S5579-118

1. Short title This Act may be cited as the Auto Data Privacy and Autonomy Act.

2. Definitions In this Act: The term Commission means the Federal Trade Commission. The term covered vehicle means a motor vehicle or a vehicle primarily used for farming or construction. The term Director means the Director of the National Institute of Standards and Technology. The term motor vehicle has the same meaning given such term in section 30102(a) of title 49, United States Code, and includes a motor vehicle trailer. The term operator data means— all electronic data generated or processed onboard a covered vehicle, such as data generated by sensors, receivers, computer processing units, or other vehicle components; and data stored in a covered vehicle generated by the user of such covered vehicle. The term personally identifiable information means information that— directly identifies an individual such as the name, address, social security number or other identifying number or code, telephone number, or email address of an individual; indirectly identifies an individual such as the gender, race, or date of birth of an individual; or reveals the physical location or internet activity of an individual. The term Secretary means the Secretary of Transportation. The term secure means, with respect to the interface for access and control of operator data described in section 4(c), designed to prevent malicious or unauthorized use or access of such data. The term technology-neutral means, with respect to the interface for access and control of operator data described in section 4(c), designed without preference or prejudice towards any technology or service used to access and control such data by a covered vehicle owner, and not contingent on ownership or licensing of proprietary technologies by a covered vehicle owner or manufacturer. The term user preference means any choice with respect to a configurable setting of a covered vehicle made by or for the benefit of the owner or user of such covered vehicle.

3. Operator data privacy and security A manufacturer of a covered vehicle may not, with respect to the covered vehicle of a covered vehicle owner that is manufactured by such manufacturer— access operator data, unless— the covered vehicle owner affirmatively consents to such manufacturer accessing such data and such consent— is freely given; is informed, specific, and unambiguous; is in writing; and may be easily withdrawn; or such data is accessed solely to improve covered vehicle performance or safety; sell, lease, or otherwise share operator data, unless— required to do so— pursuant to a lawfully executed warrant; pursuant to a court order that provides the covered vehicle owner notice of the order and at least 48 hours to object and request a hearing; or to facilitate an emergency response; or expressly permitted to do so by the covered vehicle owner or, in the event of the death or incapacity of such person, the next of kin of such owner; or sell, license, rent, trade, transfer, release, disclose, provide access to, or otherwise make available personally identifiable information of a United States citizen or lawful permanent resident to the following: The Democratic People’s Republic of Korea. The People’s Republic of China. The Russian Federation. The Islamic Republic of Iran. The Bolivarian Republic of Venezuela. Not later than 180 days after the date of the enactment of this Act, the Commission shall submit to Congress a report that describes, with respect to operator data— the types of such data that a manufacturer of a covered vehicle accesses; the individuals and entities, other than a manufacturer of a covered vehicle, that access such data; the Federal or State government entities that access such data and how such entities use such data; the individuals and entities to whom such data may be sold or otherwise shared; the foreign governments to whom such data may be sold or otherwise shared and how such data is used by such foreign governments; the cybersecurity capabilities and risks associated with covered vehicles; and occurrences of such data being compromised, including the prevalence of such occurrences and any entities with ties to foreign governments associated with such occurrences. In completing the report required under paragraph (1), the Commission shall consult with— the Attorney General; the Secretary of Homeland Security; the Secretary of Transportation; and the Federal Communications Commission.

4. Operator data access A manufacturer of a covered vehicle shall provide to a covered vehicle owner access to, and control of, operator data— at no cost beyond the purchase price of such vehicle; without any restriction or limitation, consistent with subsection (c); and without a requirement that the covered vehicle owner— pay a fee or purchase a license to decrypt operator data; or use a device provided by such manufacturer to access and use operator data. To facilitate the access and control of operator data described in subsection (a), a manufacturer of a covered vehicle shall enable the operation of open application programming interfaces that— facilitate deletion of all data stored in a covered vehicle generated by the user of such covered vehicle; and enable the setting of any user preference by the covered vehicle owner or another user of the covered vehicle. The manufacturer of a covered vehicle shall provide to a covered vehicle owner the access and control required by subsection (a) by means of a technology-neutral and secure interface that meets the standards set by the Commission pursuant to section 5.

5. Standards Not later than 180 days after the date of enactment of this Act, the Commission shall submit to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Energy and Commerce of the House of Representatives a report on the current practices employed for operator data generation, storage, transmission, and cybersecurity. Not later than 1 year after the date on which the Commission submits the report under subsection (a), the Commission shall, in coordination with the Director, relevant industry stakeholders, including manufacturers of covered vehicles and covered vehicle owners, and with other agencies as necessary, establish 1 or more standards for the technology-neutral, standards-based, secure interface required by section 4(c). Not later than 5 years after the date on which the Commission, in coordination with the Director, establishes the standards required under subsection (b), and not less frequently than once every 5 years thereafter, the Commission shall review and revise such standards as appropriate.

6. Enforcement A violation of this Act shall be treated as a violation of a rule defining an unfair or deceptive act or practice under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)). The Commission shall enforce this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act. Any person who violates this Act shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act (15 U.S.C. 41 et seq.). Nothing in this Act shall be construed to limit the authority of the Commission under any other provision of law.

7. Relation to other laws This Act supersedes any statute, rule, requirement, or other legal obligation of a State or political subdivision thereof, or any Federal law or regulation, that relates to the requirements in this Act.

8. Disclosure of confidential business information Except as provided in section 4, nothing in this Act shall require a manufacturer of a covered vehicle to divulge confidential business information (as that term is defined in section 512.3(c) of title 49, Code of Federal Regulations).

9. Effective date This Act shall take effect on the date that is 3 months after the date of enactment of this Act.

10. No new appropriations The Commission shall carry out this Act using unobligated funds appropriated to the Commission and available as of the date of the enactment of this Act.