[Congressional Bills 108th Congress]
[From the U.S. Government Publishing Office]
[S. 2312 Introduced in Senate (IS)]
108th CONGRESS
  2d Session
                                S. 2312

To regulate the transmission of personally identifiable information to 
                 foreign affiliates and subcontractors.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             April 8, 2004

  Mrs. Clinton (for herself and Mr. Dayton) introduced the following 
 bill; which was read twice and referred to the Committee on Commerce, 
                      Science, and Transportation

_______________________________________________________________________

                                 A BILL

To regulate the transmission of personally identifiable information to 
                 foreign affiliates and subcontractors.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``SAFE-ID Act'' or the ``SAFE-ID 
Act''.

SEC. 2. DEFINITIONS.

    As used in this Act, the following definitions shall apply:
            (1) Business enterprise.--The term ``business enterprise'' 
        means any organization, association, or venture established to 
        make a profit.
            (2) Country with adequate privacy protection.--The term 
        ``country with adequate privacy protection'' means a country 
        that has been certified by the Federal Trade Commission as 
        having a legal system that provides adequate privacy protection 
        for personally identifiable information.
            (3) Health care business.--The term ``health care 
        business'' means any business enterprise or private, nonprofit 
        organization that collects or retains personally identifiable 
        information about consumers in relation to medical care, 
        including--
                    (A) hospitals;
                    (B) health maintenance organizations;
                    (C) medical partnerships;
                    (D) emergency medical transportation companies;
                    (E) medical transcription companies;
                    (F) banks that collect or process medical billing 
                information; and
                    (G) subcontractors, or potential subcontractors, of 
                the entities described in subparagraphs (A) through 
                (F).
            (4) Personally identifiable information.--The term 
        ``personally identifiable information'' includes, but is not 
        limited to, information such as--
                    (A) name;
                    (B) postal address;
                    (C) financial information;
                    (D) medical records;
                    (E) date of birth;
                    (F) phone number;
                    (G) e-mail address;
                    (H) social security number;
                    (I) mother's maiden name;
                    (J) password;
                    (K) state identification information; and
                    (L) driver's license number.

SEC. 3. TRANSMISSION OF INFORMATION.

    (a) In General.--A business enterprise may transmit personally 
identifiable information regarding a citizen of the United States to 
any foreign affiliate or subcontractor located in a country that is a 
country with adequate privacy protection.
    (b) Consent Required.--A business enterprise may not transmit 
personally identifiable information regarding a citizen of the United 
States to any foreign affiliate or subcontractor located in a country 
that is a country without adequate privacy protection unless--
            (1) the business enterprise discloses to the citizen that 
        the country to which the information will be transmitted does 
        not have adequate privacy protection;
            (2) the business enterprise obtains consent from the 
        citizen, before a consumer relationship is established or 
        before the effective date of this Act, to transmit such 
        information to such foreign affiliate or subcontractor; and
            (3) the consent referred to in paragraph (2) is renewed by 
        the citizen within 1 year before such information is 
        transmitted.
    (c) Liability.--A business enterprise shall be liable for any 
damages arising from the improper storage, duplication, sharing, or 
other misuse of personally identifiable information by the business 
enterprise or by any of its foreign affiliates or subcontractors that 
received such information from the business enterprise.
    (d) Rulemaking.--The Chairman of the Federal Trade Commission shall 
promulgate regulations through which the Chairman may enforce the 
provisions of this section and impose a fine for a violation of this 
section.

SEC. 4. HEALTH CARE INFORMATION.

    (a) In General.--A health care business shall be liable for any 
damages arising from the improper storage, duplication, sharing, or 
other misuse of personally identifiable information by the business 
enterprise or by any of its foreign affiliates or subcontractors that 
received such information from the business enterprise.
    (b) No Opt Out Provision.--A health care business may not terminate 
an existing relationship with a consumer of health care services to 
avoid the consent requirement under section 3(b).
    (c) Rulemaking.--The Secretary of Health and Human Services shall 
promulgate regulations through which the Secretary may enforce the 
provisions of this section and impose a fine for the violation of this 
section.

SEC. 5. CERTIFICATION.

    (a) In General.--Not later than 6 months after the date of 
enactment of this Act, the Federal Trade Commission shall--
            (1) certify those countries that have legal systems that 
        provide adequate privacy protection for personally identifiable 
        information; and
            (2) make the list of countries certified under paragraph 
        (1) available to the general public.
    (b) Certification Criteria.--In determining whether a country 
should be certified under this section, the Federal Trade Commission 
shall consider the adequacy of the country's infrastructure for 
detecting, evaluating, and responding to privacy violations.
    (c) European Union Data Protection Directive.--A country that has 
comprehensive privacy laws that meet the requirements of the European 
Union Data Protection Directive shall be certified under this section 
unless the Federal Trade Commission determines that such laws are not 
commonly enforced within such country.

SEC. 6. EFFECTIVE DATE.

    This Act shall take effect on the expiration of the date which is 
90 days after the date of enactment of this Act.