SEC. 114. PRIVACY-ENHANCING TECHNOLOGY PILOT PROGRAM.
(a) Privacy-Enhancing Technology Defined.—In this section, the term “privacy-enhancing technology”—
(1) means any software or hardware solution, cryptographic algorithm, or other technical process of extracting the value of information without substantially reducing the privacy and security of the information; and
(2) includes technologies with functionality similar to homomorphic encryption, differential privacy, zero-knowledge proofs, synthetic data generation, federated learning, and secure multi-party computation.
(b) Establishment.—Not later than 1 year after the date of the enactment of this Act, the Commission shall establish and carry out a pilot program to encourage private sector use of privacy-enhancing technologies for the purposes of protecting covered data to comply with section 109.
(c) Purposes.—Under the pilot program established under subsection (b), the Commission shall—
(1) develop and implement a petition process for covered entities to request to be a part of the pilot program; and
(2) build an auditing system that leverages privacy-enhancing technologies to support the enforcement actions of the Commission.
(d) Petition Process.—A covered entity wishing to be accepted into the pilot program established under subsection (b) shall demonstrate to the Commission that the privacy-enhancing technologies to be used under the pilot program by the covered entity will establish data security practices that meet or exceed all or some of the requirements in section 109. If the covered entity demonstrates the privacy-enhancing technologies meet or exceed the requirements in section 109, the Commission may accept the covered entity to be a part of the pilot program. If the Commission does not accept a covered entity to be a part of the pilot program, the Commission shall provide an adequate response to the covered entity detailing why the covered entity was not accepted, and the covered entity may subsequently revise the petition of the covered entity to address any deficiencies indicated by the Commission in the response of the Commission to the covered entity.
(e) Requirements.—In carrying out the pilot program established under subsection (b), the Commission shall—
(1) receive input from private, public, and academic stakeholders; and
(2) develop ongoing public and private sector engagement, in consultation with the Secretary of Commerce, to disseminate voluntary, consensus-based resources to increase the integration of privacy-enhancing technologies in data collection, sharing, and analytics by the public and private sectors.
(f) Conclusion Of Pilot Program.—The Commission shall terminate the pilot program established under subsection (b) not later than 10 years after the commencement of the program.(g) Study Required.—
(1) IN GENERAL.—The Comptroller General of the United States shall conduct a study—
(A) to assess the progress of the pilot program established under subsection (b);
(B) to determine the effectiveness of using privacy-enhancing technologies at the Commission to support oversight of the data security practices of covered entities; and
(C) to develop recommendations to improve and advance privacy-enhancing technologies, including by improving communication and coordination between covered entities and the Commission to increase implementation of privacy-enhancing technologies by such entities and the Commission.
(2) INITIAL BRIEFING.—Not later than 3 years after the date of the enactment of this Act, the Comptroller General shall brief the Committee on Energy and Commerce of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate on the initial results of the study conducted under paragraph (1).
(3) FINAL REPORT.—Not later than 240 days after the date on which the briefing required by paragraph (2) is conducted, the Comptroller General shall submit to the Committee on Energy and Commerce of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate a final report setting forth the results of the study conducted under paragraph (1), including the recommendations developed under subparagraph (C) of such paragraph.
(h) Audit Of Covered Entities.—The Commission shall, on an ongoing basis, audit covered entities who have been accepted to be part of the pilot program established under subsection (b) to determine whether such a covered entity is maintaining the use and implementation of privacy-enhancing technologies to secure covered data.
(i) Withdrawal From The Pilot Program.—If at any time the Commission determines that a covered entity accepted to be a part of the pilot program established under subsection (b) is no longer maintaining the use of privacy-enhancing technologies, the Commission shall notify the covered entity of the determination of the Commission to withdraw approval for the covered entity to be a part of the pilot program and the basis for doing so. Not later than 180 days after the date on which a covered entity receives such notice, the covered entity may cure any alleged deficiency with the use of privacy-enhancing technologies and submit each proposed cure to the Commission. If the Commission determines that such cures eliminate alleged deficiencies with the use of privacy-enhancing technologies, the Commission may not withdraw the approval of the covered entity to be a part of the pilot program on the basis of such deficiencies.
(j) Limitations On Liability.—Any covered entity that petitions, and is accepted, to be part of the pilot program established under subsection (b), actively implements and maintains the use of privacy-enhancing technologies, and is determined by the Commission to be in compliance with the program shall—
(1) for any action under section 115 or 116 for a violation of section 109, be deemed to be in compliance with section 109 with respect to the covered data subject to the privacy-enhancing technologies; and
(2) for any action under section 117 for a violation of section 109, be entitled to a rebuttable presumption that such entity is in compliance with section 109 with respect to the covered data subject to the privacy-enhancing technologies.SEC. 115. ENFORCEMENT BY FEDERAL TRADE COMMISSION.
(a) New Bureau.—
(1) IN GENERAL.—Subject to the availability of appropriations, the Commission shall establish, within the Commission, a new bureau comparable in structure, size, organization, and authority to the existing bureaus within the Commission related to consumer protection and competition.
(2) MISSION.—The mission of the bureau established under this subsection shall be to assist the Commission in exercising the authority of the Commission under this title and related authorities.
(3) STAFF.—
(A) IN GENERAL.—In staffing the bureau established under this subsection, the Commission shall ensure the allocation of full time employees or full time employee equivalents that include attorneys, economists, investigators, technologists, and mental health professionals with experience in the well-being of children and teens.
