[Congressional Record Volume 148, Number 58 (Thursday, May 9, 2002)]
[Senate]
[Pages S4153-S4155]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. CLELAND:
  S. 2492. A bill to amend title 5, United States Code, to require that 
agencies, in promulgating rules, take into consideration the impact of 
such rules on the privacy of individuals, and for other purposes; to 
the Committee on Governmental Affairs.
  Mr. CLELAND. Mr. President, I rise today to introduce legislation, 
the Federal Agency Protection of Privacy Act, that will require Federal 
agencies to carefully consider the impact of proposed regulations on 
individual privacy. In the aftermath of the terrorist attacks of 
September 11, we are being forced to fight a new kind of war; a war in 
which we have not only physical battlefields, but battlefields of 
principle.
  Not only must we have troops on the ground protecting our physical 
well-being, but we must also insure that we protect the American way of 
life. Ours is a country based on individual rights--rights to pursue 
life, liberty, and happiness, as Thomas Jefferson mentioned in the 
manner in which each of us sees fit.
  While we are obligated, as a Government, to protect the physical 
safety of the American people, we also are obligated to remember our 
history, our struggles, and the principles for which our great Nation 
stands. While we enhance and strengthen our investigatory tools and 
physical arsenal, we cannot allow the terrorists to prevail in 
undermining our civil liberties.

  Therefore, today, I am introducing the Federal Agency Protection of 
Privacy Act in the Senate as companion legislation to H.R. 4561, which 
was introduced by Representative Bob Barr, a long-time champion of 
civil liberties in the U.S. Congress. It will impose a mandate that 
when Federal agencies are required to publish a general notice of 
proposed rulemaking, they must publish an accompanying ``privacy impact 
statement.'' This initial privacy

[[Page S4154]]

impact statement, written in terms which all of us can understand, 
would be subject to public notice and comment. After receiving 
and evaluating any comments, the agency would then be required to 
include a final privacy impact statement with the regulation.

  These initial and final privacy impact statements would include: the 
type of information to be collected and how it would be used; 
mechanisms through which individuals could correct inaccuracies in the 
collected information; assurances that the information would not be 
used for a purpose other than initially specified; and a description of 
how the information will be secured by the agency. For example, the 
Financial Crime Enforcement Network of the Department of the Treasury 
has proposed a rule implementing provisions of the USA PATRIOT Act of 
2001 which would encourage financial institutions and Federal law 
enforcement agencies to share information in order to identify and 
deter money laundering and terrorist activity. While I fully support 
the Patriot Act and recognize the benefits of such a rule, the 
sensitivity of such information necessitates that we insure that the 
agency consider the ramifications of such an invasion on an 
individual's privacy. The American people must know specifically how 
this financial information would be used and how it would be protected. 
The purpose, importance, and timeliness of this legislation have 
brought together a wide variety of supporting organizations, ranging 
from the American Civil Liberties Union to the National Rifle 
Association to Public Citizen.

  While I have been and continue to be a strong supporter of the war on 
terrorism, I am also well aware that we face a multi-faceted enemy. My 
experience has taught me that diverse threats necessitate diverse 
responses. We have planned for our offensives on the ground and in the 
air, and we have begun to mount a stronger homeland defense. But our 
efforts will be incomplete and will indeed run the risk of undermining 
all else we may accomplish in the fight against terrorism if we neglect 
to mount a successful defense of the American way. I believe that this 
legislation is necessary to protect the American people from attacks 
seen and unseen, and I encourage other Senators to join me in 
protecting the liberties for which I know we all stand.

  I ask unanimous consent that the text of the bill be printed in the 
Record.
  There being no objection, the bill was ordered to be printed in the 
Record, as follows:

                                S. 2492

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Federal Agency Protection of 
     Privacy Act''.

     SEC. 2. REQUIREMENT THAT AGENCY RULEMAKING TAKE INTO 
                   CONSIDERATION IMPACTS ON INDIVIDUAL PRIVACY.

