The E-Privacy Act Amendments of 2009

A Bill

To amend section 552 of title 5a, United States Code, popularly known as the Privacy Act, the E-Government Act and related statutes to protect the privacy of personal information and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

Section 1. Short Title

This Act may be cited as the 'Electronic Privacy Act Amendments of 2009.'

Section 2. Findings and Purposes

(a) FINDINGS - The Congress finds that--

  1. the purpose of section 552 of title 5a, United States Code, popularly known as the Privacy Act, and related law and policy, is to provide certain safeguards for an individual against an invasion of personal privacy;
  2. since their enactment, the Privacy Act in 1974 and Section 208 of the E-Government Act in 2002, and related law and policy, have been a valuable means through which any person can learn how the Federal Government utilizes their personal information;

  3. the privacy policy of the Privacy Act in 1974 and Section 208 of the E-Government Act in 2002 has ensured that the Federal Government utilizes the information in a manner that helps protect a citizen's constitutional right to privacy and protect against unwarranted invasions into the private lives of the public;

  4. government agencies increasingly use complex databases and related software tools to conduct agency business and to store personal information of individuals; and

  5. in order to protect the privacy of individuals in information systems maintained by federal agencies, it is necessary to ensure that US privacy policy keeps up with technical advances.

(b) PURPOSES - The purposes of this Act are to--

  1. create and sustain privacy leadership in the federal government;
  2. ensure that agencies collect, maintain, use or disseminate any record of identifiable personal information in a manner that assures that such action is for a necessary and lawful purpose, that the information is current and accurate for its intended use, and that adequate safeguards are provided to prevent the misuse of such information;

  3. permit exemptions from such requirements with respect to records provided only in cases where there is an important public policy need for such exemption as has been determined by specific statutory authority;
  4. ensure that the civil protections afforded to individuals include the ability to recover damages in cases where emotional damages are clear when a willful or intentional action has occurred that violates individual rights under the Privacy Act; and
  5. ensure that agencies are disclosing information about their information collection practices in a timely and meaningful manner.

Title I (Creation of Privacy Leadership)

Section 101. Government-Wide Chief Privacy Officer (CPO)

(a) IN GENERAL. — The President shall designate a senior official within the Office of Management and Budget as the Chief Privacy Officer, who shall manage internal privacy policy throughout all federal government agencies.

(b) Agency Information-

  1. The head of each agency shall provide to the OMB Chief Privacy Officer such information as the OMB Chief Privacy Officer considers necessary.
  2. The OMB Chief Privacy Officer may:
    1. exempt agencies or components of agencies from the entities covered by this Act; and
    2. recommend to the agency head that chief privacy officers be established in components of agencies, which at a minimum must include considering whether to make this recommendation for the Internal Revenue Service within Treasury, the Census Bureau within the Department of Commerce, and the Federal Emergency Management Agency and Customs and Border Protection within the Department of Homeland Security.
    3. Exemptions and recommendations made under (b)(2) above should have a rationale based on the nature and extent of systems of records issues under the Privacy Act of 1974, personnel data processing and practices, and other relevant matters.

(c) The OMB Chief Privacy Officer shall coordinate with the Civil Liberties Board established in the Intelligence Reform Act of 2004.

(d) The OMB Chief Privacy Officer shall issue guidance to agencies to implement this Act within 9 months of the passage of this Act and shall update guidance on implementing the Privacy Act (5 U.S.C. Section 552a) and Section 208 of the E-Government Act of 2002 (44 U.S.C. 3501 note) at least every 7 years after.

(e) The OMB Chief Privacy Officer shall issue a report to Congress on the implementation of this Act 12 months and 24 months after appointment and then every 5 years.

Section 102. CPOs at all Major Agencies

In General.—Section 1062 of the National Security Intelligence Reform Act of 2004 (title I of Public Law 108-458; 118 Stat. 3688) is amended to read as follows: 'SEC. 1062. PRIVACY AND CIVIL LIBERTIES OFFICERS (42 USC 2000ee-1).

