The Honorable Robert La Russa
Acting Undersecretary for International Trade
United States Department of Commerce
14th Street & Constitution Avenue, N.W., Room 350
Washington DC 20230

Re: Proposed International Safe Harbor Data Privacy Principles

Dear Undersecretary La Russa:

This letter responds to the International Trade Administration's request for comments on the March 17, 2000 "International Safe Harbor Privacy Principles," which include the "Frequently Asked Questions."
 

As we have done in prior submissions on this matter, IBM wishes to express appreciation for the efforts of the International Trade Administration and the Commerce Department to create a framework for use by US organizations to comply with Article 25 of the European Union Data Protection Directive. We strongly support your ongoing efforts, as well as those of the European Union's, to finalize the Safe Harbor framework in the May-June timeframe. We also applaud your willingness to continue constructive discussions with the EU on additional implementation issues.
 

As to the March 17 draft package, we would submit the following two requests for clarification:
 

· Introduction to the Principles
 

As we understand the intent of the new ending to the second paragraph, it is to confirm that organizations operating within the European Union are covered by the applicable law of the Member State. However, it is also understood that transfers of personal data outside of the EU to the United States would, if the organization enrolled in the Safe Harbor, be covered by the Safe Harbor framework. We would appreciate confirmation of this understanding, and anticipate it being enunciated by the documents to be issued by the European Union.
 

· Cooperation with Data Protection Authorities (FAQ 5)
 

Under the Safe Harbor draft, organizations may choose to cooperate with the relevant Data Protection Authorities as a means of compliance with the Enforcement Principle. This is an important element of the Safe Harbor framework, and should be implemented via deliberate and fair processes in order to protect the interests of both European data subjects and US organizations. We therefore respectfully request that the Department of Commerce clarify that the process set out in FAQ 5 requires that the Data Protection Authorities advising US organizations that choose this option, do so in the form of a reasoned opinion, particularly when finding a lack of compliance with the Safe Harbor commitment. In addition, when the relevant US governmental agencies receive a referral from the Data Protection Authorities' panel, these agencies must be able to review all of the information relevant to the decisionmaking, and decide upon that basis.
 

Thank you for your consideration of these comments and best wishes for continued constructive and fruitful discussions with the European Union on this matter.
 
 
 

Sincerely,
 
 
 

Harriet P. Pearson

Director, Public Affairs

IBM Corporation

1301 K Street, N.W. Suite 1200

Washington, D.C. 20005
 

202-515-5036

hpearson@us.ibm.com