       (a) In General.--Title 5, United States Code, is amended by 
     adding after section 553 the following:

     ``Sec. 553a. Privacy impact analysis in rulemaking

       ``(a) Initial Privacy Impact Analysis.--
       ``(1) In general.--Whenever an agency is required by 
     section 553 of this title, or any other law, to publish a 
     general notice of proposed rulemaking for any proposed rule, 
     or publishes a notice of proposed rulemaking for an 
     interpretative rule involving the internal revenue laws of 
     the United States, the agency shall prepare and make 
     available for public comment an initial privacy impact 
     analysis. Such analysis shall describe the impact of the 
     proposed rule on the privacy of individuals. The initial 
     privacy impact analysis or a summary shall be signed by the 
     senior agency official with primary responsibility for 
     privacy policy and be published in the Federal Register at 
     the time of the publication of a general notice of proposed 
     rulemaking for the rule.
       ``(2) Contents.--Each initial privacy impact analysis 
     required under this subsection shall contain the following:
       ``(A) A description and assessment of the extent to which 
     the proposed rule will impact the privacy interests of 
     individuals, including the extent to which the proposed 
     rule--
       ``(i) provides notice of the collection of personally 
     identifiable information, and specifies what personally 
     identifiable information is to be collected and how it is to 
     be collected, maintained, used, and disclosed;
       ``(ii) allows access to such information by the person to 
     whom the personally identifiable information pertains and 
     provides an opportunity to correct inaccuracies;
       ``(iii) prevents such information, which is collected for 
     one purpose, from being used for another purpose; and
       ``(iv) provides security for such information.
       ``(B) A description of any significant alternatives to the 
     proposed rule which accomplish the stated objectives of 
     applicable statutes and which minimize any significant 
     privacy impact of the proposed rule on individuals.
       ``(b) Final Privacy Impact Analysis.--
       ``(1) In general.--Whenever an agency promulgates a final 
     rule under section 553 of this title, after being required by 
     that section or any other law to publish a general notice of 
     proposed rulemaking, or promulgates a final interpretative 
     rule involving the internal revenue laws of the United 
     States, the agency shall prepare a final privacy impact 
     analysis, signed by the senior agency official with primary 
     responsibility for privacy policy.
       ``(2) Contents.--Each final privacy impact analysis 
     required under this subsection shall contain the following:
       ``(A) A description and assessment of the extent to which 
     the final rule will impact the privacy interests of 
     individuals, including the extent to which the proposed 
     rule--
       ``(i) provides notice of the collection of personally 
     identifiable information, and specifies what personally 
     identifiable information is to be collected and how it is to 
     be collected, maintained, used, and disclosed;
       ``(ii) allows access to such information by the person to 
     whom the personally identifiable information pertains and 
     provides an opportunity to correct inaccuracies;
       ``(iii) prevents such information, which is collected for 
     one purpose, from being used for another purpose; and
       ``(iv) provides security for such information.
       ``(B) A summary of the significant issues raised by the 
     public comments in response to the initial privacy impact 
     analysis, a summary of the assessment of the agency of such 
     issues, and a statement of any changes made in the proposed 
     rule as a result of such issues.
       ``(C) A description of the steps the agency has taken to 
     minimize the significant privacy impact on individuals 
     consistent with the stated objectives of applicable statutes, 
     including a statement of the factual, policy, and legal 
     reasons for selecting the alternative adopted in the final 
     rule and why each one of the other significant alternatives 
     to the rule considered by the agency which affect the privacy 
     interests of individuals was rejected.
       ``(3) Availability to public.--The agency shall make copies 
     of the final privacy impact analysis available to members of 
     the public and shall publish in the Federal Register such 
     analysis or a summary thereof.
       ``(c) Procedure for Waiver or Delay of Completion.--An 
     agency head may waive or delay the completion of some or all 
     of the requirements of subsections (a) and (b) to the same 
     extent as the agency head may, under section 608, waive or 
     delay the completion of some or all of the requirements of 
     sections 603 and 604, respectively.
       ``(d) Procedures for Gathering Comments.--When any rule is 
     promulgated which may have a significant privacy impact on 
     individuals, or a privacy impact on a substantial number of 
     individuals, the head of the agency promulgating the rule or 
     the official of the agency with statutory responsibility for 
     the promulgation of the rule shall assure that individuals 
     have been given an opportunity to participate in the 
     rulemaking for the rule through techniques such as--
       ``(1) the inclusion in an advance notice of proposed 
     rulemaking, if issued, of a statement that the proposed rule 
     may have a significant privacy impact on individuals, or a 
     privacy impact on a substantial number of individuals;
       ``(2) the publication of a general notice of proposed 
     rulemaking in publications of national circulation likely to 
     be obtained by individuals;
       ``(3) the direct notification of interested individuals;
       ``(4) the conduct of open conferences or public hearings 
     concerning the rule for individuals, including soliciting and 
     receiving comments over computer networks; and
       ``(5) the adoption or modification of agency procedural 
     rules to reduce the cost or complexity of participation in 
     the rulemaking by individuals.
       ``(e) Periodic Review of Rules.--
       ``(1) In general.--Each agency shall carry out a periodic 
     review of the rules promulgated by the agency that have a 
     significant privacy impact on individuals, or a privacy 
     impact on a substantial number of individuals. Under such 
     periodic review, the agency shall determine, for each such 
     rule, whether the rule can be amended or rescinded in a 
     manner that minimizes any such impact while remaining in 
     accordance with applicable statutes. For each such 
     determination, the agency shall consider the following 
     factors:
       ``(A) The continued need for the rule.
       ``(B) The nature of complaints or comments received from 
     the public concerning the rule.
       ``(C) The complexity of the rule.
       ``(D) The extent to which the rule overlaps, duplicates, or 
     conflicts with other Federal rules, and, to the extent 
     feasible, with State and local governmental rules.

