[Congressional Record Volume 147, Number 63 (Wednesday, May 9, 2001)]
[Senate]
[Pages S4604-S4607]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. THOMPSON (for himself, Mr. Kohl, Mr. Voinovich, Mr. Levin, 
        Mr. Thurmond, Ms. Collins, and Mr. Fitzgerald):
  S. 851. A bill to establish a commission to conduct a study of 
government privacy practices, and for other purposes; to the Committee 
on Governmental Affairs.
  Mr. THOMPSON. Mr. President, I rise today to introduce the 
``Citizens' Privacy Commission Act of 2001.'' This legislation will 
establish an 11-member commission to examine how Federal, State, and 
local governments collect and use our personal information and to make 
recommendations to Congress as we consider how to map out government 
privacy protections for the future. The Citizens' Privacy Commission, 
whose members will include experts with a diversity of experiences, 
will look at the spectrum of privacy concerns involving Federal, State, 
and local government, from protecting citizens' genetic information, to 
guaranteeing the safe use of Social Security numbers, to ensuring 
confidentiality to citizens visiting government web sites.
  As we all know, Americans are increasingly concerned about the 
potential misuse of their personal information. A variety of measures 
intended to address the collection, use, and distribution of personal 
information by the private sector have been introduced in Congress. 
Recent events, however, suggest that government privacy practices 
warrant closer scrutiny. For example, details surfaced last summer 
about the FBI's new e-mail surveillance system--Carnivore. Civil 
libertarians and Internet users alike continue to question the 
legitimacy of this ``online wiretapping.''
  Also last summer, after the White House Office of National Drug 
Control Policy was found to be using ``cookies'' on Internet search 
engines, I requested that GAO investigate Federal agencies' use of 
these information-collection devices on their own Web sites. GAO only 
had time to investigate a small sample of Federal agency sites, but 
they found a number of unauthorized ``cookies,'' including one that was 
operated by a third-party private company on an agency Web site under 
an agreement that gave the private company co-ownership of the data 
collected on visitors to the site.
  As a follow-up to the GAO investigation, Congressman Jay Inslee and I 
worked together on an amendment to require all agency Inspectors 
General to report to Congress on each agency's Internet information-
collection practices. Fewer than half of the Inspectors General have 
completed their investigations, but the preliminary findings are cause 
for concern. In audits performed this past winter, sixteen Inspectors 
General identified sixty-four agency Web sites that were violating the 
privacy policies established by the last Administration by using 
information-collection devices called ``cookies'' without the required 
approval.
  Last fall, Congressmen Armey and Tauzin released a GAO report that 
revealed that 97 percent of the Web sites of Federal agencies, 
including the Federal Trade Commission, weren't in compliance with 
privacy standards that the FTC was advocating for private sector Web 
sites.
  On top of all these examples, there is the issue of computer security 
at Federal agencies, which has been notoriously lax for years. GAO and 
Federal agency Inspectors General report time and time again that 
sensitive information on citizens' health and financial records is 
vulnerable to hackers. Just this spring, GAO issued a report which 
explained how easily their investigators were able to hack into IRS 
computers and gain access to citizens' e-filed taxes. Not surprisingly, 
a recent poll shows that most Americans perceive government as the 
greatest threat to their personal privacy, above both the media and 
corporations.
  Last year, Senator Kohl and I sponsored the Senate companion bill to 
the Hutchinson-Moran Privacy Commission Act. This bill would have 
created a commission to study privacy issues in both the government and 
the private sector. The House bill failed a suspension vote by a narrow 
margin. There was a lack of consensus on whether a commission was 
warranted for the private sector issues being deliberated by the 
Congress. There was no disagreement, however, on the need for a 
commission to study the government's management of citizens' personal 
privacy. Many privacy advocates believe that the Privacy Act of 1974 
and other laws addressing government privacy practices need to be 
updated, but we need a better understanding of the extent of the 
problem and of what exactly needs to be done.

