of enactment of this section, the Commission shall promulgate regulations, in accordance with section 553 of title 5, United States Code, that—

(A) require each covered entity to conduct automated decision system impact assessments of—

(i) existing high-risk automated decision systems, as frequently as the Commission determines is necessary; and

(ii) new high-risk automated decision systems, prior to implementation;

provided that a covered entity may evaluate similar high-risk automated decision systems that present similar risks in a single assessment;

(B) require each covered entity to conduct data protection impact assessments of—

(i) existing high-risk information systems, as frequently as the Commission determines is necessary; and

(ii) new high-risk information systems, prior to implementation;

provided that a covered entity may evaluate similar high-risk information systems that present similar risks in a single assessment;

(C) require each covered entity to conduct the impact assessments under subparagraphs (A) and (B), if reasonably possible, in consultation with external third parties, including independent auditors and independent technology experts; and

(D) require each covered entity to reasonably address in a timely manner the results of the impact assessments under subparagraphs (A) and (B).

(2) OPTIONAL PUBLICATION OF IMPACT ASSESSMENTS.—The impact assessments under subparagraphs (A) and (B) may be made public by the covered entity at its sole discretion.

(c) PREEMPTION OF PRIVATE CONTRACTS.—It shall be unlawful for any covered entity to commit the acts prohibited in subsection (a), regardless of specific agreements between entities or consumers.

(d) ENFORCEMENT BY THE COMMISSION.—

(1) UNFAIR OR DECEPTIVE ACTS OR PRACTICES.—A violation of subsection (a) shall be treated as a violation of a rule defining an unfair or deceptive act or practice under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).

(2) POWERS OF THE COMMISSION.—

(A) IN GENERAL.—The Commission shall enforce this section in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this section.

(B) PRIVILEGES AND IMMUNITIES.—Any person who violates subsection (a) shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act (15 U.S.C. 41 et seq.).

(C) AUTHORITY PRESERVED.—Nothing in this section shall be construed to limit the authority of the Commission under any other provision of law.

(e) ENFORCEMENT BY STATES.—

(1) IN GENERAL.—If the attorney general of a State has reason to believe that an interest of the residents of the State has been or is being threatened or adversely affected by a practice that violates subsection (a), the attorney general of the State may, as parens patriae, bring a civil action on behalf of the residents of the State in an appropriate district court of the United States to obtain appropriate relief.
(2) RIGHTS OF COMMISSION.—

(A) NOTICE TO COMMISSION.—

(i) IN GENERAL.—Except as provided in clause (iii), the attorney general of a State, before initiating a civil action under paragraph (1), shall provide written notification to the Commission that the attorney general intends to bring such civil action.

(ii) CONTENTS.—The notification required under clause (i) shall include a copy of the complaint to be filed to initiate the civil action.

(iii) EXCEPTION.—If it is not feasible for the attorney general of a State to provide the notification required under clause (i) before initiating a civil action under paragraph (1), the attorney general shall notify the Commission immediately upon instituting the civil action.

(B) INTERVENTION BY COMMISSION.—The Commission may—

(i) intervene in any civil action brought by the attorney general of a State under paragraph (1); and

(ii) upon intervening—

(I) be heard on all matters arising in the civil action; and

(II) file petitions for appeal of a decision in the civil action.

(3) INVESTIGATORY POWERS.—Nothing in this subsection may be construed to prevent the attorney general of a State from exercising the powers conferred on the attorney general by the laws of the State to conduct investigations, to administer oaths or affirmations, or to compel the attendance of witnesses or the production of documentary or other evidence.

(4) VENUE; SERVICE OF PROCESS.—

(A) VENUE.—Any action brought under paragraph (1) may be brought in—

(i) the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code; or

(ii) another court of competent jurisdiction.
(B) SERVICE OF PROCESS.—In an action brought under paragraph (1), process may be served in any district in which—

(i) the defendant is an inhabitant, may be found, or transacts business; or

(ii) venue is proper under section 1391 of title 28, United States Code.

(5) ACTIONS BY OTHER STATE OFFICIALS.—

(A) IN GENERAL.—In addition to a civil action brought by an attorney general under paragraph (1), any other officer of a State who is authorized by the State to do so may bring a civil action under paragraph (1), subject to the same requirements and limitations that apply under this subsection to civil actions brought by attorneys general.

(B) SAVINGS PROVISION.—Nothing in this subsection may be construed to prohibit an authorized official of a State from initiating or continuing any proceeding in a court of the State for a violation of any civil or criminal law of the State.

SEC. 4. NO PREEMPTION.

Nothing in this Act may be construed to preempt any State law.