[House Report 106-919]
[From the U.S. Government Publishing Office]



106th Congress                                                   Report
                        HOUSE OF REPRESENTATIVES
 2d Session                                                     106-919

======================================================================



 
                         PRIVACY COMMISSION ACT

                                _______
                                

 September 29, 2000.--Committed to the Committee of the Whole House on 
            the State of the Union and ordered to be printed

                                _______
                                

    Mr. Burton of Indiana, from the Committee on Government Reform, 
                        submitted the following

                              R E P O R T

                             together with

                             MINORITY VIEWS

                        [To accompany H.R. 4049]

      [Including cost estimate of the Congressional Budget Office]

  The Committee on Government Reform, to whom was referred the 
bill (H.R. 4049) to establish the Commission for the 
Comprehensive Study of Privacy Protection, having considered 
the same, report favorably thereon with an amendment and 
recommend that the bill as amended do pass.

                                CONTENTS

                                                                   Page
  I. Summary of Legislation...........................................6
 II. Background and Need for the Legislation..........................6
III. Legislative Hearings and Committee Actions.......................7
 IV. Explanation of the Bill..........................................8
  V. Committee Oversight Findings....................................14
 VI. Budget Analysis and Projections.................................14
VII. Cost Estimate of the Congressional Budget Office................15
VIII.Statement of Constitutional Authority...........................16

 IX. Committee Recommendation........................................16
  X. Congressional Accountability Act; P.L. 104-1....................16
 XI. Unfunded Mandates Reform Act; P.L. 104-4, Section 423...........16
XII. Federal Advisory Committee Act (5 U.S.C. App.) Section 5(b).....16
XIII.Changes in Existing Law.........................................16

  The amendment is as follows:
  Strike out all after the enacting clause and insert in lieu 
thereof the following:

SECTION 1. SHORT TITLE.

  This Act may be cited as the ``Privacy Commission Act''.

SEC. 2. FINDINGS.

  The Congress finds the following:
          (1) Americans are increasingly concerned about their civil 
        liberties and the security and use of their personal 
        information, including medical records, educational records, 
        library records, magazine subscription records, records of 
        purchases of goods and other payments, and driver's license 
        numbers.
          (2) Commercial entities are increasingly aware that consumers 
        expect them to adopt privacy policies and take all appropriate 
        steps to protect the personal information of consumers.
          (3) There is a growing concern about the confidentiality of 
        medical records, because there are inadequate Federal 
        guidelines and a patchwork of confusing State and local rules 
        regarding privacy protection for individually identifiable 
        patient information.
          (4) In light of recent changes in financial services laws 
        allowing for increased sharing of information between 
        traditional financial institutions and insurance entities, a 
        coordinated and comprehensive review is necessary regarding the 
        protections of personal data compiled by the health care, 
        insurance, and financial services industries.
          (5) The use of Social Security numbers has expanded beyond 
        the uses originally intended.
          (6) Use of the Internet has increased at astounding rates, 
        with approximately 5 million current Internet sites and 64 
        million regular Internet users each month in the United States 
        alone.
          (7) Financial transactions over the Internet have increased 
        at an astounding rate, with 17 million American households 
        spending $20 billion shopping on the Internet last year.
          (8) Use of the Internet as a medium for commercial activities 
        will continue to grow, and it is estimated that by the end of 
        2000, 56 percent of the companies in the United States will 
        sell their products on the Internet.
          (9) There have been reports of surreptitious collection of 
        consumer data by Internet marketers and questionable 
        distribution of personal information by on-line companies.
          (10) In 1999, the Federal Trade Commission found that 87 
        percent of Internet sites provided some form of privacy notice, 
        which represented an increase from 15 percent in 1998.
          (11) The United States is the leading economic and social 
        force in the global information economy, largely because of a 
        favorable regulatory climate and the free flow of information. 
        It is important for the United States to continue that 
        leadership. As nations and governing bodies around the world 
        begin to establish privacy standards, these standards will 
        directly affect the United States.
          (12) The shift from an industry-focused economy to an 
        information-focused economy calls for a reassessment of the 
        most effective way to balance personal privacy and information 
        use, keeping in mind the potential for unintended effects on 
        technology development, innovation, the marketplace, and 
        privacy needs.
          (13) This Act shall not be construed to prohibit the 
        enactment of legislation on privacy issues by the Congress 
        during the existence of the Commission. It is the 
        responsibility of the Congress to act to protect the privacy of 
        individuals, including individuals' medical and financial 
        information. Various committees of the Congress are currently 
        reviewing legislation in the area of medical and financial 
        privacy. Further study by the Commission established by this 
        Act should not be considered a prerequisite for further 
        consideration or enactment of financial or medical privacy 
        legislation by the Congress.

SEC. 3. ESTABLISHMENT.

  There is established a commission to be known as the ``Commission for 
the Comprehensive Study of Privacy Protection'' (in this Act referred 
to as the ``Commission'').

SEC. 4. DUTIES OF COMMISSION.

  (a) Study.--The Commission shall conduct a study of issues relating 
to protection of individual privacy and the appropriate balance to be 
achieved between protecting individual privacy and allowing appropriate 
uses of information, including the following:
          (1) The monitoring, collection, and distribution of personal 
        information by Federal, State, and local governments, including 
        personal information collected for a decennial census, and such 
        personal information as a driver's license number.
          (2) Current efforts to address the monitoring, collection, 
        and distribution of personal information by Federal and State 
        governments, individuals, or entities, including--
                  (A) existing statutes and regulations relating to the 
                protection of individual privacy, such as section 552a 
                of title 5, United States Code (commonly referred to as 
                the Privacy Act of 1974) and section 552 of title 5, 
                United States Code (commonly referred to as the Freedom 
                of Information Act);
                  (B) legislation pending before the Congress;
                  (C) privacy protection efforts undertaken by the 
                Federal Government, State governments, foreign 
                governments, and international governing bodies;
                  (D) privacy protection efforts undertaken by the 
                private sector; and
                  (E) self-regulatory efforts initiated by the private 
                sector to respond to privacy issues.
          (3) The monitoring, collection, and distribution of personal 
        information by individuals or entities, including access to and 
        use of medical records, financial records (including credit 
        cards, automated teller machine cards, bank accounts, and 
        Internet transactions), personal information provided to on-
        line sites accessible through the Internet, Social Security 
        numbers, insurance records, education records, and driver's 
        license numbers.
          (4) Employer practices and policies with respect to the 
        financial and health information of employees, including--
                  (A) whether employers use or disclose employee 
                financial or health information for marketing, 
                employment, or insurance underwriting purposes;
                  (B) what restrictions employers place on disclosure 
                or use of employee financial or health information;
                  (C) employee rights to access, copy, and amend their 
                own health records and financial information;
                  (D) what type of notice employers provide to 
                employees regarding employer practices with respect to 
                employee financial and health information; and
                  (E) practices of employer medical departments with 
                respect to disclosing employee health information to 
                administrative or other personnel of the employer.
          (5) The extent to which individuals in the United States can 
        obtain redress for privacy violations.
          (6) The extent to which older individuals and disabled 
        individuals are subject to exploitation involving the 
        disclosure or use of their financial information.
  (b) Field Hearings.--
          (1) In general.--The Commission shall conduct at least 2 
        field hearings in each of the 5 geographical regions of the 
        United States.
          (2) Boundaries.--For purposes of this subsection, the 
        Commission may determine the boundaries of the five 
        geographical regions of the United States.
  (c) Report.--
          (1) In general.--Not later than 18 months after appointment 
        of all members of the Commission--
                  (A) a majority of the members of the Commission shall 
                approve a report; and
                  (B) the Commission shall submit the approved report 
                to the Congress and the President.
          (2) Contents.--The report shall include a detailed statement 
        of findings, conclusions, and recommendations, including the 
        following:
                  (A) Findings on potential threats posed to individual 
                privacy.
                  (B) Analysis of purposes for which sharing of 
                information is appropriate and beneficial to consumers.
                  (C) Analysis of the effectiveness of existing 
                statutes, regulations, private sector self-regulatory 
                efforts, technology advances, and market forces in 
                protecting individual privacy.
                  (D) Recommendations on whether additional legislation 
                is necessary, and if so, specific suggestions on 
                proposals to reform or augment current laws and 
                regulations relating to individual privacy.
                  (E) Analysis of purposes for which additional 
                regulations may impose undue costs or burdens, or cause 
                unintended consequences in other policy areas, such as 
                security, law enforcement, medical research, or 
                critical infrastructure protection.
                  (F) Cost analysis of legislative or regulatory 
                changes proposed in the report.
                  (G) Recommendations on non-legislative solutions to 
                individual privacy concerns, including education, 
                market-based measures, industry best practices, and new 
                technology.
                  (H) Review of the effectiveness and utility of third-
                party verification of privacy statements, including 
                specifically with respect to existing private sector 
                self-regulatory efforts.
  (d) Additional Report.--Together with the report under subsection 
(c), the Commission shall submit to the Congress and the President any 
additional report of dissenting opinions or minority views by a member 
of the Commission.
  (e) Interim Report.--The Commission may submit to the Congress and 
the President an interim report approved by a majority of the members 
of the Commission.

SEC. 5. MEMBERSHIP.

  (a) Number and Appointment.--The Commission shall be composed of 17 
members appointed as follows:
          (1) 4 members appointed by the President.
          (2) 4 members appointed by the majority leader of the Senate.
          (3) 2 members appointed by the minority leader of the Senate.
          (4) 4 members appointed by the Speaker of the House of 
        Representatives.
          (5) 2 members appointed by the minority leader of the House 
        of Representatives.
          (6) 1 member, who shall serve as Chairperson of the 
        Commission, appointed jointly by the President, the majority 
        leader of the Senate, and the Speaker of the House of 
        Representatives.
  (b) Diversity of Views.--The appointing authorities under subsection 
(a) shall seek to ensure that the membership of the Commission has a 
diversity of views and experiences on the issues to be studied by the 
Commission, such as views and experiences of Federal, State, and local 
governments, the media, the academic community, consumer groups, public 
policy groups and other advocacy organizations, business and industry 
(including small business), the medical community, civil liberties 
experts, and the financial services industry.
  (c) Date of Appointment.--The appointment of the members of the 
Commission shall be made not later than 30 days after the date of the 
enactment of this Act.
  (d) Terms.--Each member of the Commission shall be appointed for the 
life of the Commission.
  (e) Vacancies.--A vacancy in the Commission shall be filled in the 
same manner in which the original appointment was made.
  (f) Compensation; Travel Expenses.--Members of the Commission shall 
serve without pay, but shall receive travel expenses, including per 
diem in lieu of subsistence, in accordance with sections 5702 and 5703 
of title 5, United States Code.
  (g) Quorum.--A majority of the members of the Commission shall 
constitute a quorum, but a lesser number may hold hearings.
  (h) Meetings.--
          (1) In general.--The Commission shall meet at the call of the 
        Chairperson or a majority of its members.
          (2) Initial meeting.--Not later than 45 days after the date 
        of the enactment of this Act, the Commission shall hold its 
        initial meeting.

SEC. 6. DIRECTOR; STAFF; EXPERTS AND CONSULTANTS.

  (a) Director.--
          (1) In general.--On or after October 1, 2000, the Commission 
        shall appoint a Director without regard to the provisions of 
        title 5, United States Code, governing appointments to the 
        competitive service.
          (2) Pay.--The Director shall be paid at the rate payable for 
        level III of the Executive Schedule established under section 
        5314 of such title.
  (b) Staff.--The Director may appoint staff as the Director determines 
appropriate.
  (c) Applicability of Certain Civil Service Laws.--
          (1) In general.--The staff of the Commission shall be 
        appointed without regard to the provisions of title 5, United 
        States Code, governing appointments in the competitive service.
          (2) Pay.--The staff of the Commission shall be paid in 
        accordance with the provisions of chapter 51 and subchapter III 
        of chapter 53 of that title relating to classification and 
        General Schedule pay rates, but at rates not in excess of the 
        maximum rate for grade GS-15 of the General Schedule under 
        section 5332 of that title.
  (d) Experts and Consultants.--The Director may procure temporary and 
intermittent services under section 3109(b) of title 5, United States 
Code.
  (e) Staff of Federal Agencies.--
          (1) In general.--Upon request of the Director, the head of 
        any Federal department or agency may detail, on a reimbursable 
        basis, any of the personnel of that department or agency to the 
        Commission to assist it in carrying out this Act.
          (2) Notification.--Before making a request under this 
        subsection, the Director shall give notice of the request to 
        each member of the Commission.

SEC. 7. POWERS OF COMMISSION.

  (a) Hearings and Sessions.--The Commission may, for the purpose of 
carrying out this Act, hold hearings, sit and act at times and places, 
take testimony, and receiveevidence as the Commission considers 
appropriate. The Commission may administer oaths or affirmations to 
witnesses appearing before it.
  (b) Powers of Members and Agents.--Any member or agent of the 
Commission may, if authorized by the Commission, take any action which 
the Commission is authorized to take by this section.
  (c) Obtaining Official Information.--
          (1) In general.--Except as provided in paragraph (2), if the 
        Chairperson of the Commission submits a request to a Federal 
        department or agency for information necessary to enable the 
        Commission to carry out this Act, the head of that department 
        or agency shall furnish that information to the Commission.
          (2) Exception for national security.--If the head of that 
        department or agency determines that it is necessary to guard 
        that information from disclosure to protect the national 
        security interests of the United States, the head shall not 
        furnish that information to the Commission.
  (d) Mails.--The Commission may use the United States mails in the 
same manner and under the same conditions as other departments and 
agencies of the United States.
  (e) Administrative Support Services.--Upon the request of the 
Director, the Administrator of General Services shall provide to the 
Commission, on a reimbursable basis, the administrative support 
services necessary for the Commission to carry out this Act.
  (f) Gifts and Donations.--The Commission may accept, use, and dispose 
of gifts or donations of services or property to carry out this Act, 
but only to the extent or in the amounts provided in advance in 
appropriation Acts.
  (g) Contracts.--The Commission may contract with and compensate 
persons and government agencies for supplies and services, without 
regard to section 3709 of the Revised Statutes (41 U.S.C. 5).
  (h) Subpoena Power.--
          (1) In general.--The Commission may issue subpoenas requiring 
        the attendance and testimony of witnesses and the production of 
        any evidence relating to any matter that the Commission is 
        empowered to investigate by section 4. The attendance of 
        witnesses and the production of evidence may be required by 
        such subpoena from any place within the United States and at 
        any specified place of hearing within the United States.
          (2) Failure to obey a subpoena.--If a person refuses to obey 
        a subpoena issued under paragraph (1), the Commission may apply 
        to a United States district court for an order requiring that 
        person to appear before the Commission to give testimony, 
        produce evidence, or both, relating to the matter under 
        investigation. The application may be made within the judicial 
        district where the hearing is conducted or where that person is 
        found, resides, or transacts business. Any failure to obey the 
        order of the court may be punished by the court as civil 
        contempt.
          (3) Service of subpoenas.--The subpoenas of the Commission 
        shall be served in the manner provided for subpoenas issued by 
        a United States district court under the Federal Rules of Civil 
        Procedure for the United States district courts.
          (4) Service of process.--All process of any court to which 
        application is made under paragraph (2) may be served in the 
        judicial district in which the person required to be served 
        resides or may be found.

SEC. 8. TERMINATION.

  The Commission shall terminate 30 days after submitting a report 
under section 4(c).

SEC. 9. AUTHORIZATION OF APPROPRIATIONS.

  (a) In General.--There are authorized to be appropriated to the 
Commission $5,000,000 to carry out this Act.
  (b) Availability.--Any sums appropriated pursuant to the 
authorization in subsection (a) shall remain available until expended.

SEC. 10. BUDGET ACT COMPLIANCE.

  Any new contract authority authorized by this Act shall be effective 
only to the extent or in the amounts provided in advance in 
appropriation Acts.

SEC. 11. PRIVACY PROTECTIONS.

  (a) Destruction or Return of Information Required.--Upon the 
conclusion of the matter or need for which individually identifiable 
information was disclosed to the Commission, the Commission shall 
either destroy the individually identifiable information or return it 
to the person or entity from which it was obtained, unless the 
individual that is the subject of the individually identifiable 
information has authorized its disclosure.
  (b) Disclosure of Information Prohibited.--The Commission--
          (1) shall protect individually identifiable information from 
        improper use; and
          (2) may not disclose such information to any person, 
        including the Congress or the President, unless the individual 
        that is the subject of the information has authorized such a 
        disclosure.
  (c) Proprietary Business Information and Financial Information.--The 
Commission shall protect from improper use, and may not disclose to any 
person, proprietary business information and proprietary financial 
information that may be viewed or obtained by the Commission in the 
course of carrying out its duties under this Act.
  (d) Individually Identifiable Information Defined.--For the purposes 
of this Act, the term ``individually identifiable information'' means 
any information, whether oral or recorded in any form or medium, that 
identifies an individual, or with respect to which there is a 
reasonable basis to believe that the information can be used to 
identify an individual.

                       I. Summary of Legislation

    H.R. 4049, the ``Privacy Commission Act,'' establishes a 
17-member commission to study issues relating to the protection 
of individual privacy and the appropriate balance to be 
achieved between protecting such privacy and allowing 
appropriate uses of information. The Commission also will make 
recommendations to Congress.

              II. Background and Need for the Legislation

    Americans are increasingly concerned that their personal 
information is no longer confidential. Recent public opinion 
polls have found that the threat of the loss of personal 
privacy is one of the leading issues concerning Americans 
today.
    Although personal privacy has been a concern of Americans, 
recent developments in information technology and changes in 
existing law have heightened attention to privacy issues. 
Increased access to the Internet now allows millions of 
Americans to access computer networks each month. Internet 
financial transactions have grown at an astounding rate. In the 
year 2000, an estimated 17 million U.S. households will spend 
approximately $30 billion shopping on-line. This number is 
expected to grow with predictions that 42 million households 
will purchase over $64 billion worth of on-line goods and 
services by the end of 2001.\1\ Commercial use of the Internet 
will continue to grow, with predictions that 56 percent of U.S. 
companies will sell their products on-line by the end of the 
year 2000.
---------------------------------------------------------------------------
    \1\ ``The Whole View'' by Forrester Research, Inc., Cambridge, 
Mass., September 19, 2000.
---------------------------------------------------------------------------
    In addition to the resultant flow of information allowed by 
the Internet, changes in financial laws and changes in medical 
records policy, a number of traditional barriers protecting 
individual privacy have been eliminated. Advances in genetic 
testing and the sharing of medical records among insurance 
entities, pharmaceutical companies, and other health-related 
entities alarm many American who are concerned that their 
medical history could become available to inappropriate 
individuals.
    Along with consumers, local, State, and Federal lawmakers 
have increasingly become concerned about privacy issues leading 
to a rapid increase in the number of privacy-related 
legislative proposals. Yet few of these bills have been 
enacted, largely because of the issues' complexity and the lack 
of consensus on an appropriate approach to resolve the 
problems. Of the laws that have been enacted, several resulted 
in unintended consequences, and at least one has been repealed.
    H.R. 4049 would establish a commission to examine privacy 
issues at all levels of government and make recommendations to 
Congress regarding needed legislative initiatives to protect 
personally identifiable information.\2\ This Commission will 
have the authority to examine privacy from a broad perspective 
in contrast to previous approaches, which have examined privacy 
from a narrower spectrum.
---------------------------------------------------------------------------
    \2\ As defined by the bill, ``individually identifiable 
information'' is any information, whether verbal or recorded in any 
form or medium, that identifies an individual, for which there is a 
reasonable basis to believe could be used to identify an individual.
---------------------------------------------------------------------------
    This legislation is the first congressional effort in more 
than 25 years to address privacy issues via a commission. H.R. 
4049 will build upon the work of the 1974 Privacy Commission by 
venturing into new areas of privacy concerns, such as the 
Internet.\3\ As the 1974 Commission helped set parameters for 
the privacy debate of the last 25 years, H.R. 4049 will assist 
in establishing principles that will serve as a guide 
throughout the beginning of the 21st century.
---------------------------------------------------------------------------
    \3\ Legislative Hearing to Establish the Commission for the 
Comprehensive Study of Privacy Protection, 106th Congress, 2nd session 
(2000) Statement of Sandra Parker, Director of Government Affairs and 
Health Policy, Maine Hospital Association. (Transcript not printed at 
the time of this report's publication.)
---------------------------------------------------------------------------

            III. Legislative Hearings and Committee Actions

    H.R. 4049 was introduced on March 21, 2000, by the Rep. Asa 
Hutchinson (R-AR) and the Rep. Jim Moran (D-VA). Original co-
sponsors include Rep. Kay Granger (R-TX), Rep. Kevin Brady (R-
TX), Rep. Jim Davis (D-FL), Rep. Deborah Pryce (R-OH), Rep. 
John Sununu (R-NH), Rep. Thomas Barrett (D-WI), Rep. Tom Coburn 
(R-OK), Rep. Jay Dickey (R-AR), Rep. Gerald Kleczka (D-WI), 
Rep. Joseph Pitts (R-PA), Rep. James Greenwood (R-PA), Rep. Bob 
Riley (R-AL), Rep. John Duncan (R-TN), Rep. Frank Lucas (R-OK), 
Rep. Jim Kolbe (R-AZ), Rep. Tom Campbell (R-CA), Rep. Sue Kelly 
(R-NY), Rep. Thomas Davis (R-VA), and Rep. David Vitter (R-LA).
    On March 29, 2000, H.R. 4049 was referred to the Committee 
on Government Reform, and subsequently to its Subcommittee on 
Government Management, Information, and Technology. The 
subcommittee held three days of legislative hearings on the 
legislation on April 12, 2000, and May 15-16, 2000. The 
subcommittee held a mark-up of the bill on June 14, 2000, at 
which time subcommittee Chairman Stephen Horn (R-CA) offered an 
amendment in the nature of a substitute to H.R. 4049. The 
amended bill was favorably reported to the full Committee by 
voice vote.
    On June 29, 2000, the full Committee on Government Reform 
met to consider H.R. 4049. An amendment by Representative 
Carolyn Maloney (D-NY) was acceptedrequiring the Commission to 
review the effectiveness and utility of third-party verification of 
privacy statements. In addition, another amendment offered by Mrs. 
Maloney was adopted, requiring the Commission to review the extent to 
which older or disabled individuals are subjected to exploitation 
because of the disclosure or inappropriate use of their financial 
information. Representative Janice Schakowsky (D-IL) offered an 
amendment, which was approved, that inserted ``civil liberties 
experts'' into the section of the bill that addresses the Commission's 
recommended composition. Representative Henry Waxman (D-CA) offered an 
amendment, also adopted, that added a finding stating that the Act 
should not be construed to prohibit enactment of legislation on privacy 
issues by Congress during the existence of the Commission, and that 
further study by the Commission should not be considered a prerequisite 
for further consideration or enactment of financial or medical privacy 
legislation by the Congress. Following the adoption of the aforesaid, 
the Committee favorably reported H.R. 4049, as amended, to the full 
House by voice vote.

                      IV. Explanation of the Bill


Sec. 1. Short title

    Section 1 provides that the Act may be cited as the 
``Privacy Commission Act.''

Sec. 2. Finding and purposes

    Section 2 provides a statement of findings and purposes for 
the legislation.

Sec. 3. Establishment of Commission

    Section 3 establishes the Commission.

Sec. 4. Duties of the Commission

    Section 4 of the Act establishes the responsibilities and 
goals of the Commission and offers broad recommendations on 
those areas the Commission should review.
    Subsection (a) directs the Commission to examine issues 
relating to the protection of personal privacy and the need to 
achieve a balance between protecting individual privacy and 
allowing appropriate uses of information. During the hearings, 
the Committee found that the privacy debate centers around the 
issue of permissible and non-permissible uses of personally 
identifiable information, as this information becomes 
increasingly available. The testimony focused on the need to 
strike a balance between protecting individually identifiable 
information and the sharing of that information for purposes of 
business, medicine, and other uses.
    Under section (a)(1) the Commission is instructed to review 
Federal, State and local governments' monitoring, collection 
and distribution of personally identifiable information, and 
the use of documents such as the decennial census and drivers 
license applications.
    Section (a)(2), instructs the Commission to examine 
existing laws to protect individuals' privacy, including but 
not limited to: the Privacy Act of 1974 and the Freedom of 
Information Act. The Commission shall examine extant efforts to 
address monitoring, collection and distribution of personal 
information by the Federal Government, State Governments, 
individuals and other entities.
    During the Committee mark-up, some Committee members raised 
concerns regarding the use of individually identifiable 
information by Congress and the Executive Office of the 
President. Presently, Congress is not covered by the 1974 
Privacy Act or the Freedom of Information Act and the 
longstanding position of the Department of Justice is that 
certain components of the Executive Office of the President are 
also not covered by those acts. The Committee believes that the 
Commission should study the implications of applying the 
Privacy Act and Freedom of Information Act to Congress and to 
all components of the Executive Office of the President.
    Under section (a)(2)(B) of the Act, the Commission is 
directed to examine privacy-related legislation pending before 
the Congress. There are currently many bills before Congress, 
both in the Senate and House that address the issue of privacy. 
The Commission should consider the differing congressional 
views on the privacy debate.
    Under section (a)(2)(C), the Commission is directed to 
review the privacy protection efforts previously undertaken by 
Federal and State governments, foreign bodies, and 
international governing bodies. With thousands of privacy bills 
introduced at the State and local levels, as well as 
international bodies and sovereign nations implementing their 
own privacy laws, the Commission needs to understand how these 
different initiatives will interact and what can be learned 
from them. The Commission should look at such questions as: 
Should there be Federally guaranteed minimum levels of privacy 
protections? Should there be Federal preemption for privacy 
issues, particularly in light of the explosion in Internet use? 
What occurs when privacy laws conflict? How will U.S. privacy 
laws be affected by implementation of external regulations and 
directives, such as the European Directive?
    Under sections (a)(2)(D) and (a)(2)(E), the Commission is 
directed to review privacy protection efforts undertaken by the 
private sector, as well as self-regulated efforts initiated by 
the private sector. In response to the growing concern of 
individuals about their personal information, the Committee 
found that some in the private sector--including high tech 
companies, financial services, medical entities, and others--
are developing or have implemented new technologies and 
practices designed to ensure the protection of individual 
privacy. The Commission should review these policies and 
procedures to determine their efficacy, as well as their impact 
on consumers and others.
    Under section (a)(3), the Commission is instructed to 
examine the monitoring, collection, and distribution of 
personal information by individuals or entities, both public 
and private, including access to and the use of medical 
records, financial records (such as credit cards, automated 
teller machine cards, bank accounts, and Internet 
transactions), personal information provided to on-line sites 
accessible through the Internet, Social Security numbers, 
insurance records, education records, and drivers license 
numbers. In addition, the Committee believes that the 
Commission should examine the use to which that information is 
being employed once it has been collected.
    Section (a)(4), instructs the Commission to review employer 
practices and policies with respect to the financial and health 
information of employees, including: under section (a)(4)(A), 
whether employers use or disclose employee financial or health 
information for marketing employment or insurance underwriting 
purposes; under section (a)(4)(B), what restrictions employers 
place on disclosure or use of employee financial or health 
information; under section (a)(4)(C), what rights employees 
have to access, copy, and amend their own health records and 
financial information; under section (a)(4)(D), what type of 
notice is provided to employees regarding employer practices 
with respect to employee financial and health information; and, 
under section (a)(4)(E), what practices employer medical 
departments use regarding the disclosure of employee health 
information to the employer. During the hearings, some 
Committee members raised the point that employers collect 
information on employees so that an employer may fulfil his or 
her obligation to provide information to health insurance or 
retirement plans. It is the view of the Committee that the 
Commission should review the potential uses of any collected 
information, as well as current trends among employers 
regarding that information.
    Section (a)(5), requires the Commission to review the 
extent to which individuals in the United States can obtain 
redress for privacy violations. The Commission should examine 
whether mechanisms exist to assist people who believe their 
privacy has been inappropriately compromised, and if so, 
whether these mechanisms are effective.
    Under section (a)(6), the Commission is to review the 
extent to which older individuals and disabled individuals are 
subject to exploitation involving the disclosure or use of 
their financial information. The Committee believes that the 
Commission should evaluate present trends occurring in the 
financial community and their impact on seniors and the 
disabled.
    Section (b) directs the Commission to hold at least two 
field hearings in five geographical regions of the United 
States. For purposes of these field hearings, the Commission is 
charged with the responsibility of designating the boundaries 
that constitute the geographical areas. Field hearings may be 
held with less than a majority of Commission members present. 
During the course of the Committee hearings, it was suggested 
that requiring members to be at every meeting would be 
unnecessarily burdensome, and that the field hearings could be 
equally effective with less than a majority of the Commission 
present. The Committee agrees.
    Section (c) requires that no later than 18 months after the 
appointment of all members of the Commission, a majority of the 
Commission's members shall submit a report to Congress and the 
President.
    Section (c)(2), delineates the minimum content of the 
report. Section (c)(2)(H), requires the Commission to review 
the effectiveness and utility of third-party verification of 
privacy statements, including existing private sector self-
regulatory efforts. This provision contains language that may 
lead the private and public sectors to a mutually satisfactory 
solution on the broad privacy concerns of the American public 
and the business community. The private sector has a long 
history of securing objective, third party professionals to 
undertake reviews of the financial and business records of 
American industry. These reviews are, primarily, initiated by 
the private sector. Arms-length reviews have been and remain an 
important tradition in reassuring the American public that the 
corporate sector can be depended upon for honest business 
dealings. Now, more than ever, the public trusts the corporate 
sector with its personal investments and savings. This trust 
must include the maintenance of Americans' most private 
information as well. This is why the Committee is specifically 
asking the Commission to review and report to the Congress on 
the efficacy of third-party verification and assurance services 
for protecting individual private information. This objective 
is critically important, in that it may protect the future of 
the evolving e-commerce industry as well as the private 
information of American citizens.
    Subsection (d) allows for the submission of additional 
reports in the event of dissenting points of view. Any 
additional reports shall also be made public so that all points 
of view can be disseminated.
    Pursuant to section (e), the Commission has the authority 
to issue interim reports approved by a majority of members of 
the Commission. The Committee was concerned that during the 
operation of the Commission, the Commission may determine that 
certain aspects of the privacy debate require immediate 
attention, and that the Commission might be prepared to make a 
recommendation before the final report of the Commission. 
Because governmental bodies and private entities continue to 
question the appropriate relationships between protecting 
privacy and the sharing of information, the Committee believes 
that the Commission may want to issue interim reports on time-
sensitive privacy issues, so that the Commission's findings may 
be used to assist entities that are moving forward on the 
privacy front.

Sec. 5. Membership

    Under section 5 of the Act, the Commission shall be 
composed of 17 members--4 members appointed by the President; 4 
members appointed by the Majority Leader of the Senate; 2 
members appointed by the Minority Leader of the Senate; 4 
members appointed by the Speaker of the House of 
Representatives; 2 members appointed by the Minority Leader of 
the House of Representatives; and 1 member, who shall serve as 
Chairperson of the Commission, appointed jointly by the 
President, the Majority Leader of the Senate, and the Speaker 
of the House of Representatives.
    Under subsection (b), the Committee firmly believes that it 
is important for the Commission to be composed of individuals 
who have a wide diversity of viewpoints as well as those who 
deal with privacy issues on a regular basis. Furthermore, the 
Committee believes that Commission members should possess 
practical knowledge and experience in balancing individual 
privacy interests with the legitimate needs of the public, 
government, commercial interests, and news organizations to 
gain access to and use information. The individuals appointed 
should be open-minded and willing to look at new ideas and 
possibilities. During the mark-up, the Committee included 
language offering a broad outline of groups that should 
comprise the Commission, including representatives from groups 
such as: Federal, State and local governments who can provide 
insight on the government's collection of information and 
existing State and Federal laws; the news media, who have a 
working familiarity with the use of public documents for the 
dissemination of public information; the academic community, 
who can provide expertise in the history and theories of 
privacy policy; consumer groups, who can represent individual 
consumers and their privacy concerns; public policy groups who 
are knowledgeable on legislative policies and privacy policies 
within private industry; the business community, including 
small business, who can share information about developing 
technologies and discuss the impact of privacy protections on 
business endeavors including Internet and e-commerce; the 
medical community, who can provide the Commission with an 
understanding of the intricacies of privacy issues in the 
medical profession; civil liberties organizations, who can help 
raise awareness of privacy issues; and the financial community, 
who can provide expertise regarding financial modernization 
laws and can explain the need for allowing the free flow of 
information while protecting privacy.
    Under subsection (c), the appointment of the members of the 
Commission shall be made no later than 30 days after the date 
of the enactment of the Act.
    Under subsection (d), each member of the Commission will 
serve for the life of the Commission.
    Under subsection (e), in the event of a vacancy, the 
position will be filled in the same manner as the original 
appointment. The individual serving in the capacity of the 
appointing official (e.g., the Majority Leader of the House) 
has the authority to appoint a replacement to fill the vacancy.
    Pursuant to subsection (f), members of the Commission shall 
serve without pay, but shall receive travel expenses, including 
per diem in lieu of subsistence.
    Subsection (g) establishes that a majority of the 
Commission shall constitute a quorum, but a lesser number may 
hold hearings.
    Under subsection (h), the Commission shall meet at the call 
of the Chairperson or a majority of its members. The initial 
meeting of the Commission shall not be later than 45 days after 
the date of enactment of this Act.

Sec. 6. Director; staff; experts and consultants

    Section 6 of the Act addresses the staff of the Commission. 
The Commission shall appoint a director, who will be paid at 
the rate payable for level III of the Executive Schedule 
established under section 5314 of Title 5, United States Code. 
The Director may appoint staff, who will be paid in accordance 
with the provisions of chapter 51 and subchapter III of chapter 
53 of that title relating to classification and General 
Schedule pay rates, but at rates not in excess of the maximum 
rate for grade GS-15 of the General Schedule under section 5332 
of that title. The Director may procure temporary and 
intermittent services under section 3109(b) of Title 5, United 
States Code. Finally, the Director, if it is deemed necessary, 
may request the head of any Federal department or agency to 
detail personnel of that department or agency on a reimbursable 
to the Commission to assist in the carrying out of this Act. 
However, before making such a request, the Director shall give 
notice of the request to each member of the Commission.

Sec. 7. Powers of Commission

    Pursuant to subsection (a), the Commission may hold 
hearings, sit and act at times and places, take testimony, and 
receive evidence, as the Commission considers appropriate. The 
Commission may administer oaths or affirmation to witnesses 
appearing before it.
    Under subsection (b), any member or agent of the Commission 
may, if authorized by the Commission, take any action which the 
Commission is authorized to take by this section.
    Under subsection (c), except as provided for by section 
(7)(c)(2), if the Chairperson of the Commission submits a 
request to a Federal department or agency for information 
necessary to enable the Commission to carry out this Act, the 
head of the department or agency shall furnish that information 
to the Commission. However, if the head of the department or 
agency determines that this information should not be furnished 
due toissues of national security, the department or agency 
head shall not furnish that information to the Commission. During the 
hearings, witnesses representing the Administration raised the issue 
that some agencies may need to withhold information from the Commission 
that is deemed vital to the national security. It is the firm belief of 
the Committee that the collection of information by the Commission 
should in no way threaten the national security of the United States. 
However, the determination to withhold information should be used 
sparingly, and departments and agencies should work with the Commission 
to ensure that information contained in said documents that can be 
segregated and released without threatening national security are 
released.
    Under subsection (d), the Commission may use the United 
States mail in the same manner and under the same conditions as 
other departments and agencies of the United States.
    Under subsection (e), upon request of the Director, the 
Administrator of General Services shall provide to the 
Commission, on a reimbursable basis, the administrative support 
services necessary for the Commission to carry out this bill.
    Subsection (f) provides that, the Commission may accept, 
use, and dispose of gifts or donations of services or property 
to carry out this bill, but only to the extent or in the 
amounts provided in advance in appropriation Acts.
    Pursuant to subsection (g), the Commission may contract 
with and compensate individuals and government agencies for 
supplies and services.
    Subsection (h) allows the Commission to issue subpoenas 
requiring the attendance and testimony of witnesses and the 
production of any evidence relating to any matter that the 
Commission is empowered to investigate. The attendance of 
witnesses and the production of evidence may be required by 
such subpoena from any place within the United States and at 
any specified place of hearing within the United States. Should 
a witness fail to obey a subpoena, the Commission may apply to 
a United States district court for an order requiring the 
witness to appear before the Commission to give testimony, 
produce evidence, or both. The application may be made within 
the judicial district where the hearing is conducted or where 
that person is found, resides, or transacts business. Any 
failure to obey the order of the court may be punished by the 
court as civil contempt. Subpoenas of the Commission shall be 
served in the manner provided for subpoenas issued by a United 
States district court under the Federal Rules of Civil 
Procedure for the United States district courts. All process of 
any court to which application is made under this subsection 
may be served in the judicial district, in which the person 
required to be served resides or may be found.

Sec. 8. Termination

    Under section 8, the Commission shall terminate 30 days 
after submitting a report under section 4(c).

Sec. 9. Authorization of appropriations

    Section 9 authorizes $5 million to be appropriated to the 
Commission to carry out this Act. Any sum appropriated pursuant 
to the authorization in subsection (a) shall remain available 
until expended.

Sec. 10. Budget Act compliance

    Under section 10, any new contract authority authorized by 
this Act shall be effective only to the extent or in the 
amounts provided in advance in appropriation Acts.

Sec. 11. Privacy protections

    Section 11 directs the Commission upon conclusion of its 
work or upon making a determination that individually 
identifiable information disclosed to the Commission is no 
longer needed, to either destroy the individually identifiable 
information or return it to the person or entity from which it 
was obtained, unless the subject of the individually 
identifiable information has authorized its disclosure. The 
Commission shall protect individually identifiable information 
from improper use, and it may not disclose such information to 
any person, including the Congress or the President, unless the 
individual that is the subject of the information has 
authorized such a disclosure. In addition, the Commission will 
protect from improper use and may not disclose to any person, 
proprietary business and financial information that may be 
viewed or obtained by the Commission in the course of carrying 
out its duties under this bill. It is the Committee's view that 
as the Commission is reviewing the question concerning the 
appropriate level of protection for personally identifiable 
information, so, too, the Commission should be aware of how it 
uses, discloses, and disposes of personally identifiable 
information.

                    V. Committee Oversight Findings

    Pursuant to rule XIII, clause 3(c)(1) of the Rules of the 
House of Representatives, the results and findings of those 
oversight activities are incorporated in the recommendations 
found in the bill and in this report.

                  VI. Budget Analysis and Projections

    Clause 3(c)(2) of rule XIII of the Rules of the House of 
Representatives isinapplicable because the bill does not 
provide new budget authority, new spending authority, new credit 
authority, or an increase or decrease in revenues or tax expenditures.

         VII. Cost Estimate of the Congressional Budget Office

                                     U.S. Congress,
                               Congressional Budget Office,
                                     Washington, DC, July 26, 2000.
Hon. Dan Burton,
Chairman, Committee on Government Reform,
House of Representatives, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for H.R. 4049, the Privacy 
Commission Act.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contacts are John R. 
Righter (for the federal costs); Susan Sieg Tompkins (for state 
and local impact); and Sarah E. Sitarek (for the private-sector 
impact).
            Sincerely,
                                        Steven M. Lieberman
                                    (For Dan L. Crippen, Director).
    Enclosure.

H.R. 4049--Privacy Commission Act

    H.R. 4049 would establish the Commission for the 
Comprehensive Study of Privacy Protection to study issues 
related to the protection of individual privacy. The bill would 
direct the commission to discuss potential threats to such 
privacy, assess when the sharing of personal information is 
appropriate and beneficial to consumers, analyze the 
effectiveness of existing statutes and regulations, and 
recommend legislative and regulatory changes to improve the 
security of personal information. The commission would have 18 
months from the time all 17 members are appointed to issue its 
report to the Congress and the President. To cover the costs of 
the commission, the bill would authorize the appropriation of 
$5 million. The commission would terminate 30 days after 
submitting its report.
    Assuming appropriation of the authorized amount, CBO 
estimates that implementing the bill would cost $5 million over 
fiscal years 2001 and 2002. Because the bill would not affect 
direct spending or receipts, pay-as-you-go procedures would not 
apply.
    H.R. 4049 would require state, local, or tribal governments 
and entities in the private sector, if subpoenaed, to provide 
testimony and evidence related to matters the privacy 
commission would be empowered to investigate. Such a 
requirement would be a federal mandate under the Unfunded 
Mandates Reform Act (UMRA). The bill would authorize the 
commission to subpoena the attendance of witnesses and the 
production of evidence from any place within the United States 
and at any specified place of hearing within the United States. 
CBO expects that the commission would likely exercise its 
subpoena power sparingly and that the costs to comply with a 
subpoena would not be significant. Thus, CBO estimates that the 
intergovernmental and private-sector costs of the mandate would 
be small and well below the relevant thresholds established by 
UMRA ($55 million for intergovernmental mandates and $109 
million for private-sector mandates in 2000, adjusted annually 
for inflation).
    The CBO staff contacts for this estimate are John R. 
Righter (for the federal costs); Susan Sieg Tompkins (for the 
state and local impact); and Sarah E. Sitarek (for the private-
sector impact). The estimate was approved by Robert A. 
Sunshine, Assistant Director for Budget Analysis.

              VIII. Statement of Constitutional Authority

    Pursuant to rule XIII, clause 3(d)(1), the Committee finds 
that clauses 14 and 18 of Article I, Section 8 of the U.S. 
Constitution grants Congress the power to enact this law.

                      IX. Committee Recommendation

    On Wednesday, June 28, 2000, a quorum being present, the 
Committee on Government Reform ordered the bill, as amended, 
favorably reported to the House for consideration by voice 
vote.

         X. Congressional Accountability Act; Public Law 104-1

    The Committee finds that the legislation does not relate to 
the terms and conditions of employment or access to public 
services or accommodations within the meaning of section 
102(B)(3) of the Congressional Accountability Act (P.L. 104-1).

    XI. Unfunded Mandates Reform Act; Public Law 104-4, Section 423

    The Committee finds that the legislation does not impose 
any Federal mandates within the meaning of section 423 of the 
Unfunded Mandates Reform Act (P.L. 104-4).

    XII. Federal Advisory Committee Act (5 U.S.C. App.) Section 5(B)

    The functions of the proposed advisory committee authorized 
in the bill are not currently being nor could they be performed 
by one or more agencies, an advisory committee already in 
existence or by enlarging the mandate of an existing advisory 
committee.

      XIII. Changes in Existing Law Made by the Bill, as Reported

    In compliance with clause 3 of rule XIII of the Rules of 
the House of Representatives, changes in existing law made by 
the bill, as reported, are shown as follows (existing law 
proposed to be omitted is enclosed in black brackets, new 
matter is printed in italic, existing law in which no change is 
proposed is shown in Roman):
  Be it enacted by the Senate and House of Representatives of 
the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

  This Act may be cited as the ``Privacy Commission Act''.

SEC. 2. FINDINGS.

  The Congress finds the following:
          (1) Americans are increasingly concerned about their 
        civil liberties and the security and use of their 
        personal information, including medical records, 
        educational records, library records, magazine 
        subscription records, records of purchases of goods and 
        other payments, and driver's license numbers.
          (2) Commercial entities are increasingly aware that 
        consumers expect them to adopt privacy policies and 
        take all appropriate steps to protect the personal 
        information of consumers.
          (3) There is a growing concern about the 
        confidentiality of medical records, because there are 
        inadequate Federal guidelines and a patchwork of 
        confusing State and local rules regarding privacy 
        protection for individually identifiable patient 
        information.
          (4) In light of recent changes in financial services 
        laws allowing for increased sharing of information 
        between traditional financial institutions and 
        insurance entities, a coordinated and comprehensive 
        review is necessary regarding the protections of 
        personal data compiled by the health care, insurance, 
        and financial services industries.
          (5) The use of Social Security numbers has expanded 
        beyond the uses originally intended.
          (6) Use of the Internet has increased at astounding 
        rates, with approximately 5 million current Internet 
        sites and 64 million regular Internet users each month 
        in the United States alone.
          (7) Financial transactions over the Internet have 
        increased at an astounding rate, with 17 million 
        American households spending $20 billion shopping on 
        the Internet last year.
          (8) Use of the Internet as a medium for commercial 
        activities will continue to grow, and it is estimated 
        that by the end of 2000, 56 percent of the companies in 
        the United States will sell their products on the 
        Internet.
          (9) There have been reports of surreptitious 
        collection of consumer data by Internet marketers and 
        questionable distribution of personal information by 
        on-line companies.
          (10) In 1999, the Federal Trade Commission found that 
        87 percent of Internet sites provided some form of 
        privacy notice, which represented an increase from 15 
        percent in 1998.
          (11) The United States is the leading economic and 
        social force in the global information economy, largely 
        because of a favorable regulatory climate and the free 
        flow of information. It is important for the United 
        States to continue that leadership. As nations and 
        governing bodies around the world begin to establish 
        privacy standards, these standards will directly affect 
        the United States.
          (12) The shift from an industry-focused economy to an 
        information-focused economy calls for a reassessment of 
        the most effective way to balance personal privacy and 
        information use, keeping in mind the potential for 
        unintended effects on technology development, 
        innovation, the marketplace, and privacy needs.
          (13) This Act shall not be construed to prohibit the 
        enactment of legislation on privacy issues by the 
        Congress during the existence of the Commission. It is 
        the responsibility of the Congress to act to protect 
        the privacy of individuals, including individuals' 
        medical and financial information. Various committees 
        of the Congress are currently reviewing legislation in 
        the area of medical and financial privacy. Further 
        study by the Commission established by this Act should 
        not be considered a prerequisite for further 
        consideration or enactment of financial or medical 
        privacy legislation by the Congress.

SEC. 3. ESTABLISHMENT.

  There is established a commission to be known as the 
``Commission for the Comprehensive Study of Privacy 
Protection'' (in this Act referred to as the ``Commission'').

SEC. 4. DUTIES OF COMMISSION.

  (a) Study.--The Commission shall conduct a study of issues 
relating to protection of individual privacy and the 
appropriate balance to be achieved between protecting 
individual privacy and allowing appropriate uses of 
information, including the following:
          (1) The monitoring, collection, and distribution of 
        personal information by Federal, State, and local 
        governments, including personal information collected 
        for a decennial census, and such personal information 
        as a driver's license number.
          (2) Current efforts to address the monitoring, 
        collection, and distribution of personal information by 
        Federal and State governments, individuals, or 
        entities, including--
                  (A) existing statutes and regulations 
                relating to the protection of individual 
                privacy, such as section 552a of title 5, 
                United States Code (commonly referred to as the 
                Privacy Act of 1974) and section 552 of title 5, 
                United States Code (commonly referred to as the 
                Freedom of Information Act);
                  (B) legislation pending before the Congress;
                  (C) privacy protection efforts undertaken by 
                the Federal Government, State governments, 
                foreign governments, and international 
                governing bodies;
                  (D) privacy protection efforts undertaken by 
                the private sector; and
                  (E) self-regulatory efforts initiated by the 
                private sector to respond to privacy issues.
          (3) The monitoring, collection, and distribution of 
        personal information by individuals or entities, 
        including access to and use of medical records, 
        financial records (including credit cards, automated 
        teller machine cards, bank accounts, and Internet 
        transactions), personal information provided to on-line 
        sites accessible through the Internet, Social Security 
        numbers, insurance records, education records, and 
        driver's license numbers.
          (4) Employer practices and policies with respect to 
        the financial and health information of employees, 
        including--
                  (A) whether employers use or disclose 
                employee financial or health information for 
                marketing, employment, or insurance 
                underwriting purposes;
                  (B) what restrictions employers place on 
                disclosure or use of employee financial or 
                health information;
                  (C) employee rights to access, copy, and 
                amend their own health records and financial 
                information;
                  (D) what type of notice employers provide to 
                employees regarding employer practices with 
                respect to employee financial and health 
                information; and
                  (E) practices of employer medical departments 
                with respect to disclosing employee health 
                information to administrative or other 
                personnel of the employer.
          (5) The extent to which individuals in the United 
        States can obtain redress for privacy violations.
          (6) The extent to which older individuals and 
        disabled individuals are subject to exploitation 
        involving the disclosure or use of their financial 
        information.
  (b) Field Hearings.--
          (1) In general.--The Commission shall conduct at 
        least 2 field hearings in each of the 5 geographical 
        regions of the United States.
          (2) Boundaries.--For purposes of this subsection, the 
        Commission may determine the boundaries of the five 
        geographical regions of the United States.
  (c) Report.--
          (1) In general.--Not later than 18 months after 
        appointment of all members of the Commission--
                  (A) a majority of the members of the 
                Commission shall approve a report; and
                  (B) the Commission shall submit the approved 
                report to the Congress and the President.
          (2) Contents.--The report shall include a detailed 
        statement of findings, conclusions, and 
        recommendations, including the following:
                  (A) Findings on potential threats posed to 
                individual privacy.
                  (B) Analysis of purposes for which sharing of 
                information is appropriate and beneficial to 
                consumers.
                  (C) Analysis of the effectiveness of existing 
                statutes, regulations, private sector self-
                regulatory efforts, technology advances, and 
                market forces in protecting individual privacy.
                  (D) Recommendations on whether additional 
                legislation is necessary, and if so, specific 
                suggestions on proposals to reform or augment 
                current laws and regulations relating to 
                individual privacy.
                  (E) Analysis of purposes for which additional 
                regulations may impose undue costs or burdens, 
                or cause unintended consequences in other 
                policy areas, such as security, law 
                enforcement, medical research, or critical 
                infrastructure protection.
                  (F) Cost analysis of legislative or 
                regulatory changes proposed in the report.
                  (G) Recommendations on non-legislative 
                solutions to individual privacy concerns, 
                including education, market-based measures, 
                industry best practices, and new technology.
                  (H) Review of the effectiveness and utility 
                of third-party verification of privacy 
                statements, including specifically with respect 
                to existing private sector self-regulatory 
                efforts.
  (d) Additional Report.--Together with the report under 
subsection (c), the Commission shall submit to the Congress and 
the President any additional report of dissenting opinions or 
minority views by a member of the Commission.
  (e) Interim Report.--The Commission may submit to the 
Congress and the President an interim report approved by a 
majority of the members of the Commission.

SEC. 5. MEMBERSHIP.

  (a) Number and Appointment.--The Commission shall be composed 
of 17 members appointed as follows:
          (1) 4 members appointed by the President.
          (2) 4 members appointed by the majority leader of the 
        Senate.
          (3) 2 members appointed by the minority leader of the 
        Senate.
          (4) 4 members appointed by the Speaker of the House 
        of Representatives.
          (5) 2 members appointed by the minority leader of the 
        House of Representatives.
          (6) 1 member, who shall serve as Chairperson of the 
        Commission, appointed jointly by the President, the 
        majority leader of the Senate, and the Speaker of the 
        House of Representatives.
  (b) Diversity of Views.--The appointing authorities under 
subsection (a) shall seek to ensure that the membership of the 
Commission has a diversity of views and experiences on the 
issues to be studied by the Commission, such as views and 
experiences of Federal, State, and local governments, the 
media, the academic community, consumer groups, public policy 
groups and other advocacy organizations, business and industry 
(including small business), the medical community, civil 
liberties experts, and the financial services industry.
  (c) Date of Appointment.--The appointment of the members of 
the Commission shall be made not later than 30 days after the 
date of the enactment of this Act.
  (d) Terms.--Each member of the Commission shall be appointed 
for the life of the Commission.
  (e) Vacancies.--A vacancy in the Commission shall be filled 
in the same manner in which the original appointment was made.
  (f) Compensation; Travel Expenses.--Members of the Commission 
shall serve without pay, but shall receive travel expenses, 
including per diem in lieu of subsistence, in accordance with 
sections 5702 and 5703 of title 5, United States Code.
  (g) Quorum.--A majority of the members of the Commission 
shall constitute a quorum, but a lesser number may hold 
hearings.
  (h) Meetings.--
          (1) In general.--The Commission shall meet at the 
        call of the Chairperson or a majority of its members.
          (2) Initial meeting.--Not later than 45 days after 
        the date of the enactment of this Act, the Commission 
        shall hold its initial meeting.

SEC. 6. DIRECTOR; STAFF; EXPERTS AND CONSULTANTS.

  (a) Director.--
          (1) In general.--On or after October 1, 2000, the 
        Commission shall appoint a Director without regard to 
        the provisions of title 5, United States Code, 
        governing appointments to the competitive service.
          (2) Pay.--The Director shall be paid at the rate 
        payable for level III of the Executive Schedule 
        established under section 5314 of such title.
  (b) Staff.--The Director may appoint staff as the Director 
determines appropriate.
  (c) Applicability of Certain Civil Service Laws.--
          (1) In general.--The staff of the Commission shall be 
        appointed without regard to the provisions of title 5, 
        United States Code, governing appointments in the 
        competitive service.
          (2) Pay.--The staff of the Commission shall be paid 
        in accordance with the provisions of chapter 51 and 
        subchapter III of chapter 53 of that title relating to 
        classification and General Schedule pay rates, but at 
        rates not in excess of the maximum rate for grade GS-15 
        of the General Schedule under section 5332 of that 
        title.
  (d) Experts and Consultants.--The Director may procure 
temporary and intermittent services under section 3109(b) of 
title 5, United States Code.
  (e) Staff of Federal Agencies.--
          (1) In general.--Upon request of the Director, the 
        head of any Federal department or agency may detail, on 
        a reimbursable basis, any of the personnel of that 
        department or agency to the Commission to assist it in 
        carrying out this Act.
          (2) Notification.--Before making a request under this 
        subsection, the Director shall give notice of the 
        request to each member of the Commission.

SEC. 7. POWERS OF COMMISSION.

  (a) Hearings and Sessions.--The Commission may, for the 
purpose of carrying out this Act, hold hearings, sit and act at 
times and places, take testimony, and receiveevidence as the 
Commission considers appropriate. The Commission may administer oaths 
or affirmations to witnesses appearing before it.
  (b) Powers of Members and Agents.--Any member or agent of the 
Commission may, if authorized by the Commission, take any 
action which the Commission is authorized to take by this 
section.
  (c) Obtaining Official Information.--
          (1) In general.--Except as provided in paragraph (2), 
        if the Chairperson of the Commission submits a request 
        to a Federal department or agency for information 
        necessary to enable the Commission to carry out this 
        Act, the head of that department or agency shall 
        furnish that information to the Commission.
          (2) Exception for national security.--If the head of 
        that department or agency determines that it is 
        necessary to guard that information from disclosure to 
        protect the national security interests of the United 
        States, the head shall not furnish that information to 
        the Commission.
  (d) Mails.--The Commission may use the United States mails in 
the same manner and under the same conditions as other 
departments and agencies of the United States.
  (e) Administrative Support Services.--Upon the request of the 
Director, the Administrator of General Services shall provide 
to the Commission, on a reimbursable basis, the administrative 
support services necessary for the Commission to carry out this 
Act.
  (f) Gifts and Donations.--The Commission may accept, use, and 
dispose of gifts or donations of services or property to carry 
out this Act, but only to the extent or in the amounts provided 
in advance in appropriation Acts.
  (g) Contracts.--The Commission may contract with and 
compensate persons and government agencies for supplies and 
services, without regard to section 3709 of the Revised 
Statutes (41 U.S.C. 5).
  (h) Subpoena Power.--
          (1) In general.--The Commission may issue subpoenas 
        requiring the attendance and testimony of witnesses and 
        the production of any evidence relating to any matter 
        that the Commission is empowered to investigate by 
        section 4. The attendance of witnesses and the 
        production of evidence may be required by such subpoena 
        from any place within the United States and at any 
        specified place of hearing within the United States.
          (2) Failure to obey a subpoena.--If a person refuses 
        to obey a subpoena issued under paragraph(1), the 
Commission may apply to a United States district court for an order 
requiring that person to appear before the Commission to give 
testimony, produce evidence, or both, relating to the matter under 
investigation. The application may be made within the judicial district 
where the hearing is conducted or where that person is found, resides, 
or transacts business. Any failure to obey the order of the court may 
be punished by the court as civil contempt.
          (3) Service of subpoenas.--The subpoenas of the 
        Commission shall be served in the manner provided for 
        subpoenas issued by a United States district court 
        under the Federal Rules of Civil Procedure for the 
        United States district courts.
          (4) Service of process.--All process of any court to 
        which application is made under paragraph (2) may be 
        served in the judicial district in which the person 
        required to be served resides or may be found.

SEC. 8. TERMINATION.

  The Commission shall terminate 30 days after submitting a 
report under section 4(c).

SEC. 9. AUTHORIZATION OF APPROPRIATIONS.

  (a) In General.--There are authorized to be appropriated to 
the Commission $5,000,000 to carry out this Act.
  (b) Availability.--Any sums appropriated pursuant to the 
authorization in subsection (a) shall remain available until 
expended.

SEC. 10. BUDGET ACT COMPLIANCE.

  Any new contract authority authorized by this Act shall be 
effective only to the extent or in the amounts provided in 
advance in appropriation Acts.

SEC. 11. PRIVACY PROTECTIONS.

  (a) Destruction or Return of Information Required.--Upon the 
conclusion of the matter or need for which individually 
identifiable information was disclosed to the Commission, the 
Commission shall either destroy the individually identifiable 
information or return it to the person or entity from which it 
was obtained, unless the individual that is the subject of the 
individually identifiable information has authorized its 
disclosure.
  (b) Disclosure of Information Prohibited.--The Commission--
          (1) shall protect individually identifiable 
        information from improper use; and
          (2) may not disclose such information to any person, 
        including the Congress or the President, unless the 
        individual that is the subject of the information has 
        authorized such a disclosure.
  (c) Proprietary Business Information and Financial 
Information.--The Commission shall protect from improper use, 
and may not disclose to any person, proprietary business 
information and proprietary financial information that may be 
viewed or obtained by the Commission in the course of carrying 
out its duties under this Act.
  (d) Individually Identifiable Information Defined.--For the 
purposes of this Act, the term ``individually identifiable 
information'' means any information, whether oral or recorded 
in any form or medium, that identifies an individual, or with 
respect to which there is a reasonable basis to believe that 
the information can be used to identify an individual.

                             MINORITY VIEWS

    We are strongly in favor of protecting the privacy of 
consumers' information, including health, financial, and other 
personal information. We believe that Congress has an essential 
role in protecting privacy, and should act now to pass 
meaningful privacy protection legislation.
    We have differing views about H.R. 4049. Some of us believe 
that a Privacy Commission could contribute to the development 
of public policy regarding privacy protections. Others believe 
that it may serve to delay privacy protection initiatives. 
Indeed, an April 17, 2000, editorial in the National 
Underwriter magazine urged support of the bill specifically on 
the grounds that a commission could delay privacy protection 
measures. The editorial noted that enactment of the bill could 
be a ``golden opportunity to forestall highly restrictive 
privacy measures that will be introduced both in Congress and 
in state legislatures around the country.'' It further stated:

          If the financial services industry can make a strong 
        economic case for the consumer benefits of information 
        sharing, the bipartisan commission proposed by Reps. 
        Hutchinson and Moran provides the best forum to do it. 
        Moreover, the presence of such a commission will 
        provide a strong argument for Congress and the state 
        legislatures to wait for the results before enacting 
        highly restrictive privacy legislation.

    We are pleased that the markup process strengthened the 
Privacy Commission bill. For example, the legislation now 
contains instructions that ensure that the Commission will 
examine several important privacy issues, including employer 
privacy practices regarding the health and financial 
information of employees, the type of redress currently 
available regarding privacy violations, exploitation of older 
and disabled Americans through the use of their financial 
information, and the use of third parties to monitor internet 
privacy practices. Amendments also strengthened the legislation 
by including consideration of civil liberties experts for 
inclusion on the Commission.
    It is important to emphasize, however, that further study 
by a Commission is not necessary before enactment of 
substantive privacy protections. The Privacy Commission should 
serve as a complement to ongoing privacy protection 
initiatives. Congress should be taking action now to enact 
privacy protections regarding consumers' financial and health 
information, among other initiatives. The recent breakthrough 
in mapping the human genome underscores the need to ensure that 
privacy protections are in place immediately for individuals' 
genetic information so that insurers, employers, and others 
cannot inappropriately access this personal information. For 
this reason, we are pleased that an amendment was accepted to 
include in the bill's findings that the Commission is not 
intended to delay privacy protection initiatives.
    We are disappointed, however, that agreement could not be 
reached to include in the bill a commitment by Congress to 
enact important privacy protections. Rep. Waxman offered an 
amendment that focused on financial privacy. It would have set 
an 18-month deadline on Congress to enact comprehensive 
protections, and would have given relevant regulatory entities 
authority to regulate if the deadline was not met. Such a 
commitment is important to ensuring that the study of privacy 
will not constitute the only action Congress takes on privacy 
protection. We regret that the amendment was rejected on a 
point of order and not incorporated into the bill.

                                   Henry A. Waxman.
                                   Carolyn B. Maloney.
                                   Major R. Owens.
                                   Danny K. Davis.
                                   John F. Tierney.
                                   Thomas H. Allen.
                                   Dennis J. Kucinich.
                                   Eleanor Holmes Norton.
                                   Rod R. Blagojevich.
                                   Paul E. Kanjorski.
                                   Tom Lantos.
                                   Edolphus Towns.
                                   Janice D. Schakowsky.
                                   Bernard Sanders.
                                   Patsy T. Mink.
                                   Elijah E. Cummings.
                                   Harold E. Ford, Jr.