[Congressional Record Volume 148, Number 130 (Monday, October 7, 2002)]
[House]
[Pages H7030-H7033]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




                              {time}  1315
                FEDERAL AGENCY PROTECTION OF PRIVACY ACT

  Mr. SENSENBRENNER. Mr. Speaker, I move to suspend the rules and pass 
the bill (H.R. 4561) to amend title 5, United States Code, to require 
that agencies, in promulgating rules, take into consideration the 
impact of such rules on the privacy of individuals, and for other 
purposes.
  The Clerk read as follows:

                               H.R. 4561

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Federal Agency Protection of 
     Privacy Act''.

     SEC. 2. REQUIREMENT THAT AGENCY RULEMAKING TAKE INTO 
                   CONSIDERATION IMPACTS ON INDIVIDUAL PRIVACY.

       (a) In General.--Title 5, United States Code, is amended by 
     adding after section 553 the following new section:

     ``Sec. 553a. Privacy impact analysis in rulemaking

       ``(a) Initial Privacy Impact Analysis.--
       ``(1) In general.--Whenever an agency is required by 
     section 553 of this title, or any other law, to publish a 
     general notice of proposed rulemaking for any proposed rule, 
     or publishes a notice of proposed rulemaking for an 
     interpretative rule involving the internal revenue laws of 
     the United States, the agency shall prepare and make 
     available for public comment an initial privacy impact 
     analysis. Such analysis shall describe the impact of the 
     proposed rule on the privacy of individuals. The initial 
     privacy impact analysis or a summary shall be signed by the 
     senior agency official with primary responsibility for 
     privacy policy and be published in the Federal Register at 
     the time of the publication of a general notice of proposed 
     rulemaking for the rule.
       ``(2) Contents.--Each initial privacy impact analysis 
     required under this subsection shall contain the following:
       ``(A) A description and assessment of the extent to which 
     the proposed rule will impact the privacy interests of 
     individuals, including the extent to which the proposed 
     rule--
       ``(i) provides notice of the collection of personally 
     identifiable information, and specifies what personally 
     identifiable information is to be collected and how it is to 
     be collected, maintained, used, and disclosed;
       ``(ii) allows access to such information by the person to 
     whom the personally identifiable information pertains and 
     provides an opportunity to correct inaccuracies;
       ``(iii) prevents such information, which is collected for 
     one purpose, from being used for another purpose; and
       ``(iv) provides security for such information.
       ``(B) A description of any significant alternatives to the 
     proposed rule which accomplish the stated objectives of 
     applicable statutes and which minimize any significant 
     privacy impact of the proposed rule on individuals.
       ``(b) Final Privacy Impact Analysis.--
       ``(1) In general.--Whenever an agency promulgates a final 
     rule under section 553 of this title, after being required by 
     that section or any other law to publish a general notice of 
     proposed rulemaking, or promulgates a final interpretative 
     rule involving the internal revenue laws of the United 
     States, the agency shall prepare a final privacy impact 
     analysis, signed by the senior agency official with primary 
     responsibility for privacy policy.
       ``(2) Contents.--Each final privacy impact analysis 
     required under this subsection shall contain the following:
       ``(A) A description and assessment of the extent to which 
     the final rule will impact the privacy interests of 
     individuals, including the extent to which the proposed 
     rule--
       ``(i) provides notice of the collection of personally 
     identifiable information, and specifies what personally 
     identifiable information is to be collected and how it is to 
     be collected, maintained, used, and disclosed;
       ``(ii) allows access to such information by the person to 
     whom the personally identifiable information pertains and 
     provides an opportunity to correct inaccuracies;
       ``(iii) prevents such information, which is collected for 
     one purpose, from being used for another purpose; and
       ``(iv) provides security for such information.
       ``(B) A summary of the significant issues raised by the 
     public comments in response to the initial privacy impact 
     analysis, a summary of the assessment of the agency of such 
     issues, and a statement of any changes made in the proposed 
     rule as a result of such issues.
       ``(C) A description of the steps the agency has taken to 
     minimize the significant privacy impact on individuals 
     consistent with the stated objectives of applicable statutes, 
     including a statement of the factual, policy, and legal 
     reasons for selecting the alternative adopted in the final 
     rule and why each one of the other significant alternatives 
     to the rule considered by the agency which affect the privacy 
     interests of individuals was rejected.
       ``(3) Availability to public.--The agency shall make copies 
     of the final privacy impact analysis available to members of 
     the public and shall publish in the Federal Register such 
     analysis or a summary thereof.

