Electronic reporting and recordkeeping have a strong mandate in federal policy and law. As stated in the March, 1996, Reinventing Environmental Information Report, electronic reporting supports the President's overall regulatory reinvention goals of reducing the burden of compliance and streamlining regulatory reporting. In addition, the Government Paperwork Elimination Act (GPEA) of 1998, Public Law 105277, requires that agencies be prepared to allow electronic reporting and recordkeeping under their regulatory programs by October 21, 2003. Given the enormous strides in data transfer and management technologies since 1990particularly in connection with the Internetreplacing paper with electronic data transfer now promises increased productivity across almost all facets of business and government.

B. What Will the Proposed Regulations Do?

The proposed rule will remove existing regulatory obstacles to electronic reporting and recordkeeping across a broad spectrum of EPA programs, and establish requirements to assure that electronic documents and electronic records arefor all purposesas valid and authentic as their paper counterparts. These proposed requirements will apply to regulated entities that choose to submit electronic documents and/or keep electronic records, and under today's proposal, the choice of using electronic rather than paper for future reports and records will remain purely voluntary. Today's proposal will not amend compliance requirements under existing regulations and statutes and will not affect whether a document must be created, submitted, or retained under the existing provisions of Title 40 of the Code of Federal Regulations. Similarly, today's proposal will not affect the period of required recordretention, whether the stored electronic document must be signed, who is entitled to receive copies of the record, the number of copies that must be maintained, or any other requirements imposed by the underlying EPA, State, tribal or local program regulations. Public access to environmental compliance information will not be adversely affected by today's proposal. Electronic reporting and recordkeeping provisions in this proposal will provide for continued public access to electronic documents equivalent to that provided for paper records under existing law.

For purposes of this proposal, EPA is using the term ``electronic reporting'' in a sense that excludes submission of a report via magnetic media, for example via diskette, compact disk, or tape; we are also excluding transmission via hard copy facsimile or ``fax''. Likewise, our use of the term ``electronic document'' throughout this Notice refers exclusively to documents that are transmitted via a telecommunications network, excluding hard copy facsimile. However, this proposal's exclusion of magnetic media submissions in no way indicates EPA's rejection of this technology as a valid approach to paperless reporting; we believe that in many cases magnetic media submission fulfills the goals of the Government Paperwork Elimination Act (GPEA). Many EPA programs have successfully used magnetic media submissions to implement their regulatory reporting,
[[Page 46164]]
including Hazardous Waste, Toxic Release Inventory, and Pesticide Registration. EPA expects these magnetic media approaches to paperless reporting to continue, and nothing in today's proposal should be understood to proscribe them.

For regulated entities that choose to submit electronic documents directly to EPA, today's proposal will require that these documents be submitted to a centralized Agencywide electronic document receiving system, called the `Central Data Exchange' (CDX), or to alternative systems designated by the Administrator. Regulated entities that wish to submit electronic documents directly to EPA will satisfy the requirements in today's proposal by successfully submitting their reports to the CDX. While we do not intend to codify any of the details of how CDX operates or how it is constructed, EPA does solicit comments on the characteristics of the CDX and the submission scenarios described in this preamble. In addition, the CDX design specifications will be included as a part of this rulemaking docket. For regulated entities that choose to keep records electronically, today's proposal requires the adoption of best practices for electronic records management. Importantly, today's proposal will not authorize the conversion of existing paper documents to an electronic format for recordretention purposes because no mechanism currently exists that can be relied upon in all cases to preserve the forensic data in an existing paper document when it is converted to an electronic form. However, today's proposal does not prohibit such conversions at the Administrator's discretion on a casebycase basis.

Many facilities do not submit documents directly to EPA, but rather to States, tribes or local governments that are approved, authorized or delegated to administer a federal environmental program on EPA's behalf or to administer a state environmental program in lieu of the federal regulatory program in that State. We will refer to these as ``authorized State and tribal programs.'' This proposal will allow for EPA approval of changes to authorized State and tribal programs to provide for electronic reporting, and EPA approval will be based largely on an assessment of the State's or tribe's ``electronic document receiving system'' that will be used to implement the electronic reporting provisions. For this purpose, today's proposal includes detailed criteria that EPA will use to determine that an electronic document receiving system is acceptable. These criteria address such issues as system security, the approach to electronic signature and certification, chainofcustody and archiving, including provisions that address how a State, tribe or local government manages electronic records that are directly associated with its electronic document receiving system, as well as certain data transfers between this system and regulated entities. Beyond this, today's proposal does not address State, tribal or local government electronic recordkeeping or data transfers carried out to administer their authorized programs. Today's proposal does not address any data transfers between EPA and States or tribes as a part of administrative arrangements to share data. Finally, it is worth noting that EPA can approve changes to authorized State or tribal programs that involve the use of CDX to receive data submissions from their regulated communities. CDX has been designed with the goal of fully satisfying the criteria that this proposal specifies for assessing State or tribal electronic document receiving systems; similarly, EPA will ensure that other systems the Administrator designates to receive electronic submissions will satisfy the criteria as well. In view of this, EPA is exploring opportunities to leverage CDX resources for use by States, tribes and local environmental agencies.

