[House Report 107-701]
[From the U.S. Government Publishing Office]

107th Congress, 2d Session
HOUSE OF REPRESENTATIVES
Report 107-701

======================================================================

FEDERAL AGENCY PROTECTION OF PRIVACY ACT

_______

September 30, 2002.--Committed to the Committee of the Whole House on the State of the Union and ordered to be printed

_______

Mr. Sensenbrenner, from the Committee on the Judiciary, submitted the following

R E P O R T

[To accompany H.R. 4561]

[Including cost estimate of the Congressional Budget Office]

The Committee on the Judiciary, to whom was referred the bill (H.R. 4561) to amend title 5, United States Code, to require that agencies, in promulgating rules, take into consideration the impact of such rules on the privacy of individuals, and for other purposes, having considered the same, reports favorably thereon without amendment and recommends that the bill do pass.

CONTENTS

Purpose and Summary
Background and Need for the Legislation
Hearings
Committee Consideration
Vote of the Committee
Committee Oversight Findings
Performance Goals and Objectives
New Budget Authority and Tax Expenditures
Congressional Budget Office Cost Estimate
Constitutional Authority Statement
Section-by-Section Analysis and Discussion
Changes in Existing Law Made by the Bill, as Reported
Markup Transcript

Purpose and Summary

H.R.
4561, the ``Federal Agency Protection of Privacy Act,'' preserves and promotes the privacy rights of all Americans by requiring Federal agencies to assess and mitigate the adverse privacy impact of rules noticed for public comment pursuant to the Administrative Procedure Act \1\ (APA). H.R. 4561 helps safeguard privacy rights by requiring that rules noticed for public comment by Federal agencies be accompanied by an initial assessment of the rule's impact on personal privacy interests, including the extent to which the proposed rule provides notice of the collection of personally identifiable information, the type of personally identifiable information to be obtained, and the manner in which this information will be collected, maintained, protected, transferred, or disclosed by the Federal Government.

---------------------------------------------------------------------------
\1\ 5 U.S.C. Sec. 553 et seq. (2001).
---------------------------------------------------------------------------

The bill further provides that final rules be accompanied by a final privacy impact analysis which details how the issuing agency considered and responded to privacy concerns raised by the public during the comment period and explains whether the agency issuing the rule could have taken an approach less burdensome to personal privacy. Of critical importance, H.R. 4561 contains a provision for judicial review to ensure agency compliance with its requirements. While existing Federal statutes protect against the disclosure of information already obtained by the Federal Government, the Federal Agency Protection of Privacy Act provides the public with prospective notice and an opportunity to comment on how proposed Federal rules might affect personal privacy before they become binding regulations.

Background and Need for the Legislation

PUBLIC CONCERNS

There is growing public anxiety toward the diminishing sphere of personal privacy brought about by the rapid pace of technological and social change. Many have decried the perceived encroachment by outside entities into areas until recently considered part of our private lives. Examples include: facial recognition software linked to video cameras that can identify individuals in public places; tracking devices that monitor online activity; cameras that record our movements at traffic intersections and whose photographs serve as an exclusive basis for traffic fines and other penalties; Government-mandated devices in cellular phones that record the physical movements of their users; and the proliferation of Global Position Satellite (GPS) technologies that can be used to monitor a range of personal public and private activity. The effort to create a Federal Department of Homeland Security and America's ongoing war against terrorism have heightened public sensitivity toward Government policies which might intrude upon personal privacy interests. H.R. 4561 would help address these concerns by ensuring that the privacy impact of proposed regulations is considered by Federal agencies when rules are noticed for public comment under the Administrative Procedure Act.

GOVERNMENT COLLECTION OF PRIVATE INFORMATION

The compulsory nature of Government collection of personally identifiable information raises serious concerns. Unlike private entities, with which consumers voluntarily interact, the Government often requires the disclosure of personal information under penalty of law. The Government collects and maintains large volumes of personally-identifiable information. Much of this information is available to the public. While the legitimacy of our judicial system is premised on public access to court documents, this information might be susceptible to misuse.
For example, section 107 of the Bankruptcy Code makes any filing in a bankruptcy case a matter of public record.\2\ With bankruptcy records increasingly available online, the potential for identity theft has greatly multiplied. In addition, the Social Security card has been widely adopted by both governments and the public as a standard identifier. Social Security numbers are now used for tax collection, credit and banking transactions, Federal Government security, State-level record keeping, passport issuance, and other purposes. Public transmission of this information further heightens the potential for identity fraud, a growing problem which impacted over 700 thousand Americans last year.\3\ While the Identity Theft and Assumption Deterrence Act of 1998 \4\ was enacted to address this problem, persistent concerns remain unaddressed.

---------------------------------------------------------------------------
\2\ 11 U.S.C. Sec. 107 (2002).
\3\ Identity Theft Resource Center, available at http://www.idtheftcenter.org/.
\4\ Pub. L. No. 105-318, 112 Stat. 3007 (1998), codified at 18 U.S.C. Sec. 1028 (2001).
---------------------------------------------------------------------------

States also maintain large, comprehensive databases of personal information, some of which are susceptible to intrusion. In 1994, Congress enacted the Driver's Privacy Protection Act \5\ after the murder of actress Rebecca Shaeffer by an assailant who obtained her address from the California Department of Motor Vehicles. While responsibility for this crime lies squarely with the assailant, the Shaeffer case highlights the potential vulnerability of personal information in public records databases.

