[Congressional Record Volume 157, Number 156 (Tuesday, October 18, 2011)]
[Senate]
[Pages S6667-S6672]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
STATEMENTS ON INTRODUCED BILLS AND JOINT RESOLUTIONS
By Mr. BINGAMAN (for himself and Mr. Udall of New Mexico):
S. 1730. A bill to permit Mexican nationals who legally enter the
United States with a valid Border Crossing Card through specific ports
of entry in New Mexico to remain in southern New Mexico for up to 30
days, to the Committee on the Judiciary.
Mr. BINGAMAN. Mr. President, I rise today to introduce legislation,
along with Senator Tom Udall, aimed at increasing economic activity in
New Mexico communities situated along the U.S.-Mexico border.
Currently, Mexican nationals holding biometric Border Crossing Cards,
also known as Laser Visas, may travel up to 25 miles into the United
States for a period of up to 30 days. The purpose of this initiative is
to promote border commerce by allowing frequent, low-risk visitors to
travel to U.S. border communities to conduct business, visit family,
and shop.
Unfortunately, New Mexico has not benefited under this program to the
extent that other border states have. The three largest cities along
the New Mexico border--Las Cruces, Lordsburg, and Deming--are all
outside of the current 25-mile geographical limit, and Mexican
nationals with BCCs must acquire additional permits to visit these
cities.
In order to address a similar situation, an exception was made for
Arizona in 1999 to allow BCC holders to travel to Tucson. This change
resulted in increased economic activity without in any way jeopardizing
security. Tailoring the program to maximize its impact in the
respective border states is the right approach, and I fail to see why a
similar modification should not be made for New Mexico.
The legislation we are introducing today, the Southern New Mexico
Economic Development Act, would expand the geographic limit from 25
miles to 75 miles to permit visitors coming to New Mexico to reach the
larger cities in the southern part of the state. This change would
facilitate economic activity at a crucial time as border communities
are looking to increase tourism and create growth.
Changing this regulation wouldn't cost taxpayer money, it will
increase economic activity in communities that have been hit hard by
the economic downturn, and will do so in a manner consistent with our
border security efforts.
I look forward to working with my colleagues to pass this
legislation.
Mr. President, I ask unanimous consent that the text of the bill be
printed in the Record.
There being no objection, the text of the bill was ordered to be
printed in the Record, as follows:
S. 1730
Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Southern New Mexico Economic
Development Act''.
SEC. 2. TEMPORARY ADMITTANCE OF MEXICAN NATIONALS WITH BORDER
CROSSING CARDS.
The Secretary of Homeland Security shall permit a national
of Mexico, who enters the United States with a valid Border
Crossing Card (as described in section 212.1(c)(1)(i) of
title 8, Code of Federal Regulations, as in effect on the
date of the enactment of this Act), and who is admitted to
the United States at the Columbus, Santa Teresa, or Antelope
Wells port of entry in New Mexico, to remain in New Mexico
(within 75 miles of the international border between the
United States and Mexico) for a period not to exceed 30 days.
Mr. UDALL of New Mexico. Mr. President, I rise today to join Senator
Bingaman in introducing the Southern New Mexico Economic Development
Act, legislation that will bring additional business from Mexico to
cities and towns in southern New Mexico.
Our bill would increase economic opportunities for southern New
Mexico businesses by extending the distance that Mexicans who are
issued Border Crossing Cards, BCC, by the U.S. State Department can
travel in New Mexico without the need to obtain a Form I-94 and pay an
additional fee.
The BCC is a credit card-style document with many security features
and 10-year validity. BCCs are only issued to applicants who are
citizens and residents of Mexico. Applicants must meet the eligibility
standards for B1/B2 visas and undergo fingerprinting and an interview
at the U.S. Consulate and they must demonstrate that they have ties to
Mexico that would compel them to return after a temporary stay in the
United States.
Currently, BCC holders who are authorized to enter into the United
States can remain up to 30 days and travel no more than 25 miles beyond
the border, except in Arizona where they can travel up to 75 miles.
Those who wish to travel farther or remain longer must request an I-94
form, arrival/departure record, at the port of entry and pay a small
fee. Our bill would extend the distance BCC holders who enter the
United States from New Mexico ports of entry can travel within the
State from 25 miles to 75 miles.
Arizona provides a precedent for making this change. In 1999, the
border zone in Arizona was extended from 25 miles to 75 miles because
there were no large Arizona cities within 25 miles of the border. This
was done through the Federal rulemaking process. The extension was
designed to specifically include Tucson within the zone so that it
could get the economic benefit of BCC holders entering Arizona. Tucson
conducted a study indicating that, after implementation of this rule,
the commercial gain from Mexican visitors was estimated to reach $56.3
million a year.