  Federal, State, and local governments collect, use, and distribute a 
large quantity of personal information for legitimate purposes. Yet 
because governments operate under different incentives and under a 
different legal relationship than the private sector, they may pose 
unique privacy problems. Unlike businesses, governments collect 
personal information under the force of law. Furthermore, governments 
do not face the market incentives that can discourage information 
collection or sharing. With the power and authority of government and 
the breadth of information it collects comes the potential for mistakes 
or abuse. The risk of privacy violations could also threaten to 
undermine the public's confidence in e-Government, our effort to make 
government more accessible and responsive to citizens through the 
Internet. In fact, according to a recent Pew Internet and American Life 
report, only 31 percent of Americans say they trust the government to 
do the right thing most of the time or all of the time.
  The last Federal privacy commission operated over 25 years ago, from 
1975 to 1977. Since then, there have been enormous leaps in technology. 
Today, a few keystrokes on a computer hooked up to the Internet can 
produce a quantity of information that was unimaginable in 1975. The 
question we must answer today is the same question Congress addressed 
in 1975: ``How can government achieve the correct balance between 
protecting personal privacy and allowing appropriate uses of 
information?'' The technological advances and other changes that have 
occurred since the 1970's, however, demand a reevaluation of the 
government privacy protections that we currently have in place. While 
we have passed laws laying out a framework for the Federal government, 
it is time to reassess the laws designed to safeguard citizens' privacy 
in light of the current state of technology.
  The Citizens' Privacy Commission will help us find the balance 
between protecting the privacy of individuals

[[Page S4605]]

and permitting specific and appropriate uses of personal information 
for legitimate and necessary government purposes. The Commission will 
be directed to study a wide variety of issues relating to personal 
privacy and the government, including the collection, use, and 
distribution of personal information by Federal, State, and local 
governments, as well as current legislative and regulatory efforts to 
respond to privacy problems in the government. In the course of its 
examination of these issues, the Commission will also be required to 
hold at least three field hearings around the country and to set up a 
Web site to facilitate public participation and public comment. After 
18 months of study, the Commission will submit a report to Congress on 
its findings, including any recommendations for legislation to reform 
or augment current laws. The Commission's report will be available for 
consideration by the next Congress.
  It is my hope that we all can work together to pass the Citizens' 
Privacy Commission Act of 2001 to help us make informed and thoughtful 
decisions to protect the privacy of the American people. I would like 
to thank Senator Kohl, who has worked with me on a privacy commission 
bill for some time, as well as Senators Voinovich, Levin, Thurmond, 
Collins, and Fitzgerald for joining us as cosponsors. I urge my 
colleagues to support this important legislation.
  Mr. President, I ask unanimous consent that the text of the bill be 
printed in the Record.
  There being no objection, the bill was ordered to be printed in the 
Record, as follows:

                                 S. 851

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Citizens' Privacy Commission 
     Act of 2001''.

     SEC. 2. FINDINGS.

       Congress finds the following:
       (1) Americans are increasingly concerned about their civil 
     liberties and the security, collection, use, and distribution 
     of their personal information by government, including 
     medical records and genetic information, educational records, 
     health records, tax records, library records, driver's 
     license numbers, and other records.
       (2) The shift from a paper based government to an 
     information technology reliant government calls for a 
     reassessment of the most effective way to balance personal 
     privacy and information use, keeping in mind the potential 
     for unintended effects on technology development and privacy 
     needs.
       (3) Concerns have been raised about the adequacy of 
     existing government privacy laws and the adequacy of their 
     enforcement in light of new technologies.

     SEC. 3. ESTABLISHMENT.

       There is established a commission to be known as the 
     ``Citizens' Privacy Commission'' (in this Act referred to as 
     the ``Commission'').

     SEC. 4. DUTIES OF COMMISSION.

