April 6, 2000
The Honorable Robert LaRussa
Acting Under Secretary for International Trade
U.S. Department of Commerce
14th and Constitution Avenue, N.W.
Washington, D.C. 20230
Dear Mr. LaRussa:
The members of the United States Council for International Business
(USCIB) thank the Department of Commerce again for its efforts to resolve
outstanding issues regarding implementation of the E.U. Privacy Directive.
In our comments submitted on December 3, 1999, the USCIB recognized the
significant progress made since the April 19, 1999 draft and, therefore,
confined our comments to issues that our members believed were essential
to ensure industry's support for the final safe harbor documents. Given
that many of the outstanding issues set forth in our December 3 comments
have been addressed and/or clarified, our members generally support the
current version of the safe harbor documents as posted in March 2000.
With respect to financial services as set forth in Gramm-Leach-Bliley
(Financial Services Modernization Act - S. 900), however, as discussed below
in more detail, we urge you to continue your efforts at the highest levels
to obtain a determination of adequacy, including the recognition that the
financial services regulators are a third-party enforcement agent under
the safe harbor. With some clarifications and revisions, our members generally
believe that the current documents form a sound basis upon which many U.S.
businesses can ensure a presumption of adequacy for the purposes of the
Directive. We would like to address the following points, in some instances
seeking technical clarifications in the documents:

Introduction to the Principles:

The last sentence in the second paragraph of the introductory language
to the principles states: "The principles are not a substitute for the
national provisions implementing the Directive in situations where those
national provisions apply." We believe that this statement is an attempt
to clarify:
- that a U.S. company that subscribes to the safe harbor and is processing
  data in Europe is subject to the Directive as implemented in member state
  legislation; and
- that E.U. subsidiaries of U.S. parent corporations that subscribe to the
  safe harbor are subject to the Directive as implemented in the member state
  legislation rather than the safe harbor for the subsidiary's processing
  of personally identifiable data in the E.U.

Given this understanding, we would suggest the following clarification
to the end of that sentence: "to a U.S. company and/or an E.U. subsidiary
of a U.S. parent company for its processing of personally identifiable
data within the E.U."

We understand that the addition of the last sentence of this principle
is intended to ensure that personally identifiable data relating to European
citizens is treated as such by an organization subscribing to the safe
harbor if it is treated as sensitive by the European data exporter. Therefore,
we recommend the following change to the last sentence of the second paragraph
of the principle. "In any case, an organization should treat as sensitive
any personally identifiable information relating to an E.U. citizen received
from a third party where the European data exporter identifies and treats
it as sensitive and is notified by the third party that the data is treated
as such."
The new clause at the end of this principle could create ex post facto
liability for a company if the organization learns that the third party
would process the personally identifiable data in a contrary way subsequent
to the transfer. This would be inappropriate and beyond the reasonable
application of this principle. Therefore we suggest the following amendment
to the last clause: "unless prior to the transfer the organization
knew or should have known . . ."

FAQ 5 - The Role of Data Protection Authorities:

In order to commit to cooperate with the panel of data protection authorities,
an organization must, among other things, "comply with any advice given
by the DPAs . . ." Procedurally, it would be more appropriate to qualify
this in such a way to ensure that the subscribing organization at issue
is given an opportunity to respond to the advice prior to it becoming final.
Consequently, we would recommend the following change: "3. will comply
with any advice given by the DPAs after a presentation of and discussion
with the organization and where the DPAs take the view that the organization
needs to take specific action to comply with the safe harbor principles . . ."

This FAQ also indicates that the FTC or other U.S. federal or state
body will take enforcement actions against a subscribing organization that
fails to comply with the advice of the DPAs within 25 days of the delivery
of the advice. We believe that in such a review the FTC or other appropriate
U.S. governmental body should consider the entire record of the dispute
to determine whether the subscribing organization has or has not complied
with its commitment to cooperate with the DPAs and recommend that such
language be added to the FAQ.

Requiring compliance with advice from a DPA within 25 days fails to
recognize the practical realities under which organizations operate. Attempting
to address this by providing the organization an opportunity to give a
"satisfactory explanation for the delay" is not an appropriate fix, as
virtually any advised modification to practices or disclosures
would take more than 25 days to implement. Time frames for implementing
DPA advice should be determined on a case-by-case basis with due regard
to the operational and financial resources required for implementation.

FAQ 6 - Self-Certification:

USCIB members have three outstanding issues with FAQ 6:

- We do not believe that organizations subscribing to the safe harbor
  should be required to provide self-certification letters "not less than
  annually." A more logical requirement would be to require notification
  to the Department of Commerce or its designee if there has been a material
  change in the subscribing organization's self-certification declaration.
  Moreover, this places a greater burden on U.S. companies over their European
  counterparts given that, to our knowledge, no member state law requires
  companies to register annually with their Data Protection Authority;
- The FAQ requires companies in their self-certifying letter to identify
  "a contact person for handling complaints . . ." We suggest that the letter
  require the identification of "a contact point" rather than "a contact
  person." This minor change would recognize that companies often have a
  customer service department that consumers can contact. These departments
  often have numerous customer representatives, not a single contact person.
- We also recommend a minor word change, but an important revision, to
  the new paragraph in this FAQ that indicates that a self-certifying organization
  "must subject to the safe harbor principles all personal data received
  from the EU after it (perhaps it would be clearer if the immediately preceding
  "it" was replaced by "the organization") joins the safe harbor." The problem
  is that an organization will typically receive several kinds of personal
  data. Some of the data may be covered by a sectoral adequacy determination,
  such as consumer data covered by the Financial Services Modernization Act
  or the Fair Credit Reporting Act, but that would not apply to other personal
  information received by the US organization, such as employee data or consumer
  data from another line of business. Similarly, some of the data may already
  be covered by Article 26 derogations, especially those concerning transborder
  data transfers with consent, or as necessary to perform a contract, or
  subject to adequate contractual safeguards. The organization should be
  able to transfer data lawfully under Article 26 just as its European counterparts
  may, or under a sectoral adequacy determination, while still using the
  safe harbor principles and procedures to protect any EU personal data that
  are not otherwise covered. Therefore, the sentence should go on to say,
  "except to the extent that personal data received from the EU are covered
  by another adequacy determination or an Article 26 derogation."