However, in Texas, New Mexico, and California, the border zone limit
remains 25 miles. This doesn't hurt Texas and California since El Paso,
San Diego, and many smaller towns in those states are within the 25
mile zone. However, like Arizona, New Mexico does not have a city
within 25 miles of the border. This means BCC holders cannot travel to
southern New Mexico cities like Las Cruces, Deming, and Lordsburg
without additional paperwork and paying a fee. Because of this, many
visitors face the inconvenience
of having to drive all the way to Juarez and enter the U.S. at an El
Paso port of entry, despite living closer to a port of entry in New
Mexico.
Extending the zone can be done through rulemaking, as it was with
Arizona, and I am happy to work with Secretary Napolitano and CBP
Commissioner Bersin to make that happen. However, if we are unable to
resolve this issue through rulemaking, I believe it will be necessary
to push for passage of the legislation we are introducing today.
There is strong support from elected officials and the business
community in southern New Mexico for extending the border zone to 75
miles. Just recently, Luna County Commissioner Jay Spivey worked with
State Senator John Arthur Smith and Representative Dona Irwin to
introduce a Joint Memorial calling on DHS to extend the border zone to
75 miles. The Memorial unanimously passed both houses of the New Mexico
state legislature in September.
This is fundamentally an issue of fairness--New Mexico should have
the same opportunities the other three Border States enjoy because of
the economic benefits of BCC holders visiting their cities.
______
By Mr. AKAKA:
S. 1732. A bill to amend section 552a of title 5, United States Code
(commonly referred to as the Privacy Act), the E-Government Act of 2002
(Public Law 107-347), and chapters 35 and 36 of title 44, United States
Code, and other provisions of law to modernize and improve Federal
privacy laws; to the Committee on Homeland Security and Governmental
Affairs.
Mr. AKAKA. Mr. President, today I am introducing the Privacy Act
Modernization for the Information Age Act of 2011.
In 1974, Congress enacted the Privacy Act to protect Americans'
personal information from improper disclosure by the Federal
government. Broadly, the Privacy Act requires that government agencies
allow individuals to see any records an agency keeps on him or her,
with some exceptions for security and law enforcement, limits the
extent to which the government may share data with agencies and
third parties, allows individuals to access and correct their records,
requires agencies to provide notice of what data is collected and how
it is used and to keep records of disclosures, and provides individuals
the ability to enforce their rights under the act.
With the expansion of technology and the proliferation of personally
identifiable information in the hands of government agencies, the risk
of losing, abusing, or misusing information has grown exponentially. In
particular, over the last 10 years security needs have created pressure
on agencies to use existing personal information in new ways, not
contemplated when the information was collected. The growth in the
business of buying and selling individuals' information also raises new
questions about the extent to which the Privacy Act applies to these
sources of data on individuals used by the government. Meanwhile, there
have been few updates to the Privacy Act, leaving it better suited to
file cabinets and clunky 30 year old databases than the modern
information technology systems in use at agencies today.
In 2008, the Government Accountability Office, GAO, released a report
that I requested entitled, ``Privacy: Alternatives Exist for Enhancing
Protection of Personally Identifiable Information'', GAO-08-536. GAO
later testified about its findings at a Homeland Security and
Governmental Affairs Committee hearing where it identified issues in
three main areas that could be enhanced: applying privacy protections
consistently to all Federal collection and use of personal information;
ensuring that collection and use of personally identifiable information
is limited to a stated purpose; and establishing effective mechanisms
for informing the public about privacy protections.
After examining these recommendations and consulting with outside
privacy experts, working groups, and privacy and civil liberties
advocates, I am introducing the Privacy Act Modernization for the
Information Age Act of 2011. This bill addresses the issues raised by
GAO, adds stronger privacy leadership at the Office of Management and
Budget to ensure effective execution of the Privacy Act, and extends
authority for privacy officers to investigate possible violations of
privacy laws.
This bill updates the Privacy Act in several ways. It simplifies some
of the definitions to apply them to modern information technology
management ideas that were in their infancy in 1974. It also tightens
requirements for agency controls and maintenance of records to ensure
their use is authorized, and that personally identifiable information
is not misused.
Agencies would also be more accountable to the public in protecting
information. Notifications of systems with personally identifiable
information would be more relevant, transparent, and accessible,
allowing Americans to know which agencies may have what information
about them and in what systems. Importantly, the bill would create a
centralized privacy website containing System of Records Notices and
other related privacy information.
If civil or criminal violations of the Privacy Act do occur, the
penalties have been updated to reflect similar penalties in other laws.
The bill would also clarify Congress's intent in the statutory damages
provision in the Privacy Act by overturning Doe v. Chao, in which the
Supreme Court, I believe wrongly, held that an individual has to show
actual damages resulted from an intentional or willful improper
disclosure of personal information in order to receive an award.
My bill also builds on important new privacy protections introduced
in the E-Government Act of 2002, which established a requirement for a
Privacy Impact Assessment on certain new systems developed at agencies
that contain personally identifiable information. It also codifies the
term ``personally identifiable information,'' which has been defined by
the Office of Management and Budget, OMB, for years in conjunction with
the Privacy Act. This will let us focus on protecting personally
identifiable information rather than defining it.
The Privacy Act Modernization for the Information Age Act of 2011
would expand a successful tool given to the Department of Homeland
Security, DHS, Chief Privacy Officer, CPO, to other major agency CPOs.
In 2008, I championed the POWER Act, which gave the DHS CPO the
authority to investigate possible violations of privacy laws if an
Inspector General declines to investigate. I am pleased to say this
authority has not been abused, and in fact has been used only once at
DHS where its Inspector General inadvertently experienced a minor data
breach, and the CPO investigated the issue. This is a useful tool that
I believe other privacy offices overseeing massive amounts of
personally identifiable information could benefit from.
Finally, my bill would create a strong Federal Chief Privacy Officer,
FCPO, at OMB as well as a government-wide Chief Privacy Officers
Council, to fill the wide gaps in government-wide privacy leadership
and ensure consistent development of policies and guidance on the
Privacy Act across agencies. The FCPO position existed under President
Clinton, but it has not been replicated by subsequent administrations.
I have been impressed with DHS's leadership on privacy issues, thanks
to tools we have put into law and the resources we have provided. It is
equally important to enhance government-wide leadership through the
FCPO and the Chief Privacy Officers Council, which will create a better
environment to share ideas across agencies.
This bill would be an important step forward in modernizing how
government agencies execute their obligations to protect the personal
information provided to them by all Americans. With the proliferation
of data about every one of us online, and possibly creeping into
government databases, we need more transparency so the average person
has a place to go to learn about what information the government is
keeping and how they can access that information. I urge my colleagues
to support this effort and to continue to work with me and the Homeland
Security and Governmental Affairs Committee to produce legislation to
improve Federal privacy before this Congress adjourns.
Mr. President, I ask unanimous consent that the text of the bill be
printed in the Record.
There being no objection, the text of the bill was ordered to be
printed in the Record, as follows:
S. 1732
Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Privacy Act Modernization
for the Information Age Act of 2011''.
SEC. 2. AMENDMENTS TO THE PRIVACY ACT.
(a) Definitions.--Section 552a (a) of title 5, United
States Code, (commonly referred to as the Privacy Act), is
amended--
(1) in paragraph (4), by striking ``that is maintained by
an agency, including, but not limited to, his'' and inserting
``, including'';
(2) by striking paragraph (5) and inserting the following:
``(5) the term `system of records' means a group of any
records maintained by, or otherwise under the control of any
agency that is used for any authorized purpose by or on
behalf of the agency;''.
(3) by striking paragraph (7) and inserting the following:
``(7) the term `routine use' means, with respect to the
disclosure of a record, the use of such record for a purpose
which, as determined by the agency, is compatible with the
purpose for which it was collected and is appropriate and
reasonably necessary for the efficient and effective conduct
of Government;''.
(4) in paragraph (8)(A)(i)--
(A) by striking ``two or more automated systems of records
or a system of records with non-Federal records'' and
inserting ``data from a system of records'';
(B) in subclause (I), by inserting ``or State'' after
``Federal''; and
(C) in subclause (II), by inserting ``or State'' after
``Federal''.
(b) Conditions of Disclosure.--Section 552a(b) of title 5,
United States Code, is amended--
(1) in paragraph (1), by inserting ``that is consistent
with, and related to, any purpose described under subsection
(e)(2)(D) of this section'' before the semicolon;
(2) in paragraph (3), by striking ``(e)(4)(D)'' and
inserting ``(e)(2)(D)(iv) or subsection (v)'';
(3) in paragraph (6), by inserting ``or for records
management inspections authorized by statute'' before the
semicolon;
(4) in paragraph (7), by inserting ``, notwithstanding any
requirements of a routine use as defined under subsection
(a)(7),'' before ``to another agency'';
(5) in paragraph 8, by striking ``upon such disclosure
notification is transmitted to the last known address of such
individual'' and inserting ``a reasonable attempt to notify
the individual is made promptly after the disclosure''; and
(6) by striking paragraph (9) and inserting the following:
``(9)(A) to either House of Congress;
``(B) to the extent of matter within its jurisdiction, any
committee or subcommittee thereof, any joint committee of
Congress or subcommittee of any such joint committee; or
``(C) to the office of a Member of Congress when that
office is requesting records about a specific individual on
behalf of that individual in response to a written request
for assistance by that individual;''.
(c) Accounting of Certain Disclosures.--Section 552a(c) of
title 5, United States Code, is amended by inserting
``whether in an electronic or other format'' after ``system
of records under its control''.
(d) Agency Requirements.--Section 552a of title 5, United
States Code, is amended by striking subsection (e) and
inserting the following:
``(e) Agency Requirements.--
``(1) Authorized purpose.--No agency shall use a record
except for an authorized purpose and as maintained in a
system of records under this section.
``(2) Requirements.--Each agency shall--
``(A) maintain in its records only such information about
an individual as is relevant and necessary to accomplish any
specified purpose of the agency required to be accomplished
by statute or by executive order of the President, and only
retain such information as long as is necessary to fulfill
that purpose or as otherwise required by law;
``(B) collect information to the greatest extent
practicable directly from the subject individual when the
information may result in adverse determinations about an
individual's rights, benefits, and privileges;
``(C) inform each individual whom it asks to supply
information creating a record, at the time the information is
requested--
``(i) the authority (whether granted by statute or by
executive order of the President) which authorizes the
solicitation of the information and whether disclosure of
such information is voluntary or required to receive a right,
benefit, or privilege;
``(ii) the principal purpose or purposes for which the
information is intended to be used;
``(iii) the routine uses which may be made of the
information, as published under subparagraph (D)(iv);
``(iv) any effects on that individual of not providing all
or any part of the requested information;
``(v) the procedures and contact information for accessing
or correcting such information; and
``(vi) a reference to learning how such information will be
used or disclosed, including the simplest access to the
current system of records notice;
``(D) subject to the provisions of subparagraph (K),
publish in the Federal Register, make broadly accessible to
the public through a centralized website maintained by the
Office of Management and Budget, and link to such centralized
website from each agency's website, upon establishment or
revision a notice of the existence and character of the
system of records, which notice shall include--
``(i) the name and location of the system;
``(ii) the categories of individuals on whom records are
maintained in the system;
``(iii) the categories of records maintained in the system;
``(iv) any purpose for which the information is intended to
be used, including each routine use;
``(v) the legal authority for any purpose for which the
information is utilized granted by statute, executive order,
or other authorization;
``(vi) the policies and practices of the agency regarding
storage, retrievability, access controls, retention, and
disposal of the records;
``(vii) the title and business address of the agency
official who is responsible for the system of records;
``(viii) the agency procedures whereby an individual can be
notified at his request if the system of records contains a
record pertaining to him, how he can gain access to such a
record, or contest its content; and
``(ix) the sources of records in the system;
``(E) to the greatest extent practicable, ensure that all
records, including records from a third party source, which
are used by the agency in making any determination about an
individual are of such accuracy, relevance, timeliness, and
completeness as is reasonably necessary to assure fairness to
the individual in the determination, and upon request of the
individual, provide documentation of the same;
``(F) prior to disseminating any record about an individual
to any person other than an agency, unless the dissemination
is made pursuant to subsection (b)(2) of this section, make
reasonable efforts to assure that such records are accurate,
complete, timely, and relevant for agency purposes;
``(G) maintain no record describing how any individual
exercises rights guaranteed by the First Amendment unless
expressly authorized by statute or by the individual about
whom the record is maintained or unless pertinent to, and
within the scope of, an authorized law enforcement activity;
``(H) make reasonable efforts to notify an individual as
promptly as practicable after the agency receives compulsory
legal process for any record on the individual, unless that
notification is prohibited by law or court order;
``(I) establish rules of conduct for persons involved in
the design, development, operation, or maintenance of any
system of records, or in maintaining any record, and instruct
each such person with respect to such rules and the
requirements of this section, including any other rules and
procedures adopted pursuant to this section and the penalties
for noncompliance;
``(J) establish appropriate administrative, technical, and
physical safeguards to insure the security and
confidentiality of records and to protect against any
anticipated threats or hazards to their security or integrity
which could result in substantial harm, embarrassment,
inconvenience, or unfairness to any individual on whom
information is maintained;
``(K) in regards to the establishment or revision of a
system of records under subparagraph (D)--
``(i) at least 30 days prior to creation or modification of
a system of records, publish the entire text of the proposed
system of records notice in the Federal Register and on the
centralized website established under subparagraph (D);
``(ii) provide an opportunity for interested persons to
submit written or electronic data, views, or arguments to the
agency regarding the proposed system of records notice;
``(iii) within 180 days after publication of a proposed
system of records notice, publish on the centralized website
established under subparagraph (D), a response to the
comments received, along with notice of whether the system of
records notice as published has taken effect; and
``(iv) provide a link to the centralized website from the
website of the agency,
unless the Director of the Office of Management and Budget,
through the Federal Chief Privacy Officer grants an
exception, and that exception is published promptly in the
Federal Register and on the centralized website established
under subparagraph (D), including a link from the agency's
website;
``(L) if such agency is a recipient agency or a source
agency in a matching program with a non-Federal agency, with
respect to any establishment or revision of a matching
program, at least 30 days prior to conducting such program,
publish in the Federal Register notice of such establishment
or revision;
``(M) shall--
``(i) maintain an inventory on the number and scope of the
systems of records of that agency in a manner that clearly
and fairly describes activities of the agency to individuals;
and
``(ii) ensure that the inventory--
``(I) is annually updated and published in the Federal
Register, on the website established under subparagraph (D),
and on the agency's website; and
``(II) does not contain any information that would be
exempted from disclosure under this section or section 522 of
this title; and
``(N) make reasonable efforts to limit disclosure from a
system of records to minimum information necessary to
accomplish the purpose of the disclosure.''.
(e) Agency Rules.--Section 552a(f) of title 5, United
States Code, is amended in the last sentence--
(1) by striking ``biennially'' and inserting ``annually'';
(2) by striking ``subsection (e)(4)'' and inserting
``subsection (e)(2)(D)(iv)''; and
(3) by striking ``at low cost'' and inserting
``electronically, or at low cost physically''.
(f) Civil Remedies.--Section 552a(g)(4) is amended--
(1) by inserting ``and in which the complainant has
substantially prevailed'' after ``the agency acted in a
manner which was intentional or willful''; and
(2) in subparagraph (A), by striking ``, but in no case
shall a person entitled to recovery receive less than the sum
of $1,000'' and inserting ``or the sum of $1,000, whichever
is greater, except that in a class action the minimum for
each individual shall be reduced as necessary to ensure that
the total recovery in any class action or series of class
actions arising out of the same refusal or failure to comply
by the same agency shall not be greater than $10,000,000''.
(g) Criminal Penalties.--Section 552a(i) of title 5, United
States Code, is amended--
(1) in paragraph (1)--
(A) by inserting ``(A)'' before ``Any officer or
employee''; and
(B) by adding at the end the following:
``(B) A person who commits the offense described under
subparagraph (A) with the intent to sell, transfer, or use an
agency record for commercial advantage, personal gain, or
malicious harm shall be fined not more than $250,000,
imprisoned for not more than 10 years, or both.''; and
(2) in paragraph (3), by striking ``misdemeanor and fined
not more than $5,000'' and inserting ``felony and fined not
more than $100,000, imprisoned for not more than 5 years, or
both''.
(h) General Exemptions.--Section 552a(j) of title 5, United
States Code, is amended by striking ``The head of any
agency'' and inserting ``Notwithstanding any requirements of
a routine use as defined under subsection (a)(7), the head of
any agency''.
(i) Specific Exemptions.--Section 552a(k) of title 5,
United States Code, is amended by striking ``The head of any
agency'' and inserting ``Notwithstanding any requirements of
a routine use as defined under subsection (a)(7), the head of
any agency''.
(j) Archival Records.--Section 552a(l) of title 5, United
States Code, is amended in paragraphs (2) and (3) by striking
``National Archives of the United States'' each place that
term appears and inserting ``National Archives and Records
Administration''.
(k) Government Contractors.--Section 552(m)(1) of title 5,
United States Code, is amended by striking ``for the
operation by or on behalf of the agency of a system of
records to accomplish an agency function'' and inserting ``or
other agreement, including with another agency, for the
maintenance of a system of records to accomplish an agency
function on behalf of the agency''.
(l) Office of Management and Budget Responsibilities.--
Section 552a(v) of title 5, United States Code, is amended--
(1) in paragraph (1), by striking ``and'' after the
semicolon;
(2) in paragraph (2), by striking the period and inserting
``; and''; and
(3) by adding at the end the following:
``(3) establish and update a list of recommended standard
routine uses.''.
SEC. 3. AMENDMENTS TO THE E-GOVERNMENT ACT OF 2002.
Section 208 of the E-Government Act of 2002 (44 U.S.C. 3501
note; Public Law 107-347) is amended--
(1) in subsection (b)--
(A) in paragraph (1)(A)--
(i) by striking clause (i) and inserting the following:
``(i) developing, procuring, or otherwise making use of
information technology that collects, maintains, or
disseminates personally identifiable information; or'';
(ii) in clause (ii)(II)--
(I) by striking ``information in an identifiable form'' and
inserting ``personally identifiable information''; and
(II) by striking ``, other than agencies,
instrumentalities, or employees of the Federal Government.''
and inserting ``; and''; and
(iii) by adding at the end the following:
``(iii) using personally identifiable information
purchased, or subscribed to for a fee, from a commercial data
source.''; and
(B) in paragraph (2)(B)--
(i) in clause (i), by striking ``information that is in an
identifiable form'' and inserting ``personally identifiable
information''; and
(ii) in clause (ii)--
(I) in subclause (VI), by striking ``and'' at the end;
(II) in subclause (VII), by striking the period and
inserting ``; and''; and
(III) by adding at the end the following:
``(VIII) to what extent risks to privacy protection are
created by the use of the information and what steps have
been taken to mitigate such risks.''; and
(2) by striking subsection (d) and inserting the following:
``(d) Definition.--In this section, the term `personally
identifiable information' means any information about an
individual maintained by an agency, including--
``(1) any information that can be used to distinguish or
trace an individual's identity, such as name, social security
number, date and place of birth, mother's maiden name, or
biometric records; or
``(2) any other information that is linked or linkable to
an individual, such as medical, educational, financial, and
employment information.''.
SEC. 4. AMENDMENTS TO CHAPTERS 35 AND 36 OF TITLE 44, UNITED
STATES CODE.
(a) Office of Management and Budget.--Section 3504 of title
44, United States Code, is amended--
(1) in subsection (a)(1)(A)--
(A) in clause (iv), by inserting ``and'' after the
semicolon;
(B) by striking clause (v); and
(C) by redesignating clause (vi) as clause (v);
(2) by striking subsection (g); and
(3) by redesignating subsection (h) as subsection (g).
(b) Federal Information Privacy Policy.--
(1) In general.--Chapter 35 of title 44, United States
Code, is amended by adding at the end the following:
``SUBCHAPTER IV--FEDERAL INFORMATION PRIVACY POLICY
``Sec. 3561. Purposes
``The purposes of this subchapter are to--
``(1) ensure the consistent application of privacy
protections to personally identifiable information collected,
maintained, and used by all agencies;
``(2) strengthen the responsibility and accountability of
the Office of Management and Budget for overseeing privacy
protection in agencies;
``(3) improve agency responses to privacy breaches to
better inform and protect the public from the misuse of
personally identifiable information;
``(4) strengthen the responsibility and accountability of
agency officials for ensuring effective implementation of
privacy protection requirements; and
``(5) ensure that agency use of commercial sources of
information and information system services provides adequate
information security and privacy protections.
``Sec. 3562. Definitions
``(a) In General.--Except as provided under subsection (b),
the definitions under section 3502 shall apply to this
subchapter.
``(b) Additional Definitions.--In this subchapter--
``(1) the term `Council' means the Chief Privacy Officers
Council established under section 3567;
``(2) the term `personally identifiable information' means
any information about an individual maintained by an agency,
including--
``(A) any information that can be used to distinguish or
trace an individual's identity, such as name, social security
number, date and place of birth, mother's maiden name, or
biometric records; and
``(B) any other information that is linked or linkable to
an individual, such as medical, educational, financial, and
employment information; and
``(3) the term `data broker' means a person or entity that
for a fee regularly engages in the practice of collecting,
transmitting, or providing access to personally identifiable
information concerning more than 5,000 individuals who are
not the customers or employees of that person or entity (or
an affiliated entity) primarily for the purposes of providing
such information to non-affiliated third parties on an
interstate basis.
``Sec. 3563. Authority and functions of the Director
``(a) In fulfilling the responsibility to administer the
functions assigned under subchapter I, the Director of the
Office of Management and Budget shall comply with this
subchapter with respect to the specific matters covered by
this subchapter.
``(b) The Director shall oversee agency privacy protection
policies and practices, including by--
``(1) developing and overseeing the implementation of
policies, principles, standards, and guidelines on privacy
protection;
``(2) providing direction and overseeing privacy,
confidentiality, security, disclosure, and sharing of
information;
``(3) overseeing agency compliance with laws relating to
privacy protection, including the requirements of this
subchapter, section 552a of title 5 (commonly referred to as
the Privacy Act), and section 208 of the E-Government Act of
2002;
``(4) coordinating privacy protection policies and
procedures with related information resources management
policies and procedures, including through ensuring that
privacy protection considerations are taken into account in
managing the collection of information and the control of
paperwork as provided under subchapter I; and
``(5) appointing a Federal Chief Privacy Officer under
section 3564.
``Sec. 3564. Specific responsibilities of the Federal Chief
Privacy Officer
``(a) Federal Chief Privacy Officer.--
``(1) Definitions.--In this section--
``(A) the term `Senior Executive Service position' has the
meaning given under section 3132(a)(2) of title 5; and
``(B) the term `noncareer appointee' has the meaning given
under section 3132(a)(7) of title 5;
``(2) Establishment.--There is established the position of
the Federal Chief Privacy Officer within the Office of
Management and Budget. The position shall be a Senior
Executive Service position. The Director shall appoint a
noncareer appointee to the position. The primary
responsibilities of the position shall be the
responsibilities under subsection (b).
``(3) Qualifications.--The individual appointed to be the
Federal Chief Privacy Officer shall possess demonstrated
expertise in privacy protection policy and Government
information.
``(b) Responsibilities.--The Federal Chief Privacy Officer
shall--
``(1) carry out the responsibilities of the Director under
this subchapter;
``(2) provide overall direction, consistent with the Office
of Management and Budget guidance, section 552a of title 5
(commonly referred to as the Privacy Act), and section 208 of
the E-Government Act of 2002, of privacy policy governing the
Federal Government's collection, use, sharing, disclosure,
transfer, storage, security, and disposition of personally
identifiable information;
``(3) to the extent that the Federal Chief Privacy Officer
considers appropriate, establish procedures to review and
approve privacy documentation before public dissemination;
``(4) serve as the principal advisor for Federal privacy
policy matters to the Executive Office of the President,
including the President, the Director, the National Security
Council, the Homeland Security Council, and the Office of
Science and Technology Policy;
``(5) coordinate with the Privacy and Civil Liberties
Oversight Board established under section 1061 of the
Intelligence Reform and Terrorism Prevention Act of 2004 (5
U.S.C. 601 note); and
``(6) every 2 years submit a report to Congress on the
protection of privacy by the United States Government,
including the status of implementation of requirements under
this subchapter and other privacy related laws and policies.
``Sec. 3565. Privacy breach requirements
``The Director shall establish and oversee policies and
procedures for agencies to follow in the event of a breach of
information security involving the disclosure of personally
identifiable information and for which harm to an individual
could reasonably be expected to result, including--
``(1) a requirement for timely notice to be provided to
those individuals whose personally identifiable information
could be compromised as a result of such breach, except no
notice shall be required if the breach does not create a
reasonable risk of identity theft, fraud, or other unlawful
conduct regarding such individual;
``(2) guidance on determining how timely notice is to be
provided;
``(3) guidance regarding whether additional actions are
necessary and appropriate, including data breach analysis,
fraud resolution services, identity theft insurance, and
credit protection or monitoring services; and
``(4) requirements for timely reporting by the agencies of
such breaches to the director and the Federal information
security incident center referred to in section 3546.
``Sec. 3566. Agency responsibilities
``(a) In General.--In addition to requirements under
section 1062 of the National Security Intelligence Reform Act
of 2004, and in fulfilling the responsibilities under section
3506(g), the head of each agency shall ensure compliance with
laws relating to privacy protection, including the
requirements of this subchapter, section 552a of title 5
(commonly referred to as the Privacy Act), and section 208 of
the E-Government Act of 2002.
``(b) Chief Privacy Officers.--In the case of an agency
that has not designated a Chief Privacy Officer under section
522 of the Transportation, Treasury, Independent Agencies and
General Government Appropriations Act, 2005 (42 U.S.C.
2000ee-2), the head of each agency shall--
``(1) designate a senior official to be the chief privacy
officer of that agency; and
``(2) provide to the chief privacy officer such information
as the officer considers necessary.
``(c) Responsibilities of Agency Chief Privacy Officer.--
Each chief privacy officer shall have primary responsibility
for assuring the adequacy of privacy protections for
personally identifiable information collected, used, or
disclosed by the agency, including--
``(1) ensuring that the use of technologies sustain, and do
not erode, privacy protections relating to the use,
collection, and disclosure of personal information, including
through the conduct of privacy impact assessments as provided
by section 208 of the E-Government Act of 2002;
``(2) ensuring that personal information is handled in full
compliance with fair information practices under section 552a
of title 5 (commonly referred to as the Privacy Act) and
other applicable laws and policies;
``(3) evaluating legislative and regulatory proposals
involving collection, use, and disclosure of personally
identifiable information;
``(4) coordinating with the chief information officer to
ensure that privacy is adequately addressed in the agency
information security program, established under section 3544;
``(5) coordinating with other senior officials to ensure
programs, policies, and procedures involving civil rights,
civil liberties, and privacy considerations are addressed in
an integrated and comprehensive manner; and
``(6) reporting periodically to the head of the agency on
agency privacy protection activities.
``Sec. 3567. Chief Privacy Officers Council
``(a) Establishment.--There is established in the executive
branch a Chief Privacy Officers Council.
``(b) Membership.--
``(1) In general.--The members of the Council shall be as
follows:
``(A) The Federal Chief Privacy Officer, who shall serve as
chairperson of the Council.
``(B) Chief Privacy Officers established under section 522
of division H of the Consolidated Appropriations Act, 2005
(42 U.S.C. 2000 ee-2; Public Law 108-447).
``(C) The chairperson of the Privacy and Civil Liberties
Oversight Board.
``(D) As designated by the chairperson of the Council, any
senior agency official designated to be a chief privacy
officer under section 3566.
``(E) The Administrator of the Office of Electronic
Government, as an ex-officio member.
``(F) The Administrator of the Office of Information and
Regulatory Affairs, as an ex-officio member.
``(G) Any other officer or employee of the United States
designated by the chairperson.
``(2) Ex-officio members.--An ex-officio member may not
vote in Council proceedings.
``(c) Administrative Support.--The Administrator of the
General Services shall provide administrative and other
support for the Council.
``(d) Functions.--The Council shall--
``(1) be an interagency forum for establishing best
practices for agency privacy policy;
``(2) share, and promote the development of, best practices
to assure that the use of technologies sustains, and does not
erode, privacy protections relating to the use, collection,
and disclosure of personal information; assure that personal
information contained in systems of records are handled in
full compliance with fair information practices; and evaluate
legislative and regulatory proposals involving collection,
use, and disclosure of personal information by the Federal
Government; and
``(3) submit proposed improvements to privacy practices to
the Director.''.
(2) Technical and conforming amendment.--The table of
sections for chapter 35 of title 44, United States Code, is
amended by adding at the end the following:
``subchapter iv--federal information privacy policy
``Sec.
``3561. Purposes.
``3562. Definitions.
``3563. Authority and functions of the Director.
``3564. Specific responsibilities of the Chief Privacy Officer.
``3565. Privacy breach requirements.
``3566. Agency responsibilities.
``3567. Chief Privacy Officers Council.''.
(c) Electronic Government.--Section 3602(d) of title 44,
United States Code, is amended by inserting ``and the Federal
Chief Privacy Officer'' after ``Information and Regulatory
Affairs''.
SEC. 5. AMENDMENTS TO SECTION 1062 OF THE NATIONAL
INTELLIGENCE REFORM ACT OF 2004.
Section 1062 of the National Intelligence Reform Act of
2004 (42 U.S.C. 2000ee-1) is amended--
(1) by redesignating subsection (d) through (h) as
subsections (e) through (i); and
(2) by striking subsection (c) and inserting the following:
``(c) Authority To Investigate.--
``(1) In general.--Each privacy officer or civil liberties
officer described under subsection (a) or (b) may--
``(A) have access to all records, reports, audits, reviews,
documents, papers, recommendations, and other materials
available to the Department, agency, or element of the
executive branch that relate to programs and operations with
respect to the responsibilities of the senior official under
this section;
``(B) make such investigations and reports relating to the
administration of the programs and operations of the
Department, agency, or element of the executive branch as
are, in the senior official's judgment, necessary or
desirable;
``(C) subject to the approval of the Secretary or head of
the agency or element of the executive branch, require by
subpoena the production, by any person other than a Federal
agency, of all information, documents, reports, answers,
records, accounts, papers, and other data and documentary
evidence necessary to performance of the responsibilities of
the senior official under this section; and
``(D) administer to or take from any person an oath,
affirmation, or affidavit, whenever necessary to performance
of the responsibilities of the senior official under this
section.
``(2) Enforcement of subpoenas.--Any subpoena issued under
paragraph (1)(C) shall, in the case of contumacy or refusal
to obey, be enforceable by order of any appropriate United
States district court.
``(3) Effect of oaths.--Any oath, affirmation, or affidavit
administered or taken
under paragraph (1)(D) by or before an employee of the
Privacy Office designated for that purpose by the senior
official appointed under subsection (a) shall have the same
force and effect as if administered or taken by or before an
officer having a seal of office.
``(d) Supervision and Coordination.--
``(1) In general.--Each privacy officer or civil liberties
officer described under subsection (a) or (b) shall--
``(A) report to, and be under the general supervision of,
the Secretary; and
``(B) coordinate activities with the Inspector General of
the Department in order to avoid duplication of effort.
``(2) Coordination with the inspector general.--
``(A) In general.--Except as provided in subparagraph (B),
the senior official appointed under subsection (a) may
investigate any matter relating to possible violations or
abuse concerning the administration of any program or
operation of the Department, agency, or element of the
executive branch relevant to the purposes under this section.
``(B) Coordination.--
``(i) Referral.--Before initiating any investigation
described under subparagraph (A), the senior official shall
refer the matter and all related complaints, allegations, and
information to the Inspector General of the Department,
agency, or element of the executive branch.
``(ii) Determinations and notifications by the inspector
general.--Not later than 30 days after the receipt of a
matter referred under clause (i), the Inspector General
shall--
``(I) make a determination regarding whether the Inspector
General intends to initiate an audit or investigation of the
matter referred under clause (i); and
``(II) notify the senior official of that determination.''.
____________________