Implementing the Privacy Act of 1974

AGENCY:

Federal Communications Commission.

ACTION:

Proposed rule.

SUMMARY:

In this document, the Federal Communications Commission (Commission) seeks comment on revisions to the Commission's rules implementing the Privacy Act of 1974. To evolve with developments in the law and the directives from governmental bodies, the Commission proposes to update and improve its privacy rules.

DATES:

Comments due on May 5, 2021; reply comments due on June 4, 2021.

ADDRESSES:

You may submit comments, identified by GN Docket No 21-79, by any of the following methods:

Federal Communications Commission's Website: https://www.fcc.gov/ecfs/. Follow the instructions for submitting comments.

People With Disabilities: Contact the FCC to request reasonable accommodations (accessible format documents, sign language interpreters, CART, etc.) by email: FCC504@fcc.gov or phone: 202-418-0530 or TTY: 202-418-0432.

FOR FURTHER INFORMATION CONTACT:

Bahareh Moradi, Office of General Counsel, at Bahareh.Moradi@fcc.gov or 202-418-1700.

SUPPLEMENTARY INFORMATION:

This is a summary of the Commission's Notice of Proposed Rulemaking in GN Docket No. 21-79; FCC 21-30, adopted on March 3, 2021, and released on March 4, 2021. The complete text of this document can be located on the FCC website at https://docs.fcc.gov/public/attachments/FCC-21-30A1.pdf.

Synopsis

1. We propose revisions to the current rules to reflect amendments to the Privacy Act, Federal case law, OMB guidance, and the FCC's current practices. Most notably, we propose amendments to our rules that will update them to account for the developments described above. Because these changes are scattered throughout our current Privacy Act rules, we proceed to discuss each change in this section in the order that the change appears in our revised rules.

A. Section 0.551—Purpose and Scope: Definitions

2. We first propose several updates to the purpose and definition provisions of the Commission's Privacy Act Rules, which are currently codified in § 0.551. The current text states, in part, that the purpose of the subpart is to implement the Privacy Act, and “to protect the rights of the individual in the accuracy and privacy of information concerning him which is contained in Commission records.” To clarify our rules, we propose a more concrete and descriptive statement of purpose. Our proposed amendment would explain that the purpose of the subpart is to establish procedures that individuals may follow to exercise their right to access and request amendment of their records under the Privacy Act.

3. We also propose several updates to § 0.551(b), which defines the terms “Individual,” “Record,” “System of Records,” “Routine Use,” and “System Manager.” We propose to amend the definition of “System of Records,” which is currently defined as “a group of records under the control of the Commission from which information is retrievable by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual,” to add the word “any” before “records under the control of the Commission.” In addition to more closely matching the statutory language, we believe that this change may better signal to the public the broad category of records that requesters may seek.

4. Current rules define “System Manager” as “the Commission official responsible for the storage, maintenance, safekeeping, and disposal of a system of records.” To conform this definition with the Commission's current practices and terminology, we propose to replace the term with “Privacy Analyst.” Under current practices, all Privacy Act requests submitted to the FCC are handled in the first instance by a Privacy Analyst in the Office of General Counsel, rather than by the managers or owners of any particular system of records. A Privacy Analyst coordinates with the system owner to search for, collect, and then produce responsive records. The Privacy Analyst serves as the interface between Privacy Act requesters and the Commission, and generally signs correspondence related to Privacy Act requests. Our proposed amendment would formalize that role in our rules, defining the “Privacy Analyst” as a Commission official responsible for processing and responding to requests by individuals to be notified of, to access, or to amend records pertaining to them that are maintained in the FCC's systems of records.

5. Finally, we propose adding a new paragraph defining the position of the Commission's Senior Agency Official for Privacy. Following a requirement that became law as part of the Consolidated Appropriations Act of 2005, OMB required agencies to identify to OMB “the senior official who has the overall agency-wide responsibility for information privacy issues.” Following Executive Order 13719, OMB updated and broadened the responsibilities of the Senior Agency Official for Privacy in 2016 guidance. Consistent with this requirement, the FCC has designated a Senior Agency Official for Privacy since 2005. We seek comment on these definitional changes.