(B) TECHNOLOGIST DEFINED.—For the purposes of this paragraph, the term “technologist” means an individual with training and expertise with respect to technology, including state-of-the art information technology, network or data security, hardware or software development, privacy-enhancing technologies, cryptography, computer science, data science, advertising technology, web tracking, machine learning, and other related fields and applications.
(4) TIMELINE.—The bureau established under this subsection shall be established, staffed, and fully operational not later than 180 days after the date of the enactment of this Act.
(b) Enforcement By Commission.—
(1) UNFAIR OR DECEPTIVE ACTS OR PRACTICES.—A violation of this title or a regulation promulgated under this title shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
(2) POWERS OF COMMISSION.—
(A) IN GENERAL.—Except as provided in paragraph (3) or otherwise provided in this title, the Commission shall enforce this title and the regulations promulgated under this title in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this title.
(B) PRIVILEGES AND IMMUNITIES.—Any entity that violates this title or a regulation promulgated under this title shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act (15 U.S.C. 41 et seq.).
(3) COMMON CARRIERS AND NONPROFITS.—Notwithstanding section 4, 5(a)(2), or 6 of the Federal Trade Commission Act (15 U.S.C. 44; 45(a)(2); 46) or any jurisdictional limitation of the Commission, the Commission shall also enforce this title, and the regulations promulgated under this title, in the same manner provided in paragraphs (1) and (2) of this subsection with respect to—
(A) common carriers subject to title II of the Communications Act of 1934 (47 U.S.C. 201 et seq.); and
(B) organizations not organized to carry on business for their own profit or that of their members.
(4) PENALTY OFFSET FOR STATE OR INDIVIDUAL ACTIONS.—Any amount that a court orders an entity to pay in an action brought under this subsection shall be offset by any amount a court has ordered the entity to pay in an action brought against the entity for the same violation under section 116 or 117.
(5) PRIVACY AND SECURITY VICTIMS RELIEF FUND.—
(A) ESTABLISHMENT OF VICTIMS RELIEF FUND.—There is established in the Treasury of the United States a separate fund to be known as the “Privacy and Security Victims Relief Fund” (in this paragraph referred to as the “Victims Relief Fund”).
(B) DEPOSITS.—The Commission or the Attorney General of the United States, as applicable, shall deposit into the Victims Relief Fund the amount of any civil penalty obtained in any civil action the Commission, or the Attorney General on behalf of the Commission, commences to enforce this title or a regulation promulgated under this title.
(C) USE OF FUND AMOUNTS.—
(i) AVAILABILITY TO THE COMMISSION.—Notwithstanding section 3302 of title 31, United States Code, amounts in the Victims Relief Fund shall be available to the Commission, without fiscal year limitation, to provide redress, damages, payments or compensation, or other monetary relief to persons affected by an act or practice for which civil penalties, other monetary relief, or any other forms of relief (including injunctive relief) have been ordered in a civil action or administrative proceeding the Commission commences, or in any civil action the Attorney General of the United States commences on behalf of the Commission, to enforce this title or a regulation promulgated under this title.
(ii) OTHER PERMISSIBLE USES.—To the extent that individuals cannot be located or such redress, damages, payments or compensation, or other monetary relief are otherwise not practicable, the Commission may use amounts in the Victims Relief Fund for the purpose of—
(I) consumer or business education relating to data privacy or data security; or
(II) engaging in technological research that the Commission considers necessary to implement this title, including promoting privacy-enhancing technologies that promote compliance with this title.
(D) CALCULATION.—Any amount that the Commission provides to a person as redress, payments or compensation, or other monetary relief under subparagraph (C) with respect to a violation by an entity shall be offset by any amount the person received from an action brought against the entity for the same violation under section 116 or 117.
(E) RULE OF CONSTRUCTION.—Amounts collected and deposited in the Victims Relief Fund may not be construed to be Government funds or appropriated monies and may not be subject to apportionment for the purpose of chapter 15 of title 31, United States Code, or under any other authority.(c) Report.—
(1) IN GENERAL.—Not later than 4 years after the date of the enactment of this Act, and annually thereafter, the Commission shall submit to Congress a report describing investigations conducted during the prior year with respect to violations of this title, including—
(A) the number of such investigations the Commission commenced;
(B) the number of such investigations the Commission closed with no official agency action;
(C) the disposition of such investigations, if such investigations have concluded and resulted in official agency action; and
(D) for each investigation that was closed with no official agency action, the industry sectors of the covered entities subject to each investigation.
(2) PRIVACY PROTECTIONS.—A report required under paragraph (1) may not include the identity of any person who is the subject of an investigation or any other information that identifies such a person.
(3) ANNUAL PLAN.—Not later than 540 days after the date of the enactment of this Act, and annually thereafter, the Commission shall submit to Congress a plan for the next calendar year describing the projected activities of the Commission under this title, including—
(A) the policy priorities of the Commission and any changes to the previous policy priorities of the Commission;
(B) any rulemaking proceedings projected to be commenced, including any such proceedings to amend or repeal a rule;
(C) any plans to develop, update, or withdraw guidelines or guidance required under this title;
(D) any plans to restructure the Commission; and
(E) projected dates and timelines, or changes to projected dates and timelines, associated with any of the requirements under this title.