---------------------------------------------------------------------------
\5\ 18 U.S.C. Sec. 2721-2725 (2001).
---------------------------------------------------------------------------

Federal agencies collect and maintain large volumes of personally-identifiable, private information in computer databases. Much of this information is obtained from individuals pursuant to regulations issued by Federal agencies in accordance with their organic statutes and the procedural requirements of the APA. While Federal agencies are required to conduct a cost-benefit analysis of rules noticed for public comment, privacy concerns often go unaddressed. Currently, there is no requirement that agencies issuing rules in accordance with the APA specifically examine the privacy implications of rules they promulgate. As a result, agencies are free to issue rules without considering how personally-sensitive information may be stored, protected, and transmitted among Federal agencies. The public is often uninformed about the privacy impact of proposed rules. The following is a summary of the major databases containing private information currently operated by the Federal Government.

FEDERAL BUREAU OF INVESTIGATION ``BRADY LAW'' DATABASE

The Brady Handgun Violence Prevention Act \6\ requires firearms dealers to submit information about prospective firearms purchasers to the Department of Justice. Required information includes the potential purchaser's name, sex, race, date of birth, and State of residence. This information is then cross-referenced with existing databases to prevent firearms sales to convicted felons, fugitives from justice, and other disqualified buyers. The Brady Law requires the National Instant Check System to ``destroy all records'' relating to the backgrounds of individuals cleared to purchase a firearm under the law. In regulations implementing this legislation, however, the FBI provided for an ``Audit Log'' of background checks. This log is maintained for as long as 6 months after a firearm transaction.
Upon taking office, Attorney General Ashcroft considerably shortened this time period. While some insist the Audit Log might serve creditable auditing and oversight purposes, the collection, storage, and dissemination of private information relating to legal purchasers of firearms raise considerable constitutional concerns.

---------------------------------------------------------------------------
\6\ Pub. L. No. 103-159 (1993), 107 Stat. 1536, codified at 18 U.S.C. Sec. 921 et seq. (2001).
---------------------------------------------------------------------------

ICANN ``WHOIS'' DATABASE

The ``Whois'' database consists of the names, e-mail addresses, postal addresses, and telephone numbers for the holders of the more than 24 million Internet domain names. The Internet Corporation for Assigned Names and Numbers (ICANN), which oversees Network Solutions, the record keeper of Internet addresses and the domain registration companies, currently requires disclosure of contact information for holders of ``.com,'' ``.net,'' and ``.org'' Internet addresses. Compulsory disclosure of this information helps ensure the veracity of the identity of website operators. This information can reduce fraud, defamation, copyright infringements, and trademark violations. While some contend this database is private or quasi-governmental, ICANN exercises control of Network Solutions and the Whois database under authority granted by the U.S. Department of Commerce. It is thus best viewed as a Government database.

VETERANS ADMINISTRATION COMPUTER SYSTEM

The Veterans Administration (VA) maintains detailed records that facilitate the management of its finances, the oversight of its employees, and the delivery of health care benefits to military veterans and their families. The VA has not taken sufficient steps to protect electronic data that it maintains. Poor management of personal information by the VA has led to invasions of the privacy of those who receive treatment in VA facilities.
Testimony received by the House Veterans Affairs Committee revealed that a security company hired by the VA's Office of Inspector General easily entered and gained control over the VA computer system.\7\ Poor computer security has also produced fraud and financial mismanagement, permitting VA employees to write more than $1.2 million in fraudulent benefit checks from 1998 to 2001.\8\ While ameliorative steps have been taken by the agency, concerns about the security of this information persist.

---------------------------------------------------------------------------
\7\ VA Computer Security, 2000, Hearings Before the House Comm. on Veterans' Affairs, Subcomm. on Oversight and Investigations, 106th Cong. (2000) (statement of Michael Slachta, Jr. Assistant Inspector General for Auditing Office of Inspector General Department of Veterans Affairs Va's Information Security Program).
\8\ Id. (statement of Joel C. Willemsen, Director of Civil Agencies Information Systems Accounting and Information Management Division).
---------------------------------------------------------------------------

HEALTH CARE FINANCING ADMINISTRATION ``OASIS'' DATABASE

In 1999, the Health Care Financing Administration announced a final effective date for the mandatory use, collection, encoding, and transmission of OASIS data for all Medicare and Medicaid patients receiving skilled services.\9\ OASIS is the acronym for ``Outcome and Assessment Information Set.''

---------------------------------------------------------------------------
\9\ Privacy Act of 1974, Report of New System, 64 Fed. Reg. 32,992 (1999).
---------------------------------------------------------------------------

Medicare and Medicaid recipients are required to submit highly detailed and personal medical information in accordance with this regulation. A cursory review of OASIS ``data sets'' reveals their breadth.
Patients are required to submit their name, Social Security number, residence, birth date, gender, payment sources for health care, past and recent medical treatment, current condition, medical risk factors, living arrangements, residential safety hazards, the identity of those who have assisted or are currently assisting the patient, the patient's vision and speech status, and a host of other data. While information concerning a patient's history ensures the delivery of the proper medical care, the public must be assured that adequate safeguards exist to protect this highly personal information.

