From: Shelley E. Harms Executive Director Bell Atlantic
Re: Bell Atlantic's Comments on Safe Harbor Principles
Attention: Eric Fredell
Attached for filing are Bell Atlantic's Comments on Draft International Safe Harbor Principles. Thank you very much. -- Shelley Harms
(See attached file: ita1198.doc)
Before the
Department of Commerce
International Trade Administration
Washington, D. C. 20230
Draft International )
Safe Harbor Privacy Principles )
November 3, 1998 Draft )
COMMENTS OF BELL ATLANTIC
Bell Atlantic is pleased to submit comments in response to the ITA’s November 4, 1998 request for industry comments on the November 3, 1998 Draft International Safe Harbor Privacy Principles.
Bell Atlantic supports the establishment of “safe harbor principles” that, if voluntarily adhered to by U.S. companies, will establish a presumption of “adequate” protection for data transferred from Europe. We also applaud the efforts of the Department of Commerce to reach an understanding with the European Commission on the adequacy of U.S. data protection based upon self-regulation.
Many of the proposed principles appear to be reasonable. They are similar to Bell Atlantic’s own privacy policies and appear to incorporate suggestions from our prior comments on privacy issues. However, we have two major concerns with the current draft.
First, as a general matter, we are concerned that the document will not provide certainty for U.S. industry. Our concern here is especially informed by our experience with the Telecommunications Act of 1996’s rules on Customer Proprietary Network Information, which contained some similar concepts. Despite the good intentions of the Act’s drafters, it required a contentious two-year FCC proceeding to resolve the issues of interpretation of how and in connection with which services information could be used. In order to achieve the desired certainty here, we would propose the use of the language developed by the Online Privacy Alliance. The language of the OPA’s principles was developed and agreed to over hours of discussion among industry members. The words were chosen very carefully, and are based on a common understanding of what they mean. Commentary has been published to further explain them. The OPA principles represent a significant coming together of major industry players to implement meaningful self-regulation. We think these efforts should be utilized and reinforced by the U.S. government. Otherwise, the presumption may arise that the OPA language was for some reason insufficient. We believe that the OPA principles are more than “adequate” for the purpose if the goal is to protect data rather than import the EU Directive. In the alternative, the necessary certainty could be provided by explicitly stating in the safe harbor principles that the OPA’s principles are in compliance.
Second, Bell Atlantic has serious concerns about the requirement that a company must police the use of data by a third party to whom data is transferred (Principle 3). We cannot control the actions of a third party, and it is unreasonable to expect us to assume that potential liability. Once data has been transferred – by customer consent, by legal requirement, or by other appropriate means – its proper use must be the responsibility of the transferee. We are particularly concerned about how this obligation would apply to certain telecommunications services which involve the release of data to millions of persons every day. For example, our Directory Assistance service provides phone number or address information to any person who requests it. Customer name and address information is placed in our Directory Assistance database with our customers’ consent for its use for this purpose. But we cannot guarantee that a person requesting such information will use it only for the purpose of making a telephone call. Similar concerns arise with respect to the transfer of data using Caller ID, reverse directory services, and similar services – once a customer has consented to the release of this information for purposes of providing such a service, we simply cannot be responsible for the use of the data once it has been released. The potential liability of having to require limits to particular uses of information by third parties could chill the provision of useful services like these.
Bell Atlantic is committed to working with our government and with the European Union and its member states to ensure that data flows between Europe and the United States are not unreasonably interrupted, to ensure reasonable privacy protection, and to foster electronic commerce.
We believe the draft safe harbor principles are a good start. We hope they can be revised to the satisfaction of U.S. industry and the European Commission.
Respectfully submitted,
/s/ Shelley E. Harms__
Shelley E. Harms
Executive Director
Bell Atlantic
1095 Avenue of the Americas
New York, NY 10036
212-395-8053
shelley.e.harms@bellatlantic.com
For Bell Atlantic
November 19, 1998
From: Anne K. Toth
Manager, Privacy Policy & Data Protection, Yahoo, Inc.
Re: Comments on Draft International Safe Harbor Principles
Please find attached to this email message, Yahoo!'s Comments on Draft International Safe Harbor Principles and the Online Privacy Alliance's Guidelines for Online Privacy Policies.
If you have difficulty retrieving any of the attachments to this e-mail message, please contact me at (408) 616-3791 or reply to annet@yahoo-inc.com. These documents are also being sent by facsimile.
Thank you,
Anne K. Toth
Manager, Privacy Policy & Data Protection
--
~~~~~~~~~~~~~~~~~~~~~ DO YOU YAHOO!? ~~~~~~~~~~~~~~~~~~~~~~~
Anne K. Toth
Yahoo! Inc.
3420 Central Expressway
Santa Clara, CA 95051
http://www.yahoo.com/
http://mail.yahoo.com/
Tel: 408-616-3791
Fax: 408-616-3650
Pager: 800-315-4814
e-mail: annet@yahoo-inc.com
November 19, 1998
VIA FACSIMILE
AND ELECTRONIC MAIL
Mr. Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th Street and Constitution Avenue, N.W.
Washington, D.C. 20230
RE: Request for Comments on Draft International Safe Harbor Principles
Dear Mr. Fredell:
Yahoo! Inc. (Yahoo!) files these comments in connection with the Draft International Safe Harbor Principles, Attachment B to Ambassador Aaron’s Letter on the EU Data Protection Directive (the “Principles”). Yahoo! endorses the concept of having a safe harbor for U.S. companies that adhere to a standard set of privacy principles. Likewise, Yahoo! supports the International Trade Administration’s (the “ITA”) efforts to date to craft a set of principles that U.S. businesses can apply to the electronic collection and cross-border transmission of personal data between the US and EU member states.
By way of background, Yahoo! is a global Internet media company that offers a branded network of comprehensive information, communication and shopping services to more than 40 million unique Internet users each month. As the first online navigational guide to the Web, Yahoo! is the single largest guide in terms of traffic, advertising, household and business user reach, and is a leading Internet brand name. Yahoo! maintains 15 international Internet properties outside the United States with offices in Europe, the Asia Pacific and Canada. Yahoo! is headquartered in Santa Clara, California.
The Internet has evolved into a global source of new media. As an Internet pioneer, Yahoo! has grown to include many international users. The corporation serves its international audience by offering Yahoo! services in multiple languages with localized and personalized content for users throughout the world, including the European Community. The corporation’s privacy policy is posted on Yahoo!’s sites, accessible to users throughout the network of properties in multiple languages.
This privacy policy meets guidelines set forth by both the Online Privacy Alliance (the “OPA”) and by TRUSTe. Yahoo! is a member of both organizations. These organizations have worked diligently to address privacy issues pertaining to online businesses. Yahoo! is proud to be a member of the OPA and to comply with their “Guidelines for Online Privacy Policies” (the “Guidelines”). The Guidelines reflect the consensus view of a diverse group of companies and industry organizations with respect to privacy principles for the online medium.
Yahoo! respectfully submits comments for two of the seven principles set forth in the Principles, specifically the “Onward Transfer” principle and the “Access” principle. These comments reflect Yahoo!’s perspective as a company that makes its primary business on the Internet.