       (a) Study.--The Commission shall conduct a study of issues 
     relating to protection of individual privacy and the 
     appropriate balance to be achieved between protecting 
     individual privacy and allowing appropriate uses of 
     information, including the following:
       (1) The collection, use, and distribution of personal 
     information by Federal, State, and local governments.
       (2) Current efforts and proposals to address the 
     collection, use, and distribution of personal information by 
     Federal and State governments, including--
       (A) existing statutes and regulations relating to the 
     protection of individual privacy, including section 552a of 
     title 5, United States Code (commonly referred to as the 
     Privacy Act of 1974) and section 552 of that title (commonly 
     referred to as the Freedom of Information Act); and
       (B) privacy protection efforts undertaken by the Federal 
     Government, State governments, foreign governments, and 
     international governing bodies.
       (3) The extent to which individuals in the United States 
     can obtain redress for privacy violations by government.
       (b) Field Hearings.--The Commission shall conduct at least 
     3 field hearings in different geographical regions of the 
     United States.
       (c) Report.--
       (1) In general.--Not later than 18 months after the 
     appointment of all members of the Commission--
       (A) a majority of the members of the Commission shall 
     approve a report; and
       (B) the Commission shall submit the approved report to the 
     Congress and the President.
       (2) Contents.--The report shall include a detailed 
     statement of findings, conclusions, and recommendations 
     regarding government collection, use and disclosure of 
     personal information, including the following:
       (A) Findings on potential threats posed to individual 
     privacy.
       (B) Analysis of purposes for which sharing of information 
     is appropriate and beneficial to the public.
       (C) Analysis of the effectiveness of existing statutes, 
     regulations, technology advances, third-party verification, 
     and market forces in protecting individual privacy.
       (D) Recommendations on whether additional legislation or 
     regulation is necessary, and if so, specific suggestions on 
     proposals to reform or augment current laws and regulations 
     relating to citizens' privacy.
       (E) Analysis of laws, regulations, or proposals which may 
     impose unreasonable costs or burdens, raise constitutional 
     concerns, or cause unintended harm in other policy areas, 
     such as security, law enforcement, medical research and 
     treatment, employee benefits, or critical infrastructure 
     protection.
       (F) Cost analysis of legislative or regulatory changes 
     proposed in the report.
       (G) Recommendations on non-legislative solutions to 
     individual privacy concerns, including new technology, 
     education, best practices, and third party verification.
       (H) Recommendations on alternatives to government 
     collection of information, including private sector 
     retention.
       (I) Review of the effectiveness and utility of third-party 
     verification.
       (d) Additional Report.--Together with the report under 
     subsection (c), the Commission shall submit to the Congress 
     and the President any additional report of dissenting 
     opinions or minority views by a member of the Commission.
       (e) Interim Report.--The Commission may submit to the 
     Congress and the President an interim report approved by a 
     majority of the members of the Commission.

     SEC. 5. MEMBERSHIP.

       (a) Number and Appointment.--The Commission shall be 
     composed of 11 members appointed as follows:
       (1) 2 members appointed by the President.
       (2) 2 members appointed by the Majority Leader of the 
     Senate.
       (3) 2 members appointed by the Minority Leader of the 
     Senate.
       (4) 2 members appointed by the Speaker of the House of 
     Representatives.
       (5) 2 members appointed by the Minority Leader of the House 
     of Representatives.
       (6) 1 member, who shall serve as Chairperson of the 
     Commission, appointed jointly by the President, the Majority 
     Leader of the Senate, the Minority Leader of the Senate, the 
     Speaker of the House of Representatives, and the Minority 
     Leader of the House of Representatives.
       (b) Diversity of Views.--The appointing authorities under 
     subsection (a) shall seek to ensure that the membership of 
     the Commission has a diversity of experiences and expertise 
     on the issues to be studied by the Commission, such as views 
     and experiences of Federal, State, and local governments, the 
     media, the academic community, consumer groups, public policy 
     groups and other advocacy organizations, civil liberties 
     experts, and business and industry (including small business, 
     the information technology industry, the health care 
     industry, and the financial services industry).
       (c) Date of Appointment.--The appointment of the members of 
     the Commission shall be made not later than 30 days after the 
     date of the enactment of this Act.
       (d) Terms.--Each member of the Commission shall be 
     appointed for the life of the Commission.
       (e) Vacancies.--A vacancy in the Commission shall be filled 
     in the same manner in which the original appointment was 
     made.
       (f) Compensation; Travel Expenses.--Members of the 
     Commission shall serve without pay, but shall receive travel 
     expenses, including per diem in lieu of subsistence, in 
     accordance with sections 5702 and 5703 of title 5, United 
     States Code.
       (g) Quorum.--A majority of the members of the Commission 
     shall constitute a quorum, but a lesser number may hold 
     hearings.
       (h) Meetings.--
       (1) In general.--The Commission shall meet at the call of 
     the Chairperson or a majority of its members.
       (2) Initial meeting.--Not later than 45 days after the date 
     of the enactment of this Act, the Commission shall hold its 
     initial meeting.

     SEC. 6. DIRECTOR; STAFF; EXPERTS AND CONSULTANTS.

       (a) Director.--
       (1) In general.--Not later than 40 days after the date of 
     enactment of this Act, the Chairperson of the Commission 
     shall appoint a Director without regard to the provisions of 
     title 5, United States Code, governing appointments to the 
     competitive service.
       (2) Pay.--The Director shall be paid at the rate payable 
     for level III of the Executive Schedule established under 
     section 5314 of such title.
       (b) Staff.--The Director may appoint staff as the Director 
     determines appropriate.
       (c) Applicability of Certain Civil Service Laws.--
       (1) In general.--The staff of the Commission shall be 
     appointed without regard to the provisions of title 5, United 
     States Code, governing appointments in the competitive 
     service.
       (2) Pay.--The staff of the Commission shall be paid in 
     accordance with the provisions of chapter 51 and subchapter 
     III of chapter 53 of that title relating to classification 
     and General Schedule pay rates, but at rates not in excess of 
     the maximum rate for grade GS-15 of the General Schedule 
     under section 5332 of that title.
       (d) Experts and Consultants.--The Director may procure 
     temporary and intermittent

