Implementing the Privacy Act of 1974, 17575-17585 [2021-06152]

Agencies

• FEDERAL COMMUNICATIONS COMMISSION

[Federal Register Volume 86, Number 63 (Monday, April 5, 2021)]
[Proposed Rules]
[Pages 17575-17585]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-06152]


=======================================================================
-----------------------------------------------------------------------

FEDERAL COMMUNICATIONS COMMISSION

47 CFR Part 0

[GN Docket No. 21-79; FCC 21-30; FRS 17571]


Implementing the Privacy Act of 1974

AGENCY: Federal Communications Commission.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: In this document, the Federal Communications Commission 
(Commission) seeks comment on revisions to the Commission's rules 
implementing the Privacy Act of 1974. To evolve with developments in 
the law and the directives from governmental bodies, the Commission 
proposes to update and improve its privacy rules.

DATES: Comments due on May 5, 2021; reply comments due on June 4, 2021.

ADDRESSES: You may submit comments, identified by GN Docket No 21-79, 
by any of the following methods:
    [ssquf] Federal Communications Commission's Website: https://www.fcc.gov/ecfs/. Follow the instructions for submitting comments.
    [ssquf] People With Disabilities: Contact the FCC to request 
reasonable accommodations (accessible format documents, sign language 
interpreters, CART, etc.) by email: fcc.gov">[email protected]fcc.gov or phone: 202-418-
0530 or TTY: 202-418-0432.

FOR FURTHER INFORMATION CONTACT: Bahareh Moradi, Office of General 
Counsel, at fcc.gov">[email protected]fcc.gov or 202-418-1700.

SUPPLEMENTARY INFORMATION: This is a summary of the Commission's Notice 
of Proposed Rulemaking in GN Docket No. 21-79; FCC 21-30, adopted on 
March 3, 2021, and released on March 4, 2021. The complete text of this 
document can be located on the FCC website at https://docs.fcc.gov/public/attachments/FCC-21-30A1.pdf.

Synopsis

    1. We propose revisions to the current rules to reflect amendments 
to the Privacy Act, Federal case law, OMB guidance, and the FCC's 
current practices. Most notably, we propose amendments to our rules 
that will update them to account for the developments described above. 
Because these changes are scattered throughout our current Privacy Act 
rules, we proceed to discuss each change in this section in the order 
that the change appears in our revised rules.

A. Section 0.551--Purpose and Scope: Definitions

    2. We first propose several updates to the purpose and definition 
provisions of the Commission's Privacy Act Rules, which are currently 
codified in Sec.  0.551. The current text states, in part, that the 
purpose of the subpart is to implement the Privacy Act, and ``to 
protect the rights of the individual in the accuracy and privacy of 
information concerning him which is contained in Commission records.'' 
To clarify our rules, we propose a more concrete and descriptive 
statement of purpose. Our proposed amendment would explain that the 
purpose of the subpart is to establish procedures that individuals may 
follow to exercise their right to access and request amendment of their 
records under the Privacy Act.
    3. We also propose several updates to Sec.  0.551(b), which defines 
the terms ``Individual,'' ``Record,'' ``System of Records,'' ``Routine 
Use,'' and ``System Manager.'' We propose to amend the definition of 
``System of Records,'' which is currently defined as ``a group of 
records under the control of the Commission from which information is 
retrievable by the name of the individual or by some identifying 
number, symbol, or other identifying particular assigned to the 
individual,'' to add the word ``any'' before ``records under the 
control of the Commission.'' In addition to more closely matching the 
statutory language, we believe that this change may better signal to 
the public the broad category of records that requesters may seek.
    4. Current rules define ``System Manager'' as ``the Commission 
official responsible for the storage, maintenance, safekeeping, and 
disposal of a system of records.'' To conform this definition with the 
Commission's current practices and terminology, we

[[Page 17576]]

propose to replace the term with ``Privacy Analyst.'' Under current 
practices, all Privacy Act requests submitted to the FCC are handled in 
the first instance by a Privacy Analyst in the Office of General 
Counsel, rather than by the managers or owners of any particular system 
of records. A Privacy Analyst coordinates with the system owner to 
search for, collect, and then produce responsive records. The Privacy 
Analyst serves as the interface between Privacy Act requesters and the 
Commission, and generally signs correspondence related to Privacy Act 
requests. Our proposed amendment would formalize that role in our 
rules, defining the ``Privacy Analyst'' as a Commission official 
responsible for processing and responding to requests by individuals to 
be notified of, to access, or to amend records pertaining to them that 
are maintained in the FCC's systems of records.
    5. Finally, we propose adding a new paragraph defining the position 
of the Commission's Senior Agency Official for Privacy. Following a 
requirement that became law as part of the Consolidated Appropriations 
Act of 2005, OMB required agencies to identify to OMB ``the senior 
official who has the overall agency-wide responsibility for information 
privacy issues.'' Following Executive Order 13719, OMB updated and 
broadened the responsibilities of the Senior Agency Official for 
Privacy in 2016 guidance. Consistent with this requirement, the FCC has 
designated a Senior Agency Official for Privacy since 2005. We seek 
comment on these definitional changes.

B. Sections 0.552--Notices Identifying Commission Systems of Records 
and 0.553--New Uses of Information

    6. We next propose to update and streamline the Commission's rule 
requiring the publication of a ``system of records notice'' and the 
Commission's rule about the publication of each new routine use of an 
existing system of records. Our proposals reflect guidance issued by 
OMB following the passage of the Privacy Act, and streamline the rules 
in a manner that provides the Commission greater flexibility to adjust 
its practices consistent with evolving governmentwide practice, while 
still ensuring that the Commission adheres to the Privacy Act's 
requirement that the Commission notify the public of the establishment 
of and updates to its systems of records.
    7. The current rule under Sec.  0.552 explains how the Commission 
complies with the Privacy Act's requirement that agencies publish ``a 
notice of the existence and character'' of their systems of records. 
The rule recites the statutorily required elements of such a notice, 
including the routine uses for the information within the system of 
records, as well as the Act's requirement that an agency publish 
notices in the Federal Register. We note that the Act does not require 
agencies to issue rules parroting the statutory requirement, as the 
Commission's current rule does, and that OMB has since updated guidance 
further clarifying the elements required in a system of records notice, 
including the enumerated routine uses. For example, OMB guidance 
requires federal agencies to follow specific templates for new, 
modified, or rescinded systems of records notices that our outdated 
rules do not describe.
    8. Section 0.553 of the rules describes the procedure the 
Commission follows to publish a new routine use of an existing system 
of records. Under the Act, an agency can define certain ``routine 
use[s]'' of information such that disclosure of a record may be made 
without the consent of the data subject. To be permissible, a routine 
use must be compatible with the purpose for which a record was 
collected, and must be published in a system of records notice with a 
30-day comment period. The current Commission rule contemplates 
publishing a standalone notice of only the new routine use, rather than 
republishing the entire notice along with a description of the routine 
use. In current practice, however, when the Commission makes 
significant changes to its published system of records notices (such as 
adding one or more routine uses), it re-publishes for comment the 
entire notice, not just the revised portion containing the changes, and 
highlights the changes so that they may easily be recognized by the 
public. This makes it easier for the public to understand what changes 
the Commission is taking. This approach is also consistent with current 
OMB guidance; in Circular A-108, agencies are ``strongly encouraged to 
publish all routine uses applicable to a system of records in a single 
Federal Register notice for that system.''
    9. Because OMB's updated guidance seems to make stale the 
procedures recited in our rules, and because it is unnecessary for the 
Commission to codify these statutory requirements, we propose to 
combine these two sections into a single rule stating simply that upon 
establishment, rescission, or revision of a system of records, 
including the establishment of a new routine use of a system of 
records, the Commission will publish in the Federal Register the notice 
required by 5 U.S.C. 552a(e). The proposed rule would therefore alert 
the public to the existence of system of records notices but would not 
prescribe the elements of a notice. At best, codifying a description of 
the requirements of a notice that may become outdated or incomplete 
seems to be unnecessary under the Privacy Act, and to otherwise serve 
little purpose, given that the obligation to publish these notices 
rests on the Commission, and not the public. At worst, codifying these 
requirements is misleading, insofar as governmentwide guidance on the 
required elements of a system of records notice may evolve more quickly 
than the Commission's rules reciting these requirements. We seek 
comment on this proposal. Is there any utility to retaining the detail 
regarding system of records notices included in the current text of our 
rules that outweigh the arguments for streamlining? Alternatively, 
would a better approach be to delete and reserve Sec. Sec.  0.552 and 
0.553 entirely?

