Social media and remote computing service providers requirement to report to the attorney general

A bill for an act

relating to commerce; requiring social media and remote computing service

providers to report to the attorney general; establishing responsibilities for the

attorney general; requiring the preservation of data; establishing penalties;

proposing coding for new law in Minnesota Statutes, chapter 325M.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:

Section 1.

new text begin

[325M.40] DEFINITIONS.

new text end

new text begin

Subdivision 1.

new text end

new text begin

Scope.

new text end

new text begin

For the purposes of sections 325M.40 to 325M.44, the following

terms have the meanings given.

new text end

new text begin

Subd. 2.

new text end

new text begin

Actual knowledge.

new text end

new text begin

"Actual knowledge" means a provider possesses, controls,

or has custody over information that a reasonable person would deem sufficient to provide

the provider with knowledge. Actual knowledge includes information received by law

enforcement or credible reports within 48 hours of receipt. The fact that a provider fails to

follow up on information in the provider's possession, custody, or control does not absolve

the provider of actual knowledge.

new text end

new text begin

Subd. 3.

new text end

new text begin

Geographic identifying information.

new text end

new text begin

"Geographic identifying information"

means (1) an area code or zip code that a user, subscriber, or customer provides or that is

stored or obtained by the provider, and (2) any information indicating whether a virtual

private network was used.

new text end

new text begin

Subd. 4.

new text end

new text begin

Provider.

new text end

new text begin

"Provider" means a person or entity that provides access to a social

media platform or a remote computing service.

new text end

new text begin

Subd. 5.

new text end

new text begin

Remote computing service.

new text end

new text begin

"Remote computing service" means a service that

provides computer storage or processing services to the public using an electronic

communications system.

new text end

new text begin

Subd. 6.

new text end

new text begin

Social media platform.

new text end

new text begin

"Social media platform" has the meaning given in

section 325M.31, paragraph (j).

new text end

new text begin

Subd. 7.

new text end

new text begin

User.

new text end

new text begin

"User" has the meaning given in section 325M.31, paragraph (l).

new text end

Sec. 2.

new text begin

[325M.41] DUTY TO REPORT.

new text end

new text begin

Subdivision 1.

new text end

new text begin

Actual knowledge.

new text end

new text begin

(a) A provider must submit a report to the attorney

general if the provider has actual knowledge that a crime is being or has been committed

and the crime involves creating, manufacturing, distributing, dispensing, selling, or possessing

with the intent to manufacture, distribute, or dispense:

new text end

new text begin

(1) fentanyl;

new text end

new text begin

(2) methamphetamine;

new text end

new text begin

(3) a counterfeit substance, including a counterfeit substance purporting to be a

prescription drug; or

new text end

new text begin

(4) an actual or purported prescription pain medication or prescription stimulant by an

individual or entity that is not authorized to prescribe the pain medication or stimulant,

including an individual or entity that falsely claims to be a practitioner.

new text end

new text begin

(b) A provider must submit the report to the attorney general within 60 days after the

date the provider obtains actual knowledge.

new text end

new text begin

Subd. 2.

new text end

new text begin

Reasonable belief.

new text end

new text begin

A provider may submit a report to the attorney general if

the provider has reasonable belief that a crime is being or has been committed and the crime

involves creating, manufacturing, distributing, dispensing, selling, or possessing with the

intent to manufacture, distribute, or dispense:

new text end

new text begin

(1) fentanyl;

new text end

new text begin

(2) methamphetamine;

new text end

new text begin

(3) a counterfeit substance, including a counterfeit substance purporting to be a

prescription drug; or

new text end

new text begin

(4) an actual or purported prescription pain medication or prescription stimulant by an

individual or entity that is not authorized to prescribe the pain medication or stimulant,

including an individual or entity that falsely claims to be a practitioner.

new text end

new text begin

Subd. 3.

new text end

new text begin

Content of the report.

new text end

new text begin

(a) A provider who submits a report to the attorney

general under this section must include in the report:

new text end

new text begin

(1) the provider's mailing address, telephone number, facsimile number, and electronic

mailing address; and

new text end

new text begin

(2) information relating to the account involved in the commission of a crime under

subdivision 1, including:

new text end

new text begin

(i) name;

new text end

new text begin

(ii) address;

new text end

new text begin

(iii) electronic mailing address;

new text end

new text begin

(iv) user or account identification;

new text end

new text begin

(v) internet protocol address;

new text end

new text begin

(vi) screen names or monikers used for the account or other accounts associated with

the account user; and

new text end

new text begin

(vii) other identifying information.