B. Sections 0.552—Notices Identifying Commission Systems of Records and 0.553—New Uses of Information

6. We next propose to update and streamline the Commission's rule requiring the publication of a “system of records notice” and the Commission's rule about the publication of each new routine use of an existing system of records. Our proposals reflect guidance issued by OMB following the passage of the Privacy Act, and streamline the rules in a manner that provides the Commission greater flexibility to adjust its practices consistent with evolving governmentwide practice, while still ensuring that the Commission adheres to the Privacy Act's requirement that the Commission notify the public of the establishment of and updates to its systems of records.

7. The current rule under § 0.552 explains how the Commission complies with the Privacy Act's requirement that agencies publish “a notice of the existence and character” of their systems of records. The rule recites the statutorily required elements of such a notice, including the routine uses for the information within the system of records, as well as the Act's requirement that an agency publish notices in the Federal Register. We note that the Act does not require agencies to issue rules parroting the statutory requirement, as the Commission's current rule does, and that OMB has since updated guidance further clarifying the elements required in a system of records notice, including the enumerated routine uses. For example, OMB guidance requires federal agencies to follow specific templates for new, modified, or rescinded systems of records notices that our outdated rules do not describe.

8. Section 0.553 of the rules describes the procedure the Commission follows to publish a new routine use of an existing system of records. Under the Act, an agency can define certain “routine use[s]” of information such that disclosure of a record may be made without the consent of the data subject. To be permissible, a routine use must be compatible with the purpose for which a record was collected, and must be published in a system of records notice with a 30-day comment period. The current Commission rule contemplates publishing a standalone notice of only the new routine use, rather than republishing the entire notice along with a description of the routine use. In current practice, however, when the Commission makes significant changes to its published system of records notices (such as adding one or more routine uses), it re-publishes for comment the entire notice, not just the revised portion containing the changes, and highlights the changes so that they may easily be recognized by the public. This makes it easier for the public to understand what changes the Commission is taking. This approach is also consistent with current OMB guidance; in Circular A-108, agencies are “strongly encouraged to publish all routine uses applicable to a system of records in a single Federal Register notice for that system.”

9. Because OMB's updated guidance seems to make stale the procedures recited in our rules, and because it is unnecessary for the Commission to codify these statutory requirements, we propose to combine these two sections into a single rule stating simply that upon establishment, rescission, or revision of a system of records, including the establishment of a new routine use of a system of records, the Commission will publish in the Federal Register the notice required by 5 U.S.C. 552a(e). The proposed rule would therefore alert the public to the existence of system of records notices but would not prescribe the elements of a notice. At best, codifying a description of the requirements of a notice that may become outdated or incomplete seems to be unnecessary under the Privacy Act, and to otherwise serve little purpose, given that the obligation to publish these notices rests on the Commission, and not the public. At worst, codifying these requirements is misleading, insofar as governmentwide guidance on the required elements of a system of records notice may evolve more quickly than the Commission's rules reciting these requirements. We seek comment on this proposal. Is there any utility to retaining the detail regarding system of records notices included in the current text of our rules that outweigh the arguments for streamlining? Alternatively, would a better approach be to delete and reserve §§ 0.552 and 0.553 entirely?

C. Section 0.554—Requests for Notification of and Access to Records

10. We propose several changes to the Commission's Privacy Act rules describing the process individuals should follow to determine whether the Commission is holding information about them in its systems of records. To begin with, we propose to amend the title of this section from the current “Procedures for requests pertaining to individual records in a system of records,” to “Requests for notification of and access to records.” The proposed amended title of the section would more clearly signify that the procedures in this subsection effectuate individuals' ability to ascertain what information the Commission possesses about themselves, a right they are given in subsection (d)(1) of the Act. We also propose deleting obsolete references to the annual report agencies were required to publish under the original Privacy Act law and to an alphabetical listing of agency system of records notices.

11. Under current Commission practice, all requests are routed to a Privacy Analyst, who directs requesters to the list of system of records notices on the Commission's website in the event that the request does not identify the relevant system(s) of records. We propose adding a sentence clarifying that a proper request must identify the system(s) of records to be searched.