C. Section 0.554--Requests for Notification of and Access to Records

    10. We propose several changes to the Commission's Privacy Act 
rules describing the process individuals should follow to determine 
whether the Commission is holding information about them in its systems 
of records. To begin with, we propose to amend the title of this 
section from the current ``Procedures for requests pertaining to 
individual records in a system of records,'' to ``Requests for 
notification of and access to records.'' The proposed amended title of 
the section would more clearly signify that the procedures in this 
subsection effectuate individuals' ability to ascertain what 
information the Commission possesses about themselves, a right they are 
given in subsection (d)(1) of the Act. We also propose deleting 
obsolete references to the annual report agencies were required to 
publish under the original Privacy Act law and to an alphabetical 
listing of agency system of records notices.
    11. Under current Commission practice, all requests are routed to a 
Privacy Analyst, who directs requesters to the list of system of 
records notices on the Commission's website in the event that the 
request does not identify the relevant system(s) of records.\1\ We 
propose adding a sentence clarifying that a proper request must 
identify the system(s) of records to be searched.
---------------------------------------------------------------------------

    \1\ A complete listing of the systems of records the Commission 
currently maintains can be found on the FCC's Privacy Act 
Information web page, https://www.fcc.gov/general/privacy-act-information.

---------------------------------------------------------------------------

[[Page 17577]]

    12. We also propose modifying how an individual may verify their 
identity when requesting access to records. Currently, paragraph (b)(1) 
requires an individual requesting access to records to verify their 
identity by submitting two of the following forms of identification: 
Social Security card; driver's license; employee identification card; 
Medicare card; birth certificate; bank credit card; or similar form of 
identification. This requirement seems inconsistent with recent OMB 
guidance explaining that while ``agencies may customize the [personally 
identifiable information (PII)] required by their access and consent 
forms [to verify identity for access to or consent to disclose records] 
in accordance with applicable law and policy requirements and 
assessment of privacy risks,'' ``agencies shall accept [access or 
consent forms [developed by OMB] from individuals,'' and ``limit the 
collection of PII to the minimum that is directly relevant and 
necessary.'' Therefore, we seek comment on deleting the requirement for 
requesters to provide two forms of identification and allowing 
individuals to verify their identity by submitting an Identity 
Affirmation form, based on the template provided by OMB. The Privacy 
Analyst reviewing the request would be responsible for determining 
whether the form has been properly completed before any disclosure is 
made. Would relying on an Identity Affirmation form increase the risk 
of fraudulent requests? We note that the Commission could safeguard 
against such fraud, while minimizing the Commission's collection of 
PII, by requiring that the Identify Affirmation form be notarized. We 
request comment on requiring that the Identity Affirmation form be 
notarized in lieu of the Commission collecting identification 
documentation from requesters.
    13. We also propose making the Privacy Act request submission 
process consistent with the submission process established in the 
Commission's most recent revision of the Freedom of Information Act 
(FOIA) rules. In current practice, the Commission receives almost all 
of its Privacy Act requests through its FOIAOnline web portal. Both 
Congress and Federal courts have acknowledged that the access 
provisions of the FOIA and the Privacy Act are somewhat overlapping. 
Congress amended subsection (t) of the Privacy Act in 1984 to clarify 
that agencies cannot use FOIA exemptions to deny access to records 
requesters have access to under the Privacy Act, or vice versa. 
Likewise, DOJ published a comprehensive analysis of the legislative 
history and judicial precedent on this question, which concluded that 
``[a]n individual's access request for his own record maintained in a 
system of records should be processed under both the Privacy Act and 
the FOIA, regardless of the statute(s) cited.'' We find persuasive 
DOJ's Privacy Act analysis, and believe that a best practice would be 
to structure our process to ensure that any requester can efficiently 
get the benefits of both statutes. For example, it may be appropriate 
to process parts of a request under the Privacy Act and parts of it 
under the FOIA. We seek comment on this interpretation.
    14. Finally, we propose updates to paragraphs (c) and (d) of this 
section. Paragraph (c) currently requires individuals to deliver their 
requests for notification and access to a specific system manager or to 
the Associate Managing Director. Our proposed amendments to paragraph 
(a) would make this requirement obsolete by permitting individuals to 
submit requests via the Commission's website, by email, or by mail to 
the Commission. We propose removing the option to hand deliver requests 
for access to the Commission because the Commission's new headquarters 
building does not have a public filing window and cannot accept hand 
deliveries. Therefore, we propose combining current paragraphs (c) and 
(d) and removing reference to the method through which individuals 
submit requests.

D. Section 0.555--Disclosure of Record Information to Individuals

    15. We propose making changes to Sec.  0.555 to reflect current 
Commission practices. The current rule describes how individuals can 
access the records that the Commission maintains about them in its 
systems of records. It also lists reasons why the Commission might 
limit this access and describes how individuals may contest a 
Commission decision to deny their access to records.
    16. While most individuals currently seek to access their records 
remotely through correspondence--whether electronically or via first-
class mail--they still have a right to review records in person. The 
current rules urge individuals to make an appointment with the specific 
system manager responsible for the system of records they are 
interested in reviewing. The proposed new rules would create a single 
point of contact for requesters who would like to inspect their records 
in person by stating that individuals who wish to review their records 
should contact the Privacy Analyst. The proposed changes also include 
modifying paragraph (a)(1) to correct a grammatical error and conform 
the language to subsection (d)(1) of the Privacy Act, which specifies 
who may accompany individuals to view records. Specifically, the 
proposed language, ``However, in such cases, the individual must 
provide written consent authorizing discussion of their record in the 
accompanying person's presence,'' would replace the seemingly 
incomplete sentence currently in (a)(1), ``However, in such cases, a 
written statement authorizing discussion of their record in the 
presence of a Commission representative having physical custody of the 
records.''
    17. Paragraph (b)(1) provides the Commission discretion to limit 
access to medical records where the Commission staff, in consultation 
with a medical professional, has determined that access to the records 
could have an adverse impact on the individual. But with very limited 
exceptions, FCC systems of records do not contain personal health 
information. Therefore, we propose deleting the medical records 
provision (paragraph (b)(1)). In addition, a 1993 D.C. Circuit case 
invalidated a similar provision on the ground that it effectively 
created a new substantive exemption to an individual's Privacy Act 
right of access.
    18. Paragraph (b)(2) discusses exempting classified material, 
investigative material compiled for law enforcement purposes, 
investigatory material compiled solely for determining suitability for 
Federal employment or access to classified information, and certain 
testing or examination material from disclosure and refers to Sec.  
0.561, which lists the Commission's exempt systems of records. Here, we 
propose a limited edit that would replace the current general reference 
to the Privacy Act with a specific cite to subsections (j) and (k) of 
the Privacy Act, upon which the Commission's authority to make 
``specific'' or ``general'' exemptions for certain types of sensitive 
information is based.\2\ We also propose to strike some

[[Page 17578]]

seemingly extraneous phrases from the final sentence of this 
paragraph--for example, by removing the unnecessary phrase ``totally or 
partially.''
---------------------------------------------------------------------------