Onward Transfer
The Onward Transfer principle (the “Transfer Principle”) specifies that:
“Individuals must be given the opportunity to choose whether and the manner in which a third party uses the personal information they provide (when such use is unrelated to the use(s) for which the individual originally disclosed it). When transferring personal information to third parties, an organization must require that third parties provide at least the same level of privacy protection as originally chosen by the individual…”
Yahoo! recommends that the aforementioned section be revised in accordance with the OPA’s Guidelines, specifically the Notice and Disclosure principle and the Choice/Consent principle. These principles provide that:
“The [privacy] policy must state clearly: what information is being collected; the use of that information; possible third party distribution of that information; the choices available to an individual regarding collection, use and distribution of the collected information; a statement of the organization's commitment to data security; and what steps the organization takes to ensure data quality and access…
…where there is third party distribution of individually identifiable information, collected online from the individual, unrelated to the purpose for which it was collected, the individual should be given the opportunity to opt out.”
Yahoo! complies with the OPA’s Guidelines, and in accordance, maintains a strict privacy policy. The OPA Guidelines were extensively reviewed prior to issuance and were carefully constructed. Yahoo! supports the OPA’s philosophy, advising companies to provide clear notice and choice about how user information will be used and shared. This philosophy allows the greatest freedom and choice for the user. The user can always choose to refuse to allow personal data to be transferred if the user is uncomfortable with the possible future uses of that data. Yahoo! concurs that providing consumers with clear notice about how personal data will be used and with whom it will be shared allows consumers to make informed decisions about the use of their personal information. This approach is consistent with the OPA Guidelines.
In addition, requiring partner companies to offer “at least the same level of privacy protection” as the company that originally collected the data does not take into consideration the varying ways that different companies use and protect personal data. Yahoo! has a posted privacy policy, and partnering companies are free to utilize and implement other proprietary privacy policies. There is no way to assure consistency between Yahoo!’s privacy practices and those of partnering companies, particularly if partnering companies operate in a different business category, subject to different regulatory requirements. Furthermore Yahoo!, as a matter of policy, does not support companies being placed in the position of policing the privacy practices of their partner companies. As a legal matter, this could result in unforeseen liability issues for companies should a partner or third party misuse personal data.
Access
The Access principle (the “Access Principle”), specifies that:
“Individuals must have reasonable access to information about them derived from non public records that an organization holds and be able to correct or amend that information where it is inaccurate. Reasonableness of access depends on the nature and sensitivity of the information collected and its intended uses. For instance, access must be provided to an individual where the information in question is sensitive or used for substantive decision-making purposes that affect that individual.”
Yahoo! recommends that this section be modified to be consistent with the OPA Guidelines that state:
“Organizations creating, maintaining, using or disseminating individually identifiable information should take reasonable steps to assure that the data are accurate, complete and timely for the purposes for which they are to be used.
Organizations should establish appropriate processes or mechanisms so that inaccuracies in material individually identifiable information, such as account or contact information, may be corrected. These processes and mechanisms should be simple and easy to use, and provide assurance that inaccuracies have been corrected. Other procedures to assure data quality may include use of reliable sources and collection methods, reasonable and appropriate consumer access and correction, and protections against accidental or unauthorized alteration.”
Users should be able to update and amend information that is no longer current or that is otherwise incorrect. The OPA Guidelines are clear on this point and establish a link between access to information and correcting inaccuracies in such information. In addition, to ensure a balance between the importance of data access and accuracy and the high cost to companies of providing access, the OPA created a standard of requiring companies to allow consumers to correct “material individually identifiable information.” Yahoo! appreciates that the proposed Access Principle includes a reasonableness standard for data access. The OPA language defines reasonableness, which is the ability to correct material individually identifiable information. Yahoo! strongly recommends that this language be incorporated into the Access Principle to define the use of the word “reasonable.”
Thank you very much for the opportunity to comment on the Principles. Again, Yahoo! supports the ITA’s efforts to reach a safe harbor solution for U.S. businesses engaged in the cross-border transfer of information. Should you need further clarification on Yahoo!’s position, please do not hesitate to contact me at (202) 887-6932.
Very sincerely yours,
John Scheibel
Washington Counsel and
Director of Government Affairs
Enclosures/Attachments:
OPA – “Guidelines for Online Privacy Policies”
Online Privacy Alliance
Guidelines for Online Privacy Policies
Upon joining the Online Privacy Alliance, each member organization agrees that its policies for protecting individually identifiable information in an online or electronic commerce environment will address at least the following elements, with customization and enhancement as appropriate to its own business or industry sector.
1. Adoption and Implementation of a Privacy Policy
An organization engaged in online activities or electronic commerce has a responsibility to adopt and implement a policy for protecting the privacy of individually identifiable information. Organizations should also take steps that foster the adoption and implementation of effective online privacy policies by the organizations with which they interact; e.g., by sharing best practices with business partners.
2. Notice and Disclosure
An organization's privacy policy must be easy to find, read and understand. The policy must be available prior to or at the time that individually identifiable information is collected or requested. The policy must state clearly: what information is being collected; the use of that information; possible third party distribution of that information; the choices available to an individual regarding collection, use and distribution of the collected information; a statement of the organization's commitment to data security; and what steps the organization takes to ensure data quality and access.
The policy should disclose the consequences, if any, of an individual's refusal to provide information. The policy should also include a clear statement of what accountability mechanism the organization uses, including how to contact the organization.
3. Choice/Consent
Individuals must be given the opportunity to exercise choice regarding how individually identifiable information collected from them online may be used when such use is unrelated to the purpose for which the information was collected. At a minimum, individuals should be given the opportunity to opt out of such use.
Additionally, in the vast majority of circumstances, where there is third party distribution of individually identifiable information, collected online from the individual, unrelated to the purpose for which it was collected, the individual should be given the opportunity to opt out.
Consent for such use or third party distribution may also be obtained through technological tools or opt-in.
4. Data Security
Organizations creating, maintaining, using or disseminating individually identifiable information should take appropriate measures to assure its reliability and should take reasonable precautions to protect it from loss, misuse or alteration. They should take reasonable steps to assure that third parties to which they transfer such information are aware of these security practices, and that the third parties also take reasonable precautions to protect any transferred information.
5. Data Quality and Access
Organizations creating, maintaining, using or disseminating individually identifiable information should take reasonable steps to assure that the data are accurate, complete and timely for the purposes for which they are to be used.
Organizations should establish appropriate processes or mechanisms so that inaccuracies in material individually identifiable information, such as account or contact information, may be corrected. These processes and mechanisms should be simple and easy to use, and provide assurance that inaccuracies have been corrected. Other procedures to assure data quality may include use of reliable sources and collection methods, reasonable and appropriate consumer access and correction, and protections against accidental or unauthorized alteration.
###
These guidelines are not intended to apply to proprietary, publicly available or public record information, nor to supersede obligations imposed by statute, regulation or legal process.
Other valuable resources available to Alliance members in the development of privacy policies include: the OECD's "Guidelines on the Protection of Privacy and Transborder Flows of Personal Data"; the U.S. Department of Commerce's "Staff Discussion Paper of Privacy Self-Regulation"; and various industry association programs.
FROM: U.S. Council for International Business
From: Joseph Alhadeff
Vice President, Electronic Commerce
U.S. Council for International Business
Re: USCIB Comments
Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th and Constitution Avenue, N.W.
Washington, DC 20230
Attached as an unencoded MS Word 6.0 file, please find the comments of the U.S. Council for International Business on the Draft Safe Harbor Principles. The comments are also cut and pasted below. We thank you for the opportunity to comment.
Joseph Alhadeff
Vice President, Electronic Commerce
U.S. Council for International Business
jalhadeff@uscib.org
**********************************************************************
USCIB COMMENTS ON THE DOC DRAFT INTERNATIONAL SAFE HARBOR PRIVACY PRINCIPLES
Thank you for the opportunity to provide comments on the Draft International Safe Harbor Privacy Principles. USCIB members greatly appreciate the efforts of the Department of Commerce to resolve the potential restrictions on the transborder flow of data from the E.U. to the U.S. as a result of the implementation of the E.U. Privacy Directive.