12. We also propose modifying how an individual may verify their identity when requesting access to records. Currently, paragraph (b)(1) requires an individual requesting access to records to verify their identity by submitting two of the following forms of identification: Social Security card; driver's license; employee identification card; Medicare card; birth certificate; bank credit card; or similar form of identification. This requirement seems inconsistent with recent OMB guidance explaining that while “agencies may customize the [personally identifiable information (PII)] required by their access and consent forms [to verify identity for access to or consent to disclose records] in accordance with applicable law and policy requirements and assessment of privacy risks,” “agencies shall accept [access or consent forms [developed by OMB] from individuals,” and “limit the collection of PII to the minimum that is directly relevant and necessary.” Therefore, we seek comment on deleting the requirement for requesters to provide two forms of identification and allowing individuals to verify their identity by submitting an Identity Affirmation form, based on the template provided by OMB. The Privacy Analyst reviewing the request would be responsible for determining whether the form has been properly completed before any disclosure is made. Would relying on an Identity Affirmation form increase the risk of fraudulent requests? We note that the Commission could safeguard against such fraud, while minimizing the Commission's collection of PII, by requiring that the Identify Affirmation form be notarized. We request comment on requiring that the Identity Affirmation form be notarized in lieu of the Commission collecting identification documentation from requesters.

13. We also propose making the Privacy Act request submission process consistent with the submission process established in the Commission's most recent revision of the Freedom of Information Act (FOIA) rules. In current practice, the Commission receives almost all of its Privacy Act requests through its FOIAOnline web portal. Both Congress and Federal courts have acknowledged that the access provisions of the FOIA and the Privacy Act are somewhat overlapping. Congress amended subsection (t) of the Privacy Act in 1984 to clarify that agencies cannot use FOIA exemptions to deny access to records requesters have access to under the Privacy Act, or vice versa. Likewise, DOJ published a comprehensive analysis of the legislative history and judicial precedent on this question, which concluded that “[a]n individual's access request for his own record maintained in a system of records should be processed under both the Privacy Act and the FOIA, regardless of the statute(s) cited.” We find persuasive DOJ's Privacy Act analysis, and believe that a best practice would be to structure our process to ensure that any requester can efficiently get the benefits of both statutes. For example, it may be appropriate to process parts of a request under the Privacy Act and parts of it under the FOIA. We seek comment on this interpretation.

14. Finally, we propose updates to paragraphs (c) and (d) of this section. Paragraph (c) currently requires individuals to deliver their requests for notification and access to a specific system manager or to the Associate Managing Director. Our proposed amendments to paragraph (a) would make this requirement obsolete by permitting individuals to submit requests via the Commission's website, by email, or by mail to the Commission. We propose removing the option to hand deliver requests for access to the Commission because the Commission's new headquarters building does not have a public filing window and cannot accept hand deliveries. Therefore, we propose combining current paragraphs (c) and (d) and removing reference to the method through which individuals submit requests.

D. Section 0.555—Disclosure of Record Information to Individuals

15. We propose making changes to § 0.555 to reflect current Commission practices. The current rule describes how individuals can access the records that the Commission maintains about them in its systems of records. It also lists reasons why the Commission might limit this access and describes how individuals may contest a Commission decision to deny their access to records.

16. While most individuals currently seek to access their records remotely through correspondence—whether electronically or via first-class mail—they still have a right to review records in person. The current rules urge individuals to make an appointment with the specific system manager responsible for the system of records they are interested in reviewing. The proposed new rules would create a single point of contact for requesters who would like to inspect their records in person by stating that individuals who wish to review their records should contact the Privacy Analyst. The proposed changes also include modifying paragraph (a)(1) to correct a grammatical error and conform the language to subsection (d)(1) of the Privacy Act, which specifies who may accompany individuals to view records. Specifically, the proposed language, “However, in such cases, the individual must provide written consent authorizing discussion of their record in the accompanying person's presence,” would replace the seemingly incomplete sentence currently in (a)(1), “However, in such cases, a written statement authorizing discussion of their record in the presence of a Commission representative having physical custody of the records.”