(a) All Executive branch Departments and major agencies shall have a Chief Privacy Officer. Other agencies may be designated by: (i) the head of that department, agency, or element of the executive branch; (ii) the CPO of OMB; or (iii) the Privacy and Civil Liberties Oversight Board under section 1061.

Section 103. Creation of CPO Council headed by the Government-Wide CPO

(a) ESTABLISHMENT.—There is established in the executive branch a Chief Privacy Officers Council (in this section referred to as the 'Council').

(b) MEMBERSHIP.—The members of the Council shall be as follows:

  1. The Chief Privacy Officer of the Office of Management and Budget, who shall act as chairperson of the Council.
  2. The Administrator of the Office of Electronic Government of the Office of Management and Budget.
  3. The Chief Privacy Officer of each agency described under section 1062 of 42 USC 2000ee-1
  4. The Executive Director of the Privacy and Civil Liberties Oversight Board
  5. Any other officer or employee of the United States designated by the chairperson.

(c) CO-CHAIRPERSONS AND VICE CHAIRPERSONS.—

  1. The Administrator of the Office of Electronic Government of the Office of Management and Budget shall act as co-chairperson of the Council.
  2. The vice chairperson of the Council shall be selected by the Council from among its members. The vice chairperson shall serve a 1-year term and may serve multiple terms. The vice chairperson shall serve as a representative on the Chief Information Officer Council.

(d) ADMINISTRATIVE SUPPORT.—The Administrator of General Services shall provide administrative and other support for the Council.

(e) FUNCTIONS.—

  1. The Council shall be the principal interagency forum for establishing best practices for agency privacy policy.
  2. The Council shall—
    1. share experiences and innovative approaches relating to information sharing and security best practices, common penetration testing regimes, and incident response mitigation;
    2. promote the development and use of common performance measures for agency information security;
    3. develop certification and accreditation processes and privacy audit process by establishing more effective and efficient methods and best practices; and
    4. submit proposed enhancements to the Office of Management and Budget.


Title II (Amendments to the Privacy Act of 1974)

Section 201. Definition of system of records

Section 552a(a) of title 5, United States Code, is amended as follows—

In (5) by striking 'from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual';

Section 202. Clarifying uses and sharing of records

(a) Principal and secondary uses. Section 552a(a) of title 5, United States Code, is amended as follows—

strike (7) and insert —

(7) 'the term "principal use" means a use of a record that is explicitly necessary for the program as authorized, either in legislation or Executive Order of the President.

(8) the term “secondary use” means a use of a record that is explicitly necessary for a program that is authorized either in legislation or Executive Order of the President but not under the authority of the program for which the information was originally collected.

(b) Internal and external sharing. Section 552a(a) of title 5, United States Code, is amended as follows—

Insert — (9) The term “Internal Sharing” means the disclosure of a record that is contained in a system of records to any person or organization within the government entity that created the record.

(10) The term “External Sharing” means the disclosure of any record that is contained in a system of records by any means of communication to any person, or to another agency outside of the entity that created the record.

(re-number this section accordingly)

Section 203. Amendments to conditions of disclosure

Section 552a(b) of title 5, United States Code, is amended as follows —

(1) by striking “disclose any record which is contained in a system of records by any means of communication to any person, or to another agency” in the first sentence and inserting “engage in internal or external sharing”.

(2) in (3) striking ‘routine use’ and inserting ‘secondary purpose’ and striking the number ‘7’ and inserting the number ‘8’

(3) in (6) inserting ‘or for records management inspections’ at the end

(4) in (9) inserting ‘or, to a congressional office when that office is acting in response to a request of a particular individual in writing’ at the end

Section 204. Amendments to improve notification

(a) Section 552a(e)(3) of title 5, United States Code, is amended as follows —

(1) in (B) striking 'purpose or purposes' and inserting 'use or uses'

(2) in (C) striking 'the routine uses which' and inserting 'all secondary uses that'

(b) Section 552a(e) of title 5, United States Code, is amended as follows —

'(13) define, to the greatest extent practicable, the number and scope of its systems of records in a manner that fairly describes its activities to individuals. An agency shall, to the extent practicable, include in the same system of records activities that relate to the same program and that have the same principal uses.