new text end

new text begin

(b) A provider who submits a report to the attorney general under this section may

include in the report:

new text end

new text begin

(1) information relating to when and how a user, subscriber, or customer of a provider

uploaded, transmitted, or received content relating to the report, or when and how content

relating to the report was reported to or discovered by the provider, including a date, time

stamps, and time zone;

new text end

new text begin

(2) information relating to the geographic location of the involved individual or website,

including but not limited to the internet protocol address, verified address, or one form of

geographic identifying information;

new text end

new text begin

(3) data, including symbols, photos, videos, icons, or direct messages, relating to activity

involving the facts or circumstances described in subdivisions 1 and 2;

new text end

new text begin

(4) the complete communication containing the information of the crime described in

subdivisions 1 and 2, including:

new text end

new text begin

(i) data or information regarding the transmission of the communication; and

new text end

new text begin

(ii) data or other digital files contained in or attached to the communication; or

new text end

new text begin

(5) information submitted to the provider by a user, subscriber, or customer alleging

facts or circumstances under subdivision 2, if the provider has a reasonable belief that the

alleged facts or circumstances exist.

new text end

new text begin

Subd. 4.

new text end

new text begin

Protection of privacy.

new text end

new text begin

(a) This section does not authorize a provider to:

new text end

new text begin

(1) monitor users, subscribers, or customers;

new text end

new text begin

(2) monitor the content of a user's, subscriber's, or customer's communication;

new text end

new text begin

(3) affirmatively search, screen, or scan for facts or circumstances described in subdivision

1;

new text end

new text begin

(4) establish whether the provider had actual knowledge because the provider failed to

engage in additional verification or investigation. A provider is obligated to verify or

investigate information received by law enforcement or a third party within 48 hours of

receiving the information; or

new text end

new text begin

(5) use end-to-end encryption.

new text end

new text begin

(b) This section does not require a provider to decrypt encrypted communications.

new text end

new text begin

Subd. 5.

new text end

new text begin

Data privacy.

new text end

new text begin

A report received by a law enforcement agency under section

325M.42 is criminal investigative data subject to section 13.82, subdivision 7.

new text end

new text begin

Subd. 6.

new text end

new text begin

Prohibition on submission.

new text end

new text begin

(a) A state or local law enforcement officer acting

in an official capacity is prohibited from arranging for another individual to submit a report

to a provider on behalf of the officer under this section.

new text end

new text begin

(b) The contents of a provider's report made under this section and evidence derived

from the report must not be received in evidence in a trial, hearing, or other proceeding in

or before a court, department, officer, agency, regulatory body, legislative committee, or

other authority of the state or a political subdivision of the state if the provider report resulted

from an action prohibited by paragraph (a).

new text end

new text begin

Subd. 7.

new text end

new text begin

Exemptions.

new text end

new text begin

This section does not apply to a provider of:

new text end

new text begin

(1) broadband internet access service, as defined in Code of Federal Regulations, title

47, section 8.1(b); or

new text end

new text begin

(2) text messaging service, as defined in United States Code, title 47, section 227(e)(8).

new text end

new text begin

Subd. 8.

new text end

new text begin

Immunity.

new text end

new text begin

A provider who submits a report in good faith to the attorney general

under this section is immune from civil and criminal liability that may otherwise result from

the submission, unless the provider knowingly submitted false information.

new text end

Sec. 3.

new text begin

[325M.42] ATTORNEY GENERAL RESPONSIBILITIES.

new text end

new text begin

Subdivision 1.

new text end

new text begin

Attorney general responsibilities.

new text end

new text begin

(a) Upon receiving a report submitted

under section 325M.41, the attorney general must conduct a preliminary review of the report.

new text end

new text begin

(b) Upon completing the preliminary review, the attorney general must:

new text end

new text begin

(1) determine whether the report facially contains sufficient information to warrant

further investigation and conduct further investigation of the report, including but not limited

to making the report available to federal, state, or local law enforcement agencies involved

in the investigation of crimes described in section 325M.41; or

new text end

new text begin

(2) conclude that no further investigative steps are warranted or possible, or that

insufficient evidence exists to make a determination, and close the report.

new text end

new text begin

(c) The attorney general may designate law enforcement agencies to which the attorney

general may send a report under paragraph (b), clause (1).

new text end

new text begin

Subd. 2.

new text end

new text begin

Data minimization.