[[Page H7031]]

       ``(c) Procedure for Waiver or Delay of Completion.--An 
     agency head may waive or delay the completion of some or all 
     of the requirements of subsections (a) and (b) to the same 
     extent as the agency head may, under section 608, waive or 
     delay the completion of some or all of the requirements of 
     sections 603 and 604, respectively.
       ``(d) Procedures for Gathering Comments.--When any rule is 
     promulgated which may have a significant privacy impact on 
     individuals, or a privacy impact on a substantial number of 
     individuals, the head of the agency promulgating the rule or 
     the official of the agency with statutory responsibility for 
     the promulgation of the rule shall assure that individuals 
     have been given an opportunity to participate in the 
     rulemaking for the rule through techniques such as--
       ``(1) the inclusion in an advance notice of proposed 
     rulemaking, if issued, of a statement that the proposed rule 
     may have a significant privacy impact on individuals, or a 
     privacy impact on a substantial number of individuals;
       ``(2) the publication of a general notice of proposed 
     rulemaking in publications of national circulation likely to 
     be obtained by individuals;
       ``(3) the direct notification of interested individuals;
       ``(4) the conduct of open conferences or public hearings 
     concerning the rule for individuals, including soliciting and 
     receiving comments over computer networks; and
       ``(5) the adoption or modification of agency procedural 
     rules to reduce the cost or complexity of participation in 
     the rulemaking by individuals.
       ``(e) Periodic Review of Rules.--
       ``(1) In general.--Each agency shall carry out a periodic 
     review of the rules promulgated by the agency that have a 
     significant privacy impact on individuals, or a privacy 
     impact on a substantial number of individuals. Under such 
     periodic review, the agency shall determine, for each such 
     rule, whether the rule can be amended or rescinded in a 
     manner that minimizes any such impact while remaining in 
     accordance with applicable statutes. For each such 
     determination, the agency shall consider the following 
     factors:
       ``(A) The continued need for the rule.
       ``(B) The nature of complaints or comments received from 
     the public concerning the rule.
       ``(C) The complexity of the rule.
       ``(D) The extent to which the rule overlaps, duplicates, or 
     conflicts with other Federal rules, and, to the extent 
     feasible, with State and local governmental rules.
       ``(E) The length of time since the rule was last reviewed 
     under this subsection.
       ``(F) The degree to which technology, economic conditions, 
     or other factors have changed in the area affected by the 
     rule since the rule was last reviewed under this subsection.
       ``(2) Plan required.--Each agency shall carry out the 
     periodic review required by paragraph (1) in accordance with 
     a plan published by such agency in the Federal Register. Each 
     such plan shall provide for the review under this subsection 
     of each rule promulgated by the agency not later than 10 
     years after the date on which such rule was published as the 
     final rule and, thereafter, not later than 10 years after the 
     date on which such rule was last reviewed under this 
     subsection. The agency may amend such plan at any time by 
     publishing the revision in the Federal Register.
       ``(3) Annual publication.--Each year, each agency shall 
     publish in the Federal Register a list of the rules to be 
     reviewed by such agency under this subsection during the 
     following year. The list shall include a brief description of 
     each such rule and the need for and legal basis of such rule 
     and shall invite public comment upon the determination to be 
     made under this subsection with respect to such rule.
       ``(f) Judicial Review.--
       ``(1) In general.--For any rule subject to this section, an 
     individual who is adversely affected or aggrieved by final 
     agency action is entitled to judicial review of agency 
     compliance with the requirements of subsections (b) and (c) 
     in accordance with chapter 7. Agency compliance with 
     subsection (d) shall be judicially reviewable in connection 
     with judicial review of subsection (b).
       ``(2) Jurisdiction.--Each court having jurisdiction to 
     review such rule for compliance with section 553, or under 
     any other provision of law, shall have jurisdiction to review 
     any claims of noncompliance with subsections (b) and (c) in 
     accordance with chapter 7. Agency compliance with subsection 
     (d) shall be judicially reviewable in connection with 
     judicial review of subsection (b).
       ``(3) Limitations.--
       ``(A) An individual may seek such review during the period 
     beginning on the date of final agency action and ending 1 
     year later, except that where a provision of law requires 
     that an action challenging a final agency action be commenced 
     before the expiration of 1 year, such lesser period shall 
     apply to an action for judicial review under this subsection.
       ``(B) In the case where an agency delays the issuance of a 
     final privacy impact analysis pursuant to subsection (c), an 
     action for judicial review under this section shall be filed 
     not later than--
       ``(i) 1 year after the date the analysis is made available 
     to the public; or
       ``(ii) where a provision of law requires that an action 
     challenging a final agency regulation be commenced before the 
     expiration of the 1-year period, the number of days specified 
     in such provision of law that  is after the date the analysis 
     is made available to the public.
       ``(4) Relief.--In granting any relief in an action under 
     this subsection, the court shall order the agency to take 
     corrective action consistent with this section and chapter 7, 
     including, but not limited to--
       ``(A) remanding the rule to the agency; and
       ``(B) deferring the enforcement of the rule against 
     individuals, unless the court finds that continued 
     enforcement of the rule is in the public interest.
       ``(5) Rule of construction.--Nothing in this subsection 
     shall be construed to limit the authority of any court to 
     stay the effective date of any rule or provision thereof 
     under any other provision of law or to grant any other relief 
     in addition to the requirements of this subsection.
       ``(6) Record of agency action.--In an action for the 
     judicial review of a rule, the privacy impact analysis for 
     such rule, including an analysis prepared or corrected 
     pursuant to paragraph (4), shall constitute part of the 
     entire record of agency action in connection with such 
     review.
       ``(7) Exclusivity.--Compliance or noncompliance by an 
     agency with the provisions of this section shall be subject 
     to judicial review only in accordance with this subsection.
       ``(8) Savings clause.--Nothing in this subsection bars 
     judicial review of any other impact statement or similar 
     analysis required by any other law if judicial review of such 
     statement or analysis is otherwise permitted by law.
       ``(g) Definition.--For purposes of this section, the term 
     `personally identifiable information' means information that 
     can be used to identify an individual, including such 
     individual's name, address, telephone number, photograph, 
     social security number or other identifying information. It 
     includes information about such individual's medical or 
     financial condition.''.
       (b) Periodic Review Transition Provisions.--
       (1) Initial plan.--For each agency, the plan required by 
     subsection (e) of section 553a of title 5, United States Code 
     (as added by subsection (a)), shall be published not later 
     than 180 days after the date of the enactment of this Act.
       (2) In the case of a rule promulgated by an agency before 
     the date of the enactment of this Act, such plan shall 
     provide for the periodic review of such rule before the 
     expiration of the 10-year period beginning on the date of the 
     enctment of this Act. For any such rule, the head of the 
     agency may provide for a 1-year extension of such period if 
     the head of the agency, before the expiration of the period, 
     certifies in a statement published in the Federal Register 
     that reviewing such rule before the expiration of the period 
     is not feasible. The head of the agency may provide for 
     additional 1-year extensions of the period pursuant to the 
     preceding sentence, but in no event may the period exceed 15 
     years.
       (c) Congressional Review.--Section 801(a)(1)(B) of title 5, 
     United States Code, is amended--
       (1) by redesignating clauses (iii) and (iv) as clauses (iv) 
     and (v), respectively; and
       (2) by inserting after clause (ii) the following new 
     clause:
       ``(iii) the agency's actions relevant to section 553a;''.
       (d) Clerical Amendment.--The table of sections at the 
     beginning of chapter 5 of title 5, United States Code, is 
     amended by adding after the item relating to section 553 the 
     following new item:

``553a. Privacy impact analysis in rulemaking.''.

  The SPEAKER pro tempore (Mr. Aderholt). Pursuant to the rule, the 
gentleman from Wisconsin (Mr. Sensenbrenner) and the gentleman from 
Virginia (Mr. Scott) each will control 20 minutes.
  The Chair recognizes the gentleman from Wisconsin (Mr. 
Sensenbrenner).


                             General Leave

  Mr. SENSENBRENNER. Mr. Speaker, I ask unanimous consent that all 
Members may have 5 legislative days within which to revise and extend 
their remarks and include extraneous material on the bill currently 
under consideration.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentleman from Wisconsin?
  There was no objection.
  Mr. SENSENBRENNER. Mr. Speaker, I yield myself such time as I may 
consume.
  Mr. Speaker, I rise in support of H.R. 4561, the Federal Agency 
Protection of Privacy Act. Throughout my tenure as chairman of the 
Committee on the Judiciary, I have worked to strike a proper balance 
between laws designed to preserve the safety and security of Americans 
and those which needlessly compromise our civil liberties. The Federal 
Agency Protection of Privacy Act helps preserve this balance.
  H.R. 4561 requires that rules noticed by Federal agencies for public 
comment under the Administrative Procedure Act be accompanied by an 
initial

[[Page H7032]]

privacy impact assessment which explains how the proposed rule will 
affect personal privacy. The issuing agency would then receive public 
views on the privacy impact of the proposed rule and issue a final 
privacy impact analysis which explains how the Federal agency will 
obtain, utilize, and safeguard personally identifiable information.
  Importantly, the bill contains a judicial review provision to ensure 
that Federal agencies adhere to its requirements. In this respect H.R. 
4561 mirrors regulatory enhancements to the Regulatory Flexibility Act, 
which require Federal agencies to consider the potential impact of 
proposed legislation and regulations on small businesses. Furthermore, 
unlike existing Federal statutes which protect against the unauthorized 
disclosure of personal information obtained by the Federal Government, 
the Federal Agency Protection of Privacy Act prospectively ensures that 
Federal agencies consider the privacy impact of proposed rules before 
they become binding Federal regulations.
  This bill reflects a spirit of commitment to privacy rights by 
providing the American public a mechanism which simply requires an 
agency to give advanced notice and opportunity to comment on how rules 
issued by Federal agencies will affect their personal privacy. As such, 
it reaffirms our fidelity to the fundamental civil liberties cherished 
by all Americans.
  Mr. Speaker, this measure enjoys broad bipartisan support on the 
Committee on the Judiciary and is endorsed by as diverse a group of 
organizations ranging from the American Civil Liberties Union to the 
National Rifle Association. I urge my colleagues to support the bill.
  Mr. Speaker, I reserve the balance of my time.
  Mr. SCOTT. Mr. Speaker, I yield myself such time as I may consume.
  I rise in support of H.R. 4561, the Federal Agency Protection of 
Privacy Act. I believe this legislation will improve the regulatory 
process and protect Americans from unjustified or unintended invasions 
of privacy. Individuals are required to provide detailed personal 
information while conducting a variety of everyday activities including 
credit card purchases, Internet usage, medical care, financial 
transactions, and the delivery of basic government services. Public 
transmission of this information further heightens the potential of 
identity fraud, a growing problem which impacted more than 700,000 
Americans last year.
  While the Identity Theft and Assumption Deterrence Act of 1988 was 
enacted to address this problem, the FBI stated that identity theft 
remains America's fastest-growing white collar crime. Under this 
legislation, Federal agencies must consider the impact of proposed 
regulations on individual privacy. They will be required to include an 
initial privacy impact analysis with proposed regulations that are 
circulated for public notice and final privacy impact analysis that 
describes the steps that were taken to minimize the significant privacy 
impact of proposed regulations and justifies any alternative with 
respect to privacy that was chosen by the agency. In addition, the bill 
provides judicial review of the adequacy of an agency's final privacy 
impact, similar to that provided by the Regulatory Flexibility Act for 
small businesses. Essentially, the bill requires agencies to take 
responsibility for privacy concerns of individual citizens.
  At a time when identity theft and misuse of personal information is 
rampant, increasing this bill will go a long way in protecting the 
American citizens from victimization. That is why it is supported by 
broad bipartisan, diverse political and philosophical organizations, 
such as the ones the chairman mentioned. I support the legislation and 
strongly urge my colleagues to support it.
  Mr. BARR of Georgia. Mr. Speaker, on April 21, 2002, I introduced 
H.R. 4561, the ``Federal Agency Protection of Privacy Act.'' I was 
pleased to be joined by several cosponsors on the Subcommittee on 