In theory, USCIB members support the concept of a safe harbor. However, there are many unanswered questions that will ultimately determine the support of our members for this draft solution, namely the actual application of the safe harbor (how does it relate to a private action, what does it commit the European Commission to do or not do within its scope of authority under the Directive) and the scope of the principles themselves.
In regard to the principles, the starting point should be the consensus achieved by U.S. industry as represented in the Online Privacy Alliance principles, as adapted where necessary to apply to both the on-line and off-line environments. If there is a conflict between these principles and E.U. demands, the resolution of the conflict should be based on internationally agreed upon principles, not adoption of the principles set forth in the E.U. Directive. The U.S. position has consistently advocated that "adequacy" does not mean equivalency, and that there are sector appropriate self-regulatory solutions which can provide adequate protection. The OECD 1980 Guidelines provide the international consensus which should be used to resolve potential conflicts concerning adequacy. The principles should be in keeping with the U.S. approach of self-regulation operating in conjunction with existing laws and regulation.
The rationale for such an approach is twofold. First, the U.S. will be conceding that the OECD Guidelines and U.S. privacy protection based on the OECD Guidelines do not represent adequate privacy protection if we agree to safe harbor principles that exceed their scope (the E.U. recognizes the OECD Guidelines as internationally agreed upon principles). Second, it may be difficult for U.S. companies to maintain two different privacy protection practices in their databases -- one for U.S. and non-E.U. citizens and one for E.U. citizens. In practical application it may very well force U.S. companies to adopt privacy practices that exceed internationally accepted principles and may restrict information flows. Moreover, U.S. companies will have a difficult time rationalizing to U.S. and non-E.U. consumers that E.U. consumers are offered additional privacy protections. We must not forget the very real consumer education, choice and convenience benefits that result from the freer flow of information that our self-regulatory approach provides through its greater reliance on concepts of party autonomy and user empowerment.
Examples of where the Draft Safe Harbor Principles exceed the OECD Guidelines:
· Generally: There should be a general qualification and limitation on the application of the safe harbor principles to personally identifiable information in order to avoid confusion with aggregated or otherwise "cleansed" information.
· Notice: The draft safe harbor principles include notice of the types of organizations to which information is disclosed. The OECD Guidelines do not have such a requirement. Chapter II, Section IV, Article 10(c) of the E.U. Directive states that "Members States shall provide . . . any further information such as --the recipients or categories of recipients of the data." However the Directive then qualifies this by stating "in so far as such further information is necessary. . . " The draft safe harbor principles therefore go beyond even what the Directive requires. The OPA addresses this by calling for notice and disclosure of "possible third-party distribution of that information." In addition, the OECD Guidelines do not require the identification of how information is collected but rather states that information should be "obtained by lawful and fair means. . ."
· Choice: The concept of "unrelated uses" as set forth in the parentheses is clearly stated in the OECD Guidelines. Therefore, it should be clearly stated in the safe harbor principles without parentheses which generally tracks the language of the OPA. Additionally, the OECD Guidelines and its explanatory memorandum do not state that absolute opt-in must be offered for the collection and use of sensitive data. USCIB members recognize that sensitive data, such as medical information require greater protection. However, greater protection does not justify an absolute presumption of opt-in for all sensitive data.
· Onward Transfers: No such stand alone principle exists in the OECD Guidelines. The concept of "third-party uses" is incorporated in the "Purpose Specification" and the "Use Limitation" Principles of the OECD Guidelines. In addition, the OECD Guidelines do not provide that organizations must require third parties to whom they transfer information to provide at least the same level of privacy protection as originally chosen by the individual. Please also see above for a discussion on opt-in for sensitive data.
· Access: The OECD Guidelines provide that an individual should have the right to have "communicated to him, data relating to him. . ." Therefore access is through a communication from the data controller to the data subject. The draft safe harbor principle does not clearly reflect the "communication" concept which may be construed to allow an individual to physically review files/databases. It is important to note that the explanatory memorandum to the OECD Guidelines (Paragraph 58) states ". . . the right to access and challenge is not absolute." There must be reasonable limits on the right to access, especially where the access is not for data quality purposes. At a minimum, users requesting access must have some obligation to work with companies to tailor requests to be reasonable in scope and not prohibitive in terms of timeframe, cost or technological practicability.
· Enforcement: The OECD Guidelines contain an "accountability principle" that does not preclude effective and viable self-enforcing/auditing approaches. Even if there may be a preference for independent recourse mechanisms, should there be an absolute preclusion of an effective and viable self-enforcing/auditing approach?
We look forward to continuing our dialogue with the U.S. Government on this important effort. Please do not hesitate to contact us if you have any questions.
Submitted 11/19/98
Joseph H. Alhadeff
Vice President, Electronic Commerce
U.S. Council for International Business
jalhadeff@uscib.org
Tel: 212-703-5068
212-354-4480
Fax: 212-575-0327
FROM: Health Industry Manufacturers Association
November 19
From: Donna Slingluff
Director, Global Strategy and Analysis
Re: EU Data Protection Directive
Dear Mr. Fredell:
Attached please find comments submitted by HIMA.
<<dataprivacy1119.doc>>
The hard copy will follow shortly via facsimile.
Regards,
Stephanie
November 19, 1998
Mr. Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th and Constitution Avenue, N.W.
Washington, DC 20230
Re: HIMA Comments on Proposed Safe Harbor for EU Data Protection Directive
Dear Mr. Fredell:
The Health Industry Manufacturers Association (HIMA) is pleased to submit the following comments on the Department of Commerce’s proposed international industry safe harbor to the European Data Protection Directive. HIMA is a Washington, D.C.-based national trade association representing more than 800 manufacturers of medical devices, diagnostic products, and health information systems.
HIMA supports efforts to protect the confidentiality of patient medical information and appreciates the European Union’s concerns about data privacy protections in other countries. HIMA is concerned, however, that the European Directive on Data Protection will impede the transfer of important patient data used for clinical research to develop innovative medical technologies, and will also impede post-vigilance activities, such as device tracking, that help manufacturers identify patients in the event of product recalls.
HIMA supports the efforts of the Department of Commerce to negotiate with the European Commission a workable solution to these and other problems created by the Directive, and we think the proposed safe harbor principles may offer some benefits to U.S. medical device companies concerned with the EU data privacy directive. Our recommendation, however, is for an amendment to the Directive -- or a statement from the European Commission -- clarifying that the transfer of data for clinical trials and post-vigilance activities is exempted from the Directive’s requirements.
We believe that clinical trial and post-vigilance activities should be exempted from the Directive, because sufficient data privacy safeguards already exist in the U.S. Many sections of the U.S. Code of Federal Regulations impose patient data privacy obligations on medical device companies involved in these activities.
Specifically, hospital-based clinical trials to test the effectiveness of a medical device must have the approval of the hospital’s institutional review board (IRB). An IRB is a committee formally designated by an institution to review, approve, and conduct periodic review of biomedical research involving human subjects (21 C.F.R. Section 56.102 (g)). Qualifications for IRB membership are described by regulation (21 C.F.R. Section 56.107). The IRB reviews the plan for the clinical study to ensure that the safety and welfare of the participating patients are protected. The IRB requires patients to first sign an informed consent document, acknowledging their understanding of the potential risks involved and agreeing to participate in the study. The informed consent form may provide for the confidentiality of patient records, consistent with the procedures of the institution conducting the research and/or applicable state law and regulations.
