Safeguarding Americans From Exporting Identification Data (SAFE-ID) Act - Prohibits business enterprises from disclosing personally identifiable information regarding U.S. residents to any branch, affiliate, subcontractor, or unaffiliated third party located in a foreign country unless: (1) the business enterprise provides notice of privacy protections and complies with safeguards described in specified Federal laws; (2) the consumer is given the opportunity to object prior to such disclosure; and (3) the consumer is given an explanation of how to exercise the nondisclosure option.
Prohibits: (1) health care businesses from terminating existing relationships with consumers to avoid objections to disclosure; and (2) business enterprises from discriminating against otherwise qualified consumers of financial products or health care services due to such objections.
Makes business enterprises that knowingly and directly transfer personally identifiable information to foreign entities liable to persons suffering damages due to the misuse of that information. Authorizes injured parties to file civil actions for violations of the information transmission provisions of this Act.
Requires the Secretary of Health and Human Services to revise existing regulations to require covered entities that outsource protected health information to a foreign country to include certain information relating to outsourcing in such entity's privacy protection notices. Amends the Gramm-Leach-Bliley Act to require the inclusion of similar information in privacy protection notices for consumers of financial services.
[Congressional Bills 108th Congress]
[From the U.S. Government Publishing Office]
[S. 2471 Introduced in Senate (IS)]
2d Session
S. 2471
To regulate the transmission of personally identifiable information to
foreign affiliates and subcontractors
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
May 20, 2004
Mrs. Clinton introduced the following bill; which was read twice and
referred to the Committee on the Judiciary
_______________________________________________________________________
A BILL
To regulate the transmission of personally identifiable information to
foreign affiliates and subcontractors
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Safeguarding Americans From
Exporting Identification Data Act'' or the ``SAFE-ID Act''.
SEC. 2. DEFINITIONS.
As used in this Act, the following definitions shall apply:
(1) Business enterprise.--The term ``business enterprise''
means--
(A) any organization, association, or venture
established to make a profit;
(B) any health care business;
(C) any private, nonprofit organization; or
(D) any contractor, subcontractor, or potential
subcontractor of an entity described in subparagraph
(A), (B), or (C).
(2) Health care business.--The term ``health care
business'' means any business enterprise or private, nonprofit
organization that collects or retains personally identifiable
information about consumers in relation to medical care,
including--
(A) hospitals;
(B) health maintenance organizations;
(C) medical partnerships;
(D) emergency medical transportation companies;
(E) medical transcription companies;
(F) banks that collect or process medical billing
information; and
(G) subcontractors, or potential subcontractors, of
the entities described in subparagraphs (A) through
(F).
(3) Personally identifiable information.--The term
``personally identifiable information'' includes information
such as--
(A) name;
(B) postal address;
(C) financial information;
(D) medical records;
(E) date of birth;
(F) phone number;
(G) e-mail address;
(H) social security number;
(I) mother's maiden name;
(J) password;
(K) state identification information; and
(L) driver's license number.
SEC. 3. TRANSMISSION OF INFORMATION.
(a) Prohibition.--A business enterprise may not disclose personally
identifiable information regarding a resident of the United States to
any foreign branch, affiliate, subcontractor, or unaffiliated third
party located in a foreign country unless--
(1) the business enterprise provides the notice of privacy
protections described in sections 502 and 503 of the Gramm-
Leach-Bliley Act (15 U.S.C. 6802 and 6803) or required by the
regulations promulgated pursuant to section 264(c) of the
Health Insurance Portability and Accountability Act of 1996 (42
U.S.C. 1320d-2 note), as appropriate;
(2) the business enterprise complies with the safeguards
described in section 501(b) of the Gramm-Leach-Bliley Act (15
U.S.C. 6801(b)), as appropriate;
(3) the consumer is given the opportunity, before the time
that such information is initially disclosed, to object to the
disclosure of such information to such foreign branch,
affiliate, subcontractor, or unaffiliated third party; and
(4) the consumer is given an explanation of how the
consumer can exercise the nondisclosure option described in
paragraph (3).