Similarly, many facilities maintain records to satisfy the requirements of authorized State and tribal programs. This proposal will also allow for EPA approval of changes to authorized State and tribal programs to provide for electronic recordkeeping. EPA approval in this case will be based on a determination that the State's or tribe's program will require best practices for electronic records management, corresponding to EPA's provisions for electronic records maintained to satisfy EPA recordkeeping requirements.

For both document submission and recordkeeping, the point of the proposed requirements is primarily to ensure that the authenticity and integrity of these documents and records are preserved as they are created, submitted, and/or maintained electronically, so that they continue to provide strong evidence of what was intended by the individuals who created and/or signed and certified them. Among other things, today's proposal is intended to ensure that the federal laws regarding the falsification of information submitted to the government still apply to any and all electronic transactions, and that fraudulent electronic submissions or recordkeeping can be prosecuted to the fullest extent of the law. In establishing clear requirements for electronic reporting systems and electronic records, this proposed rule will help to minimize fraud by assuring that the responsible individuals can be readily identified.

While today's proposal will remove regulatory obstacles to electronic reporting and recordkeeping, EPA will make electronic submission available as an option for specific reports or other documents only as the systems become available to receive them. Similarly, EPA will make electronic recordkeeping available as an option for specific recordkeeping requirements only as programs become ready to adopt this change. In the case of electronic reporting, EPA plans to move aggressively toward implementation of CDX for high volume environmental reports submitted directly to EPA. EPA will publish announcements in the Federal Register as CDX and other systems become available for particular environmental reports and as programs become ready to make electronic recordkeeping an option. These points are discussed in more detail in Section III.C and D of this Preamble. To implement electronic reporting and recordkeeping under authorized State and tribal programs, EPA also plans to work with interested States and tribes to approve the necessary program changes as quickly and expeditiously as possible.
II. Background

A. What Is EPA's Current Electronic Reporting Policy?

On September 4, 1996, EPA published a document entitled ``Notice of Agency's General Policy for Accepting Filing of Environmental Reports via Electronic Data Interchange (EDI)'' (61 FR 46684) (hereinafter referred to as ``the 1996 Policy''), where ``EDI'' generally refers to the transmission, in a standard syntax, of unambiguous information between computers of organizations that may be completely external to each other (61 FR at 46685). This notice announced our basic policy for accepting electronically submitted environmental reports, and its scope was intended to include any regulatory, compliance, or informational (voluntary) reporting to EPA via EDI.

In the context of EDI, the ``syntax'' of the computertocomputer transmissions may be thought of as the structure or format of the transmitted data files. And, ``format'' here refers to such things as the ordering and labeling of the individual elements of data, the symbol used to separate elements, the way that related elements are grouped together, and so on. For example, for a file consisting of people's names, a simple
[[Page 46165]]
format specification might be that (i) the elements occur in order: firstname, middlename, lastname; (ii) the elements are labeled, respectively, ``F'', ``M'', and ``L''; (iii) each group of first, middle and last names is separated by a semicolon; and (iv) there is a comma between any two elements in a group.

For purposes of the 1996 policy, the standard transmission formats used by EPA were to be based on the EDI standards developed and maintained by the American National Standards Institute (ANSI) Accredited Standards Committee (ASC) X12. By linking our approach to the ANSI X12 standards, we hoped to take advantage of the robust ANSI based EDI infrastructure already in place for commercial transactions, including a wide array of commercial offtheshelf (COTS) software packages and communications network services, and a growing industry community of EDI experts available both to EPA and to the regulated community. At the time EPA was writing this policy, ANSIbased EDI was arguably the dominant mode of electronic commerce across almost all business sectors, from aerospace to wood products, at least in the United States. EDI was also widely used in the Federal Government, most notably at the Department of Defense, but also, increasingly, at other agencies, including the Social Security Administration, the General Services Administration, the Department of Transportation, the Health Care and Finance Administration, and the Department of Housing and Urban Development, and the Department of Health and Human Services.

However, as the 1996 policy made clear, no specific EPA reporting requirement can be satisfied via EDI until the Agency develops the corresponding programspecific implementation guidance (61 FR 46686). This guidance generally needs to do at least three things. First, it needs to address such procedural matters as the interactions with the communications network (for EDI purposes, usually stipulated as a controlledaccess, ``valueadded network'' or ``VAN''), schedule for submissions and acknowledgments, transaction records to be maintained, and so on. Second, it needs to stipulate the specific ANSI X12 standard transmission formatsreferred to as ``transaction sets''to be used for the specified reports. This stipulation is essential, since ANSI provides hundreds of different transaction sets, each corresponding to a distinct type of commercial document, e.g. invoices, purchase orders, shipping notices, product specifications, reports of test results, and so on. Third, the guidance also needs to say how the stipulated transactions sets are to be interpreted. X12 transaction sets are generally designed to be somewhat genericthey typically leave a number of their components as ``optional'', and use dataelement specifications that are open to multiple interpretations. (For a more detailed explanation of EDI and these implementation guidance documents, see section V.B.4 of this preamble.)