FEDERAL BUREAU OF INVESTIGATION ``CODIS'' DATABASE

CODIS, the Combined DNA Index System, was established by Congress in 1994.\10\ It gives Federal funds to States that assist the FBI in collecting DNA information. By 1998, all 50 States had passed laws requiring local police departments to collect DNA samples. CODIS was intended to help Federal law enforcement collect information about convicted sex offenders. Since its inception, some have called for considerable expansion of the database. While modern technology plays an increasingly important and necessary part in modern law enforcement, steps must also be taken to ensure the security of this information.

---------------------------------------------------------------------------
\10\ DNA Analysis Backlog Elimination Act of 2000, Pub. L. No. 106-546, 114 Stat. 2726 (2000).
---------------------------------------------------------------------------

THE CENSUS

The Constitution authorizes the Federal Government to ``enumerate'' persons in order to apportion congressional representatives among the States.\11\ To accomplish this purpose, the Government needs only to know how many individuals reside at a given residence. This question appears on the first page of the census.
The remaining questions which appear on the census long form require Americans to provide information which has little or nothing to do with apportioning electoral votes. The current census form requires all Americans to provide detailed information concerning income, modes of transportation, family status, ethnicity, and other personal data. Census forms also ask detailed questions about employment, the number of household toilets, and the annual cost of electricity, gas, water, and other municipal services. Responding to the census is not optional; it is required under penalty of Federal law. For this reason, all questions beyond those needed for apportionment are a threat to the privacy of Americans who do not wish to have information about their lives and habits collected and catalogued. In addition, the potential misuse of this information raises significant privacy concerns.

---------------------------------------------------------------------------
\11\ U.S. CONST., art. 1, Sec. 8, cl. 2.
---------------------------------------------------------------------------

TREASURY DEPARTMENT ``FINCEN'' DATABASE

The Financial Crimes Enforcement Network (FinCEN) is a network of databases and financial records maintained by the Federal Government. Housed within the Treasury Department, FinCEN contains data compiled from 21,000 depository institutions and 200,000 nonbank financial institutions. Banks, casinos, brokerage firms and money transmitters all must file reports with FinCEN if cash transactions exceed $10,000.
The Bank Secrecy Act authorizes the Treasury Department to require financial institutions to maintain records of personal financial transactions that ``have a high degree of usefulness in criminal, tax and regulatory investigations and proceedings.'' \12\ It also authorizes the Treasury Department to require any financial institution to report any ``suspicious transaction relevant to a possible violation of law or regulation.'' \13\ This is done secretly, without the consent or knowledge of bank customers, any time a financial institution decides that a transaction is ``suspicious.'' The reports are made available electronically to every U.S. Attorney's Office and to 59 law enforcement agencies, including the FBI, Secret Service, and Customs Service. A law enforcement agency does not have to be suspicious of an actual crime before it accesses a report, and no court order, warrant, subpoena, or even written request is needed. While this information serves legitimate law enforcement objectives, the security of this information should be maintained.

---------------------------------------------------------------------------
\12\ 12 U.S.C. Sec. 951 (2002).
\13\ Bank Secrecy Act of 1970, 31 U.S.C. Sec. Sec. 5311-5330 (2002).
---------------------------------------------------------------------------

HEALTH AND HUMAN SERVICES ``NEW HIRES'' DATABASE

The Personal Responsibility and Work Opportunity Reconciliation Act of 1996 \14\ requires the Secretary of Health and Human Services to develop a National Directory of recently employed ``New Hires.'' This directory contains information on all newly hired employees, quarterly wage reports, and unemployment insurance claims in the United States. The National Directory of New Hires is maintained by the Federal Office of Child Support Enforcement in the Administration for Children and Families at the U.S. Department of Health and Human Services, and is located at the Social Security Administration's National Computer Center.

---------------------------------------------------------------------------
\14\ Pub. L. No. 104-193, 109 Stat. 961 (1996) (codified in scattered sections of 42 U.S.C.).
---------------------------------------------------------------------------

This database has helped States locate parents who evade their child support obligations. However, it has also been employed for purposes which exceed its original scope.\15\ The National Directory of New Hires has already been expanded to track down defaulters on student loans.\16\ Additional expansions have been proposed that would give State unemployment insurance officials access to the database. A centralized database containing detailed personal information on every working American raises considerable privacy concerns.

