[House Report 107-701]
[From the U.S. Government Publishing Office]



107th Congress                                                   Report
                        HOUSE OF REPRESENTATIVES
 2d Session                                                     107-701

======================================================================



 
                FEDERAL AGENCY PROTECTION OF PRIVACY ACT

                                _______
                                

 September 30, 2002.--Committed to the Committee of the Whole House on 
            the State of the Union and ordered to be printed

                                _______
                                

 Mr. Sensenbrenner, from the Committee on the Judiciary, submitted the 
                               following

                              R E P O R T

                        [To accompany H.R. 4561]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on the Judiciary, to whom was referred the 
bill (H.R. 4561) to amend title 5, United States Code, to 
require that agencies, in promulgating rules, take into 
consideration the impact of such rules on the privacy of 
individuals, and for other purposes, having considered the 
same, reports favorably thereon without amendment and 
recommends that the bill do pass.

                                CONTENTS

                                                                   Page
Purpose and Summary..............................................     1
Background and Need for the Legislation..........................     2
Hearings.........................................................     9
Committee Consideration..........................................     9
Vote of the Committee............................................     9
Committee Oversight Findings.....................................     9
Performance Goals and Objectives.................................     9
New Budget Authority and Tax Expenditures........................     9
Congressional Budget Office Cost Estimate........................     9
Constitutional Authority Statement...............................    11
Section-by-Section Analysis and Discussion.......................    11
Changes in Existing Law Made by the Bill, as Reported............    12
Markup Transcript................................................    17

                          Purpose and Summary

    H.R. 4561, the ``Federal Agency Protection of Privacy 
Act,'' preserves and promotes the privacy rights of all 
Americans by requiring Federal agencies to assess and mitigate 
the adverse privacy impact of rules noticed for public comment 
pursuant to the Administrative Procedure Act \1\ (APA). H.R. 
4561 helps safeguard privacy rights by requiring that rules 
noticed for public comment by Federal agencies be accompanied 
by an initial assessment of the rule's impact on personal 
privacy interests, including the extent to which the proposed 
rule provides notice of the collection of personally 
identifiable information, the type of personally identifiable 
information to be obtained, and the manner in which this 
information will be collected, maintained, protected, 
transferred, or disclosed by the Federal Government.
---------------------------------------------------------------------------
    \1\ 5 U.S.C. Sec. 553 et seq. (2001).
---------------------------------------------------------------------------
    The bill further provides that final rules be accompanied 
by a final privacy impact analysis which details how the 
issuing agency considered and responded to privacy concerns 
raised by the public during the comment period and explains 
whether the agency issuing the rule could have taken an 
approach less burdensome to personal privacy. Of critical 
importance, H.R. 4561 contains a provision for judicial review 
to ensure agency compliance with its requirements. While 
existing Federal statutes protect against the disclosure of 
information already obtained by the Federal Government, the 
Federal Agency Protection of Privacy Act provides the public 
with prospective notice and an opportunity to comment on how 
proposed Federal rules might affect personal privacy before 
they become binding regulations.

                Background and Need for the Legislation

                            PUBLIC CONCERNS

    There is growing public anxiety toward the diminishing 
sphere of personal privacy brought about by the rapid pace of 
technological and social change. Many have decried the 
perceived encroachment by outside entities into areas until 
recently considered part of our private lives. Examples 
include: facial recognition software linked to video cameras 
that can identify individuals in public places; tracking 
devices that monitor online activity; cameras that record our 
movements at traffic intersections and whose photographs serve 
as an exclusive basis for traffic fines and other penalties; 
Government-mandated devices in cellular phones that record the 
physical movements of their users; and the proliferation of 
Global Position Satellite (GPS) technologies that can be used 
to monitor a range of personal public and private activity.
    The effort to create a Federal Department of Homeland 
Security and America's ongoing war against terrorism has 
heightened public sensitivity toward Government policies which 
might intrude upon personal privacy interests. H.R. 4561 would 
help address these concerns by ensuring that the privacy impact 
of proposed regulations are considered by Federal agencies when 
rules are noticed for public comment under the Administrative 
Procedure Act.

              GOVERNMENT COLLECTION OF PRIVATE INFORMATION

    The compulsory nature of Government collection of 
personally identifiable information raises serious concerns. 
Unlike private entities, with which consumers voluntarily 
interact, the Government often requires the disclosure of 
personal information under penalty of law. The Government 
collects and maintains large volumes of personally-identifiable 
information. Much of this information is available to the 
public. While the legitimacy of our judicial system is premised 
on public access to court documents, this information might be 
susceptible to misuse. For example, section 107 of the 
Bankruptcy Code makes any filing in a bankruptcy case a matter 
of public record.\2\ With bankruptcy records increasingly 
available online, the potential for identity theft has greatly 
multiplied. In addition, the Social Security card has been 
widely adopted by both governments and the public as a standard 
identifier. Social Security numbers are now used for tax 
collection, credit and banking transactions, Federal Government 
security, State-level record keeping, passport issuance, and 
other purposes. Public transmission of this information further 
heightens the potential for identity fraud, a growing problem 
which impacted over 700 thousand Americans last year.\3\ While 
the Identity Theft and Assumption Deterrence Act of 1998 \4\ 
was enacted to address this problem, persistent concerns remain 
unaddressed.
---------------------------------------------------------------------------
    \2\ 11 U.S.C. Sec. 107 (2002).
    \3\ Identity Theft Resource Center, available at http://
www.idtheftcenter.org/.
    \4\ Pub. L. No. 105-318, 112 Stat. 3007 (1998), codified at 18 
U.S.C. Sec. 1028 (2001).
---------------------------------------------------------------------------
    States also maintain large, comprehensive databases of 
personal information, some of which are susceptible to 
intrusion. In 1994, Congress enacted the Driver's Privacy 
Protection Act \5\ after the murder of actress Rebecca Shaeffer 
by an assailant who obtained her address from the California 
Department of Motor Vehicles. While responsibility for this 
crime lies squarely with the assailant, the Shaeffer case 
highlights the potential vulnerability of personal information 
in public records databases.
---------------------------------------------------------------------------
    \5\ 18 U.S.C. Sec. 2721-2725 (2001).
---------------------------------------------------------------------------
    Federal agencies collect and maintain large volumes of 
personally-identifiable, private information in computer 
databases. Much of this information is obtained from 
individuals pursuant to regulations issued by Federal agencies 
in accordance with their organic statutes and the procedural 
requirements of the APA. While Federal agencies are required to 
conduct a cost-benefit analysis of rules noticed for public 
comment, privacy concerns often go unaddressed. Currently, 
there is no requirement that agencies issuing rules in 
accordance with the APA specifically examine the privacy 
implications of rules they promulgate. As a result, agencies 
are free to issue rules without considering how personally-
sensitive information may be stored, protected, and transmitted 
among Federal agencies. The public is often uninformed about 
the privacy impact of proposed rules. The following is a 
summary of the major databases containing private information 
currently operated by the Federal Government.

         FEDERAL BUREAU OF INVESTIGATION ``BRADY LAW'' DATABASE

    The Brady Handgun Violence Prevention Act \6\ requires 
firearms dealers to submit information about prospective 
firearms purchasers to the Department of Justice. Required 
information includes the potential purchaser's name, sex, race, 
date of birth, and State of residence. This information is then 
cross-referenced with existing databases to prevent firearms 
sales to convicted felons, fugitives from justice, and other 
disqualified buyers. The Brady Law requires the National 
Instant Check System to ``destroy all records'' relating to the 
backgrounds of individuals cleared to purchase a firearm under 
the law. In regulations implementing this legislation, however, 
the FBI provided for an ``Audit Log'' of background checks. 
This log is maintained for as long as 6 months after a firearm 
transaction. Upon taking office, Attorney General Ashcroft 
considerably shortened this time period. While some insist the 
Audit Log might serve creditable auditing and oversight 
purposes, the collection, storage, and dissemination of private 
information relating to legal purchasers of firearms raise 
considerable constitutional concerns.
---------------------------------------------------------------------------
    \6\ Pub. L. No. 103-159 (1993), 107 Stat. 1536, codified at 18 
U.S.C. Sec. 921 et seq. (2001).
---------------------------------------------------------------------------

                        ICANN ``WHOIS'' DATABASE

    The ``Whois'' database consists of the names, e-mail 
addresses, postal addresses, and telephone numbers for the 
holders of the more than 24 million Internet domain names. The 
Internet Corporation for Assigned Names and Numbers (ICANN), 
which oversees Network Solutions, the record keeper of Internet 
addresses and the domain registration companies, currently 
requires disclosure of contact information for holders of 
``.com,'' ``.net,'' and ``.org'' Internet addresses. Compulsory 
disclosure of this information helps ensure the veracity of the 
identity of website operators. This information can reduce 
fraud, defamation, copyright infringements, and trademark 
violations. While some contend this database is private or 
quasi-governmental, ICANN exercises control of Network 
Solutions and the Whois database under authority granted by the 
U.S. Department of Commerce. It is thus best viewed as a 
Government database.

                VETERANS ADMINISTRATION COMPUTER SYSTEM

    The Veterans Administration (VA) maintains detailed records 
that facilitate the management of its finances, the oversight 
of its employees, and the delivery of health care benefits to 
military veterans and their families. The VA has not taken 
sufficient steps to protect electronic data that it maintains. 
Poor management of personal information by the VA has led to 
invasions of the privacy of those who receive treatment in VA 
facilities. Testimony received by the House Veterans Affairs 
Committee revealed that a security company hired by the VA's 
Office of Inspector General easily entered and gained control 
over VA computer system.\7\ Poor computer security has also 
produced fraud and financial mismanagement, permitting VA 
employees to write more than $1.2 million in fraudulent benefit 
checks from 1998 to 2001.\8\ While ameliorative steps have been 
taken by the agency, concerns about the security of this 
information persist.
---------------------------------------------------------------------------
    \7\ VA Computer Security, 2000, Hearings Before the House Comm. on 
Veterans' Affairs, Subcomm. on Oversight and Investigations, 106th 
Cong. (2000) (statement of Michael Slachta, Jr. Assistant Inspector 
General for Auditing Office of Inspector General Department of Veterans 
Affairs Va's Information Security Program).
    \8\ Id. (statement of Joel C. Willemsen, Director of Civil Agencies 
Information Systems Accounting and Information Management Division).
---------------------------------------------------------------------------

        HEALTH CARE FINANCING ADMINISTRATION ``OASIS'' DATABASE

    In 1999, the Health Care Financing Administration announced 
a final effective date for the mandatory use, collection, 
encoding, and transmission of OASIS data for all Medicare and 
Medicaid patients receiving skilled services.\9\ OASIS is the 
acronym for ``Outcome and Assessment Information Set.''
---------------------------------------------------------------------------
    \9\ Privacy Act of 1974, Report of New System, 64 Fed. Reg. 32,992 
(1999).
---------------------------------------------------------------------------
    Medicare and Medicaid recipients are required to submit 
highly detailed and personal medical information in accordance 
with this regulation. A cursory review of OASIS ``data sets'' 
reveals their breadth. Patients are required to submit their 
name, Social Security number, residence, birth date, gender, 
payment sources for health care, past and recent medical 
treatment, current condition, medical risk factors, living 
arrangements, residential safety hazards, the identity of those 
who have assisted or are currently assisting the patient, the 
patient's vision and speech status, and a host of other data. 
While information concerning a patient's history ensures the 
delivery of the proper medical care, the public must be assured 
that adequate safeguards exist to protect this highly personal 
information.

           FEDERAL BUREAU OF INVESTIGATION ``CODIS'' DATABASE

    CODIS, the Combined DNA Index System, was established by 
Congress in 1994.\10\ It gives Federal funds to States that 
assist the FBI in collecting DNA information. By 1998, all 50 
States had passed laws requiring local police departments to 
collect DNA samples. CODIS was intended to help Federal law 
enforcement collect information about convicted sex offenders. 
Since its inception, some have called for considerable 
expansion of the database. While modern technology plays an 
increasingly important and necessary part in modern law 
enforcement, steps must also be taken to ensure the security of 
this information.
---------------------------------------------------------------------------
    \10\ DNA Analysis Backlog Elimination Act of 2000, Pub. L. No. 106-
546, 114 Stat. 2726 (2000).
---------------------------------------------------------------------------

                               THE CENSUS

    The Constitution authorizes the Federal Government to 
``enumerate'' persons in order to apportion congressional 
representatives among the States.\11\ To accomplish this 
purpose, the Government needs only to know how many individuals 
reside at a given residence. This question appears on the first 
page of the census. The remaining questions which appear on the 
census long form require Americans to provide information which 
has little or nothing to do with apportioning electoral votes. 
The current census form requires all Americans to provide 
detailed information concerning income, modes of 
transportation, family status, ethnicity, and other personal 
data. Census forms also ask detailed questions about 
employment, the number of household toilets, and the annual 
cost of electricity, gas, water, and other municipal services. 
Responding to the census is not optional, it is required under 
penalty of Federal law. For this reason, all questions beyond 
those needed for apportionment are a threat to the privacy of 
Americans who do not wish to have information about their lives 
and habits collected and catalogued. In addition, the potential 
misuse of this information raises significant privacy concerns.
---------------------------------------------------------------------------
    \11\ U.S. CONST., art. 1, Sec. 8, cl. 2.
---------------------------------------------------------------------------

                TREASURY DEPARTMENT ``FINCEN'' DATABASE

    The Financial Crimes Enforcement Network (FinCEN), is a 
network of databases and financial records maintained by the 
Federal Government. Housed within the Treasury Department, 
FinCEN contains data compiled from 21,000 depository 
institutions and 200,000 nonbank financial institutions. Banks, 
casinos, brokerage firms and money transmitters all must file 
reports with FinCEN if cash transactions exceed $10,000.
    The Bank Secrecy Act authorizes the Treasury Department to 
require financial institutions to maintain records of personal 
financial transactions that ``have a high degree of usefulness 
in criminal, tax and regulatory investigations and 
proceedings.'' \12\ It also authorizes the Treasury Department 
to require any financial institution to report any ``suspicious 
transaction relevant to a possible violation of law or 
regulation.'' \13\ This is done secretly, without the consent 
or knowledge of bank customers, any time a financial 
institution decides that a transaction is ``suspicious.'' The 
reports are made available electronically to every U.S. 
Attorney's Office and to 59 law enforcement agencies, including 
the FBI, Secret Service, and Customs Service. A law enforcement 
agency does not have to be suspicious of an actual crime before 
it accesses a report, and no court order, warrant, subpoena, or 
even written request is needed. While this information serves 
legitimate law enforcement objectives, the security of this 
information should be maintained.
---------------------------------------------------------------------------
    \12\ 12 U.S.C. Sec. 951 (2002).
    \13\ Bank Secrecy Act of 1970, 31 U.S.C. Sec. Sec. 5311-5330 
(2002).
---------------------------------------------------------------------------

            HEALTH AND HUMAN SERVICES ``NEW HIRES'' DATABASE

    The Personal Responsibility and Work Opportunity 
Reconciliation Act of 1996 \14\ requires the Secretary of 
Health and Human Services to develop a National Directory of 
recently employed ``New Hires.'' This directory contains 
information on all newly hired employees, quarterly wage 
reports, and unemployment insurance claims in the United 
States. The National Directory of New Hires is maintained by 
the Federal Office of Child Support Enforcement in the 
Administration for Children and Families at the U.S. Department 
of Health and Human Services, and is located at the Social 
Security Administration's National Computer Center.
---------------------------------------------------------------------------
    \14\ Pub. L. No. 104-193, 109 Stat. 961 (1996) (codified in 
scattered sections of 42 U.S.C.).
---------------------------------------------------------------------------
    This database has helped States locate parents who evade 
their child support obligations. However, it has also been 
employed for purposes which exceed its original scope.\15\ The 
National Directory of New Hires has already been expanded to 
track down defaulters on student loans.\16\ Additional 
expansions have been proposed that would give State 
unemployment insurance officials access to the database. A 
centralized database containing detailed personal information 
on every working American raises considerable privacy concerns.
---------------------------------------------------------------------------
    \15\ Solveig Singleton, How Big Brother Began, Cato Institute (Nov. 
25, 1997), available at: http://www.cato.org/dailys/11-25-97.html.
    \16\ See Greg Langois, Fed. Computer Week, ``Education Touts New 
Loan Default Tool,'' Sept. 24, 2001, available at: http://www.fcw.com/
fcw/articles/2001/0924/news-edu-09-24-01.asp.
---------------------------------------------------------------------------

             INTER-AGENCY TRANSFER OF PERSONAL INFORMATION

    While Federal agencies individually collect a wealth of 
personal information, this information is often shared with 
other Federal agencies in a manner which compounds the risks of 
unauthorized disclosure. According to a report prepared by 
Privacilla.org entitled ``Government Exchange and Merger of 
Citizens' Personal Information is Systematic and Routine,'' 
Federal agencies routinely share personally-identifiable 
information with other Federal agencies without the knowledge 
or consent of those whose information is being exchanged.\17\ 
The report cites 47 specific instances between September 1999 
and February 2001 when Federal agencies announced their 
intention to exchange personal data and combine it into their 
own databases.\18\ The transfer of personal information between 
and among Federal agencies without the consent of those in 
question heightens concern that personal information could be 
utilized for a purpose inconsistent with that for which it was 
originally obtained.
---------------------------------------------------------------------------
    \17\ Report available at: http://www.privacilla.org/releases/
Government--Data--Merger.html
    \18\ Id. at 1.
---------------------------------------------------------------------------

    GOVERNMENT USE AND MISUSE OF PERSONALLY-IDENTIFIABLE INFORMATION

GAO Studies of Government Federal Government Privacy Practices
    A series of General Accounting Office (GAO) reports have 
demonstrated the vulnerability of personal information 
maintained in several Federal databases. On September 5, 2000, 
the GAO released a study that revealed that Federal agencies 
largely ignore Office of Management and Budget guidelines on 
the maintenance of computer websites.\19\ In a survey of online 
privacy protections at Government-run websites, the GAO found 
that 23 of the 70 agencies it surveyed had disclosed personal 
information gathered from websites to third parties, mostly 
other Government agencies. At least four agencies had shared 
information with private entities.
---------------------------------------------------------------------------
    \19\ Internet Privacy: Agencies' Efforts to Implement OMB's Privacy 
Policy, Report of the General Accounting Office, September 5, 2000, 
available at: http://www.gao.gov/new.items/gg00191.pdf.
---------------------------------------------------------------------------
    On September 6, 2000, the GAO issued a second study which 
concluded that security practices at Federal Government 
agencies are fraught with weaknesses.\20\ The study concluded 
that ``information security weaknesses place enormous amounts 
of confidential data, ranging from personal and tax to 
proprietary business information, at risk of inappropriate 
disclosure.'' \21\
---------------------------------------------------------------------------
    \20\ Information Security: Serious and Widespread Risks Persist At 
Federal Agencies, Report of the General Accounting Office, Sept. 6, 
2000, available at: http://www.gao.gov/news items/ai00295.pdf.
    \21\ Id. at 7.
---------------------------------------------------------------------------
    Finally, a third GAO study, released on September 12, 2000, 
found that a staggering 97 percent of Federal websites did not 
adhere to the principles of notice, choice, access, and 
security that the Federal Trade Commission has imposed on 
private-sector websites.\22\ This study is particularly 
significant because while consumers may freely decide whether 
to disclose information to private, commercial entities, the 
compulsory nature of Government collection of personal 
information forecloses this option.
---------------------------------------------------------------------------
    \22\ Internet Privacy: Comparison of Federal Agency Practices With 
FTC's Fair Information Principles, Report of the General Accounting 
Office, September 12, 2000, available at: http://www.gao.gov/new.items/
ai00296r.pdf.
---------------------------------------------------------------------------
    The vulnerability of private information collected and 
maintained by the Federal Government is clearly established and 
well-documented. A legislative solution is a necessary first 
step toward addressing this pervasive problem.

            FEDERAL AGENCY PROTECTION OF PRIVACY ACT (FAPPA)

    On April 24, 2002, Subcommittee on Commercial and 
Administrative Law Chairman Bob Barr introduced H.R. 4561. 
Original cosponsors included: Subcommittee Ranking Member 
Melvin Watt (D-NC); Rep. George W. Gekas (R-PA); Rep. Gerrold 
Nadler (D-NY); and Rep. Steve Chabot (R-OH). Since its 
introduction, Judiciary Committee Chairman F. James 
Sensenbrenner, Jr. (R-WI), Ranking Member John Conyers, Jr. (D-
MI), and several other Committee Members have joined as 
cosponsors. While H.R. 4561 makes no substantive demands on 
Federal agencies with respect to privacy, it would ensure that 
Federal agencies consider the privacy implications of proposed 
rules and regulations when they are noticed for public comment. 
Specifically, FAPPA would help ensure Federal agencies consider 
ways to: (1) protect the individual privacy rights of all 
Americans; (2) safeguard personal information collected and 
maintained by the Federal Government; and (3) indicate how 
personally-identifiable information will be used by the Federal 
Government; and (4) specify if and how this information will be 
disseminated among Federal agencies or State governments. The 
Federal Agency Protection of Privacy Act seeks to improve the 
regulatory process and protect Americans from unjustified or 
unintended invasions of privacy, by:

         Lensuring Federal agencies consider the impact 
        of proposed regulations on individual privacy;

         Lrequiring agencies to include an initial 
        privacy impact analysis with proposed regulations that 
        are circulated for public notice and comment;

         Lrequiring agencies, after the notice and 
        comment period, to include a final privacy impact 
        analysis that describes the steps that were taken to 
        minimize the significant privacy impact of proposed 
        regulations and that justifies the alternative with 
        respect to privacy that was chosen by the agency;

         Lpermitting judicial review of the adequacy of 
        an agency's final privacy impact, similar to that 
        provided by the Regulatory Flexibility Act for small 
        businesses; and

         Lrequiring agencies to periodically review 
        rules that have either a significant privacy impact on 
        individuals or a privacy impact on a significant number 
        or individuals.

    H.R. 4561 does not unduly burden agencies in the 
development and issuance of proposed rules, because:

         Lit would require a privacy impact analysis 
        only when an agency is already required to publish a 
        general notice of proposed rulemaking; and

         Lan agency would not be required to do 
        anything that it presumably had not already done, i.e. 
        consider the consequences of the proposed rule. It 
        would only have to publicly articulate how its proposed 
        rule would effect privacy interests.

                                Hearings

    The Subcommittee on Commercial and Administrative Law held 
1 day of hearings on H.R. 4561 on May 1, 2002. Testimony was 
received from an ideologically-diverse panel comprised of the 
following witnesses: Lori Waters, Executive Director, the Eagle 
Forum; Gregory Nojeim, Associate Director and Chief Legislative 
Counsel, American Civil Liberties Union; James Harper, Editor, 
Privacilla.com, and Adjunct Fellow, Progress & Freedom 
Foundation; and Edward Mierzwinski, Consumer Program Director, 
United States Public Interest Group.

                        Committee Consideration

    On July 9, 2002, the Subcommittee on Commercial and 
Administrative Law met in open session and ordered favorably 
reported the bill H.R.4561, without amendment by voice vote, a 
quorum being present. On September 10, 2002, the Committee met 
in open session and ordered favorably reported the bill H.R. 
4561 without amendment by voice vote, a quorum being present.

                         Vote of the Committee

    There were no recorded votes on H.R. 4561.

                      Committee Oversight Findings

    In compliance with clause 3(c)(1) of rule XIII of the Rules 
of the House of Representatives, the Committee reports that the 
findings and recommendations of the Committee, based on 
oversight activities under clause 2(b)(1) of rule X of the 
Rules of the House of Representatives, are incorporated in the 
descriptive portions of this report.

                    Performance Goals and Objectives

    H.R. 4561 does not authorize funding. Therefore, clause 
3(c) of rule XIII of the Rules of the House of Representatives 
is inapplicable. H.R. 4561 protects the privacy rights of all 
Americans by requiring that Federal agencies assess, consider, 
and inform the public about the privacy impact of rules noticed 
for public comment under the Administrative Procedure Act.

               New Budget Authority and Tax Expenditures

    Clause 3(c)(2) of House rule XIII is inapplicable because 
this legislation does not provide new budgetary authority or 
increased tax expenditures.

               Congressional Budget Office Cost Estimate

    In compliance with clause 3(c)(3) of rule XIII of the Rules 
of the House of Representatives, the Committee sets forth, with 
respect to the bill, H.R. 4561, the following estimate and 
comparison prepared by the Director of the Congressional Budget 
Office under section 402 of the Congressional Budget Act of 
1974:

                                     U.S. Congress,
                               Congressional Budget Office,
                                Washington, DC, September 10, 2002.
Hon. F. James Sensenbrenner, Jr., Chairman,
Committee on the Judiciary,
House of Representatives, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for H.R. 4561, the Federal 
Agency Protection of Privacy Act.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Matthew 
Pickford, who can be reached at 226-2860.
            Sincerely,
                                  Dan L. Crippen, Director.

Enclosure

cc:
        Honorable John Conyers, Jr.
        Ranking Member
H.R. 4561--Federal Agency Protection of Privacy Act.
    H.R. 4561 would require Federal agencies to analyze 
proposed regulations to determine their impact on the privacy 
of individuals. H.R. 4561 also would require agencies issuing 
rules with a potentially significant impact on individual 
privacy to ensure that individuals have been given ample 
opportunity to participate in such rulemakings. Finally, 
agencies would have to review existing rules to consider 
impacts on the privacy of individuals at least every 10 years.
    CBO estimates that implementing H.R. 4561 would have no 
significant effect on Federal spending. Based on a review on 
the number and types of agency rules published in recent years, 
we expect the privacy of individuals is of concern for less 
than 2 percent of the rules published annually. H.R. 4561 would 
add to the existing regulatory procedures for considering 
impacts on the privacy of individuals that are already 
performed by agencies under the Privacy Act of 1974, the 
Paperwork Reduction Act, and current Office of Management and 
Budget requirements concerning information collected from the 
public. Based on information from some agencies that would be 
affected by the bill, we expect that implementing this bill 
would not require significant additional efforts by rulemaking 
agencies. Thus, its implementation would not have a significant 
cost.
    H.R. 4561 also could affect direct spending by increasing 
the administrative costs of rulemaking agencies that receive no 
annual appropriations; therefore, pay-as-you-go procedures 
would apply. CBO estimates, however, that any increase in 
direct spending would not be significant. The bill contains no 
intergovernmental or private-sector mandates as defined in the 
Unfunded Mandates Reform Act and would not affect the budgets 
of State, local, or tribal governments.
    The CBO staff contact for this estimate is Matthew 
Pickford, who can be reached at 226-2860. This estimate was 
approved by Peter H. Fontaine, Deputy Assistant Director for 
Budget Analysis.

                   Constitutional Authority Statement

    Pursuant to clause 3(d)(1) of rule XIII of the Rules of the 
House of Representatives, the Committee finds the authority for 
this legislation in article I, section 8, clause 14 of the 
Constitution.

               Section-by-Section Analysis and Discussion

Section 1. Short Title
    The title of this bill is the ``Federal Agency Protection 
of Privacy Act.''
Section 2. Requirement that Agency Rulemaking Take Into Consideration 
        Impacts on Individual Privacy
    This section amends the Administrative Procedure Act to 
require agencies to provide an initial privacy impact analysis 
when publishing rules requiring notice and comment under 5 
U.SC. Sec. 553 or other laws. The analysis must describe the 
impact of the proposed rule or IRS interpretive statement on 
individual privacy and be signed by the senior agency official 
with primary responsibility for privacy policy and be published 
in the Federal Register at the time the rule is published.
    The initial privacy impact analysis must contain: a 
description and assessment of the rule's impact on personal 
privacy interests, including the extent to which the proposed 
rule provides notice of the collection of personally 
identifiable information; what information will be obtained, 
how it is to be collected, maintained, used and disclosed. The 
initial statement must also provide the person to whom the 
personal information pertains an opportunity to correct 
inaccuracies, prevent the information from being used for 
another purpose, provide security for such information, and 
contain a description of any significant alternatives to the 
proposed rule that would advance its goals while protecting 
private information.
    This section also requires an agency to issue a final 
privacy impact analysis to accompany rules published for notice 
and comment under 5 U.S.C. Sec. 553 or issued by the IRS. The 
final statement must be signed by the senior agency official 
responsible for privacy policy, and contain an assessment of 
the extent to which the final rule will impact the privacy of 
individuals, including the degree to which the proposed rule: 
provides notice of the collection of private information, 
specifies what information is to be collected, maintained and 
disclosed, allows access and opportunity to correct 
inaccuracies to the person whose information is obtained, 
prevents this information from being used for another purpose, 
and provides security for this information.
    This statement must contain a summary of the significant 
issues raised by the public comments in response to the initial 
privacy analysis, a summary of the assessment of the agency, 
and a statement of any changes made in the proposed rule. This 
statement must also contain a description of the steps the 
agency has taken to minimize the significant privacy impact on 
individuals consistent with the objective of the rules and 
applicable statutes, including a Statement of the factual and 
legal basis for selection of the final rule as well as other 
alternatives that might have a less adverse impact on privacy. 
The final privacy impact analysis shall be made available to 
the public and published in the Federal Register.
    This section also provides heads of agencies authority to 
waive or delay the completion of the final privacy impact 
analysis in specified circumstances. It further provides for 
procedures designed to ensure that the public adequately 
participates in the rulemaking process by including in the 
advance notice of proposed rulemaking, a statement that the 
proposed rule may have a significant impact on personal 
privacy, or a privacy impact on a substantial number of 
individuals, the publication of a general notice of proposed 
rulemaking in national publications, direct notification of 
affected individuals, and the adoption of agency procedural 
rules to reduce the cost and complexity of participation in the 
rulemaking by individuals.
    In addition, this section requires that agencies conduct 
periodic reviews of rules having a significant privacy impact 
to determine whether the rule can be amended or rescinded in a 
manner that minimizes any such impact while remaining 
accordance with applicable statutes. In making this 
determination, the agency should examine the need for the rule, 
the nature of complaints or comments received from the public 
concerning the rule, the complexity of the rule, the extent to 
which the rule is duplicative, the length of time since the 
rule was last reviewed, and changing technology. Each agency is 
required to carry out its periodic reviews in accordance with a 
plan published in the Federal Register, and each rule shall be 
examined no later than 10 years after its finalization. The 
agency in question shall annually publish a list of all rules 
to be reviewed.
    Of critical importance, this section allows individuals 
adversely affected by a final agency action to seek judicial 
review of agency compliance with the requirements of this 
legislation. Jurisdiction is conferred upon all courts which 
currently have jurisdiction over 5 U.S.C. Sec. 553. There are 
limitations on this standing. For example, an individual is 
permitted to challenge the rule only after the rule has been in 
existence for 1 year, unless otherwise specified. In the case 
where an agency delays the issuance of a final privacy impact 
analysis, an action for judicial review under this section 
shall be filed not later than 1 year after the date the 
analysis is made public, unless otherwise specified.
    In granting relief under this section, a court may remand 
the rule to the agency, or defer the enforcement of the rule 
unless the court finds the rule is in the public interest. This 
section also contains a savings clause, which permits judicial 
review of other privacy-related claims if otherwise not 
prohibited.
    This section defines personally identifiable information as 
data that can be used to identify an individual, including the 
individual's name, address, telephone number, photograph, 
Social Security number, other identifying information. This 
definition encompasses information related to medical or 
financial condition. Finally, this section amends the 
Congressional Review Act to permit Congress to strike agency 
rules inconsistent with the requirements of this legislation.

         Changes in Existing Law Made by the Bill, as Reported

    In compliance with clause 3(e) of rule XIII of the Rules of 
the House of Representatives, changes in existing law made by 
the bill, as reported, are shown as follows (existing law 
proposed to be omitted is enclosed in black brackets, new 
matter is printed in italics, existing law in which no change 
is proposed is shown in roman):

                      TITLE 5, UNITED STATES CODE



           *       *       *       *       *       *       *
PART I--THE AGENCIES GENERALLY

           *       *       *       *       *       *       *


                  CHAPTER 5--ADMINISTRATIVE PROCEDURE

                    SUBCHAPTER I--GENERAL PROVISIONS

Sec.
500.    Administrative practice; general provisions.
     * * * * * * *

                 SUBCHAPTER II--ADMINISTRATIVE PROCEDURE

551.    Definitions.
     * * * * * * *
553a.   Privacy impact analysis in rulemaking.

           *       *       *       *       *       *       *


SUBCHAPTER II--ADMINISTRATIVE PROCEDURE

           *       *       *       *       *       *       *


Sec. 553a. Privacy impact analysis in rulemaking

    (a) Initial Privacy Impact Analysis.--
            (1) In general.--Whenever an agency is required by 
        section 553 of this title, or any other law, to publish 
        a general notice of proposed rulemaking for any 
        proposed rule, or publishes a notice of proposed 
        rulemaking for an interpretative rule involving the 
        internal revenue laws of the United States, the agency 
        shall prepare and make available for public comment an 
        initial privacy impact analysis. Such analysis shall 
        describe the impact of the proposed rule on the privacy 
        of individuals. The initial privacy impact analysis or 
        a summary shall be signed by the senior agency official 
        with primary responsibility for privacy policy and be 
        published in the Federal Register at the time of the 
        publication of a general notice of proposed rulemaking 
        for the rule.
            (2) Contents.--Each initial privacy impact analysis 
        required under this subsection shall contain the 
        following:
                    (A) A description and assessment of the 
                extent to which the proposed rule will impact 
                the privacy interests of individuals, including 
                the extent to which the proposed rule--
                            (i) provides notice of the 
                        collection of personally identifiable 
                        information, and specifies what 
                        personally identifiable information is 
                        to be collected and how it is to be 
                        collected, maintained, used, and 
                        disclosed;
                            (ii) allows access to such 
                        information by the person to whom the 
                        personally identifiable information 
                        pertains and provides an opportunity to 
                        correct inaccuracies;
                            (iii) prevents such information, 
                        which is collected for one purpose, 
                        from being used for another purpose; 
                        and
                            (iv) provides security for such 
                        information.
                    (B) A description of any significant 
                alternatives to the proposed rule which 
                accomplish the stated objectives of applicable 
                statutes and which minimize any significant 
                privacy impact of the proposed rule on 
                individuals.
    (b) Final Privacy Impact Analysis.--
            (1) In general.--Whenever an agency promulgates a 
        final rule under section 553 of this title, after being 
        required by that section or any other law to publish a 
        general notice of proposed rulemaking, or promulgates a 
        final interpretative rule involving the internal 
        revenue laws of the United States, the agency shall 
        prepare a final privacy impact analysis, signed by the 
        senior agency official with primary responsibility for 
        privacy policy.
            (2) Contents.--Each final privacy impact analysis 
        required under this subsection shall contain the 
        following:
                    (A) A description and assessment of the 
                extent to which the final rule will impact the 
                privacy interests of individuals, including the 
                extent to which the proposed rule--
                            (i) provides notice of the 
                        collection of personally identifiable 
                        information, and specifies what 
                        personally identifiable information is 
                        to be collected and how it is to be 
                        collected, maintained, used, and 
                        disclosed;
                            (ii) allows access to such 
                        information by the person to whom the 
                        personally identifiable information 
                        pertains and provides an opportunity to 
                        correct inaccuracies;
                            (iii) prevents such information, 
                        which is collected for one purpose, 
                        from being used for another purpose; 
                        and
                            (iv) provides security for such 
                        information.
                    (B) A summary of the significant issues 
                raised by the public comments in response to 
                the initial privacy impact analysis, a summary 
                of the assessment of the agency of such issues, 
                and a statement of any changes made in the 
                proposed rule as a result of such issues.
                    (C) A description of the steps the agency 
                has taken to minimize the significant privacy 
                impact on individuals consistent with the 
                stated objectives of applicable statutes, 
                including a statement of the factual, policy, 
                and legal reasons for selecting the alternative 
                adopted in the final rule and why each one of 
                the other significant alternatives to the rule 
                considered by the agency which affect the 
                privacy interests of individuals was rejected.
            (3) Availability to public.--The agency shall make 
        copies of the final privacy impact analysis available 
        to members of the public and shall publish in the 
        Federal Register such analysis or a summary thereof.
    (c) Procedure for Waiver or Delay of Completion.--An agency 
head may waive or delay the completion of some or all of the 
requirements of subsections (a) and (b) to the same extent as 
the agency head may, under section 608, waive or delay the 
completion of some or all of the requirements of sections 603 
and 604, respectively.
    (d) Procedures for Gathering Comments.--When any rule is 
promulgated which may have a significant privacy impact on 
individuals, or a privacy impact on a substantial number of 
individuals, the head of the agency promulgating the rule or 
the official of the agency with statutory responsibility for 
the promulgation of the rule shall assure that individuals have 
been given an opportunity to participate in the rulemaking for 
the rule through techniques such as--
            (1) the inclusion in an advance notice of proposed 
        rulemaking, if issued, of a statement that the proposed 
        rule may have a significant privacy impact on 
        individuals, or a privacy impact on a substantial 
        number of individuals;
            (2) the publication of a general notice of proposed 
        rulemaking in publications of national circulation 
        likely to be obtained by individuals;
            (3) the direct notification of interested 
        individuals;
            (4) the conduct of open conferences or public 
        hearings concerning the rule for individuals, including 
        soliciting and receiving comments over computer 
        networks; and
            (5) the adoption or modification of agency 
        procedural rules to reduce the cost or complexity of 
        participation in the rulemaking by individuals.
    (e) Periodic Review of Rules.--
            (1) In general.--Each agency shall carry out a 
        periodic review of the rules promulgated by the agency 
        that have a significant privacy impact on individuals, 
        or a privacy impact on a substantial number of 
        individuals. Under such periodic review, the agency 
        shall determine, for each such rule, whether the rule 
        can be amended or rescinded in a manner that minimizes 
        any such impact while remaining in accordance with 
        applicable statutes. For each such determination, the 
        agency shall consider the following factors:
                    (A) The continued need for the rule.
                    (B) The nature of complaints or comments 
                received from the public concerning the rule.
                    (C) The complexity of the rule.
                    (D) The extent to which the rule overlaps, 
                duplicates, or conflicts with other Federal 
                rules, and, to the extent feasible, with State 
                and local governmental rules.
                    (E) The length of time since the rule was 
                last reviewed under this subsection.
                    (F) The degree to which technology, 
                economic conditions, or other factors have 
                changed in the area affected by the rule since 
                the rule was last reviewed under this 
                subsection.
            (2) Plan required.--Each agency shall carry out the 
        periodic review required by paragraph (1) in accordance 
        with a plan published by such agency in the Federal 
        Register. Each such plan shall provide for the review 
        under this subsection of each rule promulgated by the 
        agency not later than 10 years after the date on which 
        such rule was published as the final rule and, 
        thereafter, not later than 10 years after the date on 
        which such rule was last reviewed under this 
        subsection. The agency may amend such plan at any time 
        by publishing the revision in the Federal Register.
            (3) Annual publication.--Each year, each agency 
        shall publish in the Federal Register a list of the 
        rules to be reviewed by such agency under this 
        subsection during the following year. The list shall 
        include a brief description of each such rule and the 
        need for and legal basis of such rule and shall invite 
        public comment upon the determination to be made under 
        this subsection with respect to such rule.
    (f) Judicial Review.--
            (1) In general.--For any rule subject to this 
        section, an individual who is adversely affected or 
        aggrieved by final agency action is entitled to 
        judicial review of agency compliance with the 
        requirements of subsections (b) and (c) in accordance 
        with chapter 7. Agency compliance with subsection (d) 
        shall be judicially reviewable in connection with 
        judicial review of subsection (b).
            (2) Jurisdiction.--Each court having jurisdiction 
        to review such rule for compliance with section 553, or 
        under any other provision of law, shall have 
        jurisdiction to review any claims of noncompliance with 
        subsections (b) and (c) in accordance with chapter 7. 
        Agency compliance with subsection (d) shall be 
        judicially reviewable in connection with judicial 
        review of subsection (b).
            (3) Limitations.--
                    (A) An individual may seek such review 
                during the period beginning on the date of 
                final agency action and ending 1 year later, 
                except that where a provision of law requires 
                that an action challenging a final agency 
                action be commenced before the expiration of 1 
                year, such lesser period shall apply to an 
                action for judicial review under this 
                subsection.
                    (B) In the case where an agency delays the 
                issuance of a final privacy impact analysis 
                pursuant to subsection (c), an action for 
                judicial review under this section shall be 
                filed not later than--
                            (i) 1 year after the date the 
                        analysis is made available to the 
                        public; or
                            (ii) where a provision of law 
                        requires that an action challenging a 
                        final agency regulation be commenced 
                        before the expiration of the 1-year 
                        period, the number of days specified in 
                        such provision of law that is after the 
                        date the analysis is made available to 
                        the public.
            (4) Relief.--In granting any relief in an action 
        under this subsection, the court shall order the agency 
        to take corrective action consistent with this section 
        and chapter 7, including, but not limited to--
                    (A) remanding the rule to the agency; and
                    (B) deferring the enforcement of the rule 
                against individuals, unless the court finds 
                that continued enforcement of the rule is in 
                the public interest.
            (5) Rule of construction.--Nothing in this 
        subsection shall be construed to limit the authority of 
        any court to stay the effective date of any rule or 
        provision thereof under any other provision of law or 
        to grant any other relief in addition to the 
        requirements of this subsection.
            (6) Record of agency action.--In an action for the 
        judicial review of a rule, the privacy impact analysis 
        for such rule, including an analysis prepared or 
        corrected pursuant to paragraph (4), shall constitute 
        part of the entire record of agency action in 
        connection with such review.
            (7) Exclusivity.--Compliance or noncompliance by an 
        agency with the provisions of this section shall be 
        subject to judicial review only in accordance with this 
        subsection.
            (8) Savings clause.--Nothing in this subsection 
        bars judicial review of any other impact statement or 
        similar analysis required by any other law if judicial 
        review of such statement or analysis is otherwise 
        permitted by law.
    (g) Definition.--For purposes of this section, the term 
``personally identifiable information'' means information that 
can be used to identify an individual, including such 
individual's name, address, telephone number, photograph, 
social security number or other identifying information. It 
includes information about such individual's medical or 
financial condition.

