[House Report 106-919] [From the U.S. Government Publishing Office] 106th Congress Report HOUSE OF REPRESENTATIVES 2d Session 106-919 ====================================================================== PRIVACY COMMISSION ACT _______ September 29, 2000.--Committed to the Committee of the Whole House on the State of the Union and ordered to be printed _______ Mr. Burton of Indiana, from the Committee on Government Reform, submitted the following R E P O R T together with MINORITY VIEWS [To accompany H.R. 4049] [Including cost estimate of the Congressional Budget Office] The Committee on Government Reform, to whom was referred the bill (H.R. 4049) to establish the Commission for the Comprehensive Study of Privacy Protection, having considered the same, report favorably thereon with an amendment and recommend that the bill as amended do pass. CONTENTS Page I. Summary of Legislation...........................................6 II. Background and Need for the Legislation..........................6 III. Legislative Hearings and Committee Actions.......................7 IV. Explanation of the Bill..........................................8 V. Committee Oversight Findings....................................14 VI. Budget Analysis and Projections.................................14 VII. Cost Estimate of the Congressional Budget Office................15 VIII.Statement of Constitutional Authority...........................16 IX. Committee Recommendation........................................16 X. Congressional Accountability Act; P.L. 104-1....................16 XI. Unfunded Mandates Reform Act; P.L. 104-4, Section 423...........16 XII. Federal Advisory Committee Act (5 U.S.C. App.) Section 5(b).....16 XIII.Changes in Existing Law.........................................16 The amendment is as follows: Strike out all after the enacting clause and insert in lieu thereof the following: SECTION 1. SHORT TITLE. This Act may be cited as the ``Privacy Commission Act''. SEC. 2. FINDINGS. The Congress finds the following: (1) Americans are increasingly concerned about their civil liberties and the security and use of their personal information, including medical records, educational records, library records, magazine subscription records, records of purchases of goods and other payments, and driver's license numbers. (2) Commercial entities are increasingly aware that consumers expect them to adopt privacy policies and take all appropriate steps to protect the personal information of consumers. (3) There is a growing concern about the confidentiality of medical records, because there are inadequate Federal guidelines and a patchwork of confusing State and local rules regarding privacy protection for individually identifiable patient information. (4) In light of recent changes in financial services laws allowing for increased sharing of information between traditional financial institutions and insurance entities, a coordinated and comprehensive review is necessary regarding the protections of personal data compiled by the health care, insurance, and financial services industries. (5) The use of Social Security numbers has expanded beyond the uses originally intended. (6) Use of the Internet has increased at astounding rates, with approximately 5 million current Internet sites and 64 million regular Internet users each month in the United States alone. (7) Financial transactions over the Internet have increased at an astounding rate, with 17 million American households spending $20 billion shopping on the Internet last year. (8) Use of the Internet as a medium for commercial activities will continue to grow, and it is estimated that by the end of 2000, 56 percent of the companies in the United States will sell their products on the Internet. (9) There have been reports of surreptitious collection of consumer data by Internet marketers and questionable distribution of personal information by on-line companies. (10) In 1999, the Federal Trade Commission found that 87 percent of Internet sites provided some form of privacy notice, which represented an increase from 15 percent in 1998. (11) The United States is the leading economic and social force in the global information economy, largely because of a favorable regulatory climate and the free flow of information. It is important for the United States to continue that leadership. As nations and governing bodies around the world begin to establish privacy standards, these standards will directly affect the United States. (12) The shift from an industry-focused economy to an information-focused economy calls for a reassessment of the most effective way to balance personal privacy and information use, keeping in mind the potential for unintended effects on technology development, innovation, the marketplace, and privacy needs. (13) This Act shall not be construed to prohibit the enactment of legislation on privacy issues by the Congress during the existence of the Commission. It is the responsibility of the Congress to act to protect the privacy of individuals, including individuals' medical and financial information. Various committees of the Congress are currently reviewing legislation in the area of medical and financial privacy. Further study by the Commission established by this Act should not be considered a prerequisite for further consideration or enactment of financial or medical privacy legislation by the Congress. SEC. 3. ESTABLISHMENT. There is established a commission to be known as the ``Commission for the Comprehensive Study of Privacy Protection'' (in this Act referred to as the ``Commission''). SEC. 4. DUTIES OF COMMISSION. (a) Study.--The Commission shall conduct a study of issues relating to protection of individual privacy and the appropriate balance to be achieved between protecting individual privacy and allowing appropriate uses of information, including the following: (1) The monitoring, collection, and distribution of personal information by Federal, State, and local governments, including personal information collected for a decennial census, and such personal information as a driver's license number. (2) Current efforts to address the monitoring, collection, and distribution of personal information by Federal and State governments, individuals, or entities, including-- (A) existing statutes and regulations relating to the protection of individual privacy, such as section 552a of title 5, United States Code (commonly referred to as the Privacy Act of 1974) and section 552 of title 5, United States Code (commonly referred to as the Freedom of Information Act); (B) legislation pending before the Congress; (C) privacy protection efforts undertaken by the Federal Government, State governments, foreign governments, and international governing bodies; (D) privacy protection efforts undertaken by the private sector; and (E) self-regulatory efforts initiated by the private sector to respond to privacy issues. (3) The monitoring, collection, and distribution of personal information by individuals or entities, including access to and use of medical records, financial records (including credit cards, automated teller machine cards, bank accounts, and Internet transactions), personal information provided to on- line sites accessible through the Internet, Social Security numbers, insurance records, education records, and driver's license numbers. (4) Employer practices and policies with respect to the financial and health information of employees, including-- (A) whether employers use or disclose employee financial or health information for marketing, employment, or insurance underwriting purposes; (B) what restrictions employers place on disclosure or use of employee financial or health information; (C) employee rights to access, copy, and amend their own health records and financial information; (D) what type of notice employers provide to employees regarding employer practices with respect to employee financial and health information; and (E) practices of employer medical departments with respect to disclosing employee health information to administrative or other personnel of the employer. (5) The extent to which individuals in the United States can obtain redress for privacy violations. (6) The extent to which older individuals and disabled individuals are subject to exploitation involving the disclosure or use of their financial information. (b) Field Hearings.-- (1) In general.--The Commission shall conduct at least 2 field hearings in each of the 5 geographical regions of the United States. (2) Boundaries.--For purposes of this subsection, the Commission may determine the boundaries of the five geographical regions of the United States. (c) Report.-- (1) In general.--Not later than 18 months after appointment of all members of the Commission-- (A) a majority of the members of the Commission shall approve a report; and (B) the Commission shall submit the approved report to the Congress and the President. (2) Contents.