[[Page S4606]]

     services under section 3109(b) of title 5, United States 
     Code.
       (e) Staff of Federal Agencies.--
       (1) In general.--Upon request of the Director, the head of 
     any Federal department or agency may detail, on a 
     reimbursable basis, any of the personnel of that department 
     or agency to the Commission to assist it in carrying out this 
     Act.
       (2) Notification.--Before making a request under this 
     subsection, the Director shall give notice of the request to 
     each member of the Commission.

     SEC. 7. POWERS OF COMMISSION.

       (a) Hearings and Sessions.--The Commission may, for the 
     purpose of carrying out this Act, hold hearings, sit and act 
     at times and places, take testimony, and receive evidence as 
     the Commission considers appropriate. The Commission may 
     administer oaths or affirmations to witnesses appearing 
     before it.
       (b) Powers of Members and Agents.--Any member or agent of 
     the Commission may, if authorized by the Commission, take any 
     action which the Commission is authorized to take by this 
     section.
       (c) Obtaining Official Information.--
       (1) In general.--Except as provided in paragraph (2), if 
     the Chairperson of the Commission submits a request to a 
     Federal department or agency for information necessary to 
     enable the Commission to carry out this Act, the head of that 
     department or agency shall furnish that information to the 
     Commission.
       (2) Exception for national security.--If the head of that 
     department or agency determines that it is necessary to guard 
     that information from disclosure to protect the national 
     security interests of the United States, the head shall not 
     furnish that information to the Commission.
       (d) Website.--The Commission shall establish a website to 
     facilitate public participation and the submission of public 
     comments.
       (e) Mails.--The Commission may use the United States mails 
     in the same manner and under the same conditions as other 
     departments and agencies of the United States.
       (f) Administrative Support Services.--Upon the request of 
     the Director, the Administrator of General Services shall 
     provide to the Commission, on a reimbursable basis, the 
     administrative support services necessary for the Commission 
     to carry out this Act.
       (g) Gifts and Donations.--The Commission may accept, use, 
     and dispose of gifts or donations of services or property to 
     carry out this Act, but only to the extent or in the amounts 
     provided in advance in appropriation Acts.
       (h) Contracts.--The Commission may contract with and 
     compensate persons and government agencies for supplies and 
     services, without regard to section 3709 of the Revised 
     Statutes (41 U.S.C. 5).
       (i) Subpoena Power.--
       (1) In general.--The Commission may issue subpoenas 
     requiring the attendance and testimony of witnesses and the 
     production of any evidence relating to any matter that the 
     Commission is empowered to investigate by section 4. The 
     attendance of witnesses and the production of evidence may be 
     required by such subpoena from any place within the United 
     States and at any specified place of hearing within the 
     United States.
       (2) Failure to obey a subpoena.--If a person refuses to 
     obey a subpoena issued under paragraph (1), the Commission 
     may apply to a United States district court for an order 
     requiring that person to appear before the Commission to give 
     testimony, produce evidence, or both, relating to the matter 
     under investigation. The application may be made within the 
     judicial district where the hearing is conducted or where 
     that person is found, resides, or transacts business. Any 
     failure to obey the order of the court may be punished by the 
     court as civil contempt.
       (3) Service of subpoenas.--The subpoenas of the Commission 
     shall be served in the manner provided for subpoenas issued 
     by a United States district court under the Federal Rules of 
     Civil Procedure for the United States district courts.
       (4) Service of process.--All process of any court to which 
     application is made under paragraph (2) may be served in the 
     judicial district in which the person required to be served 
     resides or may be found.

     SEC. 8. PRIVACY PROTECTIONS.

       (a) Destruction or Return of Information Required.--Upon 
     the conclusion of the matter or need for which individually 
     identifiable information was disclosed to the Commission, the 
     Commission shall either destroy the individually identifiable 
     information or return it to the person or entity from which 
     it was obtained, unless the individual that is the subject of 
     the individually identifiable information has authorized its 
     disclosure.
       (b) Disclosure of Information Prohibited.--The Commission--
       (1) shall protect individually identifiable information 
     from improper use; and
       (2) may not disclose such information to any person, 
     including the Congress or the President, unless the 
     individual that is the subject of the information has 
     authorized such a disclosure.
       (c) Proprietary Business Information and Financial 
     Information.--The Commission shall protect from improper use, 
     and may not disclose to any person, proprietary business 
     information and proprietary financial information that may be 
     viewed or obtained by the Commission in the course of 
     carrying out its duties under this Act.
       (d) Individually Identifiable Information Defined.--In this 
     section, the term ``individually identifiable information'' 
     means any information, whether oral or recorded in any form 
     or medium, that identifies an individual, or with respect to 
     which there is a reasonable basis to believe that the 
     information can be used to identify an individual.

