Introduced by: Clinton
April 4, 2004

“A bill to regulate the transmission of personally identifiable information to foreign affiliates and subcontractors.”

http://thomas.loc.gov/cgi-bin/bdquery/z?d108:s.02312:

Congressional Research Service Summary
4/8/2004–Introduced.

Safe-ID Act - Authorizes a business to transmit personally identifiable information regarding a U.S. citizen to any foreign affiliate or subcontractor located in a country certified by the Federal Trade Commission (FTC) as having adequate privacy protection for such information. Prohibits such business from transmitting such information to an affiliate or subcontractor in a country without such privacy protection unless: (1) the business discloses to the citizen that the country does not have such privacy protection; (2) the business obtains the citizen’s consent to transmit such information; and (3) the consent is renewed by the citizen within one year before the information is transmitted. Provides liability for businesses improperly transmitting such information.

Makes any business or organization that collects or retains personally identifiable health care information about consumers (health care business) liable for any damages caused by improper storage, duplication, sharing, or other misuse of such information by the health care business or any foreign affiliate or subcontractor that received such information. Prohibits a health care business from terminating an existing relationship with a consumer of health care services in order to avoid the consent requirement.

Directs the FTC to certify, and make a list of, those countries that have legal systems that provide adequate privacy protection for such information.

Introduced by: Markey
May 13, 2004

“To prohibit the transfer of personal information to any person outside the United States, without notice and consent, and for other purposes.”
http://thomas.loc.gov/cgi-bin/bdquery/z?d108:h.r.04366:

Congressional Research Service Summary
5/13/2004–Introduced.
Personal Data Offshoring Protection Act of 2004 - Requires business enterprises to give U.S. citizens notice before transmitting personally identifiable information about such citizens to foreign affiliates or subcontractors located in countries with (without?) adequate privacy protections. Prohibits such transmittal where adequate privacy protections are lacking, unless: (1) the business enterprise discloses the lack of protections and obtains the citizen’s prior consent for transmittal; and (2) such consent is renewed by the citizen within one year before the transmittal.

Prohibits business entities from denying goods and services or modifying business terms for any person based on that person’s exercise of consent rights provided by this Act or other law.

Requires violations of this Act to be treated as unfair or deceptive acts or practices under the Federal Trade Commission Act.

Creates a private right of action in State court for violations of this Act. Authorizes States, on behalf of their residents, to bring civil actions in Federal court for such violations. Requires prior notice to the Federal Trade Commission (FTC) of State actions and authorizes the FTC’s intervention and appeal.

Directs the FTC to certify those countries that have legal systems providing adequate privacy protections. Creates a presumption of inadequacy for foreign laws that are less protective of privacy than Federal law or the law of any State, or where the FTC determines that enforcement is lacking. Requires certification of countries whose laws meet the requirements of the European Union Data Protection Directive, unless such laws are not adequately enforced.