---------------------------------------------------------------------------
\15\ Solveig Singleton, How Big Brother Began, Cato Institute (Nov. 25, 1997), available at: http://www.cato.org/dailys/11-25-97.html.
\16\ See Greg Langois, Fed. Computer Week, ``Education Touts New Loan Default Tool,'' Sept. 24, 2001, available at: http://www.fcw.com/fcw/articles/2001/0924/news-edu-09-24-01.asp.
---------------------------------------------------------------------------

INTER-AGENCY TRANSFER OF PERSONAL INFORMATION

While Federal agencies individually collect a wealth of personal information, this information is often shared with other Federal agencies in a manner which compounds the risks of unauthorized disclosure.
According to a report prepared by Privacilla.org entitled ``Government Exchange and Merger of Citizens' Personal Information is Systematic and Routine,'' Federal agencies routinely share personally-identifiable information with other Federal agencies without the knowledge or consent of those whose information is being exchanged.\17\ The report cites 47 specific instances between September 1999 and February 2001 when Federal agencies announced their intention to exchange personal data and combine it into their own databases.\18\ The transfer of personal information between and among Federal agencies without the consent of those in question heightens concern that personal information could be utilized for a purpose inconsistent with that for which it was originally obtained.

---------------------------------------------------------------------------
\17\ Report available at: http://www.privacilla.org/releases/Government--Data--Merger.html
\18\ Id. at 1.
---------------------------------------------------------------------------

GOVERNMENT USE AND MISUSE OF PERSONALLY-IDENTIFIABLE INFORMATION

GAO Studies of Federal Government Privacy Practices

A series of General Accounting Office (GAO) reports have demonstrated the vulnerability of personal information maintained in several Federal databases. On September 5, 2000, the GAO released a study that revealed that Federal agencies largely ignore Office of Management and Budget guidelines on the maintenance of computer websites.\19\ In a survey of online privacy protections at Government-run websites, the GAO found that 23 of the 70 agencies it surveyed had disclosed personal information gathered from websites to third parties, mostly other Government agencies. At least four agencies had shared information with private entities.

---------------------------------------------------------------------------
\19\ Internet Privacy: Agencies' Efforts to Implement OMB's Privacy Policy, Report of the General Accounting Office, September 5, 2000, available at: http://www.gao.gov/new.items/gg00191.pdf.
---------------------------------------------------------------------------

On September 6, 2000, the GAO issued a second study which concluded that security practices at Federal Government agencies are fraught with weaknesses.\20\ The study concluded that ``information security weaknesses place enormous amounts of confidential data, ranging from personal and tax to proprietary business information, at risk of inappropriate disclosure.'' \21\

---------------------------------------------------------------------------
\20\ Information Security: Serious and Widespread Risks Persist At Federal Agencies, Report of the General Accounting Office, Sept. 6, 2000, available at: http://www.gao.gov/news items/ai00295.pdf.
\21\ Id. at 7.
---------------------------------------------------------------------------

Finally, a third GAO study, released on September 12, 2000, found that a staggering 97 percent of Federal websites did not adhere to the principles of notice, choice, access, and security that the Federal Trade Commission has imposed on private-sector websites.\22\ This study is particularly significant because while consumers may freely decide whether to disclose information to private, commercial entities, the compulsory nature of Government collection of personal information forecloses this option.

---------------------------------------------------------------------------
\22\ Internet Privacy: Comparison of Federal Agency Practices With FTC's Fair Information Principles, Report of the General Accounting Office, September 12, 2000, available at: http://www.gao.gov/new.items/ai00296r.pdf.
---------------------------------------------------------------------------

The vulnerability of private information collected and maintained by the Federal Government is clearly established and well-documented. A legislative solution is a necessary first step toward addressing this pervasive problem.

FEDERAL AGENCY PROTECTION OF PRIVACY ACT (FAPPA)

On April 24, 2002, Subcommittee on Commercial and Administrative Law Chairman Bob Barr introduced H.R. 4561. Original cosponsors included: Subcommittee Ranking Member Melvin Watt (D-NC); Rep. George W. Gekas (R-PA); Rep. Gerrold Nadler (D-NY); and Rep. Steve Chabot (R-OH). Since its introduction, Judiciary Committee Chairman F. James Sensenbrenner, Jr. (R-WI), Ranking Member John Conyers, Jr. (D-MI), and several other Committee Members have joined as cosponsors.

While H.R. 4561 makes no substantive demands on Federal agencies with respect to privacy, it would ensure that Federal agencies consider the privacy implications of proposed rules and regulations when they are noticed for public comment. Specifically, FAPPA would help ensure Federal agencies consider ways to: (1) protect the individual privacy rights of all Americans; (2) safeguard personal information collected and maintained by the Federal Government; (3) indicate how personally-identifiable information will be used by the Federal Government; and (4) specify if and how this information will be disseminated among Federal agencies or State governments.

The Federal Agency Protection of Privacy Act seeks to improve the regulatory process and protect Americans from unjustified or unintended invasions of privacy, by:

- ensuring Federal agencies consider the impact of proposed regulations on individual privacy;
- requiring agencies to include an initial privacy impact analysis with proposed regulations that are circulated for public notice and comment;
- requiring agencies, after the notice and comment period, to include a final privacy impact analysis that describes the steps that were taken to minimize the significant privacy impact of proposed regulations and that justifies the alternative with respect to privacy that was chosen by the agency;
- permitting judicial review of the adequacy of an agency's final privacy impact, similar to that provided by the Regulatory Flexibility Act for small businesses; and
- requiring agencies to periodically review rules that have either a significant privacy impact on individuals or a privacy impact on a significant number of individuals.