     SEC. 9. BUDGET ACT COMPLIANCE.

       Any new contract authority authorized by this Act shall be 
     effective only to the extent or in the amounts provided in 
     advance in appropriation Acts.

     SEC. 10. TERMINATION.

       The Commission shall terminate 30 days after submitting a 
     report under section 4(c).

     SEC. 11. AUTHORIZATION OF APPROPRIATIONS.

       (a) In General.--There are authorized to be appropriated to 
     the Commission $3,000,000 to carry out this Act.
       (b) Availability.--Any sums appropriated pursuant to the 
     authorization in subsection (a) shall remain available until 
     expended.

  Mr. KOHL. Mr. President, I rise today to introduce the ``Citizens' 
Privacy Commission Act'' with my colleague, Senator Fred Thompson. 
Privacy has become an issue of paramount importance in this era of 
electronic commerce, advanced communications, and far-reaching business 
conglomerates. Our challenge is to clearly define privacy concerns and 
decide how best to protect privacy as technology and the economy move 
forward. However, even as we consider privacy guidelines for the 
private sector, the government should follow the highest privacy 
standards and demonstrate not only that they are preferable, but that 
they work.
  The measure we introduce today would create a Commission to examine 
how the various levels of government collect, use and share information 
about citizens. Although the recent privacy debate has been focused on 
online privacy and how the private sector collects and sells personally 
identifiable information, the government should not be overlooked. All 
levels of government have their own websites that are as capable of 
collecting sensitive information. There is also concern that the 
Privacy Act of 1974, which regulates how the government can collect, 
use and share personal information, is not being enforced or properly 
adhered to by federal government agencies. Furthermore, there is 
evidence that some government websites continue to collect information 
through the use of ``cookies'' in direct violation of former President 
Clinton's June 2000 executive order forbidding them to do so absent a 
``compelling reason'' to do so.
  Our proposal is simple, and its goals are modest and meaningful. 
Specifically, our measure creates an 11 member, bipartisan panel to 
study data collection practices, privacy protection standards, and 
existing privacy laws that apply to government collection and use of 
personal information. We also ask the Commission to examine pending 
privacy initiatives before Congress. Furthermore, we ask the Commission 
to determine if federal legislation is needed, and what impact new 
privacy laws would be. Finally, we direct the Commission to detail its 
findings and recommendations in a Final Report to be issued 18 months 
after enactment.
  There is ample precedent for this Commission. In the mid-1970's, the 
privacy debate focused on government collection and misuse of personal 
data. Ultimately, Congress enacted the Freedom of Information Act, the 
Privacy Act, and the Privacy Study Commission. Since that time, 
however, very little attention has been paid to genuine concerns about 
government use of sensitive personal information. Having passed 
critical legislation in the 1970s, many people felt satisfied that the 
issue was taken care of. Unfortunately, we have grown lax about 
policing ourselves in this area. This bill will right the course and 
change that. In fact, this legislation provides us with the opportunity 
to establish a model of privacy protection. The intellectual capital 
created by the work of this Commission will help us set a responsible 
example for the private sector.
  Privacy protection is a unique struggle, cutting across the public 
and private sector and involving virtually every sector of our nation's 
economy. Perhaps there is no possibility of a universal principle 
defining necessary privacy protections. But the federal government has 
an unparalleled opportunity to try to craft a set of guidelines for 
privacy protection that can serve as a model. We believe the time

[[Page S4607]]

has come for Congress to enact reasonable and thoughtful privacy 
legislation. This legislation is a sensible first step in that process.
  In closing, let me be clear that this bill is neither a ploy to 
prevent the enactment of more specific privacy proposals, nor a 
stalling tactic to suspend discussion of privacy protection until the 
Commission publishes its final report. Rather, this legislation is a 
both a genuine effort to gather information on this increasingly 
complex topic and a plan to accomplish something positive in this 
field. This is legislation that can and should be passed by the 
Congress. Therefore, I truly hope we can move quickly to enact this 
measure into law, so that the Commission can get to work as soon as 
possible.
                                 ______