           *       *       *       *       *       *       *


CHAPTER 8--CONGRESSIONAL REVIEW OF AGENCY RULEMAKING

           *       *       *       *       *       *       *


Sec. 801. Congressional review

    (a)(1)(A) * * *
    (B) On the date of the submission of the report under 
subparagraph (A), the Federal agency promulgating the rule 
shall submit to the Comptroller General and make available to 
each House of Congress--
            (i) * * *

           *       *       *       *       *       *       *

            (iii) the agency's actions relevant to section 
        553a;
            [(iii)] (iv) the agency's actions relevant to 
        sections 202, 203, 204, and 205 of the Unfunded 
        Mandates Reform Act of 1995; and
            [(iv)] (v) any other relevant information or 
        requirements under any other Act and any relevant 
        Executive orders.

           *       *       *       *       *       *       *


                           Markup Transcript



                            BUSINESS MEETING

                      TUESDAY, SEPTEMBER 10, 2002

                  House of Representatives,
                                Committee on the Judiciary,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10:00 a.m., in 
Room 2141, Rayburn House Office Building, Hon. F. James 
Sensenbrenner, Jr. [chairman of the Committee] presiding.
    Chairman Sensenbrenner. The Committee will be in order, and 
a working quorum is present.

           *       *       *       *       *       *       *

    The next item on the agenda is the adoption of H.R.4561, 
the ``Federal Agency Protection of Privacy Act.'' The chair 
recognizes the gentleman from Georgia, Mr. Barr, for a motion.
    Mr. Barr. Mr. Chairman, the Subcommittee on Commercial and 
Administrative Law reports favorably the bill H.R.4561 and 
moves its favorable recommendation to the full House.
    Chairman Sensenbrenner. Without objection, H.R.4561 will be 
considered as read and open for amendment at any point.
    [The bill, H.R.4561, follows:]
    
    
    Chairman Sensenbrenner. The chair again makes the same 
admonition about opening statements. Without objection, all 
opening statements will appear in the record at this point.
    Chairman Sensenbrenner. Are there amendments? If there are 
no amendments, the chair notes the presence of a reporting 
quorum.
    The question occurs on the motion to report the bill H.R. 
4561 favorably. All in favor say aye.
    Opposed, no. The ayes appear to have it. The ayes have it. 
The motion to report favorably is adopted. Without objection, 
the bill will be reported to the House favorably in the form of 
a single amendment in the nature of a substitute.
    Without objection, the Chairman is authorized to move to go 
to conference pursuant to House rules.
    Without objection, the staff is directed to make any 
technical and conforming changes and all Members will be given 
2 days, pursuant to House rules, in which to submit additional 
dissenting, supplemental or minority views.

                                