With regard to post-vigilance activities in the U.S., when patients receive an implantable device (such as an implantable pacemaker or defibrillator), the manufacturer is required to keep track of that person over the lifetime of the device. The Food and Drug Administration (FDA) requires tracking by manufacturers to ensure that if there is a notification about a device problem or recall, the manufacturer will know how to contact each patient who has received the device. It is to the patient’s advantage to share this information with the manufacturer and FDA; however, as a legal matter, a patient could refuse to be tracked by communicating that refusal in writing to the manufacturer.
The FDA tracking regulation requires manufacturers to be able, when called for, to produce a list of the distributors, prescribing physicians, and patients (including their addresses) that have the device. The regulation makes the individual manufacturer responsible for developing its own procedures for storing and tracking this patient information. In regard to patient information a manufacturer shares with FDA, certain types of patient information are protected by FDA through exemptions from the Freedom of Information Act and its implementing regulations. Thus, patient information is available only to FDA, and the agency is prohibited from releasing it to other parties.
The current process for device tracking serves the public well by allowing patients to be contacted in the event of a recall.
Furthermore, our interpretation of several of the Directive’s exceptions is that they cover clinical trials and device tracking activities. For example, “transfer of data necessary to protect the vital interests of an individual” would seemingly apply to patient data for both clinical trials and post-vigilance activities. If the European Union agrees with our interpretation, a safe harbor would not be necessary for the medical device industry. In any case, HIMA believes a clarification is needed – either by the European Commission or through an industry-wide safe harbor -- that compliance with U.S. regulatory requirements protecting patient data is sufficient to exempt companies from the European Data Privacy Directive.
Finally, we would like to point out that although the draft safe harbor is considered “voluntary,” from a practical standpoint it would be mandatory for those U.S. medical device companies that wish to continue sharing clinical trial and post-vigilance data with Europe. For this and the other reasons mentioned above, we would urge the U.S. government to seek a clear exemption to the Directive for these activities of the medical device industry rather than a safe harbor.
We appreciate your consideration of our views.
Sincerely,
Donna Slingluff
Director, Global Strategy and Analysis
FROM: Information Industry Association
November 19
From: Charlene Flick, Information Industry Association (IIA)
Re: IIA Safe Harbor Comments
Attached please find the Information Industry Association's (IIA) comments on the draft International Safe Harbor Privacy Principles. A duplicate of this document has been faxed to Eric Fredell at 202/501-2548.
Please let me know that these comments have been received. Thank you.
Charlene Flick, IIA
Charlene B. Flick
Assistant Counsel
Information Industry Association
(202)319-0141
CFlick@infoindustry.org
Before the
United States Department of Commerce
Washington, D.C.
Comments of THE INFORMATION INDUSTRY ASSOCIATION
(IIA) on the International Safe Harbor Privacy Principles
November 19, 1998
Introduction
The Information Industry Association (IIA) would like to take this opportunity to congratulate the Department on the progress that has been made regarding the ongoing negotiations with the Europeans over the implementation of the European Directive. Both Europe and America have very venerable and distinct histories that have each generated slightly different perspectives on governance, and we commend the Department of Commerce for rising to the obvious challenges of these negotiations and bringing us closer to a common ground. We would also like to thank the Department for its tireless efforts to include the private sector in this policymaking process, and for affording us the opportunity to submit comments on the “International Safe Harbor Privacy Principles” draft before pursuing this further with the Europeans. We hope you find our comments insightful.
Discussion
IIA is very supportive of establishing safe harbors that offer companies and consumers predictability in the global marketplace. The benefits of the safe harbor approach extend beyond the obvious advantage of avoiding disruption of existing flows of data into and out of the European Community. Consumers could presume that organizations within an established “safe harbor” would collect and use their personally identifiable information responsibly, thereby fostering consumer trust and ultimately electronic commerce. Companies within this safe-harbor would gain confidence that their information practices are exemplary and would be encouraged to extend these practices to innovative ways of doing business without the fear of losing the transborder dataflow that is so vital to their business. Although safe-harbor companies conceivably would not be free from privacy-related challenges, the favorable presumption that such a category creates greatly lessens the burden on responsible businesses who must address such challenges. IIA companies are encouraged to adhere to Fair Information Practices Principles and to post and enforce responsible privacy practices. Therefore, such a model could be greatly beneficial to IIA companies who engage or intend to engage in international transactions.
We understand and appreciate the necessity of drafting a fairly broad document that allows flexibility for a sectoral approach and for ongoing negotiations with the Europeans. However, we would like to underscore the importance of certain themes that, from our perspective, need to be amplified and memorialized throughout the document. One such theme is the need to exclude the collection and use of public records from the outset, citing time-tested First Amendment principles and the unfettered flow of expression that form the foundation of American government and American innovation. We would also recommend clear exclusion of data collected for journalistic purposes and publicly available information such as white pages. We acknowledge and applaud the Department’s incorporation of a public records exemption in the access principle, which stipulates “reasonable access to information about them derived from non public records.....,” but respectfully suggest that this distinction apply to the notice, choice, and data integrity provisions, as well. Ambassador Aaron has noted that the exemptions incorporated in Article 26 would be applicable to the safe-harbor document, as well. These exemptions include data coming directly from public records, but only immunize transfers from a European public register to a non-European site. We believe a public records exemption needs to be broader than the exemption in Article 26. Unless public records are broadly exempted, a company could lose its safe harbor if, for instance, it does not offer a European the right to opt out of dissemination or use of material in a public record located in the United States concerning that European (e.g., property ownership records). Additionally, it is unclear if public records information that is transmitted several times, as is often necessary to conduct business, would be construed as coming “directly” from public records.
Another concern we have is how eligibility for a safe harbor is to be established and determined. As Ambassador Aaron notes in his letter to Industry Representatives, “organizations could come within the safe harbor by self certifying that they adhere to these privacy principles.” This self-certification process does not appear to be adequately addressed in the document itself, and we would urge the Department to explicitly incorporate this principle in subsequent drafts. IIA’s membership encompasses many business sectors and a wide array of companies ranging from Fortune 500 to technology start-ups. We have drafted our Fair Information Practices Principles, Implementation Guidelines, and Privacy Policy Template to reflect the diversity of our membership and to preserve a range of options so that companies can choose how they would like to address consumer privacy based on their resources and the sensitivity of the information they collect. While many IIA organizations have chosen to have their practices reviewed and certified by a third-party audit system, some organizations have chosen to establish internal review and certification mechanisms. If the latter set of companies self-certify that they are complying with responsible business practices as implemented within their company, they should be entitled to a safe harbor presumption, as well. Although we believe that this is what the Department intended, we would suggest that the scope of the safe harbor specifically include language directed to companies who have chosen this method of self-certification. This will eliminate the potential interpretation of the third paragraph of the draft safe harbor principles, which states that qualification may depend upon “membership in private sector developed privacy programs,” to mean that self-certification is precluded. 
Lastly, we would be interested in learning more about the procedure surrounding the certification process and the entity actually doing the certifying as these details are finalized.
