# Digital Privacy & Free Speech Protection Act (DPSPA)

**118th Congress, 2nd Session**

**H.R. _____ / S. _____**

---

**A BILL**

To safeguard digital privacy rights, protect free expression online, and prevent government overreach in digital spaces while ensuring national security through lawful means.

*Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,*

## Section 1. Short Title

This Act may be cited as the "Digital Privacy & Free Speech Protection Act" or "DPSPA".

## Section 2: Purpose and Definitions

### 1.1 Purpose

This Act aims to safeguard digital privacy rights, protect free expression online, and prevent government overreach in digital spaces while ensuring national security through lawful means.

### 1.2 Definitions

- **Digital Content**: Any form of information, communication, or expression shared through electronic means
- **Content Moderation**: The practice of monitoring and regulating user-generated content
- **Government Agency**: Any federal, state, or local government entity, including contractors acting on their behalf
- **Encrypted Communication**: Data transmitted using NIST-approved end-to-end encryption protocols that meet or exceed FIPS 140-3 standards
- **Personal Data**: Information that identifies or could reasonably be linked to an individual, including:
  - Direct identifiers (name, SSN, email)
  - Biometric data (fingerprints, facial scans, voice prints)
  - Behavioral data (browsing history, location data)
  - Derived data (inferred preferences, predicted behaviors)
  - Aggregate data that could be de-anonymized
- **Imminent National Security Threat**: A specific, articulable threat of:
  - Terrorist activity with clear evidence of planning or preparation
  - Critical infrastructure cyberattack with evidence of imminent execution
  - Foreign state actor activities presenting immediate risk to national security
  - Does NOT include: protests, civil disobedience, or protected speech

## Section 2: Government Limitations

### 2.1 Content Moderation Restrictions

- Federal agencies are prohibited from:
  - Directing private companies to remove legal content
  - Using funding or contracts to influence content moderation
  - Creating "back-channel" pressure systems for content removal
- Exception: Content directly related to imminent national security threats with judicial oversight

### 2.2 Surveillance Limitations

- Government agencies must:
  - Obtain a warrant before accessing any encrypted communications
  - Provide notice to individuals within 30 days of surveillance (unless extended by court order)
  - Destroy collected data within 90 days if not relevant to an active investigation
- Prohibited practices:
  - Mass collection of metadata without judicial oversight
  - Use of facial recognition without probable cause
  - Compelling companies to create encryption backdoors

## Section 3: Corporate Responsibilities

### 3.1 Transparency Requirements

Companies must:

- Publish quarterly reports detailing:
  - Government requests for user data
  - Content removal requests from government entities
  - AI moderation systems and their decision criteria
- Notify users within 24 hours of sharing their data with government agencies (unless prohibited by court order)

### 3.2 Data Protection Standards

- Mandatory implementation of:
  - End-to-end encryption for private communications
  - Data minimization practices
  - Regular security audits
  - User-controlled privacy settings
- Prohibited from:
  - Selling user data to government agencies without explicit consent
  - Using personal data for unauthorized purposes

## Section 4: AI and Algorithmic Transparency

### 4.1 AI Content Moderation

Companies must:

- Clearly label all AI-moderated content decisions
- Provide human review options for appealing AI decisions
- Maintain public documentation of AI moderation criteria
- Submit to annual third-party audits of AI systems

### 4.2 Algorithm Disclosure

- Public disclosure required for:
  - Content recommendation systems
  - Search result ranking criteria
  - Ad targeting mechanisms
  - User profiling methods

## Section 5: Enforcement and Penalties

### 5.1 Oversight

- Creates Digital Rights Oversight Board (DROB) to:
  - Monitor compliance
  - Investigate violations
  - Issue guidance and regulations
  - Coordinate with other regulatory agencies
- Establishes clear jurisdiction:
  - Primary authority over digital privacy and speech issues
  - Cooperative framework with FTC on consumer protection
  - Coordinated authority with FCC on communications
  - Deference to FBI/DHS on verified national security matters
- Independent funding through:
  - Congressional appropriations
  - Violation penalties
  - Technology company assessments

### 5.2 Penalties

- Civil penalties calculated as the greater of:
  - $10 million per violation
  - 4% of global annual revenue
  - Double the economic benefit from the violation
- Criminal penalties for willful violations:
  - Up to 10 years imprisonment for government officials
  - Up to 5 years for corporate officers
  - Up to 15% of global annual revenue for corporations
- Private right of action:
  - Statutory damages of $1,000 per violation
  - Actual damages
  - Punitive damages for willful violations
  - Attorney fees for successful claims
- Whistleblower protections and rewards

