In Re: Draft International Privacy Principles
Comments of Cable & Wireless
Cable & Wireless hereby submits these Comments to the Department of Commerce's ("DOC") November 15, 1999, Draft International Safe Harbor Privacy Principles. Cable & Wireless applauds the Department of Commerce's efforts to create a reasonable set of principles to ensure the free flow of data and commerce between the United States and the European Union ("EU") in light of the EU's Directive on Data Protection ("Directive").
Headquartered in the United Kingdom, Cable & Wireless plc has been a world leader in developing and providing integrated communications around the world for over 125 years. Today, the company is the world's fourth largest carrier of international telecommunications traffic, serving 17 million customers in more than 70 countries. In the United States, Cable & Wireless owns and operates one of the world's largest Internet backbone networks, providing high speed bandwidth to thousands of ISPs and end users.
Generally, Cable & Wireless is pleased with the progress the DOC has made and applauds the proposed approach of self-regulation. The Directive does not seek to micro-manage the information systems of organizations receiving personal data from the EU, but instead provides a set of reasonable guidelines that can be adopted with minimal disruption or compliance costs.
Specifically, the DOC should examine the following issues in the November 15, 1999, Letter from Ambassador David L. Aaron ("Letter"), the Directive, and the Frequently Asked Questions ("FAQs").
Enforcement Jurisdiction
In the area of enforcement jurisdiction, the Letter mentions that "the EC proposed that all enforcement [of the Directive] be carried out in the United States, subject to very limited exceptions." Cable & Wireless urges the DOC to ensure the Directive, as a U.S. government guideline, be enforced exclusively through U.S. administrative and judicial bodies. U.S. organizations subject to these guidelines would rightfully expect any enforcement action involving these principles to be governed by U.S. administrative and judicial procedures.
Cable & Wireless has operations in both the United States and in the EU and is concerned that without clear jurisdictional enforcement boundaries, it could be subject to multiple international enforcement actions for the same alleged violation. With more and more companies establishing separate affiliates in these jurisdictions, the Directive should clearly recognize that separate affiliates are subject exclusively to the rules and enforcement procedures of the jurisdiction in which they operate.
Qualification for Safe Harbor
The third paragraph of the Directive discusses means to qualify for the safe harbor. The Directive should explicitly state that the means discussed are not exhaustive, and the burden of compliance is on the individual organization. For example, organizations may use a variety of means to qualify for the safe harbor, such as statutory compliance in areas governed by domestic privacy laws, self-regulation for certain areas, and the subscription to a self-regulatory privacy program for others. Organizations should be confident they are free to choose the compliance mechanisms, or combination of differing mechanisms, that will qualify them for the safe harbor.
CPNI Reliance
The Directive mentions the FCC's Customer Proprietary Network Information ("CPNI") rules and the recent 10th Circuit decision which held these rules violate the First Amendment and are not currently enforceable by the FCC.(1) However, Section 222 of the Communications Act(2) was not addressed by this decision and remains in effect. As the language in this statute does not qualify its effectiveness on the validity of a rulemaking by the FCC, the guidelines should clarify that the statutory provisions of §222, which protect personal privacy, provide telecommunications carriers safe harbor benefits.
Secondary Liability
FAQ 3 provides guidance on the secondary liability of those telecommunications carriers or Internet Service Providers that simply transmit information on behalf of third parties. In order to provide more guidance, this answer should be broadened to state "to the extent that any organization acts as a mere conduit of the data with no control over its content or its use, it would not be liable for any violation of the Directive." Organizations that comply with the safe harbor provisions should be assured that any action violating the Directive by a party that has subsequent control of the personal data would not impose any secondary liability on this compliant organization.
Verification Statement
FAQ 7 states the verification statement should be made available upon request by individuals. This request does not have to be in the context of an investigation and no reason for the request has to be provided.
FAQ 7 should be amended to include reasonableness and balance conditions similar to those in FAQ 8 - right of access. In FAQ 8, the right of access to the individual's information is balanced with the expense and burden incurred by the organization that possesses the information. Similar balancing should be applied to requests for verification statements outside the context of an investigation or complaint in order to discourage frivolous or repeated requests.
Dated: December 3, 1999
1. US West v. FCC, No. 98-9518 (10th Cir., August 18, 1999).