Section-by-Section Analysis
The principles discussed in the “International Safe Harbor Privacy Principles” draft effectively track those in the Department’s earlier “Elements of Effective Self-Regulation” draft. IIA has previously submitted comments on these principles and supports the inclusion of these elements in formulating an effective self-regulatory regime. The following reflects IIA commentary regarding each of the principles as they relate to the “International Safe Harbor Privacy Principles” draft:
Notice: We believe truthful and informative notice or “transparency” coupled with proportionate accountability or substantiation forms the foundation of an effective self-regulatory framework. IIA agrees strongly that a company has an obligation to document and support the representations it makes to the user/consumer. With adequate disclosure through a prominently displayed privacy policy, there is a presumption that the company is offering truthful and nondeceptive information. If a consumer’s trust in such a disclosure is breached, the Federal Trade Commission (FTC), state authorities, and other government agencies have proven enforcement mechanisms already in place to address such circumstances. We would suggest, however, that rather than “information it collects about them,” this provision should read, “information it collects from them.” This distinction directly relates to the input of information at the point of collection where a privacy policy is posted.
Choice: There is a long tradition of allowing consumers to limit the use of individually identifiable information for marketing purposes. There may be other circumstances where it is appropriate to allow individuals to limit the use and dissemination of individually identifiable information including when the information contains certain types of personal financial or medical history information and most information about children. On the other hand, there may be circumstances where it is inappropriate to allow individuals to limit the dissemination and use of individually identifiable information such as when the information was originally obtained from public records; the information is being used for billing purposes; the information is being used in the investigation of a crime, or the information’s use is regulated by law. We believe that it is important that the Department recognize and communicate to the Europeans that choice may not always be feasible or prudent.
With respect to the wording of this provision, we would suggest that opt-out be permitted in instances where such use is unrelated to the purpose for which it is originally collected, rather than the uses for which the user originally disclosed it. With adequate notice detailing what uses will be made of this information, the consumer should be able to make an informed choice as to whether or not opt-out is desirable. Furthermore, the “purpose” formulation aligns the choice principle with the notice principle, since the collector should state its “purposes” for the collection, but not necessarily the specific use for which the initial collection is being made. We believe the imposition of an opt-out requirement to be the most effective and generally accepted method of providing choice to users. If opt-in is to be imposed, it should only be in limited and well-defined circumstances involving highly sensitive information, because an “opt-in” standard can seriously impede the free flow of information.
Onward Transfer: The IIA Fair Information Practices Principles encourage companies to do business only with those market players who provide a consistent level of privacy protection to the consumer as that of the IIA member organization. If individually identifiable information is disseminated, the disseminating organization should take reasonable steps with respect to affiliates or the unaffiliated third parties who are receiving the information to protect against security risks and other related privacy abuses. It may not be practical, however, to offer a consumer an opt-out of such transfers, as such an option could potentially hold important transactions in abeyance until such decisions are rendered. In other cases, it would be appropriate for the company to offer individuals the choice to limit onward disclosures, and this can be done as part of the choice provision. Companies that intend to do business with other entities should disclose this fact in a succinct and readily understandable privacy policy and consumers may or may not choose to do business with this particular company in light of these policies. Although companies can seek out business partners who appear to uphold the same privacy principles, they should not be responsible for policing these entities and not held accountable for abuses beyond their control. Therefore, we would suggest that this provision be deleted and the important concepts be incorporated in the notice and choice provisions.
Security/Data Integrity: Information security is a key feature of responsible collection, use and dissemination of individually identifiable information. Our Fair Information Practices Principles mandate that companies take reasonable and appropriate measures to secure information they collect and use. Therefore, we have no substantive revisions to the security provision as written in the current draft. With respect to the data integrity provision, we would suggest the insertion of “reasonably” preceding “accurate, current, and complete” because companies often are not the originators of such information and therefore do not always have control over these factors. A reasonableness requirement would preclude a scenario where a company would be investing a disproportionate amount of energy in pursuing and updating this information to meet an arbitrary standard of “current” or “complete.”
Access: Again, we would like to commend the Department for recognizing the importance of incorporating a flexible reasonableness standard and a public records exception in the access provision. We would also agree that reasonableness of access depends upon the sensitivity of the information collected and its intended uses. We would, however, broaden reasonableness to include a notion of feasibility. A great many IIA members have expressed difficulty in providing access and correction to consumers given the structure of their internal databases and the inability of the technology to perform the necessary function for providing the access that the Europeans envision. Many companies have embedded technology and an assortment of separate and distinct databases that are not currently integrated to perform such a comprehensive search. Revamping such a system all at once could, in some cases, result in closing business operations altogether and bringing commerce to a halt. This scenario is surely not what the Europeans envisioned, and we would urge the Department to communicate the differences between Europe’s business functionality and our own, as well as the difficulty inherent in changing our business models to accommodate comprehensive access.
Furthermore, the current draft could be construed to condition “reasonableness” on a unilateral consumer-driven decision. Each time an individual determines that the information a company holds in its possession could potentially be used for a “substantive decision-making purpose that affects that individual,” he or she may demand a right of access and correction. Even if it is left to the company to determine what information is utilized in a “substantive decision-making process,” predictability is still not accomplished. Although information that is the basis for affording credit may be clearly more “substantive” than information that determines whether or not an individual is included in a marketing list, creating a “bright-line” test for defining substantive remains problematic. Therefore, in keeping with the intended flexibility of the document and its intent to preserve the American sectoral model, we would suggest omitting the sentence that offers the example of what constitutes reasonable access and instead letting the nature and sensitivity of the information collected serve to steer the access debate towards a sector-by-sector or case-by-case approach. We would also suggest that access be limited to information collected from the consumer, rather than about the consumer.
Enforcement: As stated earlier, we believe that notice coupled with effective enforcement or accountability is at the heart of any self-regulatory regime. We agree that mechanisms for recourse for consumers, verification of business practices, and the imposition of consequences for noncompliance are essential components of this accountability. Furthermore, we would agree with Ambassador Aaron’s opening remarks regarding the compatibility of self-regulation with existing remedies at law. For example, companies continue to be held accountable for representations made pursuant to Section 5 of the Federal Trade Commission Act despite participation in a self-regulatory program. Certain highly-regulated sectors of industry continue to be regulated notwithstanding their participation in self-regulation. Self-regulation or safe harbor status complements the existing legal framework; it does not diminish the potency of these laws already providing recourse, verification, and accountability.
The draft enumerates what constitutes, at a minimum, effective enforcement of self-regulation, highlighting the importance of verification, recourse, and remedy or consequence. These are concepts that IIA has incorporated into its own Fair Information Practices Principles, encouraging companies to develop their own customized approach to enforcement derived from these tenets that adequately addresses the nature of their business, given the nature of the data the companies collect and use. As the Department has recognized in its earlier “Elements of Effective Self-Regulation” draft, the preservation of flexibility in this area is crucial. Enforcement mechanisms need to be carefully tailored to the nature of each particular business and the level of the sensitivity of the information collected. An effective enforcement scheme for a multinational credit agency would have very little resemblance to that of a tiny web-page operator who does not collect information other than who visits its site. While these general precepts are not troublesome, what is in need of further clarification is what is meant by an “independent” recourse mechanism. For example, if Company A employs specially trained Privacy Officers who review privacy complaints from within the organization and resolve disputes with customers, would that be deemed sufficiently independent? We would suggest striking the word “independent” so as not to exclude good actors who have selected to self-certify in light of the nature of their business rather than employing an outside auditor rendering an external review.
Lastly, we seek clarification with respect to the Note to the Enforcement Provision that “compliance with private sector developed privacy programs that include effective enforcement mechanisms” be applied as broadly as possible so as not to exclude internal self-certification program participants. Additionally, it is not clear what is meant by “compliance with legal or regulatory supervisory authorities.” If a company is in compliance with existing legal and regulatory requirements, does this fact automatically constitute an effective enforcement mechanism rendering eligibility for safe harbor status? We would suggest that the posting of a policy and the adherence to that policy constitutes the requisite self-regulatory program for safe harbor status. The fact that a company which flagrantly violates its stated policy can be pursued for deceptive trade practices under existing law should be enough to satisfy the Enforcement Principle.