    \2\ In order to promote accountability in agencies' use of these 
exemptions, the Act requires agencies claiming either subsection (j) 
or subsection (k) exemptions for a particular system of records to 
do so through notice-and-comment rulemaking. 5 U.S.C. 552a(j), (k) 
(requiring that exemption rules must be promulgated ``in accordance 
with the requirements (including general notice) of section 
553(b)(1), (2), and (3), (c), and (e) of this title''). Both 
subsections require agencies to explain, in their APA-required 
general statements, ``the reasons why the system of records is to be 
exempted from a provision of this section.'' Id.; see Office of 
Mgmt. & Budget, Privacy Act and Implementation, Guidelines and 
Responsibilities, 40 FR 28949, 28971 (July 9, 1975) (reviewing 
legislative history of the exemption provisions).
---------------------------------------------------------------------------

    19. Paragraph (c) states that ``requests involving more than 25 
pages shall be submitted to the duplicating contractor.'' While the 
Commission has never charged a fee for the search and review time for 
responsive records, the Commission has charged fees for copying 
responsive records that exceeded 25 pages. Because the Commission no 
longer employs a copying contractor, we propose eliminating the 
reference in paragraph (c). At the same time, we propose to make clear, 
consistent with the Privacy Act's prohibition on charging fees for 
searching for and reviewing records in response to a Privacy Act 
request, that we will not charge a fee for such activities in 
connection with records requested pursuant to Sec.  0.554. However, we 
seek comment on whether the Commission should charge fees for producing 
copies of records. What is a reasonable fee structure for producing 
copies of records in response to a Privacy Act request?
    20. Finally, we propose amending paragraph (e) to modify the 
procedures under which requesters may contest an initial staff decision 
denying them access to records. The Privacy Act does not specify an 
administrative appeal process in the case of a denial of access. The 
Commission addressed this silence in 1975 with a rule (paragraph 
0.555(e)) that gave unsatisfied requesters the option of (1) seeking an 
administrative review from the system manager who denied the initial 
access request, or (2) immediately seeking judicial relief under the 
Privacy Act. This rule appears to be inconsistent with court rulings 
holding that requesters should exhaust their administrative remedies 
before filing suit under the Act. Further, it appears to conflict with 
the Communications Act's requirement that the filing of an application 
for review to the Commission is ``a condition precedent for judicial 
review'' of any decision made by staff.
    21. To address these problems, we propose an administrative review 
process that would treat denials of requests to access or amend a 
record under the Privacy Act in the same way the Commission treats 
other appeals of decisions made under delegated authority. 
Specifically, the proposed rules would explain that an aggrieved 
requester may file a petition for reconsideration to the Senior Agency 
Official for Privacy or file an application for review before the 
Commission pursuant to the procedures specified in Sec.  0.557. While a 
requester would retain the option of seeking further review by 
Commission staff (in the form of a petition for reconsideration), the 
alternative would be to file an application for review under the 
Commission's existing procedures.
    22. Our proposal would strike what is now paragraph (e)(2) from 
Sec.  0.555, which currently provides that an individual whose request 
for access has been denied may ``[s]eek judicial relief in the district 
courts of the United States pursuant to paragraph (g)(1)(B) of the 
Act.'' Instead of suggesting that an aggrieved requester could 
immediately seek judicial review, the proposed revisions make clear 
that a requester has two options: Seek further review by Commission 
staff (in the form of a petition for reconsideration), or file an 
application for review under the Commission's existing procedures. Only 
after the Commission has been given the opportunity to review a staff 
decision--through the filing of an application for review pursuant to 
our proposed revision to Sec.  0.557, discussed below--would judicial 
review become available. We seek comment on whether this approach to 
managing appeals to denials of access is both practical and consistent 
with the rights individuals have under the Privacy Act.

E. Section 0.556--Request To Correct or Amend Records

    23. We propose to amend Sec.  0.556 of the Commission's rules to 
clarify the requester's procedural rights when a request to amend a 
record is denied. This section of the rules implements the Act's 
requirement that individuals be able to request amendments or 
corrections to records an agency maintains about them in a system of 
records. The Act requires agencies to promptly respond to such requests 
and to give individuals the ability to appeal a denial of an amendment 
request. Individuals may place statements of disagreement with such 
decisions in their records, and the statements must be included in 
subsequent agency disclosures of the records.
    24. Throughout Sec.  0.556, the system manager is referred to as 
the decision maker on requests to correct or amend records and requests 
to amend certain types of records (e.g., official personnel records of 
current or former employees) are required to be submitted to an 
Associate Managing Director and the Assistant Director for Work Force 
Information, Compliance and Investigations at the Office of Personnel 
Management. The amendments we propose to this subsection would 
streamline the process for requesters by directing all requests to 
correct or amend to the Privacy Analyst and centralizing the decision 
making process. Just as in the case of access requests, this would 
reflect current practice, in which these requests are received and 
processed by the Privacy Analyst, who works with relevant Commission 
staff to locate the disputed records and consider the requests.
    25. Paragraph (a) permits individuals to request an amendment of 
information contained in their record by submitting (1) identity 
verification, (2) a brief description of the information to be amended, 
and (3) ``the reason for the requested change.'' We propose to more 
closely mirror the statutory language, which permits requests to 
correct or amend information that ``the individual believes is not 
accurate, relevant, timely, or complete.'' We tentatively find that the 
statutory language more precisely explains the reasons for which 
individuals may request correction or amendment of records and 
therefore propose adding this language to paragraphs (a) and (b). 
Additionally, we propose removing the option to hand deliver requests 
to correct or amend records to the Commission for the reason stated 
above--the Commission's new headquarters building does not have a 
public filing window and cannot accept hand deliveries.
    26. Finally, the current paragraph (c)(2) provides, among other 
things, that the ``system manager'' advise an individual whose request 
to correct or amend a record has been denied that ``review of the 
initial decision by the full Commission may be sought pursuant to the 
procedures set forth in Sec.  0.557.'' These rules could be read to 
suggest that an aggrieved requester must appeal directly to the 
Commission, rather than seeking reconsideration of the denial at the 
staff level under the Commission's ordinary procedures. In order to 
clarify the procedural rights the requester has under the FCC's rules, 
we propose adding language in a new paragraph (d)(2) that requires the 
Privacy Analyst to inform requesters that they have the right to seek 
reconsideration by the Senior Agency Official for Privacy or file an 
application with the Commission for review of a denial of a request to 
amend a record. This addition would match the description of the 
appeals process proposed for Sec.  0.555(e), harmonizing both processes 
and making each more clearly consistent with the ordinary process for 
seeking review of staff-level actions under the Commission's rules.

[[Page 17579]]