--The report shall include a detailed statement of findings, conclusions, and recommendations, including the following: (A) Findings on potential threats posed to individual privacy. (B) Analysis of purposes for which sharing of information is appropriate and beneficial to consumers. (C) Analysis of the effectiveness of existing statutes, regulations, private sector self-regulatory efforts, technology advances, and market forces in protecting individual privacy. (D) Recommendations on whether additional legislation is necessary, and if so, specific suggestions on proposals to reform or augment current laws and regulations relating to individual privacy. (E) Analysis of purposes for which additional regulations may impose undue costs or burdens, or cause unintended consequences in other policy areas, such as security, law enforcement, medical research, or critical infrastructure protection. (F) Cost analysis of legislative or regulatory changes proposed in the report. (G) Recommendations on non-legislative solutions to individual privacy concerns, including education, market-based measures, industry best practices, and new technology. (H) Review of the effectiveness and utility of third- party verification of privacy statements, including specifically with respect to existing private sector self-regulatory efforts. (d) Additional Report.--Together with the report under subsection (c), the Commission shall submit to the Congress and the President any additional report of dissenting opinions or minority views by a member of the Commission. (e) Interim Report.--The Commission may submit to the Congress and the President an interim report approved by a majority of the members of the Commission. SEC. 5. MEMBERSHIP. (a) Number and Appointment.--The Commission shall be composed of 17 members appointed as follows: (1) 4 members appointed by the President. (2) 4 members appointed by the majority leader of the Senate. (3) 2 members appointed by the minority leader of the Senate. (4) 4 members appointed by the Speaker of the House of Representatives. (5) 2 members appointed by the minority leader of the House of Representatives. (6) 1 member, who shall serve as Chairperson of the Commission, appointed jointly by the President, the majority leader of the Senate, and the Speaker of the House of Representatives. (b) Diversity of Views.--The appointing authorities under subsection (a) shall seek to ensure that the membership of the Commission has a diversity of views and experiences on the issues to be studied by the Commission, such as views and experiences of Federal, State, and local governments, the media, the academic community, consumer groups, public policy groups and other advocacy organizations, business and industry (including small business), the medical community, civil liberties experts, and the financial services industry. (c) Date of Appointment.--The appointment of the members of the Commission shall be made not later than 30 days after the date of the enactment of this Act. (d) Terms.--Each member of the Commission shall be appointed for the life of the Commission. (e) Vacancies.--A vacancy in the Commission shall be filled in the same manner in which the original appointment was made. (f) Compensation; Travel Expenses.--Members of the Commission shall serve without pay, but shall receive travel expenses, including per diem in lieu of subsistence, in accordance with sections 5702 and 5703 of title 5, United States Code. (g) Quorum.--A majority of the members of the Commission shall constitute a quorum, but a lesser number may hold hearings. (h) Meetings.-- (1) In general.--The Commission shall meet at the call of the Chairperson or a majority of its members. (2) Initial meeting.--Not later than 45 days after the date of the enactment of this Act, the Commission shall hold its initial meeting. SEC. 6. DIRECTOR; STAFF; EXPERTS AND CONSULTANTS. (a) Director.-- (1) In general.--On or after October 1, 2000, the Commission shall appoint a Director without regard to the provisions of title 5, United States Code, governing appointments to the competitive service. (2) Pay.--The Director shall be paid at the rate payable for level III of the Executive Schedule established under section 5314 of such title. (b) Staff.--The Director may appoint staff as the Director determines appropriate. (c) Applicability of Certain Civil Service Laws.-- (1) In general.--The staff of the Commission shall be appointed without regard to the provisions of title 5, United States Code, governing appointments in the competitive service. (2) Pay.--The staff of the Commission shall be paid in accordance with the provisions of chapter 51 and subchapter III of chapter 53 of that title relating to classification and General Schedule pay rates, but at rates not in excess of the maximum rate for grade GS-15 of the General Schedule under section 5332 of that title. (d) Experts and Consultants.--The Director may procure temporary and intermittent services under section 3109(b) of title 5, United States Code. (e) Staff of Federal Agencies.-- (1) In general.--Upon request of the Director, the head of any Federal department or agency may detail, on a reimbursable basis, any of the personnel of that department or agency to the Commission to assist it in carrying out this Act. (2) Notification.--Before making a request under this subsection, the Director shall give notice of the request to each member of the Commission. SEC. 7. POWERS OF COMMISSION. (a) Hearings and Sessions.--The Commission may, for the purpose of carrying out this Act, hold hearings, sit and act at times and places, take testimony, and receiveevidence as the Commission considers appropriate. The Commission may administer oaths or affirmations to witnesses appearing before it. (b) Powers of Members and Agents.--Any member or agent of the Commission may, if authorized by the Commission, take any action which the Commission is authorized to take by this section. (c) Obtaining Official Information.-- (1) In general.--Except as provided in paragraph (2), if the Chairperson of the Commission submits a request to a Federal department or agency for information necessary to enable the Commission to carry out this Act, the head of that department or agency shall furnish that information to the Commission. (2) Exception for national security.--If the head of that department or agency determines that it is necessary to guard that information from disclosure to protect the national security interests of the United States, the head shall not furnish that information to the Commission. (d) Mails.--The Commission may use the United States mails in the same manner and under the same conditions as other departments and agencies of the United States. (e) Administrative Support Services.--Upon the request of the Director, the Administrator of General Services shall provide to the Commission, on a reimbursable basis, the administrative support services necessary for the Commission to carry out this Act. (f) Gifts and Donations.--The Commission may accept, use, and dispose of gifts or donations of services or property to carry out this Act, but only to the extent or in the amounts provided in advance in appropriation Acts. (g) Contracts.--The Commission may contract with and compensate persons and government agencies for supplies and services, without regard to section 3709 of the Revised Statutes (41 U.S.C. 5). (h) Subpoena Power.-- (1) In general.--The Commission may issue subpoenas requiring the attendance and testimony of witnesses and the production of any evidence relating to any matter that the Commission is empowered to investigate by section 4. The attendance of witnesses and the production of evidence may be required by such subpoena from any place within the United States and at any specified place of hearing within the United States. (2) Failure to obey a subpoena.--If a person refuses to obey a subpoena issued under paragraph (1), the Commission may apply to a United States district court for an order requiring that person to appear before the Commission to give testimony, produce evidence, or both, relating to the matter under investigation. The application may be made within the judicial district where the hearing is conducted or where that person is found, resides, or transacts business. Any failure to obey the order of the court may be punished by the court as civil contempt. (3) Service of subpoenas.--The subpoenas of the Commission shall be served in the manner provided for subpoenas issued by a United States district court under the Federal Rules of Civil Procedure for the United States district courts. (4) Service of process.--All process of any court to which application is made under paragraph (2) may be served in the judicial district in which the person required to be served resides or may be found. SEC. 8. TERMINATION. The Commission shall terminate 30 days after submitting a report under section 4(c). SEC. 9. AUTHORIZATION OF APPROPRIATIONS. (a) In General.--There are authorized to be appropriated to the Commission $5,000,000 to carry out this Act. (b) Availability.--Any sums appropriated pursuant to the authorization in subsection (a) shall remain available until expended. SEC. 10. BUDGET ACT COMPLIANCE. Any new contract authority authorized by this Act shall be effective only to the extent or in the amounts provided in advance in appropriation Acts. SEC. 11. PRIVACY PROTECTIONS. (a) Destruction or Return of Information Required.