Conclusion
The development of a safe harbor model is a positive step towards building consensus with the European Community and preserving an uninterrupted transborder dataflow that courses through the conduits of international commerce. IIA supports the ongoing negotiations between the United States and Europe, and is hopeful that a safe harbor model will ultimately be adopted. We understand that this document represents a work-in-progress, and look forward to further clarification as both the principles and the Q & A commentary develop. It is clear that the Department understands the importance of preserving flexibility and First Amendment values within the context of a safe harbor approach. As content-producers, IIA members are especially sensitive to these issues, and enthusiastically support a dialogue that ultimately will achieve privacy protection worldwide without sacrificing freedom of expression. We look forward to further contributing to this debate in an effort to reach a speedy and satisfactory solution for both industry and consumers worldwide.
Appendix A
INFORMATION INDUSTRY ASSOCIATION
MEMBER LIST
Abels, Dr. Eileen G. (University of Maryland)
Access Innovations, Inc.
Advanta Partners LP
AG Communications Systems
AGENCIA ESTADO LTDA
Allen & Company Incorporated
Allied Marketing Group, Inc.
Alpine Meridian, Inc.
AMA CPT Intellectual Property Services
America Online, Inc.
American Banker/Bond Buyer
American Health Consultants
American Stock Exchange
Amsterdam Exchanges N.V.
Andersen Consulting Media & Entertainment Group
Anthony Rudkin Associates
Arabian Advanced Systems
Architects First Source
Atlantic Accord
Autodesk Press
Australian Stock Exchange
Autex Systems Inc.
Aviation Week Group
Aviation/Aerospace Newsletter
Bancroft & Whitney
Bankers Trust Company
Bankstat
Barbados Investment & Development Corporation
Barclays Law Publishers
BC Telecom
Belden Associates
Berkery, Noyes & Co.
BETA SYSTEMS Inc.
BioInformatics Publishing
Bloomberg L.P.
Bloomberg Business News
Bloomberg Financial Markets
BNA Communications Inc.
BNA International, Inc.
Board of Trade of City of New York
BOVESPA
BPI Electronic Media
Breakwater Holdings, LLC
Brewer Consulting Group, Inc.
Bridge Information Systems
BRIDGE News
Bridge Telerate
Broadview Associates LLC
Brooks/Cole Publishing Company
Brussels Stock Exchange
Buckman Communications
Budapest Stock Exchange
The Bureau of National Affairs
Burlington Consultants
Burrelle's/VMS NewsAlert
Business Week Group
Butterworth-Heinemann
Butterworth Asia
Byggfakta Scandinavia AB
BYTE
Cable One
Cahners Business Information
Cahners Electronic Media - Industrial Group
Cahners Travel Group
Cambridge Information Group
Cambridge Scientific Abstracts
Cape Cod Times
Carbo, Toni (University of Pittsburgh)
CARCO GROUP INC.
CareerBuilder Inc.
Carfax, Inc.
Cargill, Inc. Trading Technology
The Carswell Company Limited
CBOE Trading Operations
CCH Incorporated
CCH Legal Information Services
CCH Trademark Research Corp.
CCH Washington Service Bureau
CDA Investment Technologies
CDB Infotek
CD-ROM Information
CED BORSA S.C.p.A.
Chapman and Hall
Charles E. Simon & Company
Charles Schwab Electronic Services
Chescot Publishing, Inc.
Chester Chronicle & Associated
Chicago Board of Trade Market Data Services
Chicago Mercantile Exchange/Market Data Services
Chin Shan
CIDEX International, Inc.
Claritas, Inc.
CLARITECH Corporation
Clark Boardman Callaghan
Clearnet/The Morris Group
CMD Group
Commercial Information Systems
Communication Products Ltd.
Communications Development Inc.
Compania Anonima Nacional Telefonos de Venezuela
Compania Dominicana de Telefonos
Compania de Telefonos del Interior
COMPASS Media, Inc.
Competitive Media Reporting
Compu-Mark (UK) Ltd.
Compu-Mark NV
COMTEX
Congressional Information Service
Continental Cablevision
Copyright Research Group
Corporate Technology Information Services
Course Technologies
Creative Communications
Crossaig Limited
CS First Boston Corporation
CSK Software Trading Systems
CT Corporation
The Cyber Solutions Group
Daily Star
Data Communications
Data Control Corporation
Data Conversion Specialists
Data Downlink Corporation
Database Technologies, Inc.
DATAFUSION
Datasource Reports
Delmar Publishers
Derwent Information LTD
Derwent North America
Deutsche Boerse AG
The Dialog Corporation
Direct Marketing Technology
Disclosure Incorporated
DonTech
Dow Jones & Company, Inc.
Dow Jones Financial News Services
Dow Jones Interactive Publishing
Dow Jones Newswires
DTN Financial Services
Dun & Bradstreet
DW Thorpe
EarthWeb
EASDAQ Limited
Editora McGraw-Hill do Brasil
Edutech Middle East
Edward Kaminski Associates
Electronic Information Group
Electronic Settlements Group
Elsevier Science
Engineering Information Inc.
ESI International, Publishing Division
Eugene Simonoff & Associates
Excalibur Technologies Corp.
Excerpta Medica, Inc.
Experian
Explore Information Service
Extel Financial Limited
F.W. Dodge
The Farragut Group
Faulkner & Gray
Faulkner Information Services
Faxon Informatics
Federal Document Clearing House
Federal Filings Inc.
Federal Information & News Dispatch (FIND)
Federal Publications, Inc.
Fidelity Investments
FIDES Information Services
Financial Information, Inc.
Financial InterGroup Holdings
FININFO SA
First Call Corporation
Fitzsimmons, Beth
Focus Enterprises
Folio Corporation
Frames Data, Inc.
FTSE International
The Gale Group
Gardner, Carton & Douglas
GARI Software Associates
Garvey, Schubert & Barer
Garvin Information Systems
Genesys Partners, Inc.
Ginn & Company
Glass's Dealer's Guide
Global Finance Information
GlobalSource
Globe Information Services
Goldberg, Morton David (Cowen, Liebowitz & Latman, PC)
Government Counseling Ltd.
GrayFire Information Services
Greenhouse Associates
Greenwood Publishing Group
GTE Airfone
GTE Business Development and Integration
GTE Card Services
GTE Communications Corporation
GTE Corporation
GTE Customer Networks
GTE Data Services, Inc.
GTE Directories Corporation
GTE Government Systems
GTE Information Services
GTE International Operations
GTE International Telecom Services
GTE Internetworking Services
GTE Laboratories, Inc.
GTE Long Distance
GTE Network Services
GTE New Media Services
GTE Paging
GTE Supply
GTE Technology and Systems
GTE Telecommunication Services
GTE Video Services
GTE Wireless
H. Donald Wilson LLC
The H.W. Wilson Company
Hallmark Capital Corporation
Hambrecht & Quist LLC
Heinemann Publishers (pty)
Heinemann Reference
Heinle & Heinle
Hinkley Enterprises
Horizon Media
Horton, Forest W.
HuebCore Communications Inc.
I.R.S.C., Inc.
IDD Information Services, Inc.
IFR Publishing
IHS Engineering Products Division
IHS Environmental Information
IHS Group, Inc.
ILX Systems Inc.
Industry Information Group
Infonautics, Inc.
Information Access Company
Information America
Information Access & Distribution Pte Ltd.
Information Connectivity Group
Information Handling Services
Information Please, LLC
Information Resources Group
Information Today, Inc.