FAQ 8 - Access:

In the answer to question one (the last sentence in paragraph 3 and
the first sentence of paragraph 4), there is a reference to the use of
information for decisions. Given the strong statement that such information
would have to be disclosed, the standard for such a requirement should
be raised. Therefore, we suggest the following changes to the two sentences
respectively:
"For example, if the information constitutes a material basis for decisions
that will significantly affect the individual. . ."
"If the information requested is not sensitive or does not constitute
a material basis for decisions that will significantly affect the individual . . ."

We suggest that human resource data relating to salary and salary change
information be included as a circumstance when an organization may deny
an individual access to their personal information.

FAQ 11 - Dispute Resolution and Enforcement:

The response to the first question in this FAQ indicates in brackets
that data protection authorities must agree to serve as an enforcement
mechanism when subscribing organizations commit to cooperate with them.
As stated in our comments of December 3, we believe it is important to
clarify that the phrase "[provided those authorities agree]" does not mean
that each data protection authority has the choice to serve as an enforcement
body. This would effectively require subscribing companies to seek the
agreement of every member state authority, a requirement that would defeat
the purpose of the safe harbor, which is a harmonized resolution to the
potential restriction on the transborder flow of data. Moreover, the language
in question is arguably unnecessary at this juncture since the current
documents indicate that the E.U. will create an informal panel of data
protection authorities to serve as an enforcement mechanism, thereby recognizing
the agreement of the panel.

Draft Letter from the Department of Commerce to the European Commission:

The draft letter states that ". . . the Commission and Member States
will use the flexibility of Article 26 and any discretion regarding enforcement
to avoid disrupting data flows to U.S. organizations during the implementation
phase of the safe harbor and that the situation will be reviewed in mid
2001." USCIB members believe that, in order to be able to adapt their business
practices to comply with the safe harbor principles and to ensure the continued
flow of data from the E.U. to the U.S., the agreement by the E.U. not to
enforce the Directive against U.S. companies should be 18 months and in
no event expire prior to the approval of a model contract by the Commission.

Regulated Industries - Financial Services:

The heavily regulated U.S. financial services industry will be subject
to significant new privacy regulations stemming from Title V of the just-enacted
S. 900. The Act imposes new privacy and security obligations on financial
services institutions, requires disclosures and choice for the sharing
of customer information, and directs both federal and state regulators
to adopt rules and examination guidelines to assure compliance with the
new law and with the Fair Credit Reporting Act. Financial services companies
will be required to publicize their privacy policies and update or restate
them at least annually, subjecting them to potential civil liability and
regulatory action if they do not live up to their commitments. The Act
does not preempt more restrictive state laws and regulations, which are
already under consideration in a number of states. Given the extensive
new privacy requirements under the Act, we recommended in our December
3 comments that: a) the Commission find that the total privacy regulatory
framework applicable to the U.S. financial services sector is adequate
under the terms of the E.U. Data Protection Directive; or b) the Commission
review that regulatory framework after all state and federal regulations
pursuant to the Act have been implemented (roughly a year to 18 months
from now) in order to make an adequacy determination at that time; and
c) the Commission immediately finds that U.S. financial services regulators
constitute a third-party enforcement agent under the terms of the safe
harbor agreement.
Therefore, USCIB members are disappointed that the E.U. is not prepared
at this time to find the financial services regulations "adequate." However,
we are encouraged that there will be ongoing discussions between the Department
of Commerce and the European Commission on this issue. Financial data is
a very important element of transatlantic data flows and a determination
of adequacy of the financial regulations at the soonest possible opportunity
is critically important to transatlantic trade. It is our understanding
that the determination of adequacy of the regulations implementing the
Financial Services Modernization Act (S. 900) will include both the consumer
and customer information and the activities covered by the Act.
Similar consideration should be given to other regulated industries,
such as healthcare products and services, for which regulations are being
developed under the auspices of the Department of Health and Human Services.
The regulations are under development and are expected to be issued within
approximately one year, with implementation to be required within 24 months
thereafter.

The Use of Contracts for Human Resource Data:

As companies look to how to implement the safe harbor, questions arise
as to how the safe harbor might be used in relation to human resources
(HR) information. This information, which is often copied to servers or
databases in the U.S., is clearly subject to the Directive. Application
of the safe harbor would either require the review of third parties (Trust-e,
BBB) or the cooperation with a panel of E.U. DPAs in order to ensure compliance
with the safe harbor documents. Some companies may be uncomfortable with
either of these solutions being applied to internal HR data. It would be
useful to explore the potential of a model HR contract as a way of enforcing
the Safe Harbor as it relates to internal corporate information. An HR
contract would presumably have Safe Harbor principles incorporated into
an enforcement mechanism that would rely on the legal ability of the data
exporter to bind the data importer. The Directive also makes possible the
consideration of a model contract for HR outside of the scope of the Safe
Harbor. Both options should be pursued.
Thank you for your consideration and your continued efforts on behalf
of U.S. industry. Please do not hesitate to contact me or David Fares
(212/703-5061) if you have any questions regarding these comments.

Sincerely,

Charles Prescott
Chair, Working Group on Privacy and Transborder Data Flows