Given a public notice that the applicable implementation guidance is ready, the September, 1996, policy allows facilities to submit required reports electronically using EDI once they enter into a Terms and Conditions Agreement (TCA) with the Agency (61 FR 46685). Where the report in question requires a responsible individual at a facility to certify to the truthfulness of the submitted data, the TCA must provide for the use of a Personal Identification Number (PIN) as a form of electronic signature. Under the policy, the individual entering into the TCA is required to use a PIN assigned by EPA for this purpose (61 FR 46685). Finally, under the TCA, the facility is required to adhere to security and audit requirements as described in the notice (61 FR 46687).

Finally, the 1996 policy also explained that the various programs may require additional security procedures on a programbyprogram basis (61 FR 46684). Such procedures may be covered in the program specific implementation guidance, or can be provided through rule making.
B. How Would Today's Proposal Change EPA's Current Electronic Reporting Policy?

For practical purposes, the most important changes that today's proposal makes to current policy is in our technical approach to electronic reporting. Generally, we propose to greatly broaden the options available for electronic submission of data. For example, while we will continue to support data transfer via standardsbased EDI (as explained in section V.B.4 of this preamble), we will also provide options involving userfriendly ``smart'' electronic forms to be filled out online, on the Internet, or downloaded for completion offline at the user's personal computer. In addition, we propose to support data transfers through the Internet, via email, or via online interactions with Web sites, in a variety of common applicationbased formats, such as those output by spreadsheet packages. In terms of electronic signature technology, while we may continue to allow PINbased approaches, our plan is to emphasize digital signatures based on ``public key infrastructure'' (PKI) certificates, given the increasing support forand acceptance ofPKI for commercial purposes. (For an explanation of PKI, see Section V.B.1 of this preamble.) And, we plan to consider and allow for other signature technologies as they become viable for our applications.

This proposal also represents some important changes in EPA's regulatory strategy as well. To begin with, we are proposing to abandon any attempt to use regulations or formal policies to place technology specific or procedural requirements on regulated entities submitting electronic documents. In place of the technologyspecific/procedural provisions, our regulation will require that electronic submissions be made to designated EPA systems, or to State, tribal or local government systems that are determined to satisfy a certain set of functionbased criteria. Thus, as a rulemaking, today's proposal will govern electronic reporting by placing requirements on the systems that receive the electronic documentsrather than on the regulated entities submitting themand by specifying these requirement in terms of technologyneutral functionality.

This new regulatory strategy does not mean that we are proposing to abandon any control over how electronic documents are submitted. We are proposing instead to require the use of the ``Central Data Exchange'' (CDX) system or other EPA designated systems for submissions to EPA. While the rule may be technologyneutral, CDX itself will incorporate a suite of very specific technologies, including digital signatures based on ``public key infrastructure'' (PKI) certificates, described in detail below. In addition, while the rule itself will not require more than the use of CDX for electronic submissions to EPA, using CDX will as a practical matterimpose a very welldetermined set of
requirements on the reporting process for those who choose electronic submission instead of paper when reporting directly to EPA. Section V of this preamble will describe these requirements in some detail.

These changes in strategy are significant. They represent a decision that the mechanics of electronically submitting data should not be reflected in specific regulatory provisions. In addition, these changes give EPA the flexibility to adapt our electronic reporting systems to evolving technologies without having to amend our regulations with each technological innovation. That is, CDX or other [[Page 46166]]
designated systems can be changed as appropriate, so long as they continue to satisfy the functionbased criteria that the rule establishes. In general, we believe that this strategy will enable EPA, the States and tribes to offer regulated companies a very userfriendly approach to electronic reporting that can be tailored to the level of automation they wish to achieve, and can incorporate improved technologies as they become available without the delay associated with rulemaking.
C. Why Is EPA Proposing These Changes in Electronic Reporting Policy?

EPA is proposing these changes for three reasons. First, and most important, the technology environment has changed substantially since the September, 1996, policy was written. Webbased electronic commerce and Public Key Infrastructure (PKI) provide two obvious examples. While both were available and in use for some purposes in 1996, they had not yet achieved the level of acceptance and use that they enjoy today. We could not have anticipated in1996 that this evolution would occur as rapidly as it has. Clearly, these developments require that we extend our approach to electronic reporting beyond EDI and PINs. In addition, they teach us that it is generally unwise to base regulatory requirements on the existing information technology environment or on assumptions about the speed and direction of technological evolution.

Second, we believe that technologyspecific provisions would, of necessity, be very complex and unwieldy. The resulting regulation would likely place unacceptable burdens on regulated entities trying to understand and comply with it, and might also be difficult for EPA to administer and enforce.

Third, and finally, an electronic reporting architecture that makes a centralized EPA, State or tribal system the platform for such functions as electronic signature/certification is now quite viable and quite consistent with the standard practices of Webbased electronic commerce. In many ways, regulated entities' electronic transactions with the ``Central Data Exchange'' (CDX) will be similar to doing business with an online travel agency, book store, or brokerage, and with a similar clientserver architecture. Given the state of technology five years ago, we could not have considered this approach in the September, 1996, policy.

D. What Is EPA's Approach to Electronic RecordKeeping?

Today's proposal sets forth the criteria under which the Agency considers electronic records to be trustworthy, reliable, and generally equivalent to paper records in satisfying regulatory requirements. The intended effect of this proposed rule is to permit use of electronic technologies in a manner that is consistent with EPA's overall mission and that preserves the integrity of the Agency's enforcement activities.
E. What Information Is EPA Seeking About Electronic Reporting and RecordKeeping Proposals?

In proposing to allow regulated entities to submit electronic documents and maintain electronic records, EPA has, at least, the following three goals:

EPA is seeking comment and information on how well today's proposed regulatory provisions and the associated Central Data Exchange infrastructure will serve to fulfill these three goals. Concerning the firstaddressing cost and burdenEPA is particularly interested in and seeks comment on whether today's proposal will make electronic reporting and recordkeeping a practical and attractive option for smaller regulated entities, especially small businesses. Concerning the secondaddressing the data and the associated business processwe are especially interested in comments on how our proposed approach to electronic reporting and recordkeeping will affect third parties, for example State and local agencies that may collect and/or use the data in implementing EPA programs as well as members of the public who have an interest in the data as concerned citizens.

Concerning our third goal, it is essential that we continue to ensure sufficient personal and corporate responsibility and accountability in the submission of electronic reports and the maintenance of electronic records; otherwise we place at risk the continuing viability of selfmonitoring and selfreporting that provides the framework for compliance under most of our environmental programs. Therefore, EPA is especially interested in any concerns or issues that commenters may wish to raise about the effect that moving from paper to the electronic medium may have on this compliance structureas well as assessments of the approaches EPA is proposing to address these concerns.
F. How Were Stakeholders Consulted in Developing Today's Proposal?

Today's proposal reflects more than eight years of interaction with stakeholdersincluding State and local governments, industry groups, the legal community, environmental nongovernment organizations, ANSI ASC X12 subcommittees, and other federal agencies. Many of our most significant interactions involved electronic reporting pilot projects conducted with State agency partners, including the States of Pennsylvania, New York, Arizona, and several others. In addition, over a twoyear period beginning in May, 1997, EPA worked together with approximately 35 States on the State Electronic Commerce/Electronic Data Interchange Steering Committee (SEES) convened by the National Governors' Association (NGA) Center for Best Practices (CBP). The product of the SEES effort was a document entitled, ``A State Guide for Electronic Reporting of Environmental Data,'' available in the docket for this rulemaking, along with reports on some of the more recent state/EPA electronic reporting pilots. Information on SEES is also available at: www.nga.org/CBP/Activities/EnviroReporting.asp. Today's proposal has benefitted greatly from the SEES discussions, and EPA believes that the proposal is generally consistent with the SEES ``State Guide''.

Beginning in June, 1999, EPA also sponsored a series of conferences and meetings with the explicit purpose of seeking stakeholder advice on today's rulemaking. These included:

Reports of these conferences and meetings are also available in the rulemaking docket.
[[Page 46167]]
III. Scope of Today's Proposal
A. Who May Submit Electronic Documents and Maintain Electronic Records?

Any regulated company or other entity that submits documents addressed by today's proposal (see section III.B., below) directly to EPA can submit them electronically as soon as EPA announces that the Central Data Exchange or a designated alternative system is ready to receive these reports. Any regulated company or other entity that maintains records addressed by today's proposal (see section III.C., below) under EPA regulations can store them in an electronic form subject to the proposed criteria for electronic recordkeeping as soon as EPA announces that the specified records may be kept electronically. As noted in section I.B of this preamble, the rule will not authorize the conversion of existing paper records to an electronic format. Regulated companies or other entities that submit documents or maintain records under authorized State or tribal programs may submit or maintain them electronically as soon as EPA approves the changes to the authorized programs that are necessary to implement the State's or tribe's provisions for electronic reporting or recordkeeping.

Under today's proposal, the entities that can use electronic reporting and recordkeeping will not be required to do so; they can still use the medium of paper for document submissions and records if they choose. Nonetheless, nothing in this proposal will prohibit State, tribal or local authorities from requiring electronic reporting or recordkeeping under applicable State, tribal and local law. B. How Does Today's Proposal Relate to the New ESIGN Legislation?

The environmental reports and records that are the subject of this rule are generally not subject to the recently enacted ``Electronic Signatures in Global and National Commerce Act of 2000'' (``ESIGN'' or ``the Act''), Public Law 106229, because most of these governmentally mandated documents are not amongst the ``transactions'' to which ESIGN applies. However, the EPA has authority to permit electronic reporting under the statutes it administers and under the Government Paperwork Elimination Act (GPEA) of 1998, Public Law 105277, http://ec.fed.gove/ gpedoc.htm. ESIGN, establishes the legal equivalence between: (1) Contracts written on paper and contracts in electronic form; (2) pen andink signatures and electronic signatures; and (3) other legally required written documents (termed ``records'' in the statute) and the same information in electronic form. As a general rule, if parties to a transaction in interstate commerce choose to use electronic signatures and records, ESIGN grants legal recognition to those methods. ESIGN provides that no contract, signature, or record relating to such a transaction shall be denied legal effect solely because it is in electronic form, nor may such a document be denied legal effect solely because an electronic signature or record was used in its formation. GPEA also provides such language for government filings covered by this rule and provides similar legal validity for associated electronic signatures. When ESIGN takes effect on October 1, 2000, statutes or agency rules containing paperbased requirements that might otherwise deny effect to electronic signatures and records in consumer, commercial or business transactions between two or more parties will be superseded. ESIGN does, however, permit federal and State agencies to set technologyneutral standards and formats for the submission and retention of electronic documents.