H.R. 4561 does not unduly burden agencies in the development and issuance of proposed rules, because:

- it would require a privacy impact analysis only when an agency is already required to publish a general notice of proposed rulemaking; and
- an agency would not be required to do anything that it presumably had not already done, i.e. consider the consequences of the proposed rule. It would only have to publicly articulate how its proposed rule would affect privacy interests.

Hearings

The Subcommittee on Commercial and Administrative Law held 1 day of hearings on H.R. 4561 on May 1, 2002.
Testimony was received from an ideologically-diverse panel comprised of the following witnesses: Lori Waters, Executive Director, the Eagle Forum; Gregory Nojeim, Associate Director and Chief Legislative Counsel, American Civil Liberties Union; James Harper, Editor, Privacilla.com, and Adjunct Fellow, Progress & Freedom Foundation; and Edward Mierzwinski, Consumer Program Director, United States Public Interest Group.

Committee Consideration

On July 9, 2002, the Subcommittee on Commercial and Administrative Law met in open session and ordered favorably reported the bill H.R. 4561, without amendment by voice vote, a quorum being present. On September 10, 2002, the Committee met in open session and ordered favorably reported the bill H.R. 4561 without amendment by voice vote, a quorum being present.

Vote of the Committee

There were no recorded votes on H.R. 4561.

Committee Oversight Findings

In compliance with clause 3(c)(1) of rule XIII of the Rules of the House of Representatives, the Committee reports that the findings and recommendations of the Committee, based on oversight activities under clause 2(b)(1) of rule X of the Rules of the House of Representatives, are incorporated in the descriptive portions of this report.

Performance Goals and Objectives

H.R. 4561 does not authorize funding. Therefore, clause 3(c) of rule XIII of the Rules of the House of Representatives is inapplicable. H.R. 4561 protects the privacy rights of all Americans by requiring that Federal agencies assess, consider, and inform the public about the privacy impact of rules noticed for public comment under the Administrative Procedure Act.

New Budget Authority and Tax Expenditures

Clause 3(c)(2) of House rule XIII is inapplicable because this legislation does not provide new budgetary authority or increased tax expenditures.

Congressional Budget Office Cost Estimate

In compliance with clause 3(c)(3) of rule XIII of the Rules of the House of Representatives, the Committee sets forth, with respect to the bill, H.R. 4561, the following estimate and comparison prepared by the Director of the Congressional Budget Office under section 402 of the Congressional Budget Act of 1974:

U.S. Congress,
Congressional Budget Office,
Washington, DC, September 10, 2002.

Hon. F. James Sensenbrenner, Jr.,
Chairman, Committee on the Judiciary,
House of Representatives, Washington, DC.

Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for H.R. 4561, the Federal Agency Protection of Privacy Act.

If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contact is Matthew Pickford, who can be reached at 226-2860.

Sincerely,
Dan L. Crippen, Director.

Enclosure

cc: Honorable John Conyers, Jr.
Ranking Member

H.R. 4561--Federal Agency Protection of Privacy Act.

H.R. 4561 would require Federal agencies to analyze proposed regulations to determine their impact on the privacy of individuals. H.R. 4561 also would require agencies issuing rules with a potentially significant impact on individual privacy to ensure that individuals have been given ample opportunity to participate in such rulemakings. Finally, agencies would have to review existing rules to consider impacts on the privacy of individuals at least every 10 years.

CBO estimates that implementing H.R. 4561 would have no significant effect on Federal spending. Based on a review of the number and types of agency rules published in recent years, we expect the privacy of individuals is of concern for less than 2 percent of the rules published annually. H.R.
4561 would add to the existing regulatory procedures for considering impacts on the privacy of individuals that are already performed by agencies under the Privacy Act of 1974, the Paperwork Reduction Act, and current Office of Management and Budget requirements concerning information collected from the public. Based on information from some agencies that would be affected by the bill, we expect that implementing this bill would not require significant additional efforts by rulemaking agencies. Thus, its implementation would not have a significant cost.

H.R. 4561 also could affect direct spending by increasing the administrative costs of rulemaking agencies that receive no annual appropriations; therefore, pay-as-you-go procedures would apply. CBO estimates, however, that any increase in direct spending would not be significant.

The bill contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act and would not affect the budgets of State, local, or tribal governments.

The CBO staff contact for this estimate is Matthew Pickford, who can be reached at 226-2860. This estimate was approved by Peter H. Fontaine, Deputy Assistant Director for Budget Analysis.

Constitutional Authority Statement

Pursuant to clause 3(d)(1) of rule XIII of the Rules of the House of Representatives, the Committee finds the authority for this legislation in article I, section 8, clause 14 of the Constitution.

Section-by-Section Analysis and Discussion

Section 1. Short Title

The title of this bill is the ``Federal Agency Protection of Privacy Act.''

