108th CONGRESS
2d Session
S. 2471
To regulate the transmission of personally identifiable information
to foreign affiliates and subcontractors
IN THE SENATE OF THE UNITED STATES
May 20, 2004
Mrs. CLINTON introduced the following bill; which was read twice and referred
to the Committee on the Judiciary
A BILL
To regulate the transmission of personally identifiable information
to foreign affiliates and subcontractors
Be it enacted by the Senate and House of Representatives of the United
States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the `Safeguarding Americans From Exporting Identification
Data Act' or the `SAFE-ID Act'.
SEC. 2. DEFINITIONS.
As used in this Act, the following definitions shall apply:
(1) BUSINESS ENTERPRISE- The term `business enterprise' means--
(A) any organization, association, or venture established to make a profit;
(B) any health care business;
(C) any private, nonprofit organization; or
(D) any contractor, subcontractor, or potential subcontractor of an entity
described in subparagraph (A), (B), or (C).
(2) HEALTH CARE BUSINESS- The term `health care business' means any business
enterprise or private, nonprofit organization that collects or retains personally
identifiable information about consumers in relation to medical care, including--
(B) health maintenance organizations;
(C) medical partnerships;
(D) emergency medical transportation companies;
(E) medical transcription companies;
(F) banks that collect or process medical billing information; and
(G) subcontractors, or potential subcontractors, of the entities described
in subparagraphs (A) through (F).
(3) PERSONALLY IDENTIFIABLE INFORMATION- The term `personally identifiable
information' includes information such as--
(C) financial information;
(H) social security number;
(I) mother's maiden name;
(K) state identification information; and
(L) driver's license number.
SEC. 3. TRANSMISSION OF INFORMATION.
(a) PROHIBITION- A business enterprise may not disclose personally identifiable
information regarding a resident of the United States to any foreign branch,
affiliate, subcontractor, or unaffiliated third party located in a foreign
country unless--
(1) the business enterprise provides the notice of privacy protections described
in sections 502 and 503 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802 and
6803) or required by the regulations promulgated pursuant to section 264(c)
of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C.
1320d-2 note), as appropriate;
(2) the business enterprise complies with the safeguards described in section
501(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801(b)), as appropriate;
(3) the consumer is given the opportunity, before the time that such information
is initially disclosed, to object to the disclosure of such information
to such foreign branch, affiliate, subcontractor, or unaffiliated third
party; and
(4) the consumer is given an explanation of how the consumer can exercise
the nondisclosure option described in paragraph (3).
(b) HEALTH CARE BUSINESSES- A health care business may not terminate an existing
relationship with a consumer of health care services in order to prevent the consumer
from objecting to the disclosure under subsection (a)(3).
(c) EFFECT ON BUSINESS RELATIONSHIP-
(1) NONDISCRIMINATION- A business enterprise may not discriminate against
or deny an otherwise qualified consumer a financial product or a health
care service because the consumer has objected to the disclosure under subsection
(a)(3).
(2) PRODUCTS AND SERVICES- A business enterprise shall not be required to
offer or provide a product or service through affiliated entities or jointly
with nonaffiliated business enterprises.
(3) INCENTIVES AND DISCOUNTS- Nothing in this subsection is intended to
prohibit a business enterprise from offering incentives or discounts to
elicit a specific response to the notice required under subsection (a).
(1) IN GENERAL- A business enterprise that knowingly and directly transfers
personally identifiable information to a foreign branch, affiliate, subcontractor,
or unaffiliated third party shall be liable to any person suffering damages
resulting from the improper storage, duplication, sharing, or other misuse
of such information by the transferee.
(2) CIVIL ACTION- An injured party under paragraph (1) may sue in law or
in equity in any court of competent jurisdiction to recover the damages
sustained as a result of a violation of this section.
(e) RULEMAKING- The Chairman of the Federal Trade Commission shall promulgate
regulations through which the Chairman may enforce the provisions of this
section and impose a civil penalty for a violation of this section.
SEC. 4. PRIVACY FOR CONSUMERS OF HEALTH SERVICES.
The Secretary of Health and Human Services shall revise the regulations promulgated
pursuant to section 264(c) of the Health Insurance Portability and Accountability
Act of 1996 (42 U.S.C. 1320d-2 note) to require a covered entity (as defined
under such regulations) that outsources protected health information (as defined
under such regulations) outside the United States to include in such entity's
notice of privacy protections--
(1) notification that the covered entity outsources protected health information
to business associates (as defined under such regulations) for processing
outside the United States;
(2) a description of the privacy laws of the country to which the protected
health information will be sent;
(3) any additional risks and consequences to the privacy and security of
protected health information that arise as a result of the processing of
such information in a foreign country;
(4) additional measures the covered entity is taking to protect the protected
health information outsourced for processing outside the United States;
(5) notification that the protected health information will not be outsourced
outside the United States if the consumer objects; and
(6) a certification that--
(A) the covered entity has taken reasonable steps to identify the locations
where protected health information is outsourced by such business associates;
(B) attests to the privacy and security of the protected health information
outsourced for processing outside the United States; and
(C) states the reasons for the determination by the covered entity that
the privacy and security of such information is maintained.
SEC. 5. PRIVACY FOR CONSUMERS OF FINANCIAL SERVICES.
Section 503(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6803(b)) is amended--
(1) in paragraph (3), by striking `and' after the semicolon;
(2) in paragraph (4), by striking the period at the end and inserting `;
and'; and
(3) by adding at the end the following:
`(5) if the financial institution outsources nonpublic personal information
outside the United States--
`(A) information informing the consumer in simple language--
`(i) that the financial institution outsources nonpublic personal information
to entities for processing outside the United States;
`(ii) of the privacy laws of the country to which nonpublic personal
information will be sent;
`(iii) of any additional risks and consequences to the privacy and security
of an individual's nonpublic personal information that arise as a result
of the processing of such information in a foreign country; and
`(iv) of the additional measures the financial institution is taking
to protect the nonpublic personal information outsourced for processing
outside the United States; and
`(B) a certification that--
`(i) the financial institution has taken reasonable steps to identify
the locations where nonpublic personal information is outsourced by
such entities;
`(ii) attests to the privacy and security of the nonpublic personal
information outsourced for processing outside the United States; and
`(iii) states the reasons for the determination by the institution that
the privacy and security of such information is maintained.'
SEC. 6. EFFECTIVE DATE.
This Act shall take effect on the expiration of the date which is 90 days
after the date of enactment of this Act.