new text end

new text begin

The attorney general must take reasonable measures to:

new text end

new text begin

(1) limit the storage of a report submitted under section 325M.41 and the report's contents

to the amount that is necessary to investigate the crimes described in section 325M.41; and

new text end

new text begin

(2) store a report submitted under section 325M.41 and the report's contents only as long

as is reasonably necessary to investigate the crimes described in section 325M.41 or make

a report available to other agencies under subdivision 1, paragraph (b), clause (1). After

fulfilling the duties under this clause, the attorney general must delete the report and the

report's contents unless preserving a report has future evidentiary value.

new text end

new text begin

Subd. 3.

new text end

new text begin

Annual report.

new text end

new text begin

The attorney general must publish an annual report regarding

the reports received under section 325M.41. The report under this subdivision must include

the number of reports received:

new text end

new text begin

(1) from providers;

new text end

new text begin

(2) by providers on whose social media platform or remote computing service the crime

for which there are facts or circumstances occurred;

new text end

new text begin

(3) by the subsidiary of a provider, if any;

new text end

new text begin

(4) that led to convictions in cases investigated by the attorney general;

new text end

new text begin

(5) that lacked actionable information;

new text end

new text begin

(6) in which the facts or circumstances of a crime were discovered through:

new text end

new text begin

(i) content moderation conducted by a human; or

new text end

new text begin

(ii) a nonhuman method, including the use of an algorithm, machine learning, or other

means;

new text end

new text begin

(7) that are made available to federal law enforcement agencies;

new text end

new text begin

(8) that are made available to law enforcement agencies; and

new text end

new text begin

(9) that are made available to local law enforcement agencies.

new text end

new text begin

The report under this subdivision must include the number of requests submitted by the

attorney general to providers to continue preserving the contents of a report or other data

described in section 325M.43.

new text end

Sec. 4.

new text begin

[325M.43] PRESERVATION.

new text end

new text begin

Subdivision 1.

new text end

new text begin

Request to preserve content.

new text end

new text begin

A completed report submitted by a provider

to the attorney general under section 325M.41 must be treated as a request to preserve the

contents provided in the report and data or other digital files that are reasonably accessible

and may provide context or additional information about the reported material or person

for 90 days after submission to the attorney general.

new text end

new text begin

Subd. 2.

new text end

new text begin

Limitations on extension of preservation period.

new text end

new text begin

(a) The attorney general

must not submit a request to a provider to continue preserving the contents of a report or

other data beyond the required preservation period under subdivision 1 unless the attorney

general has an active or pending investigation involving the user, subscriber, or customer

account at issue in the report.

new text end

new text begin

(b) Paragraph (a) does not preclude another federal, state, or local law enforcement

agency from seeking continued preservation of the contents of a report or other data.

new text end

new text begin

Subd. 3.

new text end

new text begin

Notification to user.

new text end

new text begin

A provider must not notify the provider's user, subscriber,

or customer of a preservation request described in subdivision 1 unless:

new text end

new text begin

(1) the provider has notified the attorney general of the provider's intent to provide the

notice; and

new text end

new text begin

(2) 45 business days have elapsed since the date the notification under clause (1) occurred.

new text end

new text begin

Subd. 4.

new text end

new text begin

Protection of preserved materials.

new text end

new text begin

A provider preserving materials under this

section must maintain the materials in a secure location and take appropriate steps to limit

access to the materials by the provider's agents or employees to only the access necessary

to comply with the requirements of this section.

new text end

Sec. 5.

new text begin

[325M.44] ENFORCEMENT; PENALTIES.

new text end

new text begin

Subdivision 1.

new text end

new text begin

Failure to submit a report.

new text end

new text begin

A provider that knowingly fails to submit

a required report under section 325M.41, subdivision 1, is subject to a civil penalty of up

to $200,000 for an initial violation and up to $400,000 for each subsequent violation.

new text end

new text begin

Subd. 2.

new text end

new text begin

Incomplete or false report.

new text end

new text begin

(a) A provider may be subject to a civil penalty

in an amount not less than $50,000 and not greater than $100,000 if the provider knowingly

submits a report that:

new text end

new text begin

(1) contains materially false information; or

new text end

new text begin

(2) fails to provide the required information under section 325M.41, subdivision 3,

paragraph (a), that is reasonably available to the provider.

new text end

new text begin

(b) Before an enforcement action is filed for a violation of paragraph (a), clause (2), the

attorney general must provide a written notice to the provider that the report is deficient

and provide a reasonable period of time for the provider to cure the deficiency.

new text end

new text begin

Subd. 3.

new text end

new text begin

Attorney general enforcement.

new text end

new text begin

The attorney general may enforce this section

and sections 325M.40 to 325M.43.

new text end