Section 2. Requirement that Agency Rulemaking Take Into Consideration Impacts on Individual Privacy

This section amends the Administrative Procedure Act to require agencies to provide an initial privacy impact analysis when publishing rules requiring notice and comment under 5 U.S.C. Sec. 553 or other laws.
The analysis must describe the impact of the proposed rule or IRS interpretive statement on individual privacy and be signed by the senior agency official with primary responsibility for privacy policy and be published in the Federal Register at the time the rule is published. The initial privacy impact analysis must contain: a description and assessment of the rule's impact on personal privacy interests, including the extent to which the proposed rule provides notice of the collection of personally identifiable information; what information will be obtained, how it is to be collected, maintained, used and disclosed. The initial statement must also provide the person to whom the personal information pertains an opportunity to correct inaccuracies, prevent the information from being used for another purpose, provide security for such information, and contain a description of any significant alternatives to the proposed rule that would advance its goals while protecting private information.

This section also requires an agency to issue a final privacy impact analysis to accompany rules published for notice and comment under 5 U.S.C. Sec. 553 or issued by the IRS. The final statement must be signed by the senior agency official responsible for privacy policy, and contain an assessment of the extent to which the final rule will impact the privacy of individuals, including the degree to which the proposed rule: provides notice of the collection of private information, specifies what information is to be collected, maintained and disclosed, allows access and opportunity to correct inaccuracies to the person whose information is obtained, prevents this information from being used for another purpose, and provides security for this information.
This statement must contain a summary of the significant issues raised by the public comments in response to the initial privacy analysis, a summary of the assessment of the agency, and a statement of any changes made in the proposed rule. This statement must also contain a description of the steps the agency has taken to minimize the significant privacy impact on individuals consistent with the objective of the rules and applicable statutes, including a statement of the factual and legal basis for selection of the final rule as well as other alternatives that might have a less adverse impact on privacy. The final privacy impact analysis shall be made available to the public and published in the Federal Register.

This section also provides heads of agencies authority to waive or delay the completion of the final privacy impact analysis in specified circumstances. It further provides for procedures designed to ensure that the public adequately participates in the rulemaking process by including in the advance notice of proposed rulemaking, a statement that the proposed rule may have a significant impact on personal privacy, or a privacy impact on a substantial number of individuals, the publication of a general notice of proposed rulemaking in national publications, direct notification of affected individuals, and the adoption of agency procedural rules to reduce the cost and complexity of participation in the rulemaking by individuals.

In addition, this section requires that agencies conduct periodic reviews of rules having a significant privacy impact to determine whether the rule can be amended or rescinded in a manner that minimizes any such impact while remaining in accordance with applicable statutes.
In making this determination, the agency should examine the need for the rule, the nature of complaints or comments received from the public concerning the rule, the complexity of the rule, the extent to which the rule is duplicative, the length of time since the rule was last reviewed, and changing technology. Each agency is required to carry out its periodic reviews in accordance with a plan published in the Federal Register, and each rule shall be examined no later than 10 years after its finalization. The agency in question shall annually publish a list of all rules to be reviewed.

Of critical importance, this section allows individuals adversely affected by a final agency action to seek judicial review of agency compliance with the requirements of this legislation. Jurisdiction is conferred upon all courts which currently have jurisdiction over 5 U.S.C. Sec. 553. There are limitations on this standing. For example, an individual is permitted to challenge the rule only after the rule has been in existence for 1 year, unless otherwise specified. In the case where an agency delays the issuance of a final privacy impact analysis, an action for judicial review under this section shall be filed not later than 1 year after the date the analysis is made public, unless otherwise specified. In granting relief under this section, a court may remand the rule to the agency, or defer the enforcement of the rule unless the court finds the rule is in the public interest. This section also contains a savings clause, which permits judicial review of other privacy-related claims if otherwise not prohibited.

This section defines personally identifiable information as data that can be used to identify an individual, including the individual's name, address, telephone number, photograph, Social Security number, or other identifying information. This definition encompasses information related to medical or financial condition.
Finally, this section amends the Congressional Review Act to permit Congress to strike agency rules inconsistent with the requirements of this legislation.

Changes in Existing Law Made by the Bill, as Reported

In compliance with clause 3(e) of rule XIII of the Rules of the House of Representatives, changes in existing law made by the bill, as reported, are shown as follows (existing law proposed to be omitted is enclosed in black brackets, new matter is printed in italics, existing law in which no change is proposed is shown in roman):

TITLE 5, UNITED STATES CODE

* * * * * * *

PART I--THE AGENCIES GENERALLY

* * * * * * *

CHAPTER 5--ADMINISTRATIVE PROCEDURE

SUBCHAPTER I--GENERAL PROVISIONS

Sec. 500. Administrative practice; general provisions.

* * * * * * *

SUBCHAPTER II--ADMINISTRATIVE PROCEDURE

551. Definitions.

* * * * * * *

553a. Privacy impact analysis in rulemaking.

