The Honorable David Aaron
Undersecretary for International Trade
U.S. Department of Commerce
14th Street & Constitution Avenue, Northwest, Room 3850
Washington D.C. 20230
Dear Ambassador Aaron:
This letter, on behalf of members of the Coalition of Service Industries (CSI), responds to your request, dated April 19, for comment on the latest draft of the Safe Harbor Principles and related documents, including Frequently Asked Questions (FAQs) recently made available on the Department's Website.
Because the position of the highly regulated banking, securities, fund management, and insurance industries is of particular concern, much of the commentary below will reflect issues of interest to this group of CSI members.
May I, however, on behalf of all the members of CSI, express our appreciation of the effort you and your associates have expended on reaching agreement with the European Commission on the Safe Harbor proposal.
We particularly appreciate the fact that a number of our previously expressed concerns about the November 4 draft of the Principles have been taken into account and specific changes made to reflect those concerns.
With regard to financial services, it is of course by now accepted that these industries are highly regulated - that the numerous governmental and self-regulatory institutions amply ensure the industry's compliance with US and state law and regulation, and protect the interests of consumers, including European consumers.
It is clear that consumers of these services may seek redress against perceived violations of their privacy through existing procedures.
Securities firms and investment companies are subject to the jurisdiction of the Securities and Exchange Commission (SEC) and the Federal Trade Commission (FTC). They have departments that investigate customer complaints.
The insurance industry is subject to extensive regulation of its information handling practices by state insurance departments and the FTC by virtue of the application of the Fair Credit Reporting Act. All state insurance departments have regulatory authority to respond to individual consumer complaints regarding privacy under state insurance unfair trade practices statutes. This regulation, from a wide variety of sources previously described to the Department, covers the ideas expressed in all seven safe harbor principles.
Bank regulators are required to establish consumer affairs offices and conduct periodic bank examinations of bank practices including adherence to stated customer information practices. The bank regulatory agencies have issued substantial guidance regarding the principles of fair information practices that should underpin effective privacy policies and their enforcement.
Because these institutions now comply with a panoply of requirements policed and enforced by powerful Federal and State agencies, some of them are understandably reluctant to agree with different standards as expressed in the Principles. You and others have been careful to state that the Principles are intended to apply only to data received from citizens of Member States of the EU. But as a practical matter, the Principles will likely create a new underpinning of support for efforts to write or revise Federal legislation imposing further regulations on a sector of the economy with rules already firmly in place.
This dissonance between the requirements of US law and regulation, and the standards currently embodied in some of the Principles, underlies the concept of "deference." This is the idea that the Department and the Principles should defer to the decisions of the Congress and the US regulatory authorities, and not attempt, through an international understanding, to force the industry to a different level of practice for one segment of its customer base.
As you are aware, the US financial industry, led by its large banks, securities houses, fund management organizations, and insurance companies, has an extensive and consolidated global reach. This industry, relying on second by second transfers of information about markets and customers, depends on instantaneous access to information as essential to stay abreast of markets, fulfill contractual obligations, respond to customer needs, protect customers' assets, and maintain the soundness of their own institutions.
We therefore recommend that a consultative procedure be agreed among European and US central banking institutions, providing that in any case where a stoppage of data flows among financial institutions is imminent, a consultation among the affected banking regulators be undertaken with the purpose of delaying data stoppage until a resolution of the underlying issue can be found.
With regard to the section on Safe Harbor Benefits in your April 19 letter, we appreciate particularly the requirement that Europeans will be expected to exhaust their recourse first with US organizations, and that only the European Commission (EC), as opposed to data commissioners of Member States, will be able to interrupt personal data flows.
However, we would like to inquire about the intent of the qualifier that "generally" only the EC will be able to interrupt data flows. What exceptions might be envisaged? Are there instances in which it would be possible for a data commissioner to stop a data flow to a Safe Harbor organization without having to secure the consent of the Article 31 Committee?
It was suggested in a recent meeting with EC officials that there might be three, rather than just two, choices for US companies contemplating entry to the Safe Harbor. One would be self-certification, the second an "interim" acceptance of Safe Harbor Principles accompanied by "partial protections," and the third a decision not to enter the Harbor. We would appreciate more detail on the second option regarding the nature of the partial protections. We believe this option could well be useful to firms or industries that believe themselves to be already substantially, if not completely, compliant, and that have an intention to move toward full acceptance of the principles, consistent with the evolving standards of their regulatory authorities.
Transition Period
With regard to the transition period for US companies, the proposal of a six-month transition period is insufficient in light of ongoing technical upgrades due to wide consolidation in the industry, Year 2000 compliance requirements, and decimalization in the securities industry. Furthermore, the transition period should reflect the fact that EU Member States' laws and regulations are still being formulated and that European companies are allowed a longer transition period for existing processing activities.
The Directive allows Member States to provide for a transition period of up to three years for existing processing operations. Member States may interpret this differently in national law. Indeed, the UK data protection act provides a three-year transition for existing processing operations. New processing operations are immediately subject to the law (as permitted by the Directive) and there is no further transition period for them.
We believe a six-month transition period is unfair in light of treatment afforded European competitors by the Directive and Member State implementing laws. It would appear fair to US companies to allow a three-year transition for existing operations. US companies deserve comparable treatment with their European counterparts.
Preamble to Safe Harbor Privacy Principles
We appreciate the inclusion of the material in the preamble specifically relating to organizations that are highly regulated. Here the phrase "adherence to these principles may be limited to the extent necessary to meet...US statutory and regulatory provisions" is helpful.
In the third paragraph, we suggest deleting the word "effectively". It is unnecessary: something is either protected or it isn't. However, inserting a modifier such as "specifically", as suggested by the Investment Company Institute, would make it clear that if an organization is subject to a US statutory or regulatory provision that specifically addresses privacy, it would qualify for the Safe Harbor even if that provision does not comply in all respects with the specific elements contained in the Principles.
Notice Principle
This Principle requires explicit notification to consumers about the collection and use of personal information and how to contact the organization with any inquiries or complaints. The final phrase of the Principle beginning with "but in any event before the organization uses such information" puts undue burden on companies that do not have systems in place for immediate notification. CSI recommends deleting the final clause of this paragraph beginning after the word "practicable".
Choice Principle
The term "third party" is not defined in the Principles or FAQs. We believe it would be helpful to define it, and that the definition should exclude affiliates.
Considering affiliates as third parties would contravene the Fair Credit Reporting Act, and would place US financial services firms at a significant competitive disadvantage with European universal banks, which are not required to be organized along an affiliate-based holding company structure.
In addition, the definition should exclude agents to which banks outsource functions such as check printing, statement printing and mailing, and escrow services. Individuals who elect to opt out would force some organizations to internalize all such operations, with a resulting loss of efficiency.
Onward Transfer Principle
CSI is concerned that the requirement that organizations ensure the third parties to which they transfer information comply with the Safe Harbor or sign a contract that encompasses all the Principles of the Safe Harbor is unworkable. From a practical standpoint, the onward transfer principle should simply require that organizations ensure that the third party keep the information confidential and use it only for the purpose for which the third party was engaged.
In addition, we urge you to include a FAQ that exempts from this Principle all of the following activities that may involve the use or transfer of personal data. These include: (1) transfers of information to law enforcement authorities in the case of fraud or other violations of law; (2) transfers pursuant to legal process; (3) transfers of information to agents pursuant to confidentiality obligations, such as attorneys, accountants or other outsource vendors performing services for the financial institution in servicing or providing products to the customer or collecting accounts; (4) transfers of information in connection with business transactions or potential business transactions, subject to confidentiality agreements, such as account transfers; (5) transfers of information to complete a transaction initiated by the customer; (6) transfers of information authorized by the customer; (7) transfers of information to governmental, regulatory or self-regulatory authorities having jurisdiction over the member for examination, compliance, investigation or other authorized purposes; (8) transfers of information to consumer reporting agencies; (9) transfers of credit information in the regular course of business between a financial institution and other financial institutions or commercial enterprises; and (10) transfers of customer information for analysis purposes.
Security Principle
This Principle states that organizations must take reasonable measures to ensure that personal information is reliable for its intended use. This requirement strays from what is generally considered a data "security" matter and becomes a data integrity requirement. Thus, we recommend deleting "reasonable measures to assure its reliability for its intended use and" from this section.
Data Integrity Principle
This Principle should be modified to make clear that it requires an organization to take reasonable steps to ensure that data that is being used to make decisions specific to an individual is accurate, complete, and current. The first sentence in this principle does not speak to data integrity and should be eliminated.
Access Principle
The word "reasonable" should be made an integral part of this principle. The last sentence in brackets is helpful in clarifying the principle and should also be made a part of the principle.
Access FAQ
Endnote 7 proposes exempting only US public records from the access principle. CSI urges Commerce to exempt both US and EU public records from the access principle. The access principle includes a requirement that companies correct or amend factual inaccuracies. Under no circumstances would companies be willing to correct or change public record data without the public record custodian's intervention. If the data subject requires a correction of a bankruptcy listing, for example, they must first work with the appropriate public agency to correct the record. As a matter of business practice, after confirmation from the public entity, a US company would amend the record.
In the first question, fourth paragraph, we have an observation with regard to requested information that "is not sensitive or not used for decisions that will significantly affect the individual... 2) but if readily available and inexpensive to provide, an organization would have to provide access to factual information that the organization stores about the individual." This provision puts a heavier burden on technologically sophisticated companies that might be able to provide information more inexpensively than other companies. It may inhibit technological advances.
Most of the conclusions expressed in this FAQ are useful. We would suggest adding fraud in the response to Question 5, after public security. We also strongly endorse the Department's position on "confidential commercial information."
Enforcement Principle & Verification FAQ
These comments apply both to the Enforcement Principle and the FAQ on Verification. Clause (b) of the principle stipulates that organizations in the Safe Harbor will adopt procedures for verifying that statements by businesses are true and that privacy practices have been implemented as presented. The Verification FAQ amplifies this requirement to provide that annual internal or external audits will be performed and will be provided as part of the annual renewal of an organization's self-certification by the Department. CSI objects to this aspect of the Enforcement Principle and to the Verification FAQ.
In Europe, the enforcement of organizations' privacy practices is driven by complaints by individuals. There is no requirement of which we are aware that European companies either self-certify their compliance with European data protection laws or verify their compliance with these laws. In the case of US companies entering the Safe Harbor and certifying their compliance with its principles to the Department, there should be no requirement for verification or audit. This is an extra layer of administrative burden that is unnecessary in a complaint-driven system. Furthermore, it imposes on US companies obligations not borne by European corporate competitors.
Furthermore, Note (3) to the Enforcement Principle seems to give discretion to Member States to act in conflict with the Commission's Article 25 (6) finding of adequacy and vitiates the "binding" of Member States to the Safe Harbor agreement by the Commission. The words "provided those authorities agree" should be eliminated from Note (3).
Self Certification FAQ
Combined with the Enforcement Principle and Verification FAQ, this FAQ creates an oversight process in which the Department will become the regulator of industry compliance with the Safe Harbor Principles.
CSI recommends that the Department instead rely on actual self-certification through public declaration, which is sufficient to trigger traditional regulatory review. The Department should require only a simple procedural notification.
US companies are accustomed to addressing consumer complaints and to using third parties to help resolve them. US companies request the option to work cooperatively with EU data protection authorities in the process of complaint resolution. Such cooperative arrangements may operate in the Safe Harbor as a means of filling any perceived gaps in enforcement. We request that this be explicitly provided in this FAQ.
Human Resources Data FAQ
In this FAQ, the answer to how enforcement will be handled for employee data within the Safe Harbor seems to imply that the FAQ's explanation of enforcement would supplant the normal contractual agreements used between U.S. companies and their European employees to address privacy.
For example, in the case where a US Safe Harbor company has a contract with a European employee, would the contract continue to govern the relationship between the US company and the European employee?
It is possible that a former employee of a Safe Harbor company would appear on a marketing list independent of having been an employee. It would be helpful to clarify that former employees need not be singled out for special notice.
The concepts of "non-employment" and "punitive action" need further explanation. If an individual decided not to permit the transfer of "non-employment-related" data that would be necessary to make decisions about an employee's participation in a stock option plan, would denying stock options be considered punitive? If so, would the institution be required to set up parallel processing for this corporate program in each jurisdiction?
Financial and Insurance Risk Management FAQ
CSI appreciates the inclusion of this FAQ in the Safe Harbor package and believes it will be helpful in giving guidance on financial and insurance risk management.
Weight of Principles versus FAQs
CSI believes that the FAQs provide needed clarification on particular points and that their inclusion in the Safe Harbor package gives useful guidance to companies doing business in Europe. Companies would like to be able to rely on the FAQs in the case of a challenge. But there is currently a lack of consensus within CSI on the degree of weight to be given the Principles versus the FAQs.
Thank you for the opportunity to present our views on these highly important matters.
Sincerely,
J. Robert Vastine
President