Mr. Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th and Constitution Avenue, N.W.
Washington, DC 20230
Re: International "Safe Harbor" Privacy Principles - November 15, 1999 Revisions
Dear Mr. Fredell:
These comments are submitted by the American Insurance Association ("AIA") on behalf of its member companies(1) as well as other constituent elements of the property/casualty insurance, life insurance, and property/casualty reinsurance sectors. These comments respond to the Department of Commerce's November 15th revised international "safe harbor" privacy principles ("safe harbor principles" or "principles") and the accompanying frequently asked questions ("FAQs"). As we understand those principles, they are designed as one voluntary avenue of meeting the European Union Data Privacy Directive ("EU Directive" or "Directive") Article 25 adequacy standard applicable to certain third country personal information handling practices.
Because of the short time frame for public comments and the intervening Thanksgiving holiday, our member companies have not had an opportunity to review the latest safe harbor principles in detail. As a result, we will comment only generally and highlight our most prominent concerns.
A. Impact of Federal Financial Services Modernization Legislation
We note that the recent passage of the Gramm-Leach-Bliley Act of 1999, which contains new personal information privacy protections for financial services customers, adds yet another layer to the existing statutory, regulatory and other privacy protections already available to insurance consumers nationwide. We have detailed those protections in numerous submissions to the Department and need not repeat them here.
The financial privacy provisions of the new federal law were the subject of intense, prolonged negotiations among the Clinton Administration, the financial services industry, Congress, and others. It is safe to say that the law attempts to strike a balance between the informational needs of the financial services sector and the privacy concerns of financial services customers. The safe harbor principles should not advance any concept that upsets this legislative balance.
Because the preamble to the safe harbor principles still states that an organization qualifies for the safe harbor if it is "subject to a statutory, regulatory, administrative, or other body of law . . . that effectively protects personal data privacy," enactment of the new federal law adds even more substance to the creation of a safe harbor for those in the insurance industry who are governed by United States privacy oversight set forth in statute, regulation, administrative practice, or industry standard. Indeed, there are some who have interpreted the privacy provisions of the new federal law as allowing more restrictive state privacy standards. While we do not agree with this interpretation, such views will spur renewed interest in more legislative activity on privacy issues.
B. The Safe Harbor Transition Period Must Be Commensurate With The Importance Of The Issues
We agree with the Coalition of Service Industries' call for a transition period of at least 18 months for implementation of the safe harbor principles. Any change in industry practice as a result of new legislative or regulatory standards (or, in this instance, voluntary principles) requires a significant period of time for organizations to determine the most efficient and effective way to mesh the new standard with business practice. We note that even some EU member nations have not yet enacted national legislation implementing the EU Directive, although the Directive has been in effect for more than one year. Certainly, implementation of the safe harbor principles and voluntary adherence to those principles should be at least as forgiving.
We further note that enactment of the Gramm-Leach-Bliley Act of 1999 produces additional practical implementation problems for those who would self-certify that they are within the safe harbor. Under that law, federal and state financial services regulators - including state insurance commissioners - must promulgate new privacy regulations implementing the federal law within six months, but with an effective date six months after the regulations are promulgated. Thus, the insurance industry will be subject to a brand new privacy scheme in one year. Coupled with the normal amount of time needed to come into compliance, 18 months would be a minimum transition period for businesses. Without this transition period, companies, organizations, agents, and brokers would not likely participate in the safe harbor for fear that the principles may be applied inconsistently with, or override, current legal obligations.
C. Resolving Industry Concerns With The Safe Harbor Principles Themselves
Turning to the actual revisions to the safe harbor principles and FAQs, we note that some of our concerns have been addressed while others continue to linger. We are encouraged that a specific reference has been added to "exceptions or derogations" recognized by the Directive or EU Member State law. As we have stated to the Department on numerous occasions, we interpret those derogations to permit many legitimate information sharing activities within the insurance industry.(2)
We further agree with Ambassador Aaron's statement that a risk management FAQ is no longer necessary because of the extensive treatment of this concept in other law, including the new federal financial services law. However, we would continue to deem it beneficial to include a preamble reference to information sharing for "risk management" purposes. A simple reference would clarify that information sharing in order to evaluate and manage risk is a legitimate business objective.
We are also encouraged that the notice principle has been clarified to accommodate the industry's concern that requiring notice every time information is shared with third parties would be unworkable in certain lines of insurance (i.e., workers' compensation insurance). We now read the notice principle as requiring disclosure of information handling practices (1) when the individual is first asked for personal information, (2) at other, more appropriate times (i.e., in workers' compensation, for example, at the time of hire and/or as part of the workers' compensation notice posted in the employee's place of work), or (3) where the organization "uses or discloses such information for a purpose" other than that for which it was originally collected or disclosed to the individual.