Infosis Corporation
InfoTech, Inc.
ING Barings Furman Selz LLC
INSTINET CORPORATION
Institute for Scientific Information
Intelpro
Interactive Connection
Interactive Data
Interactive Market Systems
Interactive Video Enterprises
Intermedia Advertising Solutions
International Database Group
International Information Services
International Thomson Business Press
International Thomson Distribution
International Thomson Organisation Ltd
International Thomson Publishing Japan
International Thomson Publishing Services, Ltd.
International Thomson Transportation
Internet Financial Network
Internet Industry Relations
The Investext Group
IPC Magazines Ltd.
ITP Education Group
ITP School Publishing
J.J. Kenny Company Inc.
J.P. Morgan Investment Management Inc.
Jane's Information Group
The Jordan, Edmiston Group
Journal of Commerce Limited
K G Saur Verlag
Kaplan Educational Center Ltd.
Keystone Venture Capital Management
Kinokunia Company Ltd.
KnowledgeLink infoMarket
KnowledgeLink Interactive, Inc.
KnowledgeLink NewsStand
KnowledgeMax, Inc.
KRT Business News
LAN Times
LBC Information Services
Law Offices of J.L. Ebersole
LEGI-SLATE, Inc.
Lehman Brothers Inc.
LEXIS Document Services
LEXIS Law Publishing
Lexis-Nexis
Liberty Brokerage, Inc.
LIFFE
Loan Pricing Corporation
Logos Corporation
Lokalbogsforlaget A/S
London Stock Exchange
LSW, Inc.
Luntz, Suleiman & Associates
Luxembourg Stock Exchange
MacRae's
The Mail Tribune
Management Decisions
Mandarin Offset
Manning & Napier Information Services
Markborough Development
Market Data Corporation
Market Data Retrieval
Market News Service, Inc.
Marketing Resources Plus
Martell, Terrence F. (Baruch College)
Maruzen Co. Ltd.
The Marx Group
Matthew Bender
McClure, Charles R. (Syracuse University)
MCG Credit Corporation
The McGraw Hill Companies, Inc.
McGraw-Hill Asia/Pacific Group
The McGraw-Hill Bookstore
McGraw-Hill Broadcasting
McGraw-Hill Construction Information Group
McGraw-Hill Continuing Education
McGraw-Hill Financial
McGraw-Hill Health Care Publications
McGraw-Hill Higher Education Group
McGraw-Hill Ibero-American
McGraw-Hill Information Services
McGraw-Hill Information System
McGraw-Hill Libri Italia, Srl
McGraw-Hill Lifetime Learning
McGraw-Hill Medical Publishing
McGraw-Hill Professional Publishing Group
McGraw-Hill Publication Services
McGraw-Hill Ryerson
McKnight Medical Communication
MDL Information Systems
MEDEC Dental Communications
Medical Economics
Medscape, Inc.
The MEDSTAT Group
Meridian Venture Partners
Merrill Lynch Asset Management
Merrill Lynch Capital Markets
Merrill Lynch Pierce Fenner & Smith, Inc.
Merrill Lynch Securities Pricing Service
Micromedex, Inc.
Micronesian Telephone Company
Mitchell International
Money Market Directories, Inc.
Morgan Grenfell Asset Management
Morgan Stanley & Co. Incorporated
The Moschovitis Group, Inc.
Mostrups Forlag A/S
Muller Data Corporation
Municipal Market Data, Inc.
N2K, Inc.
N2K Encoded Music
The Nasdaq Stock Market Trade Dissemination Services
National Auto Glass Specifications Inc.
National Quotation Bureau, Inc.
National Software Testing Laboratories, Inc.
NCCI Information Services
Nelson Canada
Nelson English Language Teaching
Nelson Price Milburn Limited
NERAC, Inc.
NET3 Technologies, Inc.
New Media Associates
New York InfoTech Capital Forum
New York Mercantile Exchange
New York Stock Exchange, Market Data Division
Newcastle Chronicle & Journal
NewsBank, inc.
NewsEdge Corporation
Newsweek, Inc.
NFER-Nelson
NIKKEI AMERICA/Electronic Media Dept.
Noble, J. Kendrick (NOBLE Consultants)
North American Marketing Intelligence Systems, Inc. (NAMIS)
North Eastern Evening Gazette
Northern Light Technology LLC
Oakley, Robert L. (Georgetown University Law Center)
Official Airline Guides, Inc.
OKI Business Digital
OPEN - Online Professional Electronic Network
Osborne/McGraw-Hill
Ottaway Newspapers, Inc.
Outsell, Inc.
Oy Rakennusalan Projektitiedos
PaineWebber Inc.
Parnassus Associates International
Parrys
The Parthenon Group
PC QUOTE, INC.
PennWell Information Technology
Perot Systems Corporation
PERQ Research Corporation
Peterson's
Physicians' Online, Inc.
Pike & Fischer, Inc.
Pinkerton Services Group
PLATT's/The Commodities Division
Pocono Record
The Police Review Publishing
The Polk Company
Post-Newsweek Business Information, Inc.
Practitioners Publishing Co.
Prentice, Anne E. (University of Maryland)
Price Waterhouse LLP - PW - Assist Group
PricewaterhouseCoopers LLP
Primark-Datastream/ICV
Primary Source Media
Primis Custom Publishing
PRN Associates
Prospex, Inc.
PsycINFO
Public Record Research Library
The Publishers' Consortium
Pubnet, LLC
PWS Publishing Company
QUAESTUS Management Corp.
Quebec Telephone Company
Qpass Inc.
Quotron Systems, Inc.
R. Shriver Associates
R.R. Bowker
R.S. Means Company, Inc.
Rapid Communications of Oxford
Rapid Patent Service
RCT Systems, Inc.
Reality Online, Inc.
Reed Academic Publishing Asia
Reed Business Information
Reed Elsevier
Reed Elsevier New Providence
Reed Elsevier Technology Group
Reed Telepublishing
Reed Travel Group
Regulatory Resource Center LLC
Research Information Systems
Research Institute of America
Retrieval Technologies, Inc.
Reuben H. Donnelley
Reuters America, Inc.
REUTERS Canada Ltd.
Reuters Limited
Reuters New Media Inc.
Reuters Singapore Ptd. Ltd.
Reuters:file Ltd.
Robbin, Alice (Florida State University)
Rockingham County Newspapers
Rotunda, Inc.
Routledge, Inc.
Russell Distributing Company
S&P’s CUSIP Service Bureau
S&P MarketScope
S&P Ratings Group
Salomon Smith Barney
Santa Cruz Sentinel
SaveSmart, Inc.
Sawabih Information Services
SBF - French Stock Exchange
Scarborough Research Corp.
Schaum
The Scotsman Publications Ltd.
Securities Data Company
Securities Data Publishing
Securities Industry News
Securities Information Corp.
Securities Valuation Company
Shepard's
Sheshunoff Information Service
Shinwon Datanet Inc.
SilverPlatter Information, Inc
Simba Information
SkyTeller L.L.C.
Sociedad de Bolsa, S.A.
Solbright, LLC
Soliton Associates
The Source Maythenyi, Inc.
Spectra-Market Metrics
Springhouse Corporation
SRA International, Inc.
Standard & Poor's Compustat
Standard & Poor's ComStock
Standard & Poor's Corporation
Standard & Poor’s/DRI
Standard & Poor's Information
Star Data Systems Inc.
Stockalert, Inc.
The Stockholm Stock Exchange
StockObjects
Strategic Advantage, LLC
Strategic Weather Services
TheStreet.com
Sun City, News-Sun
Sweet & Maxwell Ltd.