--Upon the conclusion of the matter or need for which individually identifiable information was disclosed to the Commission, the Commission shall either destroy the individually identifiable information or return it to the person or entity from which it was obtained, unless the individual that is the subject of the individually identifiable information has authorized its disclosure. (b) Disclosure of Information Prohibited.--The Commission-- (1) shall protect individually identifiable information from improper use; and (2) may not disclose such information to any person, including the Congress or the President, unless the individual that is the subject of the information has authorized such a disclosure. (c) Proprietary Business Information and Financial Information.--The Commission shall protect from improper use, and may not disclose to any person, proprietary business information and proprietary financial information that may be viewed or obtained by the Commission in the course of carrying out its duties under this Act. (d) Individually Identifiable Information Defined.--For the purposes of this Act, the term ``individually identifiable information'' means any information, whether oral or recorded in any form or medium, that identifies an individual, or with respect to which there is a reasonable basis to believe that the information can be used to identify an individual. I. Summary of Legislation H.R. 4049, the ``Privacy Commission Act,'' establishes a 17-member commission to study issues relating to the protection of individual privacy and the appropriate balance to be achieved between protecting such privacy and allowing appropriate uses of information. The Commission also will make recommendations to Congress. II. Background and Need for the Legislation Americans are increasingly concerned that their personal information is no longer confidential. Recent public opinion polls have found that the threat of the loss of personal privacy is one of the leading issues concerning Americans today. Although personal privacy has been a concern of Americans, recent developments in information technology and changes in existing law have heightened attention to privacy issues. Increased access to the Internet now allows millions of Americans to access computer networks each month. Internet financial transactions have grown at an astounding rate. In the year 2000, an estimated 17 million U.S. households will spend approximately $30 billion shopping on-line. This number is expected to grow with predictions that 42 million households will purchase over $64 billion worth of on-line goods and services by the end of 2001.\1\ Commercial use of the Internet will continue to grow, with predictions that 56 percent of U.S. companies will sell their products on-line by the end of the year 2000. --------------------------------------------------------------------------- \1\ ``The Whole View'' by Forrester Research, Inc., Cambridge, Mass., September 19, 2000. --------------------------------------------------------------------------- In addition to the resultant flow of information allowed by the Internet, changes in financial laws and changes in medical records policy, a number of traditional barriers protecting individual privacy have been eliminated. Advances in genetic testing and the sharing of medical records among insurance entities, pharmaceutical companies, and other health-related entities alarm many American who are concerned that their medical history could become available to inappropriate individuals. Along with consumers, local, State, and Federal lawmakers have increasingly become concerned about privacy issues leading to a rapid increase in the number of privacy-related legislative proposals. Yet few of these bills have been enacted, largely because of the issues' complexity and the lack of consensus on an appropriate approach to resolve the problems. Of the laws that have been enacted, several resulted in unintended consequences, and at least one has been repealed. H.R. 4049 would establish a commission to examine privacy issues at all levels of government and make recommendations to Congress regarding needed legislative initiatives to protect personally identifiable information.\2\ This Commission will have the authority to examine privacy from a broad perspective in contrast to previous approaches, which have examined privacy from a narrower spectrum. --------------------------------------------------------------------------- \2\ As defined by the bill, ``individually identifiable information'' is any information, whether verbal or recorded in any form or medium, that identifies an individual, for which there is a reasonable basis to believe could be used to identify an individual. --------------------------------------------------------------------------- This legislation is the first congressional effort in more than 25 years to address privacy issues via a commission. H.R. 4049 will build upon the work of the 1974 Privacy Commission by venturing into new areas of privacy concerns, such as the Internet.\3\ As the 1974 Commission helped set parameters for the privacy debate of the last 25 years, H.R. 4049 will assist in establishing principles that will serve as a guide throughout the beginning of the 21st century. --------------------------------------------------------------------------- \3\ Legislative Hearing to Establish the Commission for the Comprehensive Study of Privacy Protection, 106th Congress, 2nd session (2000) Statement of Sandra Parker, Director of Government Affairs and Health Policy, Maine Hospital Association. (Transcript not printed at the time of this report's publication.) --------------------------------------------------------------------------- III. Legislative Hearings and Committee Actions H.R. 4049 was introduced on March 21, 2000, by the Rep. Asa Hutchinson (R-AR) and the Rep. Jim Moran (D-VA). Original co- sponsors include Rep. Kay Granger (R-TX), Rep. Kevin Brady (R- TX), Rep. Jim Davis (D-FL), Rep. Deborah Pryce (R-OH), Rep. John Sununu (R-NH), Rep. Thomas Barrett (D-WI), Rep. Tom Coburn (R-OK), Rep. Jay Dickey (R-AR), Rep. Gerald Kleczka (D-WI), Rep. Joseph Pitts (R-PA), Rep. James Greenwood (R-PA), Rep. Bob Riley (R-AL), Rep. John Duncan (R-TN), Rep. Frank Lucas (R-OK), Rep. Jim Kolbe (R-AZ), Rep. Tom Campbell (R-CA), Rep. Sue Kelly (R-NY), Rep. Thomas Davis (R-VA), and Rep. David Vitter (R-LA). On March 29, 2000, H.R. 4049 was referred to the Committee on Government Reform, and subsequently to its Subcommittee on Government Management, Information, and Technology. The subcommittee held three days of legislative hearings on the legislation on April 12, 2000, and May 15-16, 2000. The subcommittee held a mark-up of the bill on June 14, 2000, at which time subcommittee Chairman Stephen Horn (R-CA) offered an amendment in the nature of a substitute to H.R. 4049. The amended bill was favorably reported to the full Committee by voice vote. On June 29, 2000, the full Committee on Government Reform met to consider H.R. 4049. An amendment by Representative Carolyn Maloney (D-NY) was acceptedrequiring the Commission to review the effectiveness and utility of third-party verification of privacy statements. In addition, another amendment offered by Mrs. Maloney was adopted, requiring the Commission to review the extent to which older or disabled individuals are subjected to exploitation because of the disclosure or inappropriate use of their financial information. Representative Janice Schakowsky (D-IL) offered an amendment, which was approved, that inserted ``civil liberties experts'' into the section of the bill that addresses the Commission's recommended composition. Representative Henry Waxman (D-CA) offered an amendment, also adopted, that added a finding stating that the Act should not be construed to prohibit enactment of legislation on privacy issues by Congress during the existence of the Commission, and that further study by the Commission should not be considered a prerequisite for further consideration or enactment of financial or medical privacy legislation by the Congress. Following the adoption of the aforesaid, the Committee favorably reported H.R. 4049, as amended, to the full House by voice vote. IV. Explanation of the Bill Sec. 1. Short title Section 1 provides that the Act may be cited as the ``Privacy Commission Act.'' Sec. 2. Finding and purposes Section 2 provides a statement of findings and purposes for the legislation. Sec. 3. Establishment of Commission Section 3 establishes the Commission. Sec. 4. Duties of the Commission Section 4 of the Act establishes the responsibilities and goals of the Commission and offers broad recommendations on those areas the Commission should review. Subsection (a) directs the Commission to examine issues relating to the protection of personal privacy and the need to achieve a balance between protecting individual privacy and allowing appropriate uses of information. During the hearings, the Committee found that the privacy debate centers around the issue of permissible and non-permissible uses of personally identifiable information, as this information becomes increasingly available. The testimony focused on the need to strike a balance between protecting individually