(b) Health Care Businesses.--A health care business may not
terminate an existing relationship with a consumer of health care
services to avoid the consumer from objecting to the disclosure under
subsection (a)(3).
(c) Effect on Business Relationship.--
(1) Nondiscrimination.--A business enterprise may not
discriminate against or deny an otherwise qualified consumer a
financial product or a health care service because the consumer
has objected to the disclosure under subsection (a)(3).
(2) Products and services.--A business enterprise shall not
be required to offer or provide a product or service through
affiliated entities or jointly with nonaffiliated business
enterprises.
(3) Incentives and discounts.--Nothing in this subsection
is intended to prohibit a business enterprise from offering
incentives or discounts to elicit a specific response to the
notice required under subsection (a).
(d) Liability.--
(1) In general.--A business enterprise that knowingly and
directly transfers personally identifiable information to a
foreign branch, affiliate, subcontractor, or unaffiliated third
party shall be liable to any person suffering damages resulting
from the improper storage, duplication, sharing, or other
misuse of such information by the transferee.
(2) Civil action.--An injured party under paragraph (1) may
sue in law or in equity in any court of competent jurisdiction
to recover the damages sustained as a result of a violation of
this section.
(e) Rulemaking.--The Chairman of the Federal Trade Commission shall
promulgate regulations through which the Chairman may enforce the
provisions of this section and impose a civil penalty for a violation
of this section.
SEC. 4. PRIVACY FOR CONSUMERS OF HEALTH SERVICES.
The Secretary of Health and Human Services shall revise the
regulations promulgated pursuant to section 264(c) of the Health
Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d-2
note) to require a covered entity (as defined under such regulations)
that outsources protected health information (as defined under such
regulations) outside the United States to include in such entity's
notice of privacy protections--
(1) notification that the covered entity outsources
protected health information to business associates (as defined
under such regulations) for processing outside the United
States;
(2) a description of the privacy laws of the country to
which the protected health information will be sent;
(3) any additional risks and consequences to the privacy
and security of protected health information that arise as a
result of the processing of such information in a foreign
country;
(4) additional measures the covered entity is taking to
protect the protected health information outsourced for
processing outside the United States;
(5) notification that the protected health information will
not be outsourced outside the United States if the consumer
objects; and
(6) a certification that--
(A) the covered entity has taken reasonable steps
to identify the locations where protected health
information is outsourced by such business associates;
(B) attests to the privacy and security of the
protected health information outsourced for processing
outside the United States; and
(C) states the reasons for the determination by the
covered entity that the privacy and security of such
information is maintained.
SEC. 5. PRIVACY FOR CONSUMERS OF FINANCIAL SERVICES.
Section 503(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6803(b)) is
amended--
(1) in paragraph (3), by striking ``and'' after the
semicolon;
(2) in paragraph (4), by striking the period at the end and
inserting ``; and''; and
(3) by adding at the end the following:
``(5) if the financial institution outsources nonpublic
personal information outside the United States--
``(A) information informing the consumer in simple
language--
``(i) that the financial institution
outsources nonpublic personal information to
entities for processing outside the United
States;
``(ii) of the privacy laws of the country
to which nonpublic personal information will be
sent;
``(iii) of any additional risks and
consequences to the privacy and security of an
individual's nonpublic personal information
that arise as a result of the processing of
such information in a foreign country; and
``(iv) of the additional measures the
financial institution is taking to protect the
nonpublic personal information outsourced for
processing outside the United States; and
``(B) a certification that--
``(i) the financial institution has taken
reasonable steps to identify the locations
where nonpublic personal information is
outsourced by such entities;
``(ii) attests to the privacy and security
of the nonpublic personal information
outsourced for processing outside the United
States; and
``(iii) states the reasons for the
determination by the institution that the
privacy and security of such information is
maintained.''
SEC. 6. EFFECTIVE DATE.
This Act shall take effect on the expiration of the date which is
90 days after the date of enactment of this Act.
<all>
Introduced in Senate
Read twice and referred to the Committee on the Judiciary.