Other concerns detailed in our May 11th submission remain unresolved. First, the Department's statement in the preamble (a) does not explicitly provide that industry practice recognized by state officials rises to the level of a privacy "body of law" and (b) makes it difficult to determine what is "effective" privacy protection. The first concern is primarily raised by intermediaries (agents and brokers) and property/casualty insurers who place and write workers' compensation insurance pursuant to a mandatory state system. Some of the information handling practices used within the workers' compensation insurance industry may not be explicitly set forth by statute, but are nonetheless recognized by state insurance regulators as a matter of industry or administrative practice in furtherance of sound disability management. The Department's discussion of safe harbor principles should explicitly recognize instances where industry or administrative practice rises to the level of effective privacy protection. This is especially true in the workers' compensation setting where industry and administrative practices effectively protect personal privacy while promoting sound return to work policies that serve the public interest.
Explicit recognition by the Department of effective industry practice would not alter the intent of the exception. The Department has already added a parenthetical to the exception that recognizes the "body of rules" issued by securities industry oversight organizations. We are merely saying that such recognition should not be limited to the securities industry alone - for other situations in other industries may arise that are covered by the exception, but may not technically be considered a "body of law." Therefore, we respectfully urge the Department to clarify that industry practice, enforced by a regulatory body, may rise to the level of effective consumer privacy protection.
With regard to the second concern, we are unsure what is meant by a body of law "that effectively protects personal data privacy." Because we understand that the safe harbor principles are not intended to govern or affect U.S. privacy regimes, we assume that the multiple layers of privacy protection applicable to the insurance industry qualify as effective privacy protection. However, it would be helpful for the Department to include either in the preamble or as part of the clarifying questions and answers concrete examples of industries that meet the effective protection standard.
Second, the preamble now provides that "[a]dherence to these principles may be limited: . . . (b) by statute, government regulation, or case law." We understand this sentence to limit the application of the safe harbor principles to the extent adherence to the principles conflicts with or impedes statutory, legal, or regulatory obligations. Such limitations may arise even where the law, regulation, or court decision does not specifically address privacy, but where adherence to a specific safe harbor principle makes it impractical or impossible to carry out a business function lawfully. Our understanding is consistent with the Department's position that the safe harbor principles were not meant to impair the operation of U.S. laws and regulations. We would respectfully request that the Department confirm that our understanding on this point is correct.
Third, with respect to the choice principle, the language has changed in at least one significant respect since the April 19th iteration. The first sentence of the April 19th version of the choice principle read: "An organization must offer individuals the opportunity to choose (opt out) whether and how personal information they provide is used or disclosed to third parties (where such use is incompatible with the purpose for which it was originally collected or with any other purpose disclosed to the individual in a notice)." The November 15th version deletes the last phrase in the parenthetical - "or with any other purpose disclosed to the individual in a notice" - and replaces it with the following: "or subsequently authorized by the individual". This revision is unduly narrow and invites a narrow interpretation of the phrase "the purpose for which it was originally collected." It also contradicts clear language in the notice principle. We respectfully request that the Department clarify that choice need not be offered where the information was collected for a purpose disclosed to the individual in a notice or clarify that the phrase "the purpose for which it was originally collected" includes information uses disclosed to the individual in a notice.(3)
With respect to "opt in" choice for sensitive information, we agree with the qualifications on such choice and the draft FAQ on sensitive data. We do believe, however, that the FAQ must be broadened to include all of the exceptions recognized by the EU Directive. This is consistent with the preamble to the safe harbor principles, which recognizes limitations on those principles "if the effect of the Directive or Member State law is to allow exceptions or derogations." Among other relevant exceptions, the Directive (i.e., Article 26) permits derogation from the Article 25 "adequacy" standard where (a) "the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject's request;" (b) "the transfer is necessary for the conclusion or for the performance of a contract concluded in the interest of the data subject between the controller and a third party;" or (c) "the transfer is necessary on important public interest grounds, or for the establishment, exercise, or defence of legal claims."
Because insurance involves a contractual arrangement between policyholder and insurer, which may or may not include benefits potentially available to a third party claimant, all of these exceptions apply to the information handling practices of the insurance industry. This assertion is especially true where personal information is necessary to carry out the terms of the insurance contract, to resolve a claim arising out of that contract, for the detection and prevention of fraud, and in the renewal process. Using workers' compensation insurance again as an example, workers' compensation insurers are permitted, without prior authorization from the employee-claimant, to gather personal information about the injured employee and to forward that information to others as permitted by the applicable state workers' compensation system. In this situation, the workers' compensation insurer is accessing personal information to further the performance of a contract between the insurer and the claimant's employer and the information is being transferred to satisfy a legal claim. The EU Directive itself states that exceptions are appropriate "where the transfer is necessary in relation to a contract or a legal claim." The clarifying language sought by the insurance industry would be relatively simple: add a reference in the sensitive data FAQ which cross-references the relevant preamble language.