(c) Section 552a(e)(4) of title 5, United States Code, is amended as follows —

(1) insert ', and on a centralized Website maintained by the office of the OMB Chief Privacy Officer,' after the word 'Register'

(2) strike (D) and insert

'(D) the principal use or uses for which the information may be utilized and the legal authority for this use, whether granted by statute, or by Executive Order of the President, with a description of all possible internal or external sharing for these uses including a list of entities with whom the information may be shared and the categories of information that may be shared;' and

'(E) the secondary uses for which the information may be utilized and the legal authority for this use, whether granted by statute, or by Executive Order of the President, with a description of all possible internal or external sharing for these uses including a list of entities with whom the information may be shared and the categories of information that may be shared;'

(re-number this section accordingly)

Section 205. Liquidated Damages and Coverage of Negligent Violations

(a) Amend 552a(g)(4)(A) to read as follows:

"(A) actual damages sustained by the individual as a result of the refusal or failure or the sum of $1,000, whichever is greater, except that in a class action, the minimum recovery for each individual shall be reduced as necessary to ensure that the total recovery in any class action or series of class actions arising out of the same refusal or failure to comply by the same agency shall not be more than $10,000,000; and".

(b) Amend 552a(g) by adding a new paragraph (6)

"(6) (A) In any suit brought under the provisions of subsection (g)(1)(C) or (D) of this section, the court may order the agency to comply with the provisions of this section or any rule promulgated thereunder and to take other remedial action. In such a case the court shall determine the matter de novo.

"(B) The court may assess against the United States reasonable attorney fees and other litigation costs reasonably incurred in any case under this paragraph in which the complainant has substantially prevailed."

Title III (Amendments to Section 208 of the E-Government Act of 2002)

Section 301. Best Practices for PIAs

Section 208(b)(3) of the E-Government Act of 2002 (44 U.S.C. 3501 note) is amended--

  1. in subparagraph (B), by striking 'and' at the end;
  2. in subparagraph (C), by striking the period and inserting '; and'; and
  3. by adding at the end the following: (D) develop best practices for agencies to follow in conducting privacy impact assessments.

Section 302. Privacy Impact Assessment of Federal Government Employee Systems

Section 208 (b)(1)(A)(ii) of the E-Government Act of 2002 (44 U.S.C. 3501 note) is amended--

(II) by striking ', other than agencies, instrumentalities, or employees of the Federal Government.' at the end;

Section 303. Privacy Impact Assessment of Government Use of Commercial Information Services Containing Personal Information.

(a) In General — Section 208(b)(1)(A) of the E-Government Act of 2002 (44 U.S.C. 3501 note) is amended—

(1) in clause (i), by striking 'or' after the semicolon;

(2) in clause (ii), by striking the period and inserting '; or'; and

(3) by adding after clause (ii) the following:

(iii) systematically using personally identifiable information purchased from, or subscribed to, for a fee from a commercial data source.

(b) Definition of Personally Identifiable Information.—Section 208 of the E-Government Act of 2002 (44 U.S.C. 3501 note) is amended by striking subsection (d) and inserting the following:

(d) DEFINITIONS.—In this section—

(1) the term 'identifiable form' means any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means; and

(2) the term 'personally identifiable information' means any information, or compilation of information, in electronic or digital form comprising information are in identifiable form.

Section 304. Role of OMB Chief Privacy Officer in Implementing the E-Government Act

Section 208 of the E-Government Act of 2002 (44 U.S.C. 3501 note) is amended by striking 'director' in:

  1. both instances in subsection (b)(1)(D),
  2. subsection (b)(2)(A),
  3. both instances in subsection (b)(3),
  4. subsection (b)(3)(C),
  5. subsection (c)(1)(A), and
  6. subsection (c)(2)

and inserting 'OMB Chief Privacy Officer' in all instances.