F. Section 0.557--Administrative Review of an Initial Decision Not To 
Provide Access or Amend a Record

    27. In the preceding two sections, we have proposed additions to 
both Sec.  0.555, regarding denials of access, and Sec.  0.556, 
regarding denials of amendment or correction, providing that an 
aggrieved requester under the Privacy Act may either seek (1) staff-
level review by filing a petition for reconsideration under Sec.  
1.106, or (2) review from the full Commission by filing an application 
for review under Sec.  1.115 and consistent with the procedures in 
Sec.  0.557. Section 0.557 currently establishes the process for 
seeking review of the denial of a request to amend or correct 
Commission records. We now propose updates to this section to harmonize 
it with our proposals for Sec. Sec.  0.555 and 0.556, and establish a 
process for seeking Commission-level review of denials both of requests 
to amend or correct records, as well as requests to access them.
    28. Subsection (d)(3) of the Privacy Act provides requesters who 
are dissatisfied with an agency response to their amendment requests 
the right to file an administrative appeal, but it is silent on the 
availability of administrative appeals of denial of access requests 
made under subsection (d)(1) of the Act. When it published its Privacy 
Act rules in 1975, the Commission created two separate appeals 
processes--one for denied access requests, and another for denied 
amendment or correction requests. Section 0.555(e) establishes the 
procedure for challenging a denial of a request to access records. That 
section currently provides that individuals may either submit their 
request for administrative review to the system manager, who under the 
current rules makes the determination on whether to grant access to the 
records, or ``seek judicial relief pursuant to paragraph (g)(1)(B) of 
the [Privacy] Act.'' Meanwhile, Sec.  0.557 establishes a separate 
procedure for challenging a denial of a request to amend or correct 
records. Among other requirements, Sec.  0.557 of the current rules 
requires individuals to file their appeal to the full Commission within 
30 days of the denial and ``specify with particularity why the decision 
reached by the system manager is erroneous or inequitable.'' Section 
0.557 explicitly states that such a review is a prerequisite to seeking 
judicial review in a district court of the United States.
    29. These procedures differ in two important respects: The 30-day 
deadline to file an appeal and the requirement to appeal to the full 
Commission. Both are explicit requirements for an appeal made under 
Sec.  0.557, but are not mentioned in Sec.  0.555. We see no clear 
reason for the differences in these processes. We further note that 
both current sections seem to depart from yet another process for 
challenging staff-level action--namely, the familiar procedures for 
review established under Sec. Sec.  1.106 and 1.115 of our rules, which 
provide for petitions for reconsideration and applications for review, 
respectively. The current dual tracks for review seem to serve only to 
confound those aggrieved by denials of Privacy Act requests. We seek 
comment on these tentative conclusions.
    30. Our proposed edits would, along with the edits discussed above, 
harmonize the process for seeking review under these two sections. 
Specifically, we propose to repurpose Sec.  0.557: Instead of 
establishing only the process for Commission-level review of denials of 
a decision to amend or correct a record, our proposed edits would 
establish the process for Commission-level review of all Privacy Act 
requests--whether requests for access or requests for amendment or 
correction. The proposed edits to Sec. Sec.  0.555 and 0.556, discussed 
above, would point requesters aggrieved under either section to Sec.  
0.557 for Commission-level review. To reflect the proposed change in 
the purpose of this section, we propose changing the title from the 
current ``Administrative review of an initial decision not to amend a 
record'' to ``Commission review of a staff decision.'' We believe that 
this change would more accurately reflect the broader scope of this 
section and seek comment on this proposal.
    31. We also propose edits to certain paragraphs in Sec.  0.557, to 
reflect that this section would serve as the procedure for seeking 
Commission level review of all Privacy Act-related appeals. In addition 
to the proposed amendments to Sec.  0.555(e) regarding denials of 
requests for access discussed above, we propose simplifying the appeals 
process by requiring an application for review to the full Commission 
for denials of requests for both access and amendment or correction as 
a condition precedent to judicial review. This would harmonize the 
process for challenging denials of Privacy Act requests with the 
procedure for challenging other Commission decisions--reducing 
confusion and inconsistency. Specifically, we propose updating Sec.  
0.557(a) by removing the text regarding the 30-day deadline and the 
requirement that the appeal be addressed to the system manager or an 
official at the Office of Personnel Management, and instead simply 
citing to Sec.  1.115 of the Commission's rules, which sets forth 
standard procedures for applications for review. We also propose moving 
paragraphs (a)(1)-(3), which discuss additional requirements for an 
appeal of a denial of amendment or correction, to a new paragraph (b) 
and updating them to include denials of access. For example, paragraph 
(a)(1) would no longer ask whether the information at issue is accurate 
and instead require an application for review to ``clearly identify the 
adverse decision that is the subject of the review request.''
    32. Current paragraph (b) of Sec.  0.557 states that the Commission 
``final administrative review shall be completed not later than 30 days 
. . . from the date on which the individual requests such review unless 
the Chairman determines that a fair and equitable review cannot be made 
within the 30 day period'' and requires that the Commission inform the 
individual in writing of the reasons for the delay and an approximate 
date on which the review is expected to be completed. We propose to 
modify this language to conform with current practice and the statutory 
requirements of the Privacy Act, which allows the head of an agency to 
extend the 30-day period, ``for good cause shown,'' and does not 
require notification in writing of a delay or an anticipated date of 
completion for a decision on appeal. Our proposal would be reflected in 
an updated paragraph (c) stating that the Commission will make every 
effort to act on an application for review within 30 business days 
after it is filed. We believe this would be consistent with Sec.  1.115 
of the Commission's rules and the Commission's obligations under the 
Privacy Act.
    33. Next, we propose updating paragraph (d) and adding a new 
paragraph (e) to describe the potential outcomes for an application for 
review. The current paragraph (d) only discusses Commission actions 
regarding an application for review of a denial of amendment; however, 
as discussed, we propose to expand Sec.  0.557 to be inclusive of both 
types of appeals under the Privacy Act: Appeals of denials of access 
and denials of amendment or correction. Under both proposed 
subsections, the Commission would notify individuals of their right to 
pursue judicial review of the Commission's decision. Additionally, 
proposed paragraph (e) would retain the notice requirements listed 
under current paragraph (d) regarding an individual's right to provide 
a signed statement disagreeing with the Commission's

[[Page 17580]]

decision, but update the addressee of the statement from the ``system 
manager,'' to the Privacy Analyst. Finally, proposed paragraph (e)(3) 
would reflect the requirement under the Privacy Act that the statement 
of disagreement be annotated so that the disputed portion of a record 
becomes apparent to anyone who may subsequently have access to, use, or 
disclose the record and that a copy of the statement accompany any 
subsequent disclosure of the record. We seek comment on these 
proposals, which we believe would simplify the process for seeking 
review.
    34. Furthermore, we propose delegating to the General Counsel 
authority to dismiss Privacy Act applications for review that do not 
contain any statement required under Sec.  1.115(a) or (b), or does not 
comply with the filing requirements of Sec.  1.115(d) or (f) of this 
chapter. We seek comment on whether this proposal to create a single 
administrative review process is practical and consistent with 
individuals' rights under the Privacy Act.
    35. Because part of this section addresses the disposition of 
appeals of requests to amend records, we propose to move the contents 
of Sec.  0.559, which pertains to an individual's right to file a 
statement of disagreement with the Commission's decision not to amend a 
record, to Sec.  0.557, the rule that describes the administrative 
review process. As a result, we additionally propose deleting and 
reserving Sec.  0.559 to avoid repetition in our rules.

G. Section 0.558--Advice and Assistance

    36. Section 0.558 directs individuals who have questions about or 
need assistance with the procedures set forth in this subpart or the 
notices described in Sec.  0.552 to contact the Privacy Liaison 
Officer, a position that no longer exists.
    37. We propose to amend Sec.  0.558 to update the rules' 
description of where to find contact information when an individual 
needs advice or assistance on their rights under the Privacy Act with 
respect to records held by the Commission. The proposed revision would 
refer individuals to the Privacy Analyst, the Senior Agency Official 
for Privacy, and the Privacy Act Information page on the FCC website. 
We believe that providing this updated information will make clear the 
avenues available to the public to exercise fully their rights under 
the Privacy Act.

H. Section 0.560--Penalty for False Representation of Identity

    38. This section restates the Privacy Act's criminal penalty for an 
individual who fraudulently requests or obtains information from an 
agency about an individual. The section provides, ``any individual who 
knowingly and willfully requests or obtains under false pretenses any 
record concerning an individual from any system of records maintained 
by the Commission shall be guilty of a misdemeanor and subject to a 
fine of not more than $5,000.''
    39. Following OMB guidance, we propose adding language restating 
the criminal penalty under 18 U.S.C. 1001 for providing false 
information to the federal government. Notably, this statute provides 
more serious consequences than those recited in the current rules--
including a fine of not more than $10,000, imprisonment of not more 
than five years, or both. We believe that this proposed edit should, 
among other things, serve as a greater deterrent to fraudulent requests 
by making clear the serious criminal penalties for doing so.