17. Paragraph (b)(1) provides the Commission discretion to limit access to medical records where the Commission staff, in consultation with a medical professional, has determined that access to the records could have an adverse impact on the individual. But with very limited exceptions, FCC systems of records do not contain personal health information. Therefore, we propose deleting the medical records provision (paragraph (b)(1)). In addition, a 1993 D.C. Circuit case invalidated a similar provision on the ground that it effectively created a new substantive exemption to an individual's Privacy Act right of access.

18. Paragraph (b)(2) discusses exempting classified material, investigative material compiled for law enforcement purposes, investigatory material compiled solely for determining suitability for Federal employment or access to classified information, and certain testing or examination material from disclosure and refers to § 0.561, which lists the Commission's exempt systems of records. Here, we propose a limited edit that would replace the current general reference to the Privacy Act with a specific cite to subsections (j) and (k) of the Privacy Act, upon which the Commission's authority to make “specific” or “general” exemptions for certain types of sensitive information is based. We also propose to strike some seemingly extraneous phrases from the final sentence of this paragraph—for example, by removing the unnecessary phrase “totally or partially.”

19. Paragraph (c) states that “requests involving more than 25 pages shall be submitted to the duplicating contractor.” While the Commission has never charged a fee for the search and review time for responsive records, the Commission has charged fees for copying responsive records that exceeded 25 pages. Because the Commission no longer employs a copying contractor, we propose eliminating the reference in paragraph (c). At the same time, we propose to make clear, consistent with the Privacy Act's prohibition on charging fees for searching for and reviewing records in response to a Privacy Act request, that we will not charge a fee for such activities in connection with records requested pursuant to § 0.554. However, we seek comment on whether the Commission should charge fees for producing copies of records. What is a reasonable fee structure for producing copies of records in response to a Privacy Act request?

20. Finally, we propose amending paragraph (e) to modify the procedures under which requesters may contest an initial staff decision denying them access to records. The Privacy Act does not specify an administrative appeal process in the case of a denial of access. The Commission addressed this silence in 1975 with a rule (paragraph 0.555(e)) that gave unsatisfied requesters the option of (1) seeking an administrative review from the system manager who denied the initial access request, or (2) immediately seeking judicial relief under the Privacy Act. This rule appears to be inconsistent with court rulings holding that requesters should exhaust their administrative remedies before filing suit under the Act. Further, it appears to conflict with the Communications Act's requirement that the filing of an application for review to the Commission is “a condition precedent for judicial review” of any decision made by staff.

21. To address these problems, we propose an administrative review process that would treat denials of requests to access or amend a record under the Privacy Act in the same way the Commission treats other appeals of decisions made under delegated authority. Specifically, the proposed rules would explain that an aggrieved requester may file a petition for reconsideration to the Senior Agency Official for Privacy or file an application for review before the Commission pursuant to the procedures specified in § 0.557. While a requester would retain the option of seeking further review by Commission staff (in the form of a petition for reconsideration), the alternative would be to file an application for review under the Commission's existing procedures.

22. Our proposal would strike what is now paragraph (e)(2) from § 0.555, which currently provides that an individual whose request for access has been denied may “[s]eek judicial relief in the district courts of the United States pursuant to paragraph (g)(1)(B) of the Act.” Instead of suggesting that an aggrieved requester could immediately seek judicial review, the proposed revisions make clear that a requester has two options: Seek further review by Commission staff (in the form of a petition for reconsideration), or file an application for review under the Commission's existing procedures. Only after the Commission has been given the opportunity to review a staff decision—through the filing of an application for review pursuant to our proposed revision to § 0.557, discussed below—would judicial review become available. We seek comment on whether this approach to managing appeals to denials of access is both practical and consistent with the rights individuals have under the Privacy Act.

E. Section 0.556—Request To Correct or Amend Records

23. We propose to amend § 0.556 of the Commission's rules to clarify the requester's procedural rights when a request to amend a record is denied. This section of the rules implements the Act's requirement that individuals be able to request amendments or corrections to records an agency maintains about them in a system of records. The Act requires agencies to promptly respond to such requests and to give individuals the ability to appeal a denial of an amendment request. Individuals may place statements of disagreement with such decisions in their records, and the statements must be included in subsequent agency disclosures of the records.