identifiable information and the sharing of that information for purposes of business, medicine, and other uses. Under section (a)(1) the Commission is instructed to review Federal, State and local governments' monitoring, collection and distribution of personally identifiable information, and the use of documents such as the decennial census and drivers license applications. Section (a)(2), instructs the Commission to examine existing laws to protect individuals' privacy, including but not limited to: the Privacy Act of 1974 and the Freedom of Information Act. The Commission shall examine extant efforts to address monitoring, collection and distribution of personal information by the Federal Government, State Governments, individuals and other entities. During the Committee mark-up, some Committee members raised concerns regarding the use of individually identifiable information by Congress and the Executive Office of the President. Presently, Congress is not covered by the 1974 Privacy Act or the Freedom of Information Act and the longstanding position of the Department of Justice is that certain components of the Executive Office of the President are also not covered by those acts. The Committee believes that the Commission should study the implications of applying the Privacy Act and Freedom of Information Act to Congress and to all components of the Executive Office of the President. Under section (a)(2)(B) of the Act, the Commission is directed to examine privacy-related legislation pending before the Congress. There are currently many bills before Congress, both in the Senate and House that address the issue of privacy. The Commission should consider the differing congressional views on the privacy debate. Under section (a)(2)(C), the Commission is directed to review the privacy protection efforts previously undertaken by Federal and State governments, foreign bodies, and international governing bodies. With thousands of privacy bills introduced at the State and local levels, as well as international bodies and sovereign nations implementing their own privacy laws, the Commission needs to understand how these different initiatives will interact and what can be learned from them. The Commission should look at such questions as: Should there be Federally guaranteed minimum levels of privacy protections? Should there be Federal preemption for privacy issues, particularly in light of the explosion in Internet use? What occurs when privacy laws conflict? How will U.S. privacy laws be affected by implementation of external regulations and directives, such as the European Directive? Under sections (a)(2)(D) and (a)(2)(E), the Commission is directed to review privacy protection efforts undertaken by the private sector, as well as self-regulated efforts initiated by the private sector. In response to the growing concern of individuals about their personal information, the Committee found that some in the private sector--including high tech companies, financial services, medical entities, and others-- are developing or have implemented new technologies and practices designed to ensure the protection of individual privacy. The Commission should review these policies and procedures to determine their efficacy, as well as their impact on consumers and others. Under section (a)(3), the Commission is instructed to examine the monitoring, collection, and distribution of personal information by individuals or entities, both public and private, including access to and the use of medical records, financial records (such as credit cards, automated teller machine cards, bank accounts, and Internet transactions), personal information provided to on-line sites accessible through the Internet, Social Security numbers, insurance records, education records, and drivers license numbers. In addition, the Committee believes that the Commission should examine the use to which that information is being employed once it has been collected. Section (a)(4), instructs the Commission to review employer practices and policies with respect to the financial and health information of employees, including: under section (a)(4)(A), whether employers use or disclose employee financial or health information for marketing employment or insurance underwriting purposes; under section (a)(4)(B), what restrictions employers place on disclosure or use of employee financial or health information; under section (a)(4)(C), what rights employees have to access, copy, and amend their own health records and financial information; under section (a)(4)(D), what type of notice is provided to employees regarding employer practices with respect to employee financial and health information; and, under section (a)(4)(E), what practices employer medical departments use regarding the disclosure of employee health information to the employer. During the hearings, some Committee members raised the point that employers collect information on employees so that an employer may fulfil his or her obligation to provide information to health insurance or retirement plans. It is the view of the Committee that the Commission should review the potential uses of any collected information, as well as current trends among employers regarding that information. Section (a)(5), requires the Commission to review the extent to which individuals in the United States can obtain redress for privacy violations. The Commission should examine whether mechanisms exist to assist people who believe their privacy has been inappropriately compromised, and if so, whether these mechanisms are effective. Under section (a)(6), the Commission is to review the extent to which older individuals and disabled individuals are subject to exploitation involving the disclosure or use of their financial information. The Committee believes that the Commission should evaluate present trends occurring in the financial community and their impact on seniors and the disabled. Section (b) directs the Commission to hold at least two field hearings in five geographical regions of the United States. For purposes of these field hearings, the Commission is charged with the responsibility of designating the boundaries that constitute the geographical areas. Field hearings may be held with less than a majority of Commission members present. During the course of the Committee hearings, it was suggested that requiring members to be at every meeting would be unnecessarily burdensome, and that the field hearings could be equally effective with less than a majority of the Commission present. The Committee agrees. Section (c) requires that no later than 18 months after the appointment of all members of the Commission, a majority of the Commission's members shall submit a report to Congress and the President. Section (c)(2), delineates the minimum content of the report. Section (c)(2)(H), requires the Commission to review the effectiveness and utility of third-party verification of privacy statements, including existing private sector self- regulatory efforts. This provision contains language that may lead the private and public sectors to a mutually satisfactory solution on the broad privacy concerns of the American public and the business community. The private sector has a long history of securing objective, third party professionals to undertake reviews of the financial and business records of American industry. These reviews are, primarily, initiated by the private sector. Arms-length reviews have been and remain an important tradition in reassuring the American public that the corporate sector can be depended upon for honest business dealings. Now, more than ever, the public trusts the corporate sector with its personal investments and savings. This trust must include the maintenance of Americans' most private information as well. This is why the Committee is specifically asking the Commission to review and report to the Congress on the efficacy of third-party verification and assurance services for protecting individual private information. This objective is critically important, in that it may protect the future of the evolving e-commerce industry as well as the private information of American citizens. Subsection (d) allows for the submission of additional reports in the event of dissenting points of view. Any additional reports shall also be made public so that all points of view can be disseminated. Pursuant to section (e), the Commission has the authority to issue interim reports approved by a majority of members of the Commission. The Committee was concerned that during the operation of the Commission, the Commission may determine that certain aspects of the privacy debate require immediate attention, and that the Commission might be prepared to make a recommendation before the final report of the Commission. Because governmental bodies and private entities continue to question the appropriate relationships between protecting privacy and the sharing of information, the Committee believes that the Commission may want to issue interim reports on time- sensitive privacy issues, so that the Commission's findings may be used to assist entities that are moving forward on the privacy front. Sec. 5. Membership Under section 5 of the Act, the Commission shall be composed of 17 members--4 members appointed by the President; 4 members appointed by the Majority Leader of the Senate; 2 members appointed by the Minority Leader of the Senate; 4 members appointed by the Speaker of the House of Representatives; 2 members appointed by the Minority Leader of the House of Representatives; and 1 member, who shall serve as Chairperson of the Commission, appointed jointly by the President, the Majority Leader of the Senate, and the Speaker of the House of Representatives. Under subsection (b), the Committee firmly believes that it is important for the Commission to be composed of individuals who have a wide diversity of viewpoints as well as those who deal with privacy issues on a regular basis. Furthermore, the Committee believes that Commission members should possess practical knowledge and experience in balancing individual privacy interests with the legitimate needs of the public, government, commercial interests, and news organizations to gain access to and use information. The individuals appointed should be open-minded and willing to look at new ideas and possibilities. During the mark-up, the Committee included language offering a broad outline of groups that should comprise the Commission, including representatives from groups such as: Federal, State and local governments who can provide insight on the government's collection of information and existing State and Federal laws; the news media, who have a working familiarity with the use of public documents for the dissemination of public information; the academic community, who can provide expertise in the history and theories of privacy policy; consumer groups, who can represent individual consumers and their privacy concerns; public policy groups who are knowledgeable on legislative policies and privacy policies within private industry; the business community, including small business, who can share information about developing technologies and discuss the impact of privacy protections on business endeavors including Internet and e-commerce; the medical community, who can provide the Commission with an understanding of the intricacies of privacy issues in the medical profession; civil liberties organizations, who can help raise awareness of privacy issues; and the financial community, who can provide expertise regarding financial modernization laws and can explain the need for allowing the free flow of information while protecting privacy. Under subsection (c), the appointment of the members of the Commission shall be made no later than 30 days after the date of the enactment of the Act. Under subsection (d), each member of the Commission will serve for the life of the Commission. Under subsection (e), in the event of a vacancy, the position will be filled in the same manner as the original appointment. The individual serving in the capacity of the appointing official (e.g., the Majority Leader of the House) has the authority to appoint a replacement to fill the vacancy. Pursuant to subsection (f), members of the Commission shall serve without pay, but shall receive travel expenses, including per diem in lieu of subsistence. Subsection (g) establishes that a majority of the Commission shall constitute a quorum, but a lesser number may hold hearings. Under subsection (h), the Commission shall meet at the call of the Chairperson or a majority of its members. The initial meeting of the Commission shall not be later than 45 days after the date of enactment of this Act. Sec. 6. Director; staff; experts and consultants Section 6 of the Act addresses the staff of the Commission. The Commission shall appoint a director, who will be paid at the rate payable for level III of the Executive Schedule established under section 5314 of Title 5, United States Code. The Director may appoint staff, who will be paid in accordance with the provisions of chapter 51 and subchapter III of chapter 53 of that title relating to classification and General Schedule pay rates, but at rates not in excess of the maximum rate for grade GS-15 of the General Schedule under section 5332 of that title. The Director may procure temporary and intermittent services under section 3109(b) of Title 5, United States Code. Finally, the Director, if it is deemed necessary, may request the head of any Federal department or agency to detail personnel of that department or agency on a reimbursable to the Commission to assist in the carrying out of this Act. However, before making such a request, the Director shall give notice of the request to each member of the Commission. Sec. 7. Powers of Commission Pursuant to subsection (a), the Commission may hold hearings, sit and act at times and places, take testimony, and receive evidence, as the Commission considers appropriate. The Commission may administer oaths or affirmation to witnesses appearing before it. Under subsection (b), any member or agent of the Commission may, if authorized by the Commission, take any action which the Commission is authorized to take by this section. Under subsection (c), except as provided for by section (7)(c)(2), if the Chairperson of the Commission submits a request to a Federal department or agency for information necessary to enable the Commission to carry out this Act, the head of the department or agency shall furnish that information to the Commission. However, if the head of the department or agency determines that this information should not be furnished due toissues of national security, the department or agency head shall not furnish that information to the Commission. During the hearings, witnesses representing the Administration raised the issue that some agencies may need to withhold information from the Commission that is deemed vital to the national security. It is the firm belief of the Committee that the collection of information by the Commission should in no way threaten the national security of the United States. However, the determination to withhold information should be used sparingly, and departments and agencies should work with the Commission to ensure that information contained in said documents that can be segregated and released without threatening national security are released. Under subsection (d), the Commission may use the United States mail in the same manner and under the same conditions as other departments and agencies of the United States. Under subsection (e), upon request of the Director, the Administrator of General Services shall provide to the Commission, on a reimbursable basis, the administrative support services necessary for the Commission to carry out this bill. Subsection (f) provides that, the Commission may accept, use, and dispose of gifts or donations of services or property to carry out this bill, but only to the extent or in the amounts provided in advance in appropriation Acts. Pursuant to subsection (g), the Commission may contract with and compensate individuals and government agencies for supplies and services. Subsection (h) allows the Commission to issue subpoenas requiring the attendance and testimony of witnesses and the production of any evidence relating to any matter that the Commission is empowered to investigate. The attendance of witnesses and the production of evidence may be required by such subpoena from any place within the United States and at any specified place of hearing within the United States. Should a witness fail to obey a subpoena, the Commission may apply to a United States district court for an order requiring the witness to appear before the Commission to give testimony, produce evidence, or both. The application may be made within the judicial district where the hearing is conducted or where that person is found, resides, or transacts business. Any failure to obey the order of the court may be punished by the court as civil contempt. Subpoenas of the Commission shall be served in the manner provided for subpoenas issued by a United States district court under the Federal Rules of Civil Procedure for the United States district courts. All process of any court to which application is made under this subsection may be served in the judicial district, in which the person required to be served resides or may be found. Sec. 8. Termination Under section 8, the Commission shall terminate 30 days after submitting a report under section 4(c). Sec. 9. Authorization of appropriations Section 9 authorizes $5 million to be appropriated to the Commission to carry out this Act. Any sum appropriated pursuant to the authorization in subsection (a) shall remain available until expended. Sec. 10. Budget Act compliance Under section 10, any new contract authority authorized by this Act shall be effective only to the extent or in the amounts provided in advance in appropriation Acts. Sec. 11. Privacy protections Section 11 directs the Commission upon conclusion of its work or upon making a determination that individually identifiable information disclosed to the Commission is no longer needed, to either destroy the individually identifiable information or return it to the person or entity from which it was obtained, unless the subject of the individually identifiable information has authorized its disclosure. The Commission shall protect individually identifiable information from improper use, and it may not disclose such information to any person, including the Congress or the President, unless the individual that is the subject of the information has authorized such a disclosure. In addition, the Commission will protect from improper use and may not disclose to any person, proprietary business and financial information that may be viewed or obtained by the Commission in the course of carrying out its duties under this bill. It is the Committee's view that as the Commission is reviewing the question concerning the appropriate level of protection for personally identifiable information, so, too, the Commission should be aware of how it uses, discloses, and disposes of personally identifiable information. V. Committee Oversight Findings Pursuant to rule XIII, clause 3(c)(1) of the Rules of the House of Representatives, the results and findings of those oversight activities are incorporated in the recommendations found in the bill and in this report. VI. Budget Analysis and Projections Clause 3(c)(2) of rule XIII of the Rules of the House of Representatives isinapplicable because the bill does not provide new budget authority, new spending authority, new credit authority, or an increase or decrease in revenues or tax expenditures. VII. Cost Estimate of the Congressional Budget Office U.S. Congress, Congressional Budget Office, Washington, DC, July 26, 2000. Hon. Dan Burton, Chairman, Committee on Government Reform, House of Representatives, Washington, DC. Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for H.R. 4049, the Privacy Commission Act. If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contacts are John R. Righter (for the federal costs); Susan Sieg Tompkins (for state and local impact); and Sarah E. Sitarek (for the private-sector impact). Sincerely, Steven M. Lieberman (For Dan L. Crippen, Director). Enclosure. H.R. 4049--Privacy Commission Act H.R. 4049 would establish the Commission for the Comprehensive Study of Privacy Protection to study issues related to the protection of individual privacy. The bill would direct the commission to discuss potential threats to such privacy, assess when the sharing of personal information is appropriate and beneficial to consumers, analyze the effectiveness of existing statutes and regulations, and recommend legislative and regulatory changes to improve the security of personal information. The commission would have 18 months from the time all 17 members are appointed to issue its report to the Congress and the President. To cover the costs of the commission, the bill would authorize the appropriation of $5 million. The commission would terminate 30 days after submitting its report. Assuming appropriation of the authorized amount, CBO estimates that implementing the bill would cost $5 million over fiscal years 2001 and 2002. Because the bill would not affect direct spending or receipts, pay-as-you-go procedures would not apply. H.R. 4049 would require state, local, or tribal governments and entities in the private sector, if subpoenaed, to provide testimony and evidence related to matters the privacy commission would be empowered to investigate. Such a requirement would be a federal mandate under the Unfunded Mandates Reform Act (UMRA). The bill would authorize the commission to subpoena the attendance of witnesses and the production of evidence from any place within the United States and at any specified place of hearing within the United States. CBO expects that the commission would likely exercise its subpoena power sparingly and that the costs to comply with a subpoena would not be significant. Thus, CBO estimates that the intergovernmental and private-sector costs of the mandate would be small and well below the relevant thresholds established by UMRA ($55 million for intergovernmental mandates and $109 million for private-sector mandates in 2000, adjusted annually for inflation). The CBO staff contacts for this estimate are John R. Righter (for the federal costs); Susan Sieg Tompkins (for the state and local impact); and Sarah E. Sitarek (for the private- sector impact). The estimate was approved by Robert A. Sunshine, Assistant Director for Budget Analysis. VIII. Statement of Constitutional Authority Pursuant to rule XIII, clause 3(d)(1), the Committee finds that clauses 14 and 18 of Article I, Section 8 of the U.S. Constitution grants Congress the power to enact this law. IX. Committee Recommendation On Wednesday, June 28, 2000, a quorum being present, the Committee on Government Reform ordered the bill, as amended, favorably reported to the House for consideration by voice vote. X. Congressional Accountability Act; Public Law 104-1 The Committee finds that the legislation does not relate to the terms and conditions of employment or access to public services or accommodations within the meaning of section 102(B)(3) of the Congressional Accountability Act (P.L. 104-1). XI. Unfunded Mandates Reform Act; Public Law 104-4, Section 423 The Committee finds that the legislation does not impose any Federal mandates within the meaning of section 423 of the Unfunded Mandates Reform Act (P.L. 104-4). XII. Federal Advisory Committee Act (5 U.S.C. App.) Section 5(B) The functions of the proposed advisory committee authorized in the bill are not currently being nor could they be performed by one or more agencies, an advisory committee already in existence or by enlarging the mandate of an existing advisory committee. XIII. Changes in Existing Law Made by the Bill, as Reported In compliance with clause 3 of rule XIII of the Rules of the House of Representatives, changes in existing law made by the bill, as reported, are shown as follows (existing law proposed to be omitted is enclosed in black brackets, new matter is printed in italic, existing law in which no change is proposed is shown in Roman): Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, SECTION 1. SHORT TITLE. This Act may be cited as the ``Privacy Commission Act''. SEC. 2. FINDINGS. The Congress finds the following: (1) Americans are increasingly concerned about their civil liberties and the security and use of their personal information, including medical records, educational records, library records, magazine subscription records, records of purchases of goods and other payments, and driver's license numbers. (2) Commercial entities are increasingly aware that consumers expect them to adopt privacy policies and take all appropriate steps to protect the personal information of consumers. (3) There is a growing concern about the confidentiality of medical records, because there are inadequate Federal guidelines and a patchwork of confusing State and local rules regarding privacy protection for individually identifiable patient information. (4) In light of recent changes in financial services laws allowing for increased sharing of information between traditional financial institutions and insurance entities, a coordinated and comprehensive review is necessary regarding the protections of personal data compiled by the health care, insurance, and financial services industries. (5) The use of Social Security numbers has expanded beyond the uses originally intended. (6) Use of the Internet has increased at astounding rates, with approximately 5 million current Internet sites and 64 million regular Internet users each month in the United States alone. (7) Financial transactions over the Internet have increased at an astounding rate, with 17 million American households spending $20 billion shopping on the Internet last year. (8) Use of the Internet as a medium for commercial activities will continue to grow, and it is estimated that by the end of 2000, 56 percent of the companies in the United States will sell their products on the Internet. (9) There have been reports of surreptitious collection of consumer data by Internet marketers and questionable distribution of personal information by on-line companies. (10) In 1999, the Federal Trade Commission found that 87 percent of Internet sites provided some form of privacy notice, which represented an increase from 15 percent in 1998. (11) The United States is the leading economic and social force in the global information economy, largely because of a favorable regulatory climate and the free flow of information. It is important for the United States to continue that leadership. As nations and governing bodies around the world begin to establish privacy standards, these standards will directly affect the United States. (12) The shift from an industry-focused economy to an information-focused economy calls for a reassessment of the most effective way to balance personal privacy and information use, keeping in mind the potential for unintended effects on technology development, innovation, the marketplace, and privacy needs. (13) This Act shall not be construed to prohibit the enactment of legislation on privacy issues by the Congress during the existence of the Commission. It is the responsibility of the Congress to act to protect the privacy of individuals, including individuals' medical and financial information. Various committees of the Congress are currently reviewing legislation in the area of medical and financial privacy. Further study by the Commission established by this Act should not be considered a prerequisite for further consideration or enactment of financial or medical privacy legislation by the Congress. SEC. 3. ESTABLISHMENT. There is established a commission to be known as the ``Commission for the Comprehensive Study of Privacy Protection'' (in this Act referred to as the ``Commission''). SEC. 4. DUTIES OF COMMISSION. (a) Study.