* * * * * * *

SUBCHAPTER II--ADMINISTRATIVE PROCEDURE

* * * * * * *

Sec. 553a. Privacy impact analysis in rulemaking

(a) Initial Privacy Impact Analysis.--

(1) In general.--Whenever an agency is required by section 553 of this title, or any other law, to publish a general notice of proposed rulemaking for any proposed rule, or publishes a notice of proposed rulemaking for an interpretative rule involving the internal revenue laws of the United States, the agency shall prepare and make available for public comment an initial privacy impact analysis. Such analysis shall describe the impact of the proposed rule on the privacy of individuals. The initial privacy impact analysis or a summary shall be signed by the senior agency official with primary responsibility for privacy policy and be published in the Federal Register at the time of the publication of a general notice of proposed rulemaking for the rule.
(2) Contents.--Each initial privacy impact analysis required under this subsection shall contain the following:

(A) A description and assessment of the extent to which the proposed rule will impact the privacy interests of individuals, including the extent to which the proposed rule--

(i) provides notice of the collection of personally identifiable information, and specifies what personally identifiable information is to be collected and how it is to be collected, maintained, used, and disclosed;

(ii) allows access to such information by the person to whom the personally identifiable information pertains and provides an opportunity to correct inaccuracies;

(iii) prevents such information, which is collected for one purpose, from being used for another purpose; and

(iv) provides security for such information.

(B) A description of any significant alternatives to the proposed rule which accomplish the stated objectives of applicable statutes and which minimize any significant privacy impact of the proposed rule on individuals.

(b) Final Privacy Impact Analysis.--

(1) In general.--Whenever an agency promulgates a final rule under section 553 of this title, after being required by that section or any other law to publish a general notice of proposed rulemaking, or promulgates a final interpretative rule involving the internal revenue laws of the United States, the agency shall prepare a final privacy impact analysis, signed by the senior agency official with primary responsibility for privacy policy.
(2) Contents.--Each final privacy impact analysis required under this subsection shall contain the following:

(A) A description and assessment of the extent to which the final rule will impact the privacy interests of individuals, including the extent to which the proposed rule--

(i) provides notice of the collection of personally identifiable information, and specifies what personally identifiable information is to be collected and how it is to be collected, maintained, used, and disclosed;

(ii) allows access to such information by the person to whom the personally identifiable information pertains and provides an opportunity to correct inaccuracies;

(iii) prevents such information, which is collected for one purpose, from being used for another purpose; and

(iv) provides security for such information.

(B) A summary of the significant issues raised by the public comments in response to the initial privacy impact analysis, a summary of the assessment of the agency of such issues, and a statement of any changes made in the proposed rule as a result of such issues.

(C) A description of the steps the agency has taken to minimize the significant privacy impact on individuals consistent with the stated objectives of applicable statutes, including a statement of the factual, policy, and legal reasons for selecting the alternative adopted in the final rule and why each one of the other significant alternatives to the rule considered by the agency which affect the privacy interests of individuals was rejected.

(3) Availability to public.--The agency shall make copies of the final privacy impact analysis available to members of the public and shall publish in the Federal Register such analysis or a summary thereof.
(c) Procedure for Waiver or Delay of Completion.--An agency head may waive or delay the completion of some or all of the requirements of subsections (a) and (b) to the same extent as the agency head may, under section 608, waive or delay the completion of some or all of the requirements of sections 603 and 604, respectively.

(d) Procedures for Gathering Comments.--When any rule is promulgated which may have a significant privacy impact on individuals, or a privacy impact on a substantial number of individuals, the head of the agency promulgating the rule or the official of the agency with statutory responsibility for the promulgation of the rule shall assure that individuals have been given an opportunity to participate in the rulemaking for the rule through techniques such as--

(1) the inclusion in an advance notice of proposed rulemaking, if issued, of a statement that the proposed rule may have a significant privacy impact on individuals, or a privacy impact on a substantial number of individuals;

(2) the publication of a general notice of proposed rulemaking in publications of national circulation likely to be obtained by individuals;

(3) the direct notification of interested individuals;

(4) the conduct of open conferences or public hearings concerning the rule for individuals, including soliciting and receiving comments over computer networks; and

(5) the adoption or modification of agency procedural rules to reduce the cost or complexity of participation in the rulemaking by individuals.

(e) Periodic Review of Rules.--

(1) In general.--Each agency shall carry out a periodic review of the rules promulgated by the agency that have a significant privacy impact on individuals, or a privacy impact on a substantial number of individuals. Under such periodic review, the agency shall determine, for each such rule, whether the rule can be amended or rescinded in a manner that minimizes any such impact while remaining in accordance with applicable statutes.
For each such determination, the agency shall consider the following factors:

(A) The continued need for the rule.

(B) The nature of complaints or comments received from the public concerning the rule.

(C) The complexity of the rule.

(D) The extent to which the rule overlaps, duplicates, or conflicts with other Federal rules, and, to the extent feasible, with State and local governmental rules.

(E) The length of time since the rule was last reviewed under this subsection.

(F) The degree to which technology, economic conditions, or other factors have changed in the area affected by the rule since the rule was last reviewed under this subsection.

(2) Plan required.--Each agency shall carry out the periodic review required by paragraph (1) in accordance with a plan published by such agency in the Federal Register. Each such plan shall provide for the review under this subsection of each rule promulgated by the agency not later than 10 years after the date on which such rule was published as the final rule and, thereafter, not later than 10 years after the date on which such rule was last reviewed under this subsection. The agency may amend such plan at any time by publishing the revision in the Federal Register.