24. Throughout § 0.556, the system manager is referred to as the decision maker on requests to correct or amend records and requests to amend certain types of records (e.g., official personnel records of current or former employees) are required to be submitted to an Associate Managing Director and the Assistant Director for Work Force Information, Compliance and Investigations at the Office of Personnel Management. The amendments we propose to this subsection would streamline the process for requesters by directing all requests to correct or amend to the Privacy Analyst and centralizing the decision making process. Just as in the case of access requests, this would reflect current practice, in which these requests are received and processed by the Privacy Analyst, who works with relevant Commission staff to locate the disputed records and consider the requests.

25. Paragraph (a) permits individuals to request an amendment of information contained in their record by submitting (1) identity verification, (2) a brief description of the information to be amended, and (3) “the reason for the requested change.” We propose to more closely mirror the statutory language, which permits requests to correct or amend information that “the individual believes is not accurate, relevant, timely, or complete.” We tentatively find that the statutory language more precisely explains the reasons for which individuals may request correction or amendment of records and therefore propose adding this language to paragraphs (a) and (b). Additionally, we propose removing the option to hand deliver requests to correct or amend records to the Commission for the reason stated above—the Commission's new headquarters building does not have a public filing window and cannot accept hand deliveries.

26. Finally, the current paragraph (c)(2) provides, among other things, that the “system manager” advise an individual whose request to correct or amend a record has been denied that “review of the initial decision by the full Commission may be sought pursuant to the procedures set forth in § 0.557.” These rules could be read to suggest that an aggrieved requester must appeal directly to the Commission, rather than seeking reconsideration of the denial at the staff level under the Commission's ordinary procedures. In order to clarify the procedural rights the requester has under the FCC's rules, we propose adding language in a new paragraph (d)(2) that requires the Privacy Analyst to inform requesters that they have the right to seek reconsideration by the Senior Agency Official for Privacy or file an application with the Commission for review of a denial of a request to amend a record. This addition would match the description of the appeals process proposed for § 0.555(e), harmonizing both processes and making each more clearly consistent with the ordinary process for seeking review of staff-level actions under the Commission's rules.

F. Section 0.557—Administrative Review of an Initial Decision Not To Provide Access or Amend a Record

27. In the preceding two sections, we have proposed additions to both § 0.555, regarding denials of access, and § 0.556, regarding denials of amendment or correction, providing that an aggrieved requester under the Privacy Act may either seek (1) staff-level review by filing a petition for reconsideration under § 1.106, or (2) review from the full Commission by filing an application for review under § 1.115 and consistent with the procedures in § 0.557. Section 0.557 currently establishes the process for seeking review of the denial of a request to amend or correct Commission records. We now propose updates to this section to harmonize it with our proposals for §§ 0.555 and 0.556, and establish a process for seeking Commission-level review of denials both of requests to amend or correct records, as well as requests to access them.

28. Subsection (d)(3) of the Privacy Act provides requesters who are dissatisfied with an agency response to their amendment requests the right to file an administrative appeal, but it is silent on the availability of administrative appeals of denial of access requests made under subsection (d)(1) of the Act. When it published its Privacy Act rules in 1975, the Commission created two separate appeals processes—one for denied access requests, and another for denied amendment or correction requests. Section 0.555(e) establishes the procedure for challenging a denial of a request to access records. That section currently provides that individuals may either submit their request for administrative review to the system manager, who under the current rules makes the determination on whether to grant access to the records, or “seek judicial relief pursuant to paragraph (g)(1)(B) of the [Privacy] Act.” Meanwhile, § 0.557 establishes a separate procedure for challenging a denial of a request to amend or correct records. Among other requirements, § 0.557 of the current rules requires individuals to file their appeal to the full Commission within 30 days of the denial and “specify with particularity why the decision reached by the system manager is erroneous or inequitable.” Section 0.557 explicitly states that such a review is a prerequisite to seeking judicial review in a district court of the United States.

29. These procedures differ in two important respects: The 30-day deadline to file an appeal and the requirement to appeal to the full Commission. Both are explicit requirements for an appeal made under § 0.557, but are not mentioned in § 0.555. We see no clear reason for the differences in these processes. We further note that both current sections seem to depart from yet another process for challenging staff-level action—namely, the familiar procedures for review established under §§ 1.106 and 1.115 of our rules, which provide for petitions for reconsideration and applications for review, respectively. The current dual tracks for review seem to serve only to confound those aggrieved by denials of Privacy Act requests. We seek comment on these tentative conclusions.