--The Commission shall conduct a study of issues relating to protection of individual privacy and the appropriate balance to be achieved between protecting individual privacy and allowing appropriate uses of information, including the following: (1) The monitoring, collection, and distribution of personal information by Federal, State, and local governments, including personal information collected for a decennial census, and such personal information as a driver's license number. (2) Current efforts to address the monitoring, collection, and distribution of personal information by Federal and State governments, individuals, or entities, including-- (A) existing statutes and regulations relating to the protection of individual privacy, such as section 552a of title 5, United States Code (commonly referred to as the Privacy Act of 1974) and section 552 of title 5, United States Code (commonly referred to as the Freedom of Information Act); (B) legislation pending before the Congress; (C) privacy protection efforts undertaken by the Federal Government, State governments, foreign governments, and international governing bodies; (D) privacy protection efforts undertaken by the private sector; and (E) self-regulatory efforts initiated by the private sector to respond to privacy issues. (3) The monitoring, collection, and distribution of personal information by individuals or entities, including access to and use of medical records, financial records (including credit cards, automated teller machine cards, bank accounts, and Internet transactions), personal information provided to on-line sites accessible through the Internet, Social Security numbers, insurance records, education records, and driver's license numbers. (4) Employer practices and policies with respect to the financial and health information of employees, including-- (A) whether employers use or disclose employee financial or health information for marketing, employment, or insurance underwriting purposes; (B) what restrictions employers place on disclosure or use of employee financial or health information; (C) employee rights to access, copy, and amend their own health records and financial information; (D) what type of notice employers provide to employees regarding employer practices with respect to employee financial and health information; and (E) practices of employer medical departments with respect to disclosing employee health information to administrative or other personnel of the employer. (5) The extent to which individuals in the United States can obtain redress for privacy violations. (6) The extent to which older individuals and disabled individuals are subject to exploitation involving the disclosure or use of their financial information. (b) Field Hearings.-- (1) In general.--The Commission shall conduct at least 2 field hearings in each of the 5 geographical regions of the United States. (2) Boundaries.--For purposes of this subsection, the Commission may determine the boundaries of the five geographical regions of the United States. (c) Report.-- (1) In general.--Not later than 18 months after appointment of all members of the Commission-- (A) a majority of the members of the Commission shall approve a report; and (B) the Commission shall submit the approved report to the Congress and the President. (2) Contents.--The report shall include a detailed statement of findings, conclusions, and recommendations, including the following: (A) Findings on potential threats posed to individual privacy. (B) Analysis of purposes for which sharing of information is appropriate and beneficial to consumers. (C) Analysis of the effectiveness of existing statutes, regulations, private sector self- regulatory efforts, technology advances, and market forces in protecting individual privacy. (D) Recommendations on whether additional legislation is necessary, and if so, specific suggestions on proposals to reform or augment current laws and regulations relating to individual privacy. (E) Analysis of purposes for which additional regulations may impose undue costs or burdens, or cause unintended consequences in other policy areas, such as security, law enforcement, medical research, or critical infrastructure protection. (F) Cost analysis of legislative or regulatory changes proposed in the report. (G) Recommendations on non-legislative solutions to individual privacy concerns, including education, market-based measures, industry best practices, and new technology. (H) Review of the effectiveness and utility of third-party verification of privacy statements, including specifically with respect to existing private sector self-regulatory efforts. (d) Additional Report.--Together with the report under subsection (c), the Commission shall submit to the Congress and the President any additional report of dissenting opinions or minority views by a member of the Commission. (e) Interim Report.--The Commission may submit to the Congress and the President an interim report approved by a majority of the members of the Commission. SEC. 5. MEMBERSHIP. (a) Number and Appointment.--The Commission shall be composed of 17 members appointed as follows: (1) 4 members appointed by the President. (2) 4 members appointed by the majority leader of the Senate. (3) 2 members appointed by the minority leader of the Senate. (4) 4 members appointed by the Speaker of the House of Representatives. (5) 2 members appointed by the minority leader of the House of Representatives. (6) 1 member, who shall serve as Chairperson of the Commission, appointed jointly by the President, the majority leader of the Senate, and the Speaker of the House of Representatives. (b) Diversity of Views.--The appointing authorities under subsection (a) shall seek to ensure that the membership of the Commission has a diversity of views and experiences on the issues to be studied by the Commission, such as views and experiences of Federal, State, and local governments, the media, the academic community, consumer groups, public policy groups and other advocacy organizations, business and industry (including small business), the medical community, civil liberties experts, and the financial services industry. (c) Date of Appointment.--The appointment of the members of the Commission shall be made not later than 30 days after the date of the enactment of this Act. (d) Terms.--Each member of the Commission shall be appointed for the life of the Commission. (e) Vacancies.--A vacancy in the Commission shall be filled in the same manner in which the original appointment was made. (f) Compensation; Travel Expenses.--Members of the Commission shall serve without pay, but shall receive travel expenses, including per diem in lieu of subsistence, in accordance with sections 5702 and 5703 of title 5, United States Code. (g) Quorum.--A majority of the members of the Commission shall constitute a quorum, but a lesser number may hold hearings. (h) Meetings.-- (1) In general.--The Commission shall meet at the call of the Chairperson or a majority of its members. (2) Initial meeting.--Not later than 45 days after the date of the enactment of this Act, the Commission shall hold its initial meeting. SEC. 6. DIRECTOR; STAFF; EXPERTS AND CONSULTANTS. (a) Director.-- (1) In general.--On or after October 1, 2000, the Commission shall appoint a Director without regard to the provisions of title 5, United States Code, governing appointments to the competitive service. (2) Pay.--The Director shall be paid at the rate payable for level III of the Executive Schedule established under section 5314 of such title. (b) Staff.--The Director may appoint staff as the Director determines appropriate. (c) Applicability of Certain Civil Service Laws.-- (1) In general.--The staff of the Commission shall be appointed without regard to the provisions of title 5, United States Code, governing appointments in the competitive service. (2) Pay.--The staff of the Commission shall be paid in accordance with the provisions of chapter 51 and subchapter III of chapter 53 of that title relating to classification and General Schedule pay rates, but at rates not in excess of the maximum rate for grade GS-15 of the General Schedule under section 5332 of that title. (d) Experts and Consultants.--The Director may procure temporary and intermittent services under section 3109(b) of title 5, United States Code. (e) Staff of Federal Agencies.-- (1) In general.--Upon request of the Director, the head of any Federal department or agency may detail, on a reimbursable basis, any of the personnel of that department or agency to the Commission to assist it in carrying out this Act. (2) Notification.--Before making a request under this subsection, the Director shall give notice of the request to each member of the Commission. SEC. 7. POWERS OF COMMISSION. (a) Hearings and Sessions.