As shown in Canadian privacy litigation in late 2005, Canadian individuals do not have the right to opt out of foreign processing, and their remedy is to not disclose PII to merchants, which may require cessation of business with that merchant.

This proposed U.S. legislation has not been adopted yet. 

    - W. Bierce, 2/25/2006

S.810
Title: A bill to regulate the transmission of personally identifiable information to foreign affiliates and subcontractors.
Sponsor: Sen Clinton, Hillary Rodham [NY] (introduced 4/14/2005)      Cosponsors (None)
Related Bills: H.R.1653
Latest Major Action: 4/14/2005 Referred to Senate committee. Status: Read twice and referred to the Committee on the Judiciary.
as of Feb. 25, 2006

SAFE-ID Act (Introduced in Senate)
S 810 IS

April 14, 2005

Mrs. CLINTON introduced the following bill; which was read twice and referred to the Committee on the Judiciary

To regulate the transmission of personally identifiable information to foreign affiliates and subcontractors

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the `Safeguarding Americans From Exporting Identification Data Act' or the `SAFE-ID Act'.

SEC. 2. DEFINITIONS.

As used in this Act:
(1) BUSINESS ENTERPRISE- The term `business enterprise' means--
(A) any organization, association, or venture established to make a profit;
(B) any health care business;
(C) any private, nonprofit organization; or
(D) any contractor, subcontractor, or potential subcontractor of an entity described in subparagraph (A), (B), or (C).
(2) HEALTH CARE BUSINESS- The term `health care business' means any business enterprise or private, nonprofit organization that collects or retains personally identifiable information about consumers in relation to medical care, including--
(A) hospitals;
(B) health maintenance organizations;
(C) medical partnerships;
(D) emergency medical transportation companies;
(E) medical transcription companies;
(F) banks that collect or process medical billing information; and
(G) subcontractors, or potential subcontractors, of the entities described in subparagraphs (A) through (F).
(3) PERSONALLY IDENTIFIABLE INFORMATION- The term `personally identifiable information' includes information such as--
(A) name;
(B) postal address;
(C) financial information;
(D) medical records;
(E) date of birth;
(F) phone number;
(G) e-mail address;
(H) social security number;
(I) mother's maiden name;
(J) password;
(K) state identification information; and
(L) driver's license number.

SEC. 3. TRANSMISSION OF INFORMATION.

(a) Prohibition- A business enterprise may not disclose personally identifiable information regarding a resident of the United States to any foreign branch, affiliate, subcontractor, or unaffiliated third party located in a foreign country unless--

(1) the business enterprise provides the notice of privacy protections described in sections 502 and 503 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802 and 6803) or required by the regulations promulgated pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d-2 note), as appropriate;

(2) the business enterprise complies with the safeguards described in section 501(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801(b)), as appropriate;

(3) the consumer is given the opportunity, before the time that such information is initially disclosed, to object to the disclosure of such information to such foreign branch, affiliate, subcontractor, or unaffiliated third party; and

(4) the consumer is given an explanation of how the consumer can exercise the nondisclosure option described in paragraph (3).

(b) Health Care Businesses- A health care business may not terminate an existing relationship with a consumer of health care services to avoid the consumer from objecting to the disclosure under subsection (a)(3).

(c) Effect on Business Relationship-

(1) NONDISCRIMINATION- A business enterprise may not discriminate against or deny an otherwise qualified consumer a financial product or a health care service because the consumer has objected to the disclosure under subsection (a)(3).

(2) PRODUCTS AND SERVICES- A business enterprise shall not be required to offer or provide a product or service through affiliated entities or jointly with nonaffiliated business enterprises.
(3) INCENTIVES AND DISCOUNTS- Nothing in this subsection is intended to prohibit a business enterprise from offering incentives or discounts to elicit a specific response to the notice required under subsection (a).
(d) Liability-
(1) IN GENERAL- A business enterprise that knowingly and directly transfers personally identifiable information to a foreign branch, affiliate, subcontractor, or unaffiliated third party shall be liable to any person suffering damages resulting from the improper storage, duplication, sharing, or other misuse of such information by the transferee.

(2) CIVIL ACTION- An injured party under paragraph (1) may sue in law or in equity in any court of competent jurisdiction to recover the damages sustained as a result of a violation of this section.
(e) Rulemaking- The Chairman of the Federal Trade Commission shall promulgate regulations through which the Chairman may enforce the provisions of this section and impose a civil penalty for a violation of this section.

SEC. 4. PRIVACY FOR CONSUMERS OF HEALTH SERVICES.

The Secretary of Health and Human Services shall revise the regulations promulgated pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d-2 note) to require a covered entity (as defined by such regulations) that outsources protected health information (as defined by such regulations) outside the United States to include in such entity's notice of privacy protections--
(1) notification that the covered entity outsources protected health information to business associates (as defined by such regulations) for processing outside the United States;

(2) a description of the privacy laws of the country to which the protected health information will be sent;

(3) any additional risks and consequences to the privacy and security of protected health information that arise as a result of the processing of such information in a foreign country;

(4) additional measures the covered entity is taking to protect the protected health information outsourced for processing outside the United States;
(5) notification that the protected health information will not be outsourced outside the United States if the consumer objects; and
(6) a certification that--
(A) the covered entity has taken reasonable steps to identify the locations where protected health information is outsourced by such business associates;
(B) attests to the privacy and security of the protected health information outsourced for processing outside the United States; and
(C) states the reasons for the determination by the covered entity that the privacy and security of such information is maintained.

SEC. 5. PRIVACY FOR CONSUMERS OF FINANCIAL SERVICES.

Section 503(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6803(b)) is amended--
(1) in paragraph (3), by striking `and' after the semicolon;
(2) in paragraph (4), by striking the period at the end and inserting `; and'; and
(3) by adding at the end the following:
`(5) if the financial institution outsources nonpublic personal information outside the United States--
`(A) information informing the consumer in simple language--
`(i) that the financial institution outsources nonpublic personal information to entities for processing outside the United States;
`(ii) of the privacy laws of the country to which nonpublic personal information will be sent;
`(iii) of any additional risks and consequences to the privacy and security of an individual's nonpublic personal information that arise as a result of the processing of such information in a foreign country; and
`(iv) of the additional measures the financial institution is taking to protect the nonpublic personal information outsourced for processing outside the United States; and
`(B) a certification that--
`(i) the financial institution has taken reasonable steps to identify the locations where nonpublic personal information is outsourced by such entities;
`(ii) attests to the privacy and security of the nonpublic personal information outsourced for processing outside the United States; and
`(iii) states the reasons for the determination by the institution that the privacy and security of such information is maintained.'.

SEC. 6. EFFECTIVE DATE.

This Act shall take effect on the expiration of the date which is 90 days after the date of enactment of this Act.