30. Our proposed edits would, along with the edits discussed above, harmonize the process for seeking review under these two sections. Specifically, we propose to repurpose § 0.557: Instead of establishing only the process for Commission-level review of denials of a decision to amend or correct a record, our proposed edits would establish the process for Commission-level review of all Privacy Act requests—whether requests for access or requests for amendment or correction. The proposed edits to §§ 0.555 and 0.556, discussed above, would point requesters aggrieved under either section to § 0.557 for Commission-level review. To reflect the proposed change in the purpose of this section, we propose changing the title from the current “Administrative review of an initial decision not to amend a record” to “Commission review of a staff decision.” We believe that this change would more accurately reflect the broader scope of this section and seek comment on this proposal.

31. We also propose edits to certain paragraphs in § 0.557, to reflect that this section would serve as the procedure for seeking Commission level review of all Privacy Act-related appeals. In addition to the proposed amendments to § 0.555(e) regarding denials of requests for access discussed above, we propose simplifying the appeals process by requiring an application for review to the full Commission for denials of requests for both access and amendment or correction as a condition precedent to judicial review. This would harmonize the process for challenging denials of Privacy Act requests with the procedure for challenging other Commission decisions—reducing confusion and inconsistency. Specifically, we propose updating § 0.557(a) by removing the text regarding the 30-day deadline and the requirement that the appeal be addressed to the system manager or an official at the Office of Personnel Management, and instead simply citing to § 1.115 of the Commission's rules, which sets forth standard procedures for applications for review. We also propose moving paragraphs (a)(1)-(3), which discuss additional requirements for an appeal of a denial of amendment or correction, to a new paragraph (b) and updating them to include denials of access. For example, paragraph (a)(1) would no longer ask whether the information at issue is accurate and instead require an application for review to “clearly identify the adverse decision that is the subject of the review request.”

32. Current paragraph (b) of § 0.557 states that the Commission “final administrative review shall be completed not later than 30 days . . . from the date on which the individual requests such review unless the Chairman determines that a fair and equitable review cannot be made within the 30 day period” and requires that the Commission inform the individual in writing of the reasons for the delay and an approximate date on which the review is expected to be completed. We propose to modify this language to conform with current practice and the statutory requirements of the Privacy Act, which allows the head of an agency to extend the 30-day period, “for good cause shown,” and does not require notification in writing of a delay or an anticipated date of completion for a decision on appeal. Our proposal would be reflected in an updated paragraph (c) stating that the Commission will make every effort to act on an application for review within 30 business days after it is filed. We believe this would be consistent with § 1.115 of the Commission's rules and the Commission's obligations under the Privacy Act.

33. Next, we propose updating paragraph (d) and adding a new paragraph (e) to describe the potential outcomes for an application for review. The current paragraph (d) only discusses Commission actions regarding an application for review of a denial of amendment; however, as discussed, we propose to expand § 0.557 to be inclusive of both types of appeals under the Privacy Act: Appeals of denials of access and denials of amendment or correction. Under both proposed subsections, the Commission would notify individuals of their right to pursue judicial review of the Commission's decision. Additionally, proposed paragraph (e) would retain the notice requirements listed under current paragraph (d) regarding an individual's right to provide a signed statement disagreeing with the Commission's decision, but update the addressee of the statement from the “system manager,” to the Privacy Analyst. Finally, proposed paragraph (e)(3) would reflect the requirement under the Privacy Act that the statement of disagreement be annotated so that the disputed portion of a record becomes apparent to anyone who may subsequently have access to, use, or disclose the record and that a copy of the statement accompany any subsequent disclosure of the record. We seek comment on these proposals, which we believe would simplify the process for seeking review.

34. Furthermore, we propose delegating to the General Counsel authority to dismiss Privacy Act applications for review that do not contain any statement required under § 1.115(a) or (b), or does not comply with the filing requirements of § 1.115(d) or (f) of this chapter. We seek comment on whether this proposal to create a single administrative review process is practical and consistent with individuals' rights under the Privacy Act.