Fourth, the onward transfer principle allows disclosure to third parties "consistent with the principles of notice and choice." However, where information is transferred absent "opt in" or "opt out" choice, the revised principle seems to impose responsibility on the disclosing entity unless that entity (1) "ascertains" that the third party subscribes to the safe harbor principles or is subject to the Directive or another adequacy finding, or (2) enters into an agreement with the third party to provide equivalent privacy protection. The revisions have failed to cure the most obvious problem with this principle: an entity to which personal information is disclosed cannot be responsible for the information handling practices of those to which it discloses personal information in order to carry out a business function. The most that can be done is to hold a third party responsible under applicable laws governing or related to insurance information privacy. As we have stated many times, the insurance industry is heavily regulated for privacy purposes and we are confident that state insurance regulators have the enforcement authority to address and resolve individual consumer privacy complaints, and to discourage abusive information handling practices by those associated with the business of insurance. To this end, we would respectfully ask the Department to clarify that the onward transfer principle does not impose an affirmative duty on any entity or individual in the insurance industry to stand behind the information handling practices of others. Without such assurances, it is doubtful that any company would take advantage of the safe harbor principles.
Fifth, we are generally satisfied with the data security principle because it is consistent with obligations already imposed by the examination provisions of most state insurance codes. However, we would note that many states have record retention provisions that would limit the extent to which information could be protected from alteration or destruction. In this regard, we would ask the Department to clarify that the "reasonable precautions" referenced in the data security principle permit adherence to existing record retention requirements, whether imposed by statute, regulation, or industry practice.
Sixth, we have reviewed the revised access principle and note that any references to the "reasonableness" of the access have been deleted. While we find these deletions unfortunate, our concerns might be resolved by clarifying the access FAQ. Under the FAQ ("Is the right of access absolute?"), the following paragraph appears:
"Expense and burden are important factors and should be taken into account but they are not controlling in determining whether providing access is reasonable. For example, if the information is used for decisions that will significantly affect the individual (e.g., the denial or grant of important benefits, such as insurance, a mortgage, or a job), then the organization would have to disclose that information even if it is relatively difficult or expensive to provide."
Access FAQ at 1 (November 15, 1999 Draft) (emphasis added). While the FAQ later describes exceptions to an individual's access rights, this does not diminish the reality that individuals are not always entitled to access information where insurance is involved. For example, current U.S. law provides a prohibition on access in connection with insurance claims or civil or criminal cases. We would respectfully ask that the Department modify this FAQ to permit U.S. standards to continue to govern reasonable rights of access. Such clarification might be accomplished by changing the referenced FAQ language to read as follows: "Expense and burden are important factors and should be taken into account but they are not controlling in determining whether providing access is reasonable, especially where the information is used for decisions that will significantly affect the individual. Rights of access, of course, are tempered by exceptions, which are discussed later in this FAQ." Alternatively, the word "reasonable" could be re-inserted in the access principle before the word "access."
CONCLUSION
We believe that our concerns and corresponding requests for clarification restate what has been the Department's consistent position: that industries already well-regulated by U.S. privacy standards can continue to adhere to those standards without fear of running afoul of the EU Directive, and that the principles are flexible enough to strike an appropriate balance between the privacy concerns of individuals and the legitimate informational needs of business. We appreciate the opportunity to submit comments on this important public and business issue, and we look forward to resolving our concerns in a productive way that will ensure the success and utility of the safe harbor principles.
Respectfully submitted,
J. Stephen Zielezienski
Senior Counsel
American Insurance Association
On behalf of
American Insurance Association
1130 Connecticut Ave., N.W.
Suite 1000
Washington, DC 20036
American Council of Life Insurance
1001 Pennsylvania Ave., N.W.
Washington, DC 20004-2599
Reinsurance Association of America
1301 Pennsylvania Ave., N.W.
Washington, DC 20004
Alliance of American Insurers
1211 Connecticut Ave., N.W.
Washington, DC 20036
The Council of Insurance Agents & Brokers
701 Pennsylvania Ave., N.W., Suite 750
Washington, DC 20004
Independent Insurance Agents of America
412 First Street, S.E.
Washington, DC 20003
National Ass'n of Independent Insurers
444 N. Capitol Street, N.W.
Washington, DC 20001
Insurance Services Office, Inc.
1825 K Street, N.W.
Washington, DC 20006-1202
cc: George Brady (NAIC)
1. AIA is a trade association that represents more than 380 of the Nation's most prominent property/casualty insurers.
2. Director General Mogg's Article 25.6 decision letter to Ambassador Aaron seems to infer that EU Member States might have some authority to hold up transfers of data accomplished under an Article 26 derogation, including those transfers excepted under Article 26.1. We have consistently read the Article 26 derogations as freely permitting - without government intervention - the transfer of data occurring under the conditions set forth in Article 26.1. Any different reading would make transborder data flows difficult, if not impossible.
3. We note that a similar problem exists throughout the safe harbor principles. For example, in the onward transfer principle, the reference to uses of information "disclosed in a notice" has been deleted.