[[Page S4155]]

       ``(E) The length of time since the rule was last reviewed 
     under this subsection.
       ``(F) The degree to which technology, economic conditions, 
     or other factors have changed in the area affected by the 
     rule since the rule was last reviewed under this subsection.
       ``(2) Plan required.--Each agency shall carry out the 
     periodic review required by paragraph (1) in accordance with 
     a plan published by such agency in the Federal Register. Each 
     such plan shall provide for the review under this subsection 
     of each rule promulgated by the agency not later than 10 
     years after the date on which such rule was published as the 
     final rule and, thereafter, not later than 10 years after the 
     date on which such rule was last reviewed under this 
     subsection. The agency may amend such plan at any time by 
     publishing the revision in the Federal Register.
       ``(3) Annual publication.--Each year, each agency shall 
     publish in the Federal Register a list of the rules to be 
     reviewed by such agency under this subsection during the 
     following year. The list shall include a brief description of 
     each such rule and the need for and legal basis of such rule 
     and shall invite public comment upon the determination to be 
     made under this subsection with respect to such rule.
       ``(f) Judicial Review.--
       ``(1) In general.--For any rule subject to this section, an 
     individual who is adversely affected or aggrieved by final 
     agency action is entitled to judicial review of agency 
     compliance with the requirements of subsections (b) and (c) 
     in accordance with chapter 7. Agency compliance with 
     subsection (d) shall be judicially reviewable in connection 
     with judicial review of subsection (b).
       ``(2) Jurisdiction.--Each court having jurisdiction to 
     review such rule for compliance with section 553, or under 
     any other provision of law, shall have jurisdiction to review 
     any claims of noncompliance with subsections (b) and (c) in 
     accordance with chapter 7. Agency compliance with subsection 
     (d) shall be judicially reviewable in connection with 
     judicial review of subsection (b).
       ``(3) Limitations.--
       ``(A) An individual may seek such review during the period 
     beginning on the date of final agency action and ending 1 
     year later, except that where a provision of law requires 
     that an action challenging a final agency action be commenced 
     before the expiration of 1 year, such lesser period shall 
     apply to an action for judicial review under this subsection.
       ``(B) In the case where an agency delays the issuance of a 
     final privacy impact analysis pursuant to subsection (c), an 
     action for judicial review under this section shall be filed 
     not later than--
       ``(i) 1 year after the date the analysis is made available 
     to the public; or
       ``(ii) where a provision of law requires that an action 
     challenging a final agency regulation be commenced before the 
     expiration of the 1-year period, the number of days specified 
     in such provision of law that is after the date the analysis 
     is made available to the public.
       ``(4) Relief.--In granting any relief in an action under 
     this subsection, the court shall order the agency to take 
     corrective action consistent with this section and chapter 7, 
     including, but not limited to--
       ``(A) remanding the rule to the agency; and
       ``(B) deferring the enforcement of the rule against 
     individuals, unless the court finds that continued 
     enforcement of the rule is in the public interest.
       ``(5) Rule of construction.--Nothing in this subsection 
     shall be construed to limit the authority of any court to 
     stay the effective date of any rule or provision thereof 
     under any other provision of law or to grant any other relief 
     in addition to the requirements of this subsection.
       ``(6) Record of agency action.--In an action for the 
     judicial review of a rule, the privacy impact analysis for 
     such rule, including an analysis prepared or corrected 
     pursuant to paragraph (4), shall constitute part of the 
     entire record of agency action in connection with such 
     review.
       ``(7) Exclusivity.--Compliance or noncompliance by an 
     agency with the provisions of this section shall be subject 
     to judicial review only in accordance with this subsection.
       ``(8) Savings clause.--Nothing in this subsection bars 
     judicial review of any other impact statement or similar 
     analysis required by any other law if judicial review of such 
     statement or analysis is otherwise permitted by law.
       ``(g) Definition.--In this section, the term `personally 
     identifiable information'--
       ``(1) means information that can be used to identify an 
     individual, including such individual's name, address, 
     telephone number, photograph, social security number or other 
     identifying information; and
       ``(2) includes information about such individual's medical 
     or financial condition.''.
       (b) Periodic Review Transition Provisions.--
       (1) Initial plan.--For each agency, the plan required by 
     subsection (e) of section 553a of title 5, United States Code 
     (as added by subsection (a)), shall be published not later 
     than 180 days after the date of enactment of this Act.
       (2) Prior rules.--In the case of a rule promulgated by an 
     agency before the date of the enactment of this Act, such 
     plan shall provide for the periodic review of such rule 
     before the expiration of the 10-year period beginning on the 
     date of the enactment of this Act. For any such rule, the 
     head of the agency may provide for a 1-year extension of such 
     period if the head of the agency, before the expiration of 
     the period, certifies in a statement published in the Federal 
     Register that reviewing such rule before the expiration of 
     the period is not feasible. The head of the agency may 
     provide for additional 1-year extensions of the period 
     pursuant to the preceding sentence, but in no event may the 
     period exceed 15 years.
       (c) Congressional Review.--Section 801(a)(1)(B) of title 5, 
     United States Code, is amended--
       (1) by redesignating clauses (iii) and (iv) as clauses (iv) 
     and (v), respectively; and
       (2) by inserting after clause (ii) the following new 
     clause:
       ``(iii) the agency's actions relevant to section 553a;''.
       (d) Clerical Amendment.--The table of sections at the 
     beginning of chapter 5 of title 5, United States Code, is 
     amended by adding after the item relating to section 553 the 
     following:

``553a. Privacy impact analysis in rulemaking.''.
                                 ______