ESIGN applies broadly to commercial, consumer, and business transactions in or affecting interstate or foreign commerce, including transactions regulated by both federal and State government. However, the conferees who drafted this legislation specifically excluded ``governmental transactions'' from the definition of transactions that are subject to ESIGN; accordingly, ESIGN does not cover transactions that are uniquely governmental, such as the transmission of a compliance report to a federal or State agency. Nonetheless, ESIGN does cover documents that are created in a commercial, consumer, or business transaction, even if those documents are also submitted to a governmental agency or retained by the regulated community for governmental purposes. For example, an insurance contract that is commemorated in an electronic document will be covered by the provisions of ESIGN, even if EPA or an authorized State requires that the policyholder maintain proof of insurance as part of a federal or State environmental program. In order to ensure that these documents will meet governmental needs, the Act permits the government to set technologyneutral standards and formats for such records. In order that governmental agencies have time to promulgate these standards and formats, ESIGN has a delayed effective date for its recordretention provisions of March 1, 2001. If a federal or State regulatory agency has proposed a standard or format for document retention by March 1, 2001, the Act will take effect with respect to those records on June 1, 2001.
C. Which Documents Could Be Filed Electronically?

With the exception of the Hazardous Waste Manifest (which EPA is addressing in a separate electronic reporting rule), today's proposal addresses document submissions required by or permitted under any EPA or authorized State, tribal or local program governed by EPA's regulations in Title 40 of the Code of Federal Regulations (CFR). Nonetheless, EPA will need time to develop the hardware and software components required for each individual type of document. Similarly, EPA will need time to evaluate State, tribal, and local electronic document receiving systems to ensure that they meet the criteria articulated in today's proposal. Accordingly, once this rule takes effect, documents subject to this rule submitted directly to EPA can only be submitted electronically after EPA announces in the Federal Register that the Central Data Exchange (CDX) or an alternative system is ready to receive them. Documents subject to this rule submitted under an authorized State or tribal program can only be submitted electronically once EPA has approved the necessary changes to the authorized program.

Both in developing the CDX, and in approving changes to authorized State and tribal programs related to electronic reporting, EPA plans to give priority to receipt of the relatively high volume environmental compliance reports that do not involve the submission of confidential business information (CBI). EPA believes that receipt of electronically transmitted CBI requires considerably stronger security measures than the initial version of CDX may be able to support, including provisions for encryption. While EPA does plan to enhance CDX to accommodate CBI, we will first want to gain experience implementing CDX in the nonCBI arena and also take the time to explore CBI security issues with companies that submit confidential data. EPA seeks comments and advice on priorities for electronic reporting implementation. EPA also seeks comments on this proposal's global approach, and whether specific exclusions should be added to the rule.
[[Page 46168]]
D. Which Records Can Be Maintained Electronically and Which Can Not?

Today's proposal addresses records that EPA or authorized State, tribal or local programs require regulated entities to maintain under any of the environmental programs governed by Title 40 of the CFR or related State, tribal and local laws and regulations. Nonetheless, individual EPA programs may need additional time to consider more specific provisions for administering the maintenance of electronic records under their regulations. Similarly, EPA will need time to evaluate State, tribal, and local programs' provisions for administering electronic records maintenance to ensure that such records will meet the criteria articulated in today's proposal.

Accordingly, once this rule takes effect, any records subject to this rule submitted directly to EPA can only be maintained electronically after EPA announces in the Federal Register that EPA is ready to allow electronic records maintenance to satisfy the specified recordkeeping requirements. Records subject to this rule maintained under an authorized State or tribal program can only be maintained electronically once EPA has approved the necessary changes to the authorized program. For electronic records specified in such Federal Register announcements or authorized program changes, they can be maintained in lieu of paper records so long as they meet the requirements in this proposal, unless paper records are specifically required in regulations promulgated on or after promulgation of this final rule. However, today's proposal will not apply to paper records that are already in existencewhether these are maintained under EPA programs or under authorized State, tribal or local programsand will not provide that any of these paper records can be converted to an electronic format. In addition, today's proposal does not address contracts, grants, or financial management regulations contained in Title 48 of the CFR. EPA is addressing such procurementrelated activities separately. Accordingly, today's proposal does not apply to records maintained under these Title 48 regulations, whether this recordkeeping was administered by EPA or by a State, tribal or local program under EPA authorization.
E. How Would Today's Proposal Implement Electronic Reporting and RecordKeeping?

EPA proposes our overall policy and requirements for electronic reporting and recordkeeping as a new 40 CFR part 3, which consists of four (4) Subparts. Subpart A provides that any reporting requirement in Title 40 can be satisfied with an electronic submission to EPA that meets certain conditions (specified in Subpart B) once EPA publishes a notice that electronic document submission is available for this requirement. Similarly, Subpart A provides that any recordkeeping requirement in Title 40 can be satisfied with electronic records that meet certain conditions (specified in Subpart C) once EPA publishes a notice that electronic recordkeeping is available for this requirement. Subpart A also provides that electronic reporting and recordkeeping can be made available under EPAauthorized State, tribal or local environmental programs as soon as EPA approves the necessary changes to these authorized programs (in accordance with Subpart D). In addition, subpart A makes clear: (1) That electronic document submission or recordkeeping, while permissible under the terms of this part, will not be required; and (2) that this regulation will confer no right or privilege to submit data electronically and will not obligate EPA or State, tribal or local agencies to accept electronic data except as provided under this regulation.

Subpart B sets forth the general requirements for acceptable electronic documents submitted to EPA. It provides that electronic documents must be submitted either to EPA's Central Data Exchange (CDX) or other EPA designated systems. It also includes general requirements for electronic signatures. Subpart C sets forth requirements that regulated entities must satisfy if they wish to maintain their electronic records in satisfaction of EPA recordkeeping requirements. Finally, subpart D sets forth the process and criteria for EPA approval of changes to authorized State, tribal and local environmental programs to allow electronic document submissions or recordkeeping to satisfy requirements under these programs. With respect to electronic document submissions, subpart D includes detailed criteria for acceptable State, tribal or local agency electronic document receiving systems against which EPA will assess authorized program implementations of electronic reporting.

The table below describes the applicability of each of these proposed new subparts.
Subpart Applicability A. General Provisions............. Companies and other entities regulated under Title 40 of the Code of Federal Regulations, and State, tribal and local agencies with electronic document receiving systems used to receive documents under their authorized programs. B. Electronic Reporting to EPA.... Companies and other entities regulated under Title 40 of the Code of Federal Regulations. C. Electronic Recordkeeping under Companies and other entities EPA Programs. regulated under Title 40 of the Code of Federal Regulations. D. Approval of Electronic State, tribal and local agencies Reporting and Recordkeeping with electronic document receiving under State Programs. systems or electronic record keeping programs for which EPA approval is required.

Given the proposed provisions of Subpart A, a regulated entity wishing to determine whether electronic reporting or recordkeeping was available under some specific regulation will have to verify that EPA has published a Federal Register notice announcing their availability and will have to locate any additional provisions or instructions governing the electronic option for the particular reporting or record keeping requirements. EPA seeks comments on whether the new Part 3 should include specific crossreferences to such announcements and instructions to the extent that these are codified elsewhere in Title 40. The cross references could be organized by CFR subparts of Title 40, and could provide a simple listing of programspecific regulations for which EPA has implemented electronic reporting or recordkeeping under the provisions of today's proposal. EPA invites suggestions on the most helpful crossreferencing scheme.
IV. The Requirements in Today's Proposal
A. What Are the Proposed Requirements for Electronic Reporting to EPA?

Today's proposal specifies just two requirements for electronic reporting to
[[Page 46169]]
EPA. First, electronic documents must be submitted to an appropriate EPA electronic document receiving system; generally this will be EPA's Central Data Exchange (CDX), although EPA can also designate additional systems for the receipt of electronic documents. Second, where an electronic document must bear a signature under existing regulations or guidance, it must be signed (by the person authorized to sign under the current applicable provision) with an electronic signature that can be validated using the appropriate EPA electronic document receiving system. The proposal stipulates that the electronic signature will make the person who signs the document responsible, or bound, or obligated to the same extent as he or she would be signing the corresponding paper document by hand. Only electronic submissions that meet these two requirements will be recognized as satisfying a federal environmental reporting requirement, although failure to satisfy these requirements will not preclude EPA from bringing an enforcement action based on the submission.

It should be noted that the second requirement, concerning signatures, will apply only where the document would have to bear a signature were it to be submitted on paper, either because this is stipulated in regulations or guidance, or because a signature is required to complete the paper form. Today's proposal is not intended to require additional signatures on documents when they are migrated from paper to electronic submission. The EPA electronic document receiving system will indicate to the submitter whether a signature is required to complete submission of an electronic documentalthough the presence or absence of this indication will not affect whether or not a signature is required for a document to have legal effect.

Beyond these two requirements, the proposed rule does not specify any required hardware or software. Accordingly, the proposed rule text does not include any detail about CDX per se or about what will be required of regulated entities who wish to use it. Nonetheless, in publishing today's proposal, one of EPA's goals is to share our plans for the CDX and to invite comments on the technical approaches that it represents. Therefore, section V, below, explains the details of CDX as it is currently plannedincluding CDX technical approaches to satisfying our proposed functional criteria, and what use of CDX to submit electronic documents will require of the users. We are also including the draft CDX design specifications in the docket for today's proposed rule. In reviewing these materials, however, the reader should bear in mind that the details of CDX that they specify have not been finalized, and may be affected by the comments received on today's proposal. In the preamble to the notice of final rulemaking for today's proposal, EPA will describe the details of CDX as it will actually be implemented, and will highlight any significant changes from the design as described in this proposal.