Commercial and Administrative Law, including the distinguished Ranking 
Member Mel Watt, and Representatives Chabot, Gekas, Nadler, and Green. 
Since its introduction, the bill has garnered the support of an 
additional 37 members of Congress, including Judiciary Committee 
Chairman F. James Sensenbrenner, Jr., Ranking Member John Conyers, and 
several other distinguished members of Congress.
  It is clear that this bill's many cosponsors do not agree on every 
issue. In fact, many observers have been particularly impressed by the 
political diversity of its legislative sponsors. The same can be said 
of the bill's noncongressional supporters, which include groups ranging 
from the National Rifle Association to the Electronic Privacy 
Information Center--from the Eagle Forum to the American Civil 
Liberties Union.
  Supporters share a commitment to protecting the privacy cherished by 
American citizens--a value increasingly imperiled in an information age 
in which personal information is captured and compiled, manipulated and 
misused, bought and sold in ways unimagined just a few years ago. The 
sphere of privacy, which Justice Brandeis eloquently described as the 
``right to be let alone,'' is not only rapidly diminishing, it is 
increasingly penetrable. Special care is necessary to ensure that 
personal information remains personal, absent a sound reason to treat 
it otherwise.
  This value is neither Republican or Democratic; liberal or 
conservative, it is an American value.
  The Federal Agency Protection of Privacy Act takes the first--
necessary--step toward protecting the privacy of information collected 
by the federal government, by requiring that rules noticed for public 
comment by federal agencies be accompanied by an assessment of the 
rule's impact on personal privacy interests, including the extent to 
which the proposed rule provides notice of the collection of personally 
identifiable information, what information will be obtained, and how 
this informational will be collected, protected, maintained, used and 
disclosed.
  H.R. 4561 further provides that final rules be accompanied by a final 
privacy impact analysis, which indicates how the issuing agency 
considered and responded to privacy concerns raised by the public, and 
explains whether the agency could have taken an approach less 
burdensome to personal privacy.
  Unlike existing laws protecting against the disclosure of information 
already obtained by the federal government, the Federal Agency 
Protection of Privacy Act provides prospective notice of a proposed 
rule's effect on privacy before it becomes a binding regulation.
  While some have decried the loss of personal privacy by private 
companies, it must be emphasized government alone has the authority to 
compel the disclosure of personal information; and unlike a private 
commercial gatherer of personal data, the government can put you in 
jail based on what it uncovers. For this reason, the government has an 
obligation to exercise greater responsibility when enacting policies 
which undermine privacy rights. An earlier version of this measure was 
introduced last Congress by Representative Chabot, a fellow member of 
the Committee on the Judiciary, and a strong defender of privacy 
rights.
  Importantly, H.R. 4561 permits individuals adversely affected by an 
agency's failure to follow its provisions to seek judicial review 
pursuant to the provisions of the Administrative Procedure Act.
  In this respect, the bill tracks amendments to the Regulatory 
Flexibility Act championed by Representative Gekas, which provide for 
judicial review of rules issued without regard to their impact on small 
businesses. Mr. Speaker, I can say, without hesitation, privacy is no 
less important to American citizens than regulatory burdens are to 
American businesses, and this measure reflects this recognition.
  Earlier in the Congress, the Judiciary Committee played a central 
role in House consideration of the Department of Homeland Security. 
Several pro-privacy provisions which I authorized, including the 
creation of a Privacy Officer at the new Department, and a prohibition 
against the creation of national identification cards were reported by 
the Judiciary Committee and adopted by the Select Committee on Homeland 
Security. While I continue to support the creation of a federal 
department dedicated to homeland security, we must continue to ensure 
the privacy rights of all Americans are not needlessly compromised by 
the government, and the Federal Agency Protection of Privacy Act helps 
maintain this vigilance.
  Finally, I want to emphasize H.R. 4561 will not unduly burden 
regulators nor will it hinder law enforcement. The Federal Agency 
Protection of Privacy Act will apply the best antiseptic--sunshine--to 
the federal rulemaking process by securing the public's right to know 
about how rules will affect their personal privacy. It also ensure that 
citizens have the opportunity not only to critique the substance of a 
rule, but to do so with an understanding of the reasoning and 
justification upon which the rule was predicated by the federal 
government.
  Mr. Speaker, recent polls reflect growing public unease about the 
diminishing sphere of privacy brought about by rapid technological and 
social change. The Federal Agency Protection of Privacy Act helps 
address these