I. Section 0.561--Exemptions

    40. Section 0.561 currently asserts exemptions for seven separate 
systems of records. The listed systems of records include: FCC/FOB-1, 
Radio Operator Records; FCC/FOB-2, Violators File; FCC/OGC-2, Attorney 
Misconduct Files; FCC/Central-6, Personnel Investigation Records; FCC/
OIG-1, Criminal Investigative Files; FCC/OIG-2, General Investigative 
Files; and an unnumbered system called Licensees or Unlicensed Persons 
Operating Radio Equipment Improperly. The listed systems, however, no 
longer correspond to systems of records that the Commission maintains.
    41. After reviewing the Commission's current systems of records, it 
appears that there are only five systems of records that contain 
exemptible information. These systems of records include: FCC/EB-5, 
Enforcement Bureau Activity Tracking System; FCC/OMD-16, Personnel 
Security Files; FCC/WTB-5, Application Review List for Present or 
Former Licensees, Operators, or Unlicensed Persons Operating Radio 
Equipment Improperly; FCC/WTB-6, Archival Radio Operator Records; and 
FCC/OIG-3, Investigative Files. We propose updating this section to 
strike the seven outdated lists from this section and list and describe 
the five current systems, which contain exemptible information. In 
order to comply with the requirement that agencies explicitly explain 
``the reasons why the system of records is to be exempted from a 
provision of [the Privacy Act],'' we also propose rules that more fully 
justify each exemption we propose to claim. We seek comment on these 
proposals.
    42. Four systems contain information that is exemptible under 
certain ``specific exemptions'' listed in subsection (k) of the Privacy 
Act. The Enforcement Bureau Activity Tracking System (EBATS) (FCC/EB-5) 
and the other supportive platforms to the EBATS boundary contain 
investigatory material compiled for law enforcement purposes, which is 
covered by exemption (k)(2).\3\ The Security Operations Center's 
Personnel Security Files (FCC/OMD-16) contains information covered by 
exemption (k)(5) including investigatory material related to 
suitability determinations for Federal employment.\4\ The Commission 
also maintains WTB-5, Application Review List for Present or Former 
Licensees, Operators, or Unlicensed Persons Operating Radio Equipment 
Improperly and WTB-6, Archival Radio Operator Records, both of which 
contain investigatory material compiled for law enforcement purposes 
covered by exemption (k)(2).
---------------------------------------------------------------------------

    \3\ An agency head can exempt a system of records from certain 
portions of the Privacy Act by promulgating regulations when the 
system of records maintains ``investigatory material compiled for 
law enforcement purposes, other than material within the scope of 
subsection (j)(2) of this section: Provided, however, That if any 
individual is denied any right, privilege, or benefit that he would 
otherwise be entitled by Federal law, or for which he would 
otherwise be eligible, as a result of the maintenance of such 
material, such material shall be provided to such individual, except 
to the extent that the disclosure of such material would reveal the 
identity of a source who furnished information to the Government 
under an express promise that the identity of the source would be 
held in confidence, or, prior to the effective date of this section, 
under an implied promise that the identity of the source would be 
held in confidence.'' 5 U.S.C. 552a(k)(2).
    \4\ An agency head can exempt a system of records from certain 
portions of the Privacy Act by promulgating regulations when the 
system of records maintains ``investigatory material compiled solely 
for the purpose of determining suitability, eligibility, or 
qualifications for Federal civilian employment, military service, 
Federal contracts, or access to classified information, but only to 
the extent that the disclosure of such material would reveal the 
identity of a source who furnished information to the Government 
under an express promise that the identity of the source would be 
held in confidence, or, prior to the effective date of this section, 
under an implied promise that the identity of the source would be 
held in confidence.'' 5 U.S.C. 552a(k)(5).
---------------------------------------------------------------------------

    43. Finally, the Office of Inspector General's investigative files 
(OIG-3) contains information that is exemptible under both subsections 
(j) and (k). Following the guidance of courts that Inspector General 
offices can be viewed as agency components whose principal function is 
to perform an activity

[[Page 17581]]

pertaining to the enforcement of criminal laws, we propose that this 
system is exempt under both general exemption (j)(2) and the specific 
exemption (k)(2), which exempts investigatory material compiled for law 
enforcement purposes. Additionally, FCC/OIG-3 supersedes FCC/OIG-1 and 
FCC/OIG-2 referenced in the current section 0.561 of the Commission's 
rules. We seek comment on these exemptions.

Procedural Matters

    44. People With Disabilities. To request materials in accessible 
formats for people with disabilities (braille, large print, electronic 
files, audio format), send an email to [email protected]fcc.gov or call the 
Consumer & Governmental Affairs Bureau at 202-418-0530 (voice), 202-
418-0432 (TTY).
    45. Ex Parte Presentations. The proceeding this Notice initiates 
shall be treated as a ``permit-but-disclose'' proceeding in accordance 
with the Commission's ex parte rules. Persons making ex parte 
presentations must file a copy of any written presentation or a 
memorandum summarizing any oral presentation within two business days 
after the presentation (unless a different deadline applicable to the 
Sunshine period applies). Persons making oral ex parte presentations 
are reminded that memoranda summarizing the presentation must (1) list 
all persons attending or otherwise participating in the meeting at 
which the ex parte presentation was made, and (2) summarize all data 
presented and arguments made during the presentation. If the 
presentation consisted in whole or in part of the presentation of data 
or arguments already reflected in the presenter's written comments, 
memoranda or other filings in the proceeding, the presenter may provide 
citations to such data or arguments in his or her prior comments, 
memoranda, or other filings (specifying the relevant page and/or 
paragraph numbers where such data or arguments can be found) in lieu of 
summarizing them in the memorandum. Documents shown or given to 
Commission staff during ex parte meetings are deemed to be written ex 
parte presentations and must be filed consistent with rule 1.1206(b). 
In proceedings governed by rule 1.49(f) or for which the Commission has 
made available a method of electronic filing, written ex parte 
presentations and memoranda summarizing oral ex parte presentations, 
and all attachments thereto, must be filed through the electronic 
comment filing system available for that proceeding, and must be filed 
in their native format (e.g., .docx, .xml, .ppt, searchable .pdf). 
Participants in this proceeding should familiarize themselves with the 
Commission's ex parte rules.
    46. Initial Regulatory Flexibility Certification. The Regulatory 
Flexibility Act of 1980 (RFA), as amended, requires agencies to prepare 
a regulatory flexibility analysis for rulemaking proceedings, unless 
the agency certifies that ``the rule will not have a significant 
economic impact on a substantial number of small entities.'' 5 U.S.C. 
605(b).
    47. In this NPRM, we propose to amend the Commission's Privacy Act 
rules in order to modernize them and conform them to current Commission 
practice. The process of seeking to access or amend records under the 
Privacy Act is generally undertaken by individuals, who are not 
categorized as ``small entities'' under the Regulatory Flexibility Act. 
Furthermore, the rule changes proposed herein consist primarily of 
minor procedural adjustments to how the Commission handles and responds 
to Privacy Act matters. Such changes are unlikely to have any 
significant economic impact. Therefore, we certify that the proposals 
in this NPRM, if adopted, will not have a significant economic impact 
on a substantial number of small entities.
    48. Paperwork Reduction Act. This document does not contain new or 
revised information collection requirements subject to the Paperwork 
Reduction Act of 1995 (PRA), Public Law 104-13.\5\ In addition, 
therefore, it does not contain any new or modified ``information burden 
for small business concerns with fewer than 25 employees'' pursuant to 
the Small Business Paperwork Relief Act of 2002.\6\
---------------------------------------------------------------------------

    \5\ 44 U.S.C. 3501-3520.
    \6\ See 44 U.S.C. 3506(c)(4).
---------------------------------------------------------------------------

List of Subjects in 47 CFR Part 0

    Administrative practice and procedure, Classified Information, 
Health records, Information, Personally identifiable information, 
Privacy, Reporting and recordkeeping requirements.

Federal Communications Commission.
Marlene Dortch,
Secretary.

Proposed Rules

    For the reasons discussed in the preamble, the Federal 
Communications Commission proposes to amend 47 part 0 as follows:

PART 0--COMMISSION ORGANIZATION

0
1. The authority citation for part 0 continues to read as follows:

    Authority:  47 U.S.C. 151, 154(i), 154(j), 155, 225, and 409, 
unless otherwise noted.

0
2. Section 0.251 is amended by adding paragraph (k) to read as follows:


Sec.  0.251   Authority delegated.

* * * * *
    (k) The General Counsel is delegated authority to dismiss Privacy 
Act applications for review that do not contain any statement required 
under Sec.  1.115(a) or (b), or do not comply with the filing 
requirements of Sec.  1.115(d) or (f) of this chapter.
0
3. Revise Subpart E, consisting of Sec. Sec.  0.551 through 0.561, to 
read as follows:

Subpart E--Privacy Act Regulations

Sec.
0.551 Purpose and scope; definitions.
0.552 Notice.
0.553 [Removed and Reserved]
0.554 Requests for notification of and access to records.
0.555 Disclosure of record information to individuals.
0.556 Request to correct or amend records.
0.557 Administrative review of an initial decision not to amend a 
record.
0.558 Privacy Act assistance.
0.559 [Removed and Reserved]
0.560 Penalty for false representation of identity.
0.561 Exemptions.

    Authority:  47 U.S.C. 154, 303; 5 U.S.C. 552a(f).


Sec.  0.551   Purpose and scope; definitions.

    (a) The purpose of this subpart is to implement the Privacy Act of 
1974, 5 U.S.C. 552a, which regulates the collection, maintenance, use, 
and dissemination of information about individuals identified in 
Federal agencies' information systems. As required by subsection (f) of 
the Privacy Act, these rules establish procedures individuals may 
follow to be notified of and gain access to records pertaining to 
themselves that are maintained in the FCC's systems of records, and to 
request amendment of any portion of these records that they believe are 
not accurate, relevant, timely, or complete. The rules in this subpart 
should be read together with the Privacy Act, which provides additional 
information about records maintained on individuals.
    (b) In this subpart:
    Individual means a citizen of the United States or an alien 
lawfully admitted for permanent residence. Privacy Analyst means a 
Commission

[[Page 17582]]

official responsible for processing and responding to requests by 
individuals to be notified of, to access, or to amend records 
pertaining to them that are maintained in the FCC's systems of records.
    Record means any item, collection, or grouping of information about 
an individual that is maintained by the Commission, including but not 
limited to, such individual's education, financial transactions, 
medical history, and criminal or employment history, and that contains 
such individual's name, or the identifying number, symbol, or other 
identifying particular assigned to the individual, such as a finger or 
voice print or a photograph.
    Routine Use means, with respect to the disclosure of a record, the 
use of such record for a purpose which is compatible with the purpose 
for which it was collected.
    Senior Agency Official for Privacy means the senior Commission 
official who has agency-wide responsibility and accountability for the 
Commission's privacy program.
    System of Records means a group of any records under the control of 
the Commission from which information is retrieved by the name of the 
individual or by some identifying number, symbol, or other identifying 
particular assigned to the individual.


Sec.  0.552   Notice.

    Upon establishment, rescission, or revision of a system of records, 
including the establishment of a new routine use of a system of 
records, the Commission publishes in the Federal Register the notice 
required by 5 U.S.C. 552a(e).


Sec.  0.553   [Removed and Reserved]


Sec.  0.554   Requests for notification of and access to records.

    (a) Individuals may ask the Commission if it maintains any records 
pertaining to them in the Commission's Systems of Records, and, subject 
to the provisions of Sec.  0.555(b), the Commission will notify the 
requesting individuals of any responsive records and permit them to 
gain access to such records. A proper request must identify the 
System(s) of Records the individual wants searched. All requests for 
notification and access made under this subsection shall be:
    Filed electronically using the web portal identified on the FOIA 
page of the Federal Communications Commission's website (www.fcc.gov) 
or by email to fcc.gov">[email protected]fcc.gov; or
    Mailed to the Privacy Analyst, Office of the General Counsel, at 
the appropriate address listed in Sec.  0.401(a).

    Note 1 to paragraph (a):  Regardless of the statute cited in the 
request, an individual's request for access to records pertaining to 
him or her will be processed under both the Privacy Act, following 
the rules contained in this subpart, and the Freedom of Information 
Act (5 U.S.C. 552), following the rules contained in Sec. Sec.  
0.441-0.470 of this part, as appropriate.

    (b) Reasonable identification is required of all individuals making 
requests pursuant to paragraph (a) of this section in order to assure 
that disclosure of any information is made to the proper person.
    (1) Individuals may verify their identity by submitting the 
Identity Affirmation form found on the Commission privacy web page.
    (2) If positive identification cannot be made on the basis of the 
information submitted, and if data in the record is so sensitive that 
unauthorized access could cause harm or embarrassment to the individual 
to whom the record pertains, the Commission reserves the right to deny 
access to the record pending the production of additional more 
satisfactory evidence of identity.

    Note 2 to paragraph (b):  The Commission will require 
verification of identity only where it has determined that knowledge 
of the existence of record information or its substance is not 
subject to the public disclosure requirements of the Freedom of 
Information Act, 5 U.S.C. 552, as amended.

    (c) A written acknowledgement of receipt of a request for 
notification and/or access will be provided within 10 days (excluding 
Saturdays, Sundays, and federal holidays) to the individual making the 
request. Such an acknowledgement may request that the individual 
specify the systems of records to be searched and, if necessary, any 
additional information needed to locate a record. A search of all 
systems of records identified in the individual's request will be made 
to determine if any records pertaining to the individual are contained 
therein, and the individual will be notified of the search results as 
soon as the search has been completed. Normally, a request will be 
processed and the individual notified of the search results within 30 
days (excluding Saturdays, Sundays, and legal holidays) from the date 
the inquiry is received. However, in some cases, as where records have 
to be recalled from Federal Record Centers, notification may be 
delayed. If it is determined that a record pertaining to the individual 
making the request does exist, the notification will include the 
responsive record(s) or state approximately when the record(s) will be 
available for review. No separate acknowledgement is required if the 
request can be processed and the individual notified of the search 
results within the ten-day period.


Sec.  0.555   Disclosure of record information to individuals.

    (a) Individuals having been notified that the Commission maintains 
a record pertaining to them in a system of records may access such 
record either by in-person inspection at Commission headquarters in 
Washington, DC, or by correspondence with the Privacy Analyst by postal 
or electronic mail.
    (1) Individuals who wish to review their records at Commission 
headquarters should contact the Privacy Analyst to arrange a time 
during regular Commission business hours when they can review and 
request copies of such records. Verification of identity is required as 
in Sec.  0.554(b) before access will be granted to an individual 
appearing in person. Individuals may be accompanied by a person of 
their own choosing when reviewing a record. However, in such cases, the 
individual must provide written consent authorizing discussion of their 
record in the accompanying person's presence.
    (2) Individuals may request that copies of records be sent directly 
to them. In such cases, individuals must verify their identity as 
described in Sec.  0.554(b) and provide an accurate return postal or 
electronic mail address. Records shall be sent only to that address.
    (b) Records pertaining to the enforcement of criminal laws, 
classified material, investigative material compiled for law 
enforcement purposes, investigatory material compiled solely for 
determining suitability for Federal employment or access to classified 
information, and certain testing or examination material may be removed 
from the records to the extent permitted by subsections (j) and (k) of 
the Privacy Act of 1974, 5 U.S.C. 552a(j), (k). Section 0.561 of this 
subpart sets forth the systems of records which the Commission has 
exempted from disclosure.
    (c) The Commission will not charge a fee for searching for and 
reviewing records requested pursuant to Sec.  0.554.

    Note 3 to paragraph (c):  Requests processed under the Freedom 
of Information Act will be subject to the fee provisions detailed in 
Sec.  0.467 of this part.

    (d) The provisions of this section in no way give an individual the 
right to access any information compiled in reasonable anticipation of 
a civil action or proceeding.
    (e) In the event that a determination is made denying an individual 
access to records pertaining to that individual for any reason, such 
individual may file a

[[Page 17583]]

petition for reconsideration to the Senior Agency Official for Privacy 
under Sec.  1.106 of this chapter, or an application for review by the 
Commission following the procedures set forth in Sec.  0.557 of this 
subpart and in Sec.  1.115 of this chapter.


Sec.  0.556   Request to correct or amend records.

    (a) An individual may request the amendment of information 
contained in a record pertaining to that individual if the individual 
believes the information is not accurate, relevant, timely, or 
complete. Amendment requests should be submitted in writing to the 
FCC's Privacy Analyst either:
    Via postal mail to the appropriate address listed in Sec.  
0.401(a), or
    Via electronic mail to the email address listed on the Privacy Act 
Information section of the Commission's public website (fcc.gov).
    (b) Any request to amend should contain at a minimum:
    (1) The identity verification information required by Sec.  
0.554(b);
    (2) A brief description of the item or items of information to be 
amended; and
    (3) A brief statement explaining why the individual believes the 
information is not accurate, relevant, timely, or complete.
    (c) A written acknowledgement of the receipt of a request to amend 
a record will be provided within 10 days (excluding Saturdays, Sundays, 
and federal holidays) to the individual requesting the amendment. Such 
an acknowledgement may, if necessary, request any additional 
information needed to make a determination. There will be no 
acknowledgement if the request can be reviewed, processed, and the 
individual notified of compliance or denial within the 10-day period.
    (d) A Privacy Analyst will (normally within 30 days) take one of 
the following actions regarding a request to amend:
    (1) If the FCC agrees that an amendment to the record is warranted, 
the Privacy Analyst will:
    (i) So advise the individual in writing;
    (ii) Verify with the system manager that the record has been 
corrected in compliance with the individual's request; and
    (iii) If an accounting of disclosures has been made, advise all 
previous recipients of the fact that the record has been corrected and 
of the substance of the correction.
    (2) If the FCC does not agree that all or any portion of the record 
merits amendment, the Privacy Analyst will:
    (i) Notify the individual in writing of such refusal to amend and 
the reasons therefor;
    (ii) Advise the individual of the right to file a petition for 
reconsideration to the Senior Agency Official for Privacy under Sec.  
1.106 of this chapter, or an application for review by the Commission 
following the procedures set forth in Sec.  0.557 of this subpart and 
Sec.  1.115 of this chapter.
    (e) In reviewing a record in response to a request to amend, the 
FCC will assess the accuracy, relevance, timeliness, or completeness of 
the record in light of each data element placed into controversy and 
the use of the record in making decisions that could possibly affect 
the individual. Moreover, the FCC will adjudge the merits of any 
request to delete information based on whether or not the information 
in controversy is both relevant and necessary to accomplish a statutory 
purpose required of the Commission by law or executive order of the 
President.


Sec.  0.557   Commission review of a staff decision.

    (a) Upon the FCC's determination not to grant an individual access 
to a record under Sec.  0.555 of this subpart or a determination not to 
grant an individual's request to amend a record under Sec.  0.556 of 
this subpart, the individual may file an application for review by the 
Commission following the procedures described in Sec.  1.115 of this 
chapter.
    (b) In addition to the requirements contained in Sec.  1.115 of 
this chapter, any application for review must:
    (1) Clearly identify the adverse decision that is the subject of 
the review request;
    (2) Specify with particularity why the decision reached by the FCC 
is erroneous or inequitable; and
    (3) In the case of an amendment request made under Sec.  0.556 of 
this subpart, clearly state how the record should be amended or 
corrected.
    (c) The Commission will make every effort to act on an application 
for review within 30 business days after it is filed. The Commission 
may seek such additional information as is necessary to make a 
determination.
    (d) In the case of a request for access to a record under Sec.  
0.554 of this subpart:
    (1) If upon review of the application, the Commission agrees that 
the individual is entitled to access to the requested record, the 
Commission will provide the individual access to the requested record;
    (2) If instead the Commission finds that the individual is not 
entitled to access to the requested record, it will notify the 
individual in writing of its determination and the reasons therefor; 
the Commission will also advise the individual that judicial review of 
this determination is available in a district court of the United 
States.
    (e) In the case of a request to amend a record under Sec.  0.556 of 
this subpart:
    (1) If upon review of the application, the Commission agrees with 
the individual that the requested amendment is warranted, it will 
proceed in accordance with Sec.  0.556(d)(1)(i) through (iii).
    (2) If after reviewing the application, the Commission refuses to 
amend the record as requested, it shall:
    (i) Notify the individual in writing of this determination and the 
reasons therefor;
    (ii) Advise the individual that a concise statement of the reasons 
for disagreeing with the determination of the Commission may be filed;
    (iii) Inform the individual:
    (A) That such a statement should be signed and addressed to the 
Privacy Analyst;
    (B) That the statement will be made available to anyone to whom the 
record is subsequently disclosed together with, at the Commission's 
discretion, a summary of the Commission's reasons for refusing to amend 
the record; and
    (C) That prior recipients of the record will be provided a copy of 
the statement of dispute to the extent that an accounting of such 
disclosures is maintained;
    (iv) Advise the individual that judicial review of the Commission's 
determination not to amend the record is available in a district court 
of the United States.
    (3) If the Commission determines not to amend a record consistent 
with an individual's request, and if the individual files a statement 
of disagreement pursuant to Sec.  0.557(e)(2) of this subpart, the 
record shall be clearly annotated so that the disputed portion becomes 
apparent to anyone who may subsequently have access to, use, or 
disclose the record. A copy of the individual's statement of 
disagreement shall accompany any subsequent disclosure of the record. 
If the Commission has chosen to include a written summary of its 
reasons for refusing to amend the record, it shall also accompany any 
subsequent disclosure. Such statements become part of the individual's 
record for granting access, but are not subject to the amendment 
procedures of Sec.  0.556 of this subpart.


Sec.  0.558   Privacy Act assistance.

    (a) In order to assist individuals in exercising their rights under 
the Privacy Act, the Commission maintains a

[[Page 17584]]

Privacy Act Information web page on its public website (fcc.gov). In 
addition, the Commission's privacy officials will endeavor to provide 
assistance to any individual who requests information about the 
Commission's systems of records or the procedures contained in this 
subpart for gaining access to a particular system of records or for 
contesting the content of a record, either administratively or 
judicially. Individuals can seek such advice:
    (1) Via postal mail to the appropriate address listed in Sec.  
0.401(a) of this chapter, or
    (2) Via the telephone numbers or electronic mail addresses of the 
Senior Agency Official for Privacy (SAOP) or the Privacy Analyst, which 
are listed on the Privacy Act Information page of the FCC's public 
website (fcc.gov).
    (b) [Reserved]


Sec.  0.559   [Removed and Reserved]


Sec.  0.560   Penalty for false representation of identity.

    Under subsection (i)(3) of the Privacy Act, any individual who 
knowingly and willfully requests or obtains under false pretenses any 
record concerning an individual from any system of records maintained 
by the Commission shall be guilty of a misdemeanor and subject to a 
fine of not more than $5,000. Under 18 U.S.C. 1001, an individual who 
knowingly and willfully provides false information to the United States 
Government shall be fined not more than $10,000 or imprisoned for not 
more than five years, or both.


Sec.  0.561   Exemptions.

