Imagine surfing the Internet and seeing your personal medical records or financial information online.
A few Indian and Pakistani workers last year threatened to post on the Internet medical records of U.S. citizens they had transcribed for U.S.-based organizations unless their demands for payment were met, according to news reports.
Although the workers never followed through on their threats, the incidents underscored the potential for information identifying U.S. citizens to be misused in other countries.
Rep. Edward Markey (D-Mass.) introduced a bill last month in the House of Representatives to provide U.S. citizens a layer of protection against these worst-case scenarios. The Personal Data Offshoring Protection Act of 2004 (HR 4366) would prohibit the transfer of information identifying U.S. citizens to anyone outside the United States without citizens being notified first.
Personally identifiable information covered by the new bill includes medical records, financial information, Social Security numbers, names, and addresses.
The transmitting organizations would also have to notify U.S. citizens that they can object to the transmission of their personal information to foreign countries, the legislation states.
The notification requirements apply to countries outside the United States that have adequate privacy protections.
Within six months of the date the bill is enacted, the Federal Trade Commission would develop regulations to certify countries with legal systems that adequately protect personally identifiable information, the legislation states.
The bill defines adequate protections as equal to or greater than those provided by U.S. federal or state laws. The list of countries would be made available to the general public.
If the foreign country doesn't meet this standard, the U.S. organization would be barred from transmitting personal information identifying U.S. citizens, unless these conditions are met:
• The organization discloses to the citizen that the country receiving the personal information lacks adequate privacy protections.
• The organization already has the citizen's consent to transmit personal information to foreign workers.
• The consent is renewed by the citizen within one year before such personal information is transmitted.
If violations of the act or federal regulations occurred, citizens would be able to file suit in state court for the actual monetary loss from such a violation or receive $10,000 per violation in damages, whichever is greater.
The Personal Data Offshoring Protection Act of 2004 (HR 4366) was referred to the House Committee on Energy and Commerce last month. A similar amendment to a Senate finance bill by Sen. Hillary Rodham Clinton (D-N.Y.) in March was not approved by the Senate.
The House bill can be accessed online at <http://thomas.loc.gov> by searching on the bill number, HR 4366.