--The Commission may, for the purpose of carrying out this Act, hold hearings, sit and act at times and places, take testimony, and receiveevidence as the Commission considers appropriate. The Commission may administer oaths or affirmations to witnesses appearing before it. (b) Powers of Members and Agents.--Any member or agent of the Commission may, if authorized by the Commission, take any action which the Commission is authorized to take by this section. (c) Obtaining Official Information.-- (1) In general.--Except as provided in paragraph (2), if the Chairperson of the Commission submits a request to a Federal department or agency for information necessary to enable the Commission to carry out this Act, the head of that department or agency shall furnish that information to the Commission. (2) Exception for national security.--If the head of that department or agency determines that it is necessary to guard that information from disclosure to protect the national security interests of the United States, the head shall not furnish that information to the Commission. (d) Mails.--The Commission may use the United States mails in the same manner and under the same conditions as other departments and agencies of the United States. (e) Administrative Support Services.--Upon the request of the Director, the Administrator of General Services shall provide to the Commission, on a reimbursable basis, the administrative support services necessary for the Commission to carry out this Act. (f) Gifts and Donations.--The Commission may accept, use, and dispose of gifts or donations of services or property to carry out this Act, but only to the extent or in the amounts provided in advance in appropriation Acts. (g) Contracts.--The Commission may contract with and compensate persons and government agencies for supplies and services, without regard to section 3709 of the Revised Statutes (41 U.S.C. 5). (h) Subpoena Power.-- (1) In general.--The Commission may issue subpoenas requiring the attendance and testimony of witnesses and the production of any evidence relating to any matter that the Commission is empowered to investigate by section 4. The attendance of witnesses and the production of evidence may be required by such subpoena from any place within the United States and at any specified place of hearing within the United States. (2) Failure to obey a subpoena.--If a person refuses to obey a subpoena issued under paragraph(1), the Commission may apply to a United States district court for an order requiring that person to appear before the Commission to give testimony, produce evidence, or both, relating to the matter under investigation. The application may be made within the judicial district where the hearing is conducted or where that person is found, resides, or transacts business. Any failure to obey the order of the court may be punished by the court as civil contempt. (3) Service of subpoenas.--The subpoenas of the Commission shall be served in the manner provided for subpoenas issued by a United States district court under the Federal Rules of Civil Procedure for the United States district courts. (4) Service of process.--All process of any court to which application is made under paragraph (2) may be served in the judicial district in which the person required to be served resides or may be found. SEC. 8. TERMINATION. The Commission shall terminate 30 days after submitting a report under section 4(c). SEC. 9. AUTHORIZATION OF APPROPRIATIONS. (a) In General.--There are authorized to be appropriated to the Commission $5,000,000 to carry out this Act. (b) Availability.--Any sums appropriated pursuant to the authorization in subsection (a) shall remain available until expended. SEC. 10. BUDGET ACT COMPLIANCE. Any new contract authority authorized by this Act shall be effective only to the extent or in the amounts provided in advance in appropriation Acts. SEC. 11. PRIVACY PROTECTIONS. (a) Destruction or Return of Information Required.--Upon the conclusion of the matter or need for which individually identifiable information was disclosed to the Commission, the Commission shall either destroy the individually identifiable information or return it to the person or entity from which it was obtained, unless the individual that is the subject of the individually identifiable information has authorized its disclosure. (b) Disclosure of Information Prohibited.--The Commission-- (1) shall protect individually identifiable information from improper use; and (2) may not disclose such information to any person, including the Congress or the President, unless the individual that is the subject of the information has authorized such a disclosure. (c) Proprietary Business Information and Financial Information.--The Commission shall protect from improper use, and may not disclose to any person, proprietary business information and proprietary financial information that may be viewed or obtained by the Commission in the course of carrying out its duties under this Act. (d) Individually Identifiable Information Defined.--For the purposes of this Act, the term ``individually identifiable information'' means any information, whether oral or recorded in any form or medium, that identifies an individual, or with respect to which there is a reasonable basis to believe that the information can be used to identify an individual. MINORITY VIEWS We are strongly in favor of protecting the privacy of consumers' information, including health, financial, and other personal information. We believe that Congress has an essential role in protecting privacy, and should act now to pass meaningful privacy protection legislation. We have differing views about H.R. 4049. Some of us believe that a Privacy Commission could contribute to the development of public policy regarding privacy protections. Others believe that it may serve to delay privacy protection initiatives. Indeed, an April 17, 2000, editorial in the National Underwriter magazine urged support of the bill specifically on the grounds that a commission could delay privacy protection measures. The editorial noted that enactment of the bill could be a ``golden opportunity to forestall highly restrictive privacy measures that will be introduced both in Congress and in state legislatures around the country.'' It further stated: If the financial services industry can make a strong economic case for the consumer benefits of information sharing, the bipartisan commission proposed by Reps. Hutchinson and Moran provides the best forum to do it. Moreover, the presence of such a commission will provide a strong argument for Congress and the state legislatures to wait for the results before enacting highly restrictive privacy legislation. We are pleased that the markup process strengthened the Privacy Commission bill. For example, the legislation now contains instructions that ensure that the Commission will examine several important privacy issues, including employer privacy practices regarding the health and financial information of employees, the type of redress currently available regarding privacy violations, exploitation of older and disabled Americans through the use of their financial information, and the use of third parties to monitor internet privacy practices. Amendments also strengthened the legislation by including consideration of civil liberties experts for inclusion on the Commission. It is important to emphasize, however, that further study by a Commission is not necessary before enactment of substantive privacy protections. The Privacy Commission should serve as a complement to ongoing privacy protection initiatives. Congress should be taking action now to enact privacy protections regarding consumers' financial and health information, among other initiatives. The recent breakthrough in mapping the human genome underscores the need to ensure that privacy protections are in place immediately for individuals' genetic information so that insurers, employers, and others cannot inappropriately access this personal information. For this reason, we are pleased that an amendment was accepted to include in the bill's findings that the Commission is not intended to delay privacy protection initiatives. We are disappointed, however, that agreement could not be reached to include in the bill a commitment by Congress to enact important privacy protections. Rep. Waxman offered an amendment that focused on financial privacy. It would have set an 18-month deadline on Congress to enact comprehensive protections, and would have given relevant regulatory entities authority to regulate if the deadline was not met. Such a commitment is important to ensuring that the study of privacy will not constitute the only action Congress takes on privacy protection. We regret that the amendment was rejected on a point of order and not incorporated into the bill. Henry A. Waxman. Carolyn B. Maloney. Major R. Owens. Danny K. Davis. John F. Tierney. Thomas H. Allen. Dennis J. Kucinich. Eleanor Holmes Norton. Rod R. Blagojevich. Paul E. Kanjorski. Tom Lantos. Edolphus Towns. Janice D. Schakowsky. Bernard Sanders. Patsy T. Mink. Elijah E. Cummings. Harold E. Ford, Jr.