To require a report on Federal Government use of commercial and other databases for national security, intelligence, and law enforcement purposes, and for other purposes.

July 29 (legislative day, JULY 21), 2003

Mr. WYDEN introduced the following bill; which was read twice and referred to the Committee on the Judiciary

To require a report on Federal Government use of commercial and other databases for national security, intelligence, and law enforcement purposes, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the `Citizens' Protection in Federal Databases Act'.

SEC. 2. FINDINGS.

Congress makes the following findings:

(1) Many Federal national security, law enforcement, and intelligence agencies are currently accessing large databases, both public and private, containing information that was not initially collected for national security, law enforcement, or intelligence purposes.

(2) These databases contain personal and sensitive information on millions of United States persons.

(3) Some of these databases are subject to Federal privacy protections when in private sector control.

(4) Risks to personal privacy are heightened when personal information from different sources, including public records, is aggregated in a single file and made accessible to thousands of national security, law enforcement, and intelligence personnel.

(5) It is unclear what standards, policies, procedures, and guidelines govern the access to or use of these public and private databases by the Federal Government.

(6) It is unclear what Federal Government agencies believe they legally can and cannot do with the information once acquired.

(7) The Federal Government should be required to adhere to clear civil liberties and privacy standards when accessing personal information.

(8) There is a need for clear accountability standards with regard to the accessing or usage of information contained in public and private databases by Federal agencies.

(9) Without accountability, individuals and the public have no way of knowing who is reading, using, or disseminating personal information.

(10) The Federal Government should not access personal information on United States persons without some nexus to suspected counterintelligence, terrorist, or other illegal activity.

SEC. 3. LIMITATION ON USE OF FUNDS FOR PROCUREMENT OR ACCESS OF COMMERCIAL DATABASES PENDING REPORT ON USE OF INFORMATION.

(a) LIMITATION- Notwithstanding any other provision of law, commencing 60 days after the date of the enactment of this Act, no funds appropriated or otherwise made available to the Department of Justice, the Department of Defense, the Department of Homeland Security, the Central Intelligence Agency, the Department of Treasury, or the Federal Bureau of Investigation may be obligated or expended by such department or agency on the procurement of or access to any commercially available database unless such head of such department or agency submits to Congress the report required by subsection (b) not later than 60 days after the date of the enactment of this Act.

(b) REPORT- (1) The Attorney General, the Secretary of Defense, the Secretary of Homeland Security, the Secretary of the Treasury, the Director of Central Intelligence, and the Director of the Federal Bureau of Investigation shall each prepare, submit to the appropriate committees of Congress, and make available to the public a report, in writing, containing a detailed description of any use by the department or agency under the jurisdiction of such official, or any national security, intelligence, or law enforcement element under the jurisdiction of the department or agency, of databases that were obtained from or remain under the control of a non-Federal entity, or that contain information that was acquired initially by another department or agency of the Federal Government for purposes other than national security, intelligence or law enforcement, regardless of whether any compensation was paid for such databases.

(2) Each report shall include--

(A) a list of all contracts, memoranda of understanding, or other agreements entered into by the department or agency, or any other national security, intelligence, or law enforcement element under the jurisdiction of the department or agency for the

use of, access to, or analysis of databases that were obtained from or remain under the control of a non-Federal entity, or that contain information that was acquired initially by another department or agency of the Federal Government for purposes other than national security, intelligence, or law enforcement;

(B) the duration and dollar amount of such contracts;

(C) the types of data contained in the databases referred to in subparagraph (A);

(D) the purposes for which such databases are used, analyzed, or accessed;

(E) the extent to which such databases are used, analyzed, or accessed;

(F) the extent to which information from such databases is retained by the department or agency, or any national security, intelligence, or law enforcement element under the jurisdiction of the department or agency, including how long the information is retained and for what purpose;

(G) a thorough description, in unclassified form, of any methodologies being used or developed by the department or agency, or any intelligence or law enforcement element under the jurisdiction of the department or agency, to search, access, or analyze such databases;

(H) an assessment of the likely efficacy of such methodologies in identifying or locating criminals, terrorists, or terrorist groups, and in providing practically valuable predictive assessments of the plans, intentions, or capabilities of criminals, terrorists, or terrorist groups;

(I) a thorough discussion of the plans for the use of such methodologies;

(J) a thorough discussion of the activities of the personnel, if any, of the department or agency while assigned to the Terrorist Threat Integration Center; and

(K) a thorough discussion of the policies, procedures, guidelines, regulations, and laws, if any, that have been or will be applied in the access, analysis, or other use of the databases referred to in subparagraph (A), including--

(i) the personnel permitted to access, analyze, or otherwise use such databases;

(ii) standards governing the access, analysis, or use of such databases;

(iii) any standards used to ensure that the personal information accessed, analyzed, or used is the minimum necessary to accomplish the intended legitimate Government purpose;

(iv) standards limiting the retention and redisclosure of information obtained from such databases;

(v) procedures ensuring that such data meets standards of accuracy, relevance, completeness, and timeliness;

(vi) the auditing and security measures to protect against unauthorized access, analysis, use, or modification of data in such databases;

(vii) applicable mechanisms by which individuals may secure timely redress for any adverse consequences wrongfully incurred due to the access, analysis, or use of such databases;

(viii) mechanisms, if any, for the enforcement and independent oversight of existing or planned procedures, policies, or guidelines; and

(ix) an outline of enforcement mechanisms for accountability to protect individuals and the public against unlawful or illegitimate access or use of databases.

SEC. 4. GENERAL PROHIBITIONS.

(a) IN GENERAL- Notwithstanding any other provision of law, no department, agency, or other element of the Federal Government, or officer or employee of the Federal Government, may conduct a search or other analysis for national security, intelligence, or law enforcement purposes of a database based solely on a hypothetical scenario or hypothetical supposition of who may commit a crime or pose a threat to national security.

(b) CONSTRUCTION- The limitation in subsection (a) shall not be construed to endorse or allow any other activity that involves use or access of databases referred to in section 3(b)(2)(A).

SEC. 5. DEFINITIONS.

In this Act:

(1) APPROPRIATE COMMITTEES OF CONGRESS- The term `appropriate committees of Congress' means--

(A) the Select Committee on Intelligence and the Committee on the Judiciary of the Senate; and

(B) the Permanent Select Committee on Intelligence and the Committee on the Judiciary of the House of Representatives.

(2) DATABASE- The term `database' means any collection or grouping of information about individuals that contains personally identifiable information about individuals, such as individual's names, or identifying numbers, symbols, or other identifying particulars associated with individuals, such as fingerprints, voice prints, photographs, or other biometrics. The term does not include telephone directories or information publicly available on the Internet without fee.

(3) UNITED STATES PERSON- The term `United States person' has the meaning given that term in section 101(i) of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801(i)).

END