[[Page H7033]]

concerns by providing the American public with a modest, although 
necessary mechanism which requires federal agencies to give advance 
notice, and an opportunity to comment, on how rules issued by federal 
agencies will affect their personal privacy.
  Mr. Speaker, throughout my tenure in Congress, I have striven to keep 
faith with my sworn obligation to protect and preserve the Constitution 
of the United States. This precious document, which secures our 
fundamental rights and liberties, will endure as a charter of freedom 
only as long as there are those with the fidelity to live by it and the 
courage to defend it. Of the several philosophical foundations which 
undergird the Bill of Rights, the right to privacy provides a central, 
organizing principle which gives content to the substantive protections 
contained in our Founding document.
  I believe I have done my part to uphold this body's sacred obligation 
to preserve the sanctity of our Constitution, and urge my colleagues to 
do the same by supporting the Federal Agency Protection of Privacy Act.
  Mr. SCOTT. Mr. Speaker, I yield back the balance of my time.
  Mr. SENSENBRENNER. Mr. Speaker, I yield back the balance of my time.
  The SPEAKER pro tempore. The question is on the motion offered by the 
gentleman from Wisconsin (Mr. Sensenbrenner) that the House suspend the 
rules and pass the bill, H.R. 4561.
  The question was taken; and (two-thirds having voted in favor 
thereof) the rules were suspended and the bill was passed.
  A motion to reconsider was laid on the table.

                          ____________________