## Section 6: User Rights and Protections

### 6.1 Digital Rights

Users have the right to:

- Access, correct, and delete their personal data
- Opt out of AI-driven content moderation
- Choose end-to-end encryption for communications
- Appeal content moderation decisions
- Receive compensation for privacy violations

### 6.2 Educational Requirements

- Mandates digital literacy programs in public schools
- Requires platforms to provide clear privacy tutorials
- Establishes public awareness campaigns about digital rights

## Section 7: National Security Safeguards

### 7.1 Emergency Provisions

- Allows temporary suspension of specific provisions during:
  - Formally declared national emergencies
  - Immediate threats to national security as defined in Section 1.2
- Requires:
  - Initial judicial review within 72 hours
  - Ongoing judicial review every 7 days
  - Concurrent notification to:
    - Congressional Intelligence Committees
    - Privacy and Civil Liberties Oversight Board
    - Digital Rights Oversight Board
  - Public disclosure within 48 hours of threat resolution
- Limitations:
  - Maximum initial suspension period of 14 days
  - Extensions require supermajority Congressional approval
  - Cannot suspend entire act, only specific provisions
  - Must use least restrictive means necessary
  - Regular public reporting on scope and necessity

### 7.2 Oversight and Accountability

- Establishes independent review panel for emergency actions
- Requires quarterly reports to Congress
- Mandates public hearings on any emergency provisions used

## Section 8: Implementation Timeline

### 8.1 Phased Implementation

- Tiered implementation based on company size and resources:

Tier 1 (Large Companies - >$1B annual revenue):

- 90 days: Formation of oversight board
- 180 days: Corporate transparency requirements
- 1 year: Full AI disclosure requirements
- 18 months: Complete implementation

Tier 2 (Medium Companies - $100M-$1B annual revenue):

- 180 days: Formation of oversight board
- 1 year: Corporate transparency requirements
- 18 months: Full AI disclosure requirements
- 2 years: Complete implementation

Tier 3 (Small Companies - <$100M annual revenue):

- 1 year: Formation of oversight board
- 18 months: Corporate transparency requirements
- 2 years: Full AI disclosure requirements
- 30 months: Complete implementation

- Technical assistance program for smaller companies
- Hardship exemptions available with oversight board approval

### 8.2 Review and Updates

- Annual review of effectiveness
- Biennial updates to technical standards
- Regular public comment periods

## Section 9: Biometric Surveillance Restrictions

### 9.1 Facial Recognition Moratorium

1. **Government Facial Recognition Ban**
   - Complete prohibition on government facial recognition in public spaces
   - Exceptions only for:
     * Airport security (with judicial oversight)
     * Border security (with privacy protections)
     * Active criminal investigations (with warrant requirement)
   - Criminal penalties for unauthorized government facial recognition use
2. **Private Sector Facial Recognition Restrictions**
   - Explicit written consent required before any facial recognition use
   - Opt-out mechanisms that cannot affect service quality
   - Clear signage required wherever facial recognition is deployed
   - Right to know when facial recognition has been used on an individual

### 9.2 Biometric Data Protection

1. **Enhanced Biometric Safeguards**
   - Encryption requirements for all stored biometric data
   - Automatic deletion of biometric data after purpose completion
   - Prohibition on selling or sharing biometric data without explicit consent
   - Right to biometric data portability and deletion
2. **Biometric Processing Limitations**
   - Minimal data collection principle for biometric systems
   - Purpose limitation requirements for biometric data use
   - Prohibition on biometric data use for insurance or employment discrimination
   - Regular audits of biometric data processing systems

### 9.3 Anonymous Communication Protection

1. **Right to Anonymous Speech**
   - Constitutional protection for anonymous online communication
   - Prohibition on mandatory identity verification for general internet use
   - Protection for anonymizing technologies and services
   - Anti-retaliation provisions for anonymous speech
2. **Anonymity Technology Protection**
   - Legal protection for developers and operators of anonymity tools
   - Prohibition on criminalizing or restricting anonymity software
   - Right to use anonymizing technologies without discrimination
   - Protection for anonymous payment methods for legitimate purposes

### 9.4 International Data Transfer Protections

1. **Cross-Border Data Safeguards**
   - Adequacy determinations required for international data transfers
   - Enhanced protections for transfers to authoritarian regimes
   - Standard contractual clauses for international business transfers
   - Emergency suspension authority for high-risk jurisdictions
2. **Foreign Government Access Restrictions**
   - Prohibition on providing data to foreign governments without due process
   - Notice requirements for lawful foreign government data requests
   - Right to challenge foreign government data access requests
   - Annual transparency reports on foreign government data requests