35. Because part of this section addresses the disposition of appeals of requests to amend records, we propose to move the contents of § 0.559, which pertains to an individual's right to file a statement of disagreement with the Commission's decision not to amend a record, to § 0.557, the rule that describes the administrative review process. As a result, we additionally propose deleting and reserving § 0.559 to avoid repetition in our rules.

G. Section 0.558—Advice and Assistance

36. Section 0.558 directs individuals who have questions about or need assistance with the procedures set forth in this subpart or the notices described in § 0.552 to contact the Privacy Liaison Officer, a position that no longer exists.

37. We propose to amend § 0.558 to update the rules' description of where to find contact information when an individual needs advice or assistance on their rights under the Privacy Act with respect to records held by the Commission. The proposed revision would refer individuals to the Privacy Analyst, the Senior Agency Official for Privacy, and the Privacy Act Information page on the FCC website. We believe that providing this updated information will make clear the avenues available to the public to exercise fully their rights under the Privacy Act.

H. Section 0.560—Penalty for False Representation of Identity

38. This section restates the Privacy Act's criminal penalty for an individual who fraudulently requests or obtains information from an agency about an individual. The section provides, “any individual who knowingly and willfully requests or obtains under false pretenses any record concerning an individual from any system of records maintained by the Commission shall be guilty of a misdemeanor and subject to a fine of not more than $5,000.”

39. Following OMB guidance, we propose adding language restating the criminal penalty under 18 U.S.C. 1001 for providing false information to the federal government. Notably, this statute provides more serious consequences than those recited in the current rules—including a fine of not more than $10,000, imprisonment of not more than five years, or both. We believe that this proposed edit should, among other things, serve as a greater deterrent to fraudulent requests by making clear the serious criminal penalties for doing so.

I. Section 0.561—Exemptions

40. Section 0.561 currently asserts exemptions for seven separate systems of records. The listed systems of records include: FCC/FOB-1, Radio Operator Records; FCC/FOB-2, Violators File; FCC/OGC-2, Attorney Misconduct Files; FCC/Central-6, Personnel Investigation Records; FCC/OIG-1, Criminal Investigative Files; FCC/OIG-2, General Investigative Files; and an unnumbered system called Licensees or Unlicensed Persons Operating Radio Equipment Improperly. The listed systems, however, no longer correspond to systems of records that the Commission maintains.

41. After reviewing the Commission's current systems of records, it appears that there are only five systems of records that contain exemptible information. These systems of records include: FCC/EB-5, Enforcement Bureau Activity Tracking System; FCC/OMD-16, Personnel Security Files; FCC/WTB-5, Application Review List for Present or Former Licensees, Operators, or Unlicensed Persons Operating Radio Equipment Improperly; FCC/WTB-6, Archival Radio Operator Records; and FCC/OIG-3, Investigative Files. We propose updating this section to strike the seven outdated lists from this section and list and describe the five current systems, which contain exemptible information. In order to comply with the requirement that agencies explicitly explain “the reasons why the system of records is to be exempted from a provision of [the Privacy Act],” we also propose rules that more fully justify each exemption we propose to claim. We seek comment on these proposals.

42. Four systems contain information that is exemptible under certain “specific exemptions” listed in subsection (k) of the Privacy Act. The Enforcement Bureau Activity Tracking System (EBATS) (FCC/EB-5) and the other supportive platforms to the EBATS boundary contain investigatory material compiled for law enforcement purposes, which is covered by exemption (k)(2). The Security Operations Center's Personnel Security Files (FCC/OMD-16) contains information covered by exemption (k)(5) including investigatory material related to suitability determinations for Federal employment. The Commission also maintains WTB-5, Application Review List for Present or Former Licensees, Operators, or Unlicensed Persons Operating Radio Equipment Improperly and WTB-6, Archival Radio Operator Records, both of which contain investigatory material compiled for law enforcement purposes covered by exemption (k)(2).

