[Congressional Bills 108th Congress]
[From the U.S. Government Publishing Office]
[S. 2471 Introduced in Senate (IS)]

  2d Session
                                 S. 2471

To regulate the transmission of personally identifiable information to 
                 foreign affiliates and subcontractors


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                              May 20, 2004

 Mrs. Clinton introduced the following bill; which was read twice and 
               referred to the Committee on the Judiciary

_______________________________________________________________________

                                 A BILL


 
To regulate the transmission of personally identifiable information to 
                 foreign affiliates and subcontractors

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Safeguarding Americans From 
Exporting Identification Data Act'' or the ``SAFE-ID Act''.

SEC. 2. DEFINITIONS.

    As used in this Act, the following definitions shall apply:
            (1) Business enterprise.--The term ``business enterprise'' 
        means--
                    (A) any organization, association, or venture 
                established to make a profit;
                    (B) any health care business;
                    (C) any private, nonprofit organization; or
                    (D) any contractor, subcontractor, or potential 
                subcontractor of an entity described in subparagraph 
                (A), (B), or (C).
            (2) Health care business.--The term ``health care 
        business'' means any business enterprise or private, nonprofit 
        organization that collects or retains personally identifiable 
        information about consumers in relation to medical care, 
        including--
                    (A) hospitals;
                    (B) health maintenance organizations;
                    (C) medical partnerships;
                    (D) emergency medical transportation companies;
                    (E) medical transcription companies;
                    (F) banks that collect or process medical billing 
                information; and
                    (G) subcontractors, or potential subcontractors, of 
                the entities described in subparagraphs (A) through 
                (F).
            (3) Personally identifiable information.--The term 
        ``personally identifiable information'' includes information 
        such as--
                    (A) name;
                    (B) postal address;
                    (C) financial information;
                    (D) medical records;
                    (E) date of birth;
                    (F) phone number;
                    (G) e-mail address;
                    (H) social security number;
                    (I) mother's maiden name;
                    (J) password;
                    (K) state identification information; and
                    (L) driver's license number.

SEC. 3. TRANSMISSION OF INFORMATION.

    (a) Prohibition.--A business enterprise may not disclose personally 
identifiable information regarding a resident of the United States to 
any foreign branch, affiliate, subcontractor, or unaffiliated third 
party located in a foreign country unless--
            (1) the business enterprise provides the notice of privacy 
        protections described in sections 502 and 503 of the Gramm-
        Leach-Bliley Act (15 U.S.C. 6802 and 6803) or required by the 
        regulations promulgated pursuant to section 264(c) of the 
        Health Insurance Portability and Accountability Act of 1996 (42 
        U.S.C. 1320d-2 note), as appropriate;
            (2) the business enterprise complies with the safeguards 
        described in section 501(b) of the Gramm-Leach-Bliley Act (15 
        U.S.C. 6801(b)), as appropriate;
            (3) the consumer is given the opportunity, before the time 
        that such information is initially disclosed, to object to the 
        disclosure of such information to such foreign branch, 
        affiliate, subcontractor, or unaffiliated third party; and
            (4) the consumer is given an explanation of how the 
        consumer can exercise the nondisclosure option described in 
        paragraph (3).
    (b) Health Care Businesses.--A health care business may not 
terminate an existing relationship with a consumer of health care 
services to avoid the consumer from objecting to the disclosure under 
subsection (a)(3).
    (c) Effect on Business Relationship.--
            (1) Nondiscrimination.--A business enterprise may not 
        discriminate against or deny an otherwise qualified consumer a 
        financial product or a health care service because the consumer 
        has objected to the disclosure under subsection (a)(3).
            (2) Products and services.--A business enterprise shall not 
        be required to offer or provide a product or service through 
        affiliated entities or jointly with nonaffiliated business 
        enterprises.
            (3) Incentives and discounts.--Nothing in this subsection 
        is intended to prohibit a business enterprise from offering 
        incentives or discounts to elicit a specific response to the 
        notice required under subsection (a).
    (d) Liability.--
            (1) In general.--A business enterprise that knowingly and 
        directly transfers personally identifiable information to a 
        foreign branch, affiliate, subcontractor, or unaffiliated third 
        party shall be liable to any person suffering damages resulting 
        from the improper storage, duplication, sharing, or other 
        misuse of such information by the transferee.
            (2) Civil action.--An injured party under paragraph (1) may 
        sue in law or in equity in any court of competent jurisdiction 
        to recover the damages sustained as a result of a violation of 
        this section.
    (e) Rulemaking.--The Chairman of the Federal Trade Commission shall 
promulgate regulations through which the Chairman may enforce the 
provisions of this section and impose a civil penalty for a violation 
of this section.

SEC. 4. PRIVACY FOR CONSUMERS OF HEALTH SERVICES.

    The Secretary of Health and Human Services shall revise the 
regulations promulgated pursuant to section 264(c) of the Health 
Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d-2 
note) to require a covered entity (as defined under such regulations) 
that outsources protected health information (as defined under such 
regulations) outside the United States to include in such entity's 
notice of privacy protections--
            (1) notification that the covered entity outsources 
        protected health information to business associates (as defined 
        under such regulations) for processing outside the United 
        States;
            (2) a description of the privacy laws of the country to 
        which the protected health information will be sent;
            (3) any additional risks and consequences to the privacy 
        and security of protected health information that arise as a 
        result of the processing of such information in a foreign 
        country;
            (4) additional measures the covered entity is taking to 
        protect the protected health information outsourced for 
        processing outside the United States;
            (5) notification that the protected health information will 
        not be outsourced outside the United States if the consumer 
        objects; and
            (6) a certification that--
                    (A) the covered entity has taken reasonable steps 
                to identify the locations where protected health 
                information is outsourced by such business associates;
                    (B) attests to the privacy and security of the 
                protected health information outsourced for processing 
                outside the United States; and
                    (C) states the reasons for the determination by the 
                covered entity that the privacy and security of such 
                information is maintained.

SEC. 5. PRIVACY FOR CONSUMERS OF FINANCIAL SERVICES.

    Section 503(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6803(b)) is 
amended--
            (1) in paragraph (3), by striking ``and'' after the 
        semicolon;
            (2) in paragraph (4), by striking the period at the end and 
        inserting ``; and''; and
            (3) by adding at the end the following:
            ``(5) if the financial institution outsources nonpublic 
        personal information outside the United States--
                    ``(A) information informing the consumer in simple 
                language--
                            ``(i) that the financial institution 
                        outsources nonpublic personal information to 
                        entities for processing outside the United 
                        States;
                            ``(ii) of the privacy laws of the country 
                        to which nonpublic personal information will be 
                        sent;
                            ``(iii) of any additional risks and 
                        consequences to the privacy and security of an 
                        individual's nonpublic personal information 
                        that arise as a result of the processing of 
                        such information in a foreign country; and
                            ``(iv) of the additional measures the 
                        financial institution is taking to protect the 
                        nonpublic personal information outsourced for 
                        processing outside the United States; and
                    ``(B) a certification that--
                            ``(i) the financial institution has taken 
                        reasonable steps to identify the locations 
                        where nonpublic personal information is 
                        outsourced by such entities;
                            ``(ii) attests to the privacy and security 
                        of the nonpublic personal information 
                        outsourced for processing outside the United 
                        States; and
                            ``(iii) states the reasons for the 
                        determination by the institution that the 
                        privacy and security of such information is 
                        maintained.''

SEC. 6. EFFECTIVE DATE.

    This Act shall take effect on the expiration of the date which is 
90 days after the date of enactment of this Act.