(3) Annual publication.--Each year, each agency shall publish in the Federal Register a list of the rules to be reviewed by such agency under this subsection during the following year. The list shall include a brief description of each such rule and the need for and legal basis of such rule and shall invite public comment upon the determination to be made under this subsection with respect to such rule.

(f) Judicial Review.--

(1) In general.--For any rule subject to this section, an individual who is adversely affected or aggrieved by final agency action is entitled to judicial review of agency compliance with the requirements of subsections (b) and (c) in accordance with chapter 7.
Agency compliance with subsection (d) shall be judicially reviewable in connection with judicial review of subsection (b).

(2) Jurisdiction.--Each court having jurisdiction to review such rule for compliance with section 553, or under any other provision of law, shall have jurisdiction to review any claims of noncompliance with subsections (b) and (c) in accordance with chapter 7. Agency compliance with subsection (d) shall be judicially reviewable in connection with judicial review of subsection (b).

(3) Limitations.--

(A) An individual may seek such review during the period beginning on the date of final agency action and ending 1 year later, except that where a provision of law requires that an action challenging a final agency action be commenced before the expiration of 1 year, such lesser period shall apply to an action for judicial review under this subsection.

(B) In the case where an agency delays the issuance of a final privacy impact analysis pursuant to subsection (c), an action for judicial review under this section shall be filed not later than--

(i) 1 year after the date the analysis is made available to the public; or

(ii) where a provision of law requires that an action challenging a final agency regulation be commenced before the expiration of the 1-year period, the number of days specified in such provision of law that is after the date the analysis is made available to the public.

(4) Relief.--In granting any relief in an action under this subsection, the court shall order the agency to take corrective action consistent with this section and chapter 7, including, but not limited to--

(A) remanding the rule to the agency; and

(B) deferring the enforcement of the rule against individuals, unless the court finds that continued enforcement of the rule is in the public interest.
(5) Rule of construction.--Nothing in this subsection shall be construed to limit the authority of any court to stay the effective date of any rule or provision thereof under any other provision of law or to grant any other relief in addition to the requirements of this subsection.

(6) Record of agency action.--In an action for the judicial review of a rule, the privacy impact analysis for such rule, including an analysis prepared or corrected pursuant to paragraph (4), shall constitute part of the entire record of agency action in connection with such review.

(7) Exclusivity.--Compliance or noncompliance by an agency with the provisions of this section shall be subject to judicial review only in accordance with this subsection.

(8) Savings clause.--Nothing in this subsection bars judicial review of any other impact statement or similar analysis required by any other law if judicial review of such statement or analysis is otherwise permitted by law.

(g) Definition.--For purposes of this section, the term ``personally identifiable information'' means information that can be used to identify an individual, including such individual's name, address, telephone number, photograph, social security number or other identifying information. It includes information about such individual's medical or financial condition.

* * * * * * *

CHAPTER 8--CONGRESSIONAL REVIEW OF AGENCY RULEMAKING

* * * * * * *

Sec. 801. Congressional review

(a)(1)(A) * * *

(B) On the date of the submission of the report under subparagraph (A), the Federal agency promulgating the rule shall submit to the Comptroller General and make available to each House of Congress--

(i) * * *

* * * * * * *

(iii) the agency's actions relevant to section 553a;

[(iii)] (iv) the agency's actions relevant to sections 202, 203, 204, and 205 of the Unfunded Mandates Reform Act of 1995; and

[(iv)] (v) any other relevant information or requirements under any other Act and any relevant Executive orders.
* * * * * * *

Markup Transcript

BUSINESS MEETING

TUESDAY, SEPTEMBER 10, 2002

House of Representatives,
Committee on the Judiciary,
Washington, DC.

The Committee met, pursuant to notice, at 10:00 a.m., in Room 2141, Rayburn House Office Building, Hon. F. James Sensenbrenner, Jr. [chairman of the Committee] presiding.

Chairman Sensenbrenner. The Committee will be in order, and a working quorum is present.

* * * * * * *

The next item on the agenda is the adoption of H.R.4561, the ``Federal Agency Protection of Privacy Act.'' The chair recognizes the gentleman from Georgia, Mr. Barr, for a motion.

Mr. Barr. Mr. Chairman, the Subcommittee on Commercial and Administrative Law reports favorably the bill H.R.4561 and moves its favorable recommendation to the full House.

Chairman Sensenbrenner. Without objection, H.R.4561 will be considered as read and open for amendment at any point.

[The bill, H.R.4561, follows:]

Chairman Sensenbrenner. The chair again makes the same admonition about opening statements. Without objection, all opening statements will appear in the record at this point.

Chairman Sensenbrenner. Are there amendments? If there are no amendments, the chair notes the presence of a reporting quorum. The question occurs on the motion to report the bill H.R. 4561 favorably. All in favor say aye. Opposed, no. The ayes appear to have it. The ayes have it. The motion to report favorably is adopted. Without objection, the bill will be reported to the House favorably in the form of a single amendment in the nature of a substitute. Without objection, the Chairman is authorized to move to go to conference pursuant to House rules. Without objection, the staff is directed to make any technical and conforming changes and all Members will be given 2 days, pursuant to House rules, in which to submit additional dissenting, supplemental or minority views.