    Because the Commission has determined that applying certain 
requirements of the Privacy Act to certain Commission records would 
have an undesirable and unacceptable effect on the conduct of its 
business, the Commission exempts the following systems of records from 
the listed requirements of the Act.
    (a) FCC/EB-5, Enforcement Bureau Activity Tracking System (EBATS). 
Pursuant to subsection (k)(2) of the Privacy Act, this system of 
records is exempt from subsections (c)(3), (d), (e)(1), (e)(4) (G), 
(H), and (I), and (f) of the Privacy Act, and from Sec. Sec.  0.554 
through 0.557 of this subpart insofar as it contains investigatory 
material compiled for law enforcement purposes. These exemptions are 
justified for the following reasons:
    (1) From subsection (c)(3) because providing an accounting of 
disclosures to an individual could alert that person that he or she is 
the subject of an investigation by the Enforcement Bureau (EB) or by 
the recipient entity and allow that person to take actions to impede or 
compromise the investigation.
    (2) From subsection (e)(1) because in the early stages of an 
investigation it is not always possible to determine if specific 
information is relevant or necessary for the investigation. It is also 
possible that information collected during an investigation turns out 
not to be relevant or necessary for that investigation, but helps EB 
establish patterns of misconduct or suggests that other laws or rules 
have been violated.
    (3) From subsections (d), (e)(4)(G) and (H), and (f) because giving 
an individual access to information in this system could notify the 
individual that he or she is the subject of an EB investigation and 
provide information about the sources, witnesses, tactics, and 
procedures EB employs to conduct the investigation, which could allow 
that person to take actions to impede or compromise the investigation.
    (4) From subsection (e)(4)(I) because disclosing the categories of 
sources of records in the system would risk disclosing the methods EB 
uses to select investigation targets and the techniques and procedures 
EB uses to conduct investigations. It could also compromise the 
confidentiality of the EB's sources and witnesses.
    (b) FCC/OIG-3, Investigative Files. Pursuant to sections (j)(2) and 
(k)(2) of the Privacy Act, this system of records is exempt from 
subsections (c)(3)-(4), (d), (e)(1), (2), (3), (5), and (8), (e)(4)(G), 
(H), and (I), (f), and (g) of the Privacy Act, 5 U.S.C. 552a, and from 
Sec. Sec.  0.554 through 0.557 of this subpart insofar as it contains 
information related to the enforcement of criminal laws, classified 
information, and investigatory material compiled for law enforcement 
purposes. These exemptions are justified for the following reasons:
    (1) From subsection (c)(3) because providing an accounting of 
disclosures to an individual could alert that person that he or she is 
the subject of an investigation by the Office of Inspector General 
(OIG) or that the OIG shared the individual's information with another 
law enforcement entity;
    (2) From subsections (d), (c)(4), (e)(4)(G) and (H), (f), and (g) 
because giving an individual access to and the right to amend 
information in this system could notify the individual that he or she 
is the subject of an OIG investigation and provide information about 
the sources, witnesses, tactics, and procedures OIG employs to conduct 
the investigation, which could allow that person to take actions to 
impede or compromise the investigation.
    (3) From subsections (e)(1) and (5) because in the early stages of 
an investigation it is not always possible to determine if specific 
information is relevant, accurate, timely, or complete. It is also 
possible that information collected during an investigation turns out 
not to be relevant or necessary for that investigation, but helps OIG 
establish patterns of misconduct or suggests that other laws or rules 
have been violated.
    (4) From subsections (e)(2) and (3) because collecting information 
directly from an individual and/or notifying the individual of the 
purposes of the collection could impair investigations by alerting the 
individual that he or she is the subject of an investigation. It may 
also be necessary to collect information from sources other than the 
individual to verify the accuracy of evidence. Furthermore, in some 
situations, the subject of an investigation cannot be required to 
provide information about him or herself.
    (5) From subsection (e)(8) because notifying an individual that a 
record has been made available to a person through compulsory process 
could prematurely reveal an ongoing investigation to the subject of the 
investigation.
    (6) From subsection (e)(4)(I) because disclosing the categories of 
sources of records in the system would risk disclosing the methods OIG 
uses to select investigation targets and the techniques and procedures 
OIG uses to conduct investigations.
    (c) FCC/OMD-16, Personnel Security Files. Pursuant to sections 
(k)(1), (k)(2), and (k)(5) of the Privacy Act, this system of records 
is exempt from subsections (c)(3), (d), (e)(1), (e)(4) (G), (H), and 
(I), and (f) of the Privacy Act, and from Sec. Sec.  0.554 through 
0.557 of this subpart insofar as it contains classified material or 
investigatory material compiled for the purpose of Federal employment 
eligibility to the extent that the disclosure of such material would 
reveal the identity of a source who furnished information to the 
Government under an express promise that the identity of the source 
would be held in confidence. These exemptions are justified for the 
following reasons:
    (1) From subsection (c)(3) because providing an accounting of 
disclosures to an individual could identify other individuals who 
received information about the subject individual to elicit information 
in connection with a personnel background investigation.
    (2) From subsections (d), (e)(4)(G) and (H), and (f) because giving 
an individual access to information in this system could reveal the 
identity of persons who confidentially provided information as

[[Page 17585]]

part of a personnel background investigation, which could restrict the 
flow of information necessary to determine the suitability of an 
employee candidate.
    (3) From subsection (e)(4)(I) because disclosing the categories of 
sources of records in the system would risk disclosing the techniques 
and procedures used to conduct investigations.
    (4) From subsection (e)(1) because it is impossible to determine in 
advance what exact information may be necessary to collect in order to 
determine the suitability of an employee candidate.
    (d) FCC/WTB-5, Application Review List for Present or Former 
Licensees, Operators, or Unlicensed Persons Operating Radio Equipment 
Improperly. Pursuant to section (k)(2) of the Privacy Act, this system 
of records is exempt from subsections (c)(3), (d), (e)(4) (G), (H), and 
(I), and (f) of the Privacy Act, and from Sec. Sec.  0.554 through 
0.557 of this subpart insofar as it contains classified material or 
investigatory material compiled for the purpose of determining whether 
the license application for an individual who operated radio equipment 
improperly should be granted, denied, or set for a hearing. These 
exemptions are justified for the following reasons:
    (1) From subsection (c)(3) because providing an accounting of 
disclosure to an individual could identify other individuals who 
received information about the subject individual to elicit information 
in connection with an investigation into the improper operation of 
radio equipment.
    (2) From subsections (d), (e)(4)(G) and (H), and (f) because giving 
an individual access to information in this system could reveal the 
identity of persons who confidentially provided information as part of 
an investigation into the improper operation of radio equipment, which 
could restrict the flow of information necessary to determine whether a 
license should be granted.
    (3) From subsection (e)(4)(I) because disclosure of sources of 
records in the system would risk disclosing the techniques and 
procedures used to conduct investigations.
    (e) FCC/WTB-6, Archival Radio Operator Records. Pursuant to 
sections (k)(1) and (k)(2) of the Privacy Act, this system of records 
is exempt from subsections (c)(3), (d), (e)(4) (G), (H), and (I), and 
(f) of the Privacy Act, and from Sec. Sec.  0.554 through 0.557 of this 
subpart insofar as it contains classified material or investigatory 
material compiled for the purpose of determining whether the license 
application for an individual who operated radio equipment improperly 
should be granted, denied, or set for a hearing and the referral of 
possible violations to the FCC's Enforcement Bureau, Office of General 
Counsel, or another agency. These exemptions are justified for the 
following reasons:
    (1) From subsection (c)(3) because providing an accounting of 
disclosure to an individual could identify other individuals who 
received information about the subject individual to elicit information 
in connection with an investigation into the violation of law.
    (2) From subsections (d), (e)(4)(G) and (H), and (f) because giving 
an individual access to information in this system could reveal the 
identity of persons who confidentially provided information as part of 
an investigation into a violation of law.
    (3) From subsection (e)(4)(I) because disclosure of sources of 
records in the system would risk disclosing the techniques and 
procedures used to conduct investigations.

[FR Doc. 2021-06152 Filed 4-2-21; 8:45 am]
BILLING CODE 6712-01-P