Ambassador David L. Aaron
International Trade Administration
U.S. Department of Commerce
Washington, D.C. 20230
Dear Ambassador Aaron:
In response to the Department of Commerce's recent release of newly revised Safe Harbor Principles, Frequently Asked Questions and your subsequent briefing on May 7, 1999, the Associated Credit Bureaus(1) provides the following comments.
We appreciate your efforts to bring consensus to this complex trade issue; however ACB members continue to share a serious concern about the very nature of the EU Directive on Data Protection, which takes a one-size-fits-all approach to privacy law. Our members believe that the U.S. economy enjoys many benefits resulting from its current approach to data privacy. Market place dynamics, contracts, sectoral and common law, and, most importantly, industry self-regulation provide a flexible, balanced and fair privacy protection system that benefits consumers, business and the economy.
Our members are equally concerned about the use of Frequently Asked Questions as a means to amplify by example how the Safe Harbor Principles work for different types of information. Ultimately, the FAQs become an ill-defined extension of the Safe Harbor and, for the sake of some hoped-for clarity; they unintentionally lead to a more inflexible, less responsive data protection regime.
For a number of more specific reasons as outlined below, we propose that continuing negotiations on the Safe Harbor Principles be tied to resolving questions about the FAQs, or that negotiations on FAQs should continue beyond an agreement on the Safe Harbor Principles, themselves.
· First, there is debate about the ultimate value of the FAQs. It may be decided that this component of the trade negotiation should not be brought to conclusion.
· Further, the weight to be given the FAQs in the trade negotiation is not an easy question to answer, particularly since some sets of FAQs have just been released within the past month.
· Phrases in the FAQs raise compliance questions, such as charging a fee that isn't "excessive" for disclosure. Or, ensuring that a response to a request is provided "without delay and within a reasonable time." Our thirty years' of experience with similar phrases in U.S. laws reveals that such phrases are vague and thus conflict with the premise that the intent of the FAQs is to add clarity.
· It is unclear how disputes over interpretations of FAQs would be resolved. If the understanding of the FAQs isn't harmonized between the EU member countries, then the FAQs create more layers of negotiations.
· Concerns about specific FAQs are unresolved. For example, our members are concerned about the FAQ on Access, which imposes the possibility of tremendous costs, where access is controlled by the concepts of expense and burden. It is unclear how these concepts provide protection for consumers, where such information isn't used for significant decisions, or isn't likely to be harmful to or considered sensitive by the consumer. Our members support access to sensitive data, such as consumer reports. We do not believe that access to general lists with names and addresses is warranted in light of the expenses involved.
It is our current view, for the reasons discussed above, that the Safe Harbor Principles are best applied by U.S. firms on a sector-by-sector basis without FAQs.
Regarding current U.S. law, our members are regulated by the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), which was enacted in 1970. The FCRA is likely the oldest privacy law in the U.S., if not the world. It has worked effectively in maintaining a balance between individual privacy concerns and the flow of information necessary for an information economy to function effectively. Congress spent eight years refining proposals to amend the law, resulting in the 1997 amendments, which changed the scope of the law by adding additional significant consumer protections. ACB and its members are concerned that the phrasing of the current Safe Harbor proposal does not ensure that the FCRA is a "law that effectively protects personal data privacy" as stated in the preamble to the principles released April 29, 1999. Any negotiated agreement with the European Union should state clearly that the Fair Credit Reporting Act provides adequate data protection. This is a matter of recognizing sovereignty of a robust U.S. privacy law.
In closing, we urge the Department of Commerce to be aggressive in communicating that this negotiation isn't an endorsement of the Directive on Data Protection. The Safe Harbor is a bridging between US private sector practices and European law that comes from a different legal tradition and experience set. It is this very fact that makes it a difficult effort to explore how to work with a rigid regime of data protection that in all likelihood will continue to contribute to constraining the growth of a true service economy and which is in fundamental conflict with our balance between market forces and consumer protection. We must state more strongly that the Safe Harbor and FAQs are not an appropriate model for domestic law or regulation.
Sincerely,
Stuart K. Pratt
Vice President
Government Relations
1Associated Credit Bureaus is an international trade association representing more than 1000 small and large businesses including credit reporting agencies, mortgage reporting companies, tenant and employment screening agencies as well as third-party debt collection firms. More information on our association is available by visiting our web site at www.acb-credit.com.