43. Finally, the Office of Inspector General's investigative files (OIG-3) contains information that is exemptible under both subsections (j) and (k). Following the guidance of courts that Inspector General offices can be viewed as agency components whose principal function is to perform an activity pertaining to the enforcement of criminal laws, we propose that this system is exempt under both general exemption (j)(2) and the specific exemption (k)(2), which exempts investigatory material compiled for law enforcement purposes. Additionally, FCC/OIG-3 supersedes FCC/OIG-1 and FCC/OIG-2 referenced in the current section 0.561 of the Commission's rules. We seek comment on these exemptions.

Procedural Matters

44. People With Disabilities. To request materials in accessible formats for people with disabilities (braille, large print, electronic files, audio format), send an email to fcc504@fcc.gov or call the Consumer & Governmental Affairs Bureau at 202-418-0530 (voice), 202-418-0432 (TTY).

45. Ex Parte Presentations. The proceeding this Notice initiates shall be treated as a “permit-but-disclose” proceeding in accordance with the Commission's ex parte rules. Persons making ex parte presentations must file a copy of any written presentation or a memorandum summarizing any oral presentation within two business days after the presentation (unless a different deadline applicable to the Sunshine period applies). Persons making oral ex parte presentations are reminded that memoranda summarizing the presentation must (1) list all persons attending or otherwise participating in the meeting at which the ex parte presentation was made, and (2) summarize all data presented and arguments made during the presentation. If the presentation consisted in whole or in part of the presentation of data or arguments already reflected in the presenter's written comments, memoranda or other filings in the proceeding, the presenter may provide citations to such data or arguments in his or her prior comments, memoranda, or other filings (specifying the relevant page and/or paragraph numbers where such data or arguments can be found) in lieu of summarizing them in the memorandum. Documents shown or given to Commission staff during ex parte meetings are deemed to be written ex parte presentations and must be filed consistent with rule 1.1206(b). In proceedings governed by rule 1.49(f) or for which the Commission has made available a method of electronic filing, written ex parte presentations and memoranda summarizing oral ex parte presentations, and all attachments thereto, must be filed through the electronic comment filing system available for that proceeding, and must be filed in their native format (e.g., .docx, .xml, .ppt, searchable .pdf). Participants in this proceeding should familiarize themselves with the Commission's ex parte rules.

46. Initial Regulatory Flexibility Certification. The Regulatory Flexibility Act of 1980 (RFA), as amended, requires agencies to prepare a regulatory flexibility analysis for rulemaking proceedings, unless the agency certifies that “the rule will not have a significant economic impact on a substantial number of small entities.” 5 U.S.C. 605(b).

47. In this NPRM, we propose to amend the Commission's Privacy Act rules in order to modernize them and conform them to current Commission practice. The process of seeking to access or amend records under the Privacy Act is generally undertaken by individuals, who are not categorized as “small entities” under the Regulatory Flexibility Act. Furthermore, the rule changes proposed herein consist primarily of minor procedural adjustments to how the Commission handles and responds to Privacy Act matters. Such changes are unlikely to have any significant economic impact. Therefore, we certify that the proposals in this NPRM, if adopted, will not have a significant economic impact on a substantial number of small entities.

48. Paperwork Reduction Act. This document does not contain new or revised information collection requirements subject to the Paperwork Reduction Act of 1995 (PRA), Public Law 104-13. In addition, therefore, it does not contain any new or modified “information burden for small business concerns with fewer than 25 employees” pursuant to the Small Business Paperwork Relief Act of 2002.

List of Subjects in 47 CFR Part 0

• Administrative practice and procedure
• Classified Information
• Health records
• Information
• Personally identifiable information
• Privacy
• Reporting and recordkeeping requirements

Proposed Rules

For the reasons discussed in the preamble, the Federal Communications Commission proposes to amend 47 part 0 as follows:

PART 0—COMMISSION ORGANIZATION

1. The authority citation for part 0 continues to read as follows:

Authority: 47 U.S.C. 151, 154(i), 154(j), 155, 225, and 409, unless otherwise noted.

2. Section 0.251 is amended by adding paragraph (k) to read as follows:

3. Revise Subpart E, consisting of §§ 0.551 through 0.561, to read as follows:

Subpart E—Privacy Act Regulations

Authority: 47 U.S.C. 154, 303; 5 U.S.C. 552a(f).