Of course, even after the current CDX design is finalized and implemented, the system may changeto take advantage of opportunities offered by evolving technologies, as well as to correct any deficiencies that operational experience reveals. Our proposed regulatory strategyavoiding the codification of technologyspecific/ procedural provisionsis meant to accommodate such changes without requiring that we amend our regulations. Nonetheless, EPA recognizes that such changes can be disruptive to regulated entities that participate in electronic reporting; therefore, we are adding provisions that commit EPA to provide adequate public notice where a contemplated change may have this impact. In general, we foresee four kinds of cases:

Our approach will then be to provide public notice and seek comment on major changes at least a year in advance of contemplated implementation. For minor changes we will provide public notice at least 60 days in advance of implementation. For transparent changes and emergency changes we will make decisions on whether and when to provide public notice on a casebycase basis. EPA seeks comment on this approach, including the kinds of cases we distinguish and the proposed timeframes for notice. We are especially interested in views on the appropriateness of the timeframe for notice of major changesand specifically on whether a shorter timeframe, e.g. 9 months or 6 months, would provide adequate notice while giving EPA greater flexibility to make timely responses to changes in the technological environment. We also seek comment on the more general question of whether it is in the best interests of EPA and our regulated entities to codify these public notice provisions at all, or whether they may place at risk our ability to be sufficiently responsive to the changing needs of our user community. We are also interested in the question of whether the different kinds of cases are or can be defined with sufficient precision to form the basis for workable regulatory provisions, and we welcome any suggestions for alternative regulatory language.
B. What Requirements Must Electronically Maintained Records Satisfy?

1. General Approach. In today's proposed rule, EPA is proposing a set of criteria that will have to be met by regulated entities that maintain electronic records in lieu of paper records, to satisfy recordkeeping requirements under EPA regulations in Title 40 of the CFR. The proposed criteria address the minimal functional capabilities that an electronic recordretention system must possess in order for an electronic record or document to meet a federal environmental record keeping requirement. Regulated entities that use electronic systems to create, modify, maintain, or transmit electronic records will need to employ procedures and controls designed to meet the minimum criteria in today's rule. These criteria are designed to insure that electronic records are trustworthy and reliable, available to EPA and other agencies and their authorized representatives in accordance with applicable federal law, and admissible as evidence in a court of law to the same extent as a corresponding paper record.

2. EPA's Proposed Criteria for Electronic RecordRetention Systems. In general, EPA believes that for electronic records to be trustworthy and reliable,
[[Page 46170]]
their corresponding electronic recordretention system must: (1) Generate and maintain accurate and complete copies of records and documents in a form that does not allow alteration of the record without detection; (2) ensure that records are not altered throughout the records' retention period; (3) produce accurate and complete copies of an electronic record and render these copies readily available, in both human readable and electronic form as required by predicate regulations, throughout the entire retention period; (4) ensure that any record bearing an electronic signature contains the name of the signatory, the date and time of signature, and any information that explains the meaning affixed to the signature; (5) protect electronic signatures so that any signature that has been affixed to a record cannot be detached, copied, or otherwise compromised; (6) use secure, computergenerated, timestamped audit trails to automatically record the date and time of operator entries and actions that create, modify, or delete electronic records; (An audit trail is an important element of any acceptable electronic record, for it provides an electronic record of key entries and actions to a record throughout its life cycle. Such audit trail documentation needs to be retained for a period at least as long as that required for the subject electronic records. Audit trail documentation also needs to be available for agency review.) (7) ensure that records are searchable and retrievable for reference and secondary uses, including inspections, audits, legal proceedings, third party disclosures, as required by predicate regulations, throughout the entire retention period; (8) archive electronic records in an electronic form that preserves the context, metadata, and audit trail; (Depending on the record retention period required in predicate regulations, regulated entities must insure that the complete records, including the related metadata, can be maintained in secure and accessible form on the preexisting system or migrated to a new system, as needed, throughout the required retention period.) and (9) make computer systems (including hardware and software), controls, and attendant documentation readily available for agency inspection. EPA believes that where these 9 criteria are met, records required to be maintained under EPA regulations, can be kept electronically, including where they involve or incorporate signatures.

3. Electronic Records with Electronic Signatures. Where electronic records involve or incorporate electronic signatures meeting the requirements under Subpart C of this proposal, EPA will consider the electronic signatures to be equivalent to handwritten signatures. EPA believes the criteria described in paragraph B.2. above address the conditions for cases of electronic records involving signatures, such as: first, a signed electronic record must contain information associated with the signing that clearly indicates the name of the signer, the date and time when the electronic record was signed, and, the meaning associated with the signature (such as review, approval, responsibility, authorship, etc.); second, electronic signatures must be linked to their respective electronic records to ensure that the signatures cannot be excised, copied or otherwise transferred so as to falsify an electronic record by ordinary means; third, this information will be subject to the same controls as those for electronic records and must be included as part of any human readable form of the electronic record (such as electronic display or printout). EPA seeks comment on whether these criteria are appropriate and whethertaken together with the general criteriathey are sufficient to ensure that signatures associated with records fulfill their purpose. EPA also seeks comment on whether these criteria are appropriate for the maintenance of electronic records containing digital signatures. (For an explanation of digital signatures, and their role in CDX, see Section V.B.1 of this preamble.) The special issues involved in maintaining digitally signed records are discussed in Section IV.D.6 of this preamblein connection with archiving requirements for electronic document receiving systemsand EPA is interested in views on whether these issues need to be more explicitly addressed by the criteria for electronic recordretention systems discussed here, especially the criterion provided in Sec. 3.100(5), which addresses the maintenance of the electronic signature as a part of the electronic record. EPA seeks comment on whether this provision should be expanded to accommodate some of possible procedures for archiving digital signatures referred to at the end of Section IV.D.6.

4. The Relation of These Requirements to Food and Drug Administration (FDA) Criteria. The criteria set forth in today's proposed ruleboth the general and those specific to records with associated signaturesare intended to be consistent with criteria set forth for electronic document systems in other relevant regulations, such as FDA's criteria in 21 CFR part 11. EPA seeks comment on whether today's proposed requirements achieve this consistency, and whether this consistency is an appropriate goal for this rulemaking.

5. Storage Media Issues. Given the fastpaced evolution of technology, it is realistic to expect that electronic records will be transferred from one media format to another during the required period of record retention. While EPA allows for such transfers in today's propose rule, any such transfer must occur in a fashion that ensures that the entire electronic record is preserved without modification. As noted earlier, the electronic record will include not only the electronic document itself, but also the required information regarding time of receipt, date of receipt, etc. Any method of migrating electronic records from one electronic storage medium to another that fails to meet this criterion will not produce records that meet federal environmental recordretention requirements. For example, a CDROM version of a record originally stored on electromagnetic tape will not satisfy federal recordkeeping requirements unless the method for transferring the record from one medium to the other employs error checking software to ensure that the data is completely and faithfully transcribed. EPA seeks comment on whether this criterion is sufficient to ensure that the integrity and authenticity of the electronic record is maintained throughout its required record retention period.

6. Additional Options. In addition to the criteria discussed above, EPA is currently evaluating the need for additional controls for electronic records under this rule. Over the course of the next five (5) months, EPA plans to conduct additional analysis, and based on the results of this analysis and the public comments received on the electronic record provisions contained in today's proposal, EPA may determine that additional provisions are required for electronic records. If such a determination is made, prior to proposal of the final rule, EPA will publish a supplemental notice detailing any additional electronic record provisions to be included in the final rule. We realize that the electronic records criteria in today's rule are not as detailed as that contained in FDA's 21 CFR part 11 and seeks comments on whether our proposed criteria are sufficient to ensure the authenticity, integrity, and nonrepudiation of electronic records maintained by regulated facilities in fulfillment of their compliance obligations. EPA is considering whether or not to include
[[Page 46171]]
additional provisions found in the FDA regulations in our final rule. Such provisions could include the following: (1) Establishment and implementation of written policies that limit system access to authorized individuals, as well as the use of authority checks to ensure that only authorized individuals can use the system, electronically sign a document, access the operation or computer system input or output device, alter a record, or perform the operation at hand; (2) establishment and implementation of written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification; (3) use of device (e.g., terminal) checks to determine the validity of the source of data input or operational instruction; (4) use of additional measures such as document encryption and use of appropriate digital signature standards to ensure, record authenticity, integrity, and nonrepudiation; (5) routine and documented validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records; (6) establishment and implementation of written policies governing education and training of personal and certification that persons who develop, maintain, or use electronic record signature systems have the education, training, and experience to perform their assigned tasks. EPA is also seeking comment on the general feasibility of converting existing paper documentsincluding litigationsensitive recordsto electronic documents, as well as comments on the strengths and weakness of existing technologies available for this purpose. C. What Is the Process That EPA Will Use To Approve Changes To Authorized State and Tribal Programs Related to Electronic Reporting and RecordKeeping?

EPA expects that States, tribes and local agencies that administer EPAauthorized environmental programs will wish to implement electronic reporting and recordkeeping at least as quickly and extensively as EPA. Therefore, in overseeing these programs, EPA wishes to balance multiple objectives of minimizing administrative burden on States, providing State flexibility for varying State approaches, and ensuring that State systems are robust enough to meet the demands of a strong enforcement capability. EPA considered several options for meeting these needs, including programbyprogram approval processesin each case under applicable EPA programspecific regulationsState selfcertifications, and a centralized approval process. This proposal provides for State flexibility by specifying performance criteria rather than requiring specific technologies, and balances other objectives though use of a hybrid process for approving changes to authorized State and tribal programs.

Under this process, EPA will provide a single set of substantive performance cri

FOR FURTHER INFORMATION CONTACT For general information on this proposed rule, contact the docket above. For more detailed information on specific aspects of this rulemaking, contact David Schwarz (2823), Office of Environmental Information, U.S. Environmental Protection Agency, 1200 Pennsylvania Avenue NW, Washington, DC 20460, (202) 260 2710, schwarz.david@epa.gov, or Evi Huffer (2823), Office of Environmental Information, U.S. Environmental Protection Agency, 1200 Pennsylvania Avenue NW., Washington, DC 20460, (202) 2608791, huffer.evi@epa.gov.