Sweets Group
Swiss Exchange
Sydney Futures Exchange Ltd.
Taiwan Stock Exchange Corp.
Tax Management Inc.
TBG Information Investors, LLC
TCI Software Research
Technical Data
Technimetrics, Inc.
tele.com
Telecommunications Reports
Telekurs Finance Information Ltd.
Telekurs USA Inc.
TFS Ventures
Thomas Nelson & Sons Ltd.
Thomas Register Online
Thomson & Thomson
Thomson BankWatch
Thomson Business Information Group
Thomson Business Publishing
Thomson Canada Limited
Thomson Consulting
Thomson Corporate Publishing International
The Thomson Corporation
Thomson Directories, Ltd.
Thomson ESG
Thomson Financial & Professional Publishing Group
Thomson Financial Database Group
Thomson Financial Information
Thomson Financial Services
Thomson Free Newspapers
Thomson Healthcare Communications
Thomson Information Resources
Thomson Information/Publishing Group
Thomson Institutional Services
Thomson Investment Software
Thomson Legal & Professional Publishing
Thomson Municipal Services
Thomson Newspapers Corporation
Thomson Newspapers Inc.
Thomson Publications Australia
Thomson Research Corporation
Thomson Science and Technology
Thomson Securities Information
Thomson Trading Services
Times Herald-Record
Toronto Stock Exchange
Tower Group International
Trade Data Reports, Inc.
Trade Dimensions
Transactions Marketing Inc.
Transmision Boos & Microforms
Transport Technology Publishing
The Trepp Group
Trident Capital, Inc.
U S WEST Advanced Technologies
U S WEST Communications, Inc.
U S WEST Dex
U S WEST Enterprises
U S WEST InterAct!
U S WEST International
U S WEST, Inc.
UMI
UMI/Data Courier
UMI/DataTimes Company
University Publications of America
Utility Data Institute
Valorinform
Ventresca, Marc J. (Northwestern University)
Veronis, Suhler & Associates, Inc.
VerticalNet, Inc.
Veterinary Medicine Publishing
VISTA Information Solutions
VNU Marketing Information Services
Volt Directory Marketing
VS&A Communication Partners
vwd Vereinigte Wirschaftsdiens
Wadsworth Publishing Company
Wadsworth, Inc.
Wall Street Computer Review
The Wall Street Journal
Warren, Gorham & Lamont, Inc.
Warsaw Stock Exchange
The Washington Post Company
Washington Post Newsweek Interactive
Waters Information Services
Wave Systems Corp.
WavePhore, Inc., Newscast Division
Wellington Management Co., LLP
West Group
Western Mail & Echo Ltd.
Wigand, Rolf T. (Syracuse University)
Winstar Telebase Inc.
World Aviation Directory
Xcitek, Inc.
From: Tess Koleczek
Website Data Protection Manager
Netscape Communications Corporation
Re: safe harbor comments
Attached are comments from Netscape. Hard copy to follow via Fedex, copy faxed this morning.
November 17, 1998
Mr. Eric Fredell
Task Force on Electronic Commerce
14th and Constitution Avenue, N.W.
Washington, D.C. 20230
Dear Mr. Fredell:
On behalf of Netscape Communications Corporation, I would like to submit the following comments on the November 03 draft International Safe Harbor Privacy Principles.
Netscape takes a special interest in the draft principles because of our commitment to the privacy and security of personally identifiable information submitted by users to our site. Aside from our browser and server components, we have developed a rapidly growing portal site, Netcenter, which provides users a gateway to the world wide web. A feature of this site is the opportunity to become a member of Netcenter, which provides valuable services such as free email accounts and page personalization. Netcenter has always taken the issue of privacy seriously. We have had a privacy policy for users to review since the inception of Netcenter in August of 1997, and we update it as needed to conform to our practices as the content and services offered on Netcenter evolve. We are members of TRUSTe, carrying their seal on both our main site and our KidZone pages, and are active members of the Online Privacy Alliance and the board of directors for BBB Online.
Our greatest concern is with the safe harbor principle of Onward Transfer. We provide members of Netcenter with the choice of sharing their personal information with third parties. If the member makes this selection, the principle as written would require us to police the privacy practices of any third party with whom we share that data at the customer’s request. This would burden Netscape with an unreasonable level of liability, and lead to the question of who is responsible for any misuse of that user’s data by a third party.
A broad interpretation of what constitutes a “third party” could have a crippling effect on the business models of innumerable online companies. Any partnerships or affiliations would automatically be questioned when data transfer is involved and possibly subject to additional and cumbersome layers of consumer notification and acceptance.
The principle of access also needs a clearer definition. Much of the information collected online can be maintained for accuracy by allowing the customer access to correct and update certain personally identifiable data. This maintenance is clearly in the best interests of both the customer and the organization collecting the data. But the definition as stated in the principle would cover any information that an organization holds about that individual, including IP logs and transactional data which is held in separate databases and may not be considered “sensitive” information. Some data is not relevant to the sensitive or personal identity concerns inherent in the principle, and provision of such upon request would be not only burdensome to the organization, but unnecessary for the purpose of correction and accuracy of data stored.
We suggest that the definition of access be limited to relevant, individually identifiable information which should be maintained for quality and accuracy. And as suggested by many of our colleagues, “sensitive” data should be clearly defined as medical information, financial information, and the personally identifiable information of children.
We thank you for your efforts, as well as your inclusion of the business sector in drafting these safe harbor principles. We hope that our comments are of assistance to you in developing an effective and acceptable safe harbor approach to the EU Directive.
Sincerely,
Tess Koleczek
Website Data Protection Manager
Netscape Communications Corporation
FROM: National Fraud Center
November
From: Norman Willox
President and CEO
National Fraud Center
Re: International Safe Harbor Principles
Eric,
Attached please find the comments of The National Fraud Center, in two different formats. Please use whichever format works best for you.
I have also sent you an original copy in the mail with Norman Willox's signature.
Best regards,
Patt Cumberbatch
Assistant to N. Willox
(See attached file: Safe Harbor Provisions II.doc)
(See attached file: Safe Harbor Provisions III.wpd)
Before the
United States Department of Commerce
Washington, D.C.
COMMENTS
OF
THE NATIONAL FRAUD CENTER
ON DRAFT
INTERNATIONAL
SAFE HARBOR PRINCIPLES
Norman Willox
President and CEO
National Fraud Center
300 Welsh Road
Suite 200
Horsham, PA 19044
Phone: (215) 657-0800
Fax: (215) 657-7991
Date: November 19, 1998
The Honorable David L. Aaron
Undersecretary of Commerce
U.S. Department of Commerce
Washington, DC
Dear Secretary Aaron:
The National Fraud Center (“NFC”) is the internationally recognized private sector leader in risk management and fraud prevention solutions. NFC’s experienced personnel cumulatively have over two hundred years of experience in law enforcement and fighting fraud. This vast experience gives NFC an in-depth understanding of economic crime and how businesses, consumers and governmental agencies can minimize their exposure to fraud and risks. In short, NFC helps catch the bad guys that prey on innocent people. As economic crime continues to grow both nationally and internationally, NFC will continue to develop and market products and services that will help businesses save hundreds of millions of dollars per year which would be otherwise lost to fraud. This in turn saves American consumers from having to pay what is in essence a hidden “fraud tax” as businesses and governmental agencies pass along losses caused by economic criminals.
Efforts to fight economic crimes depend in large part upon the ability to access, accumulate and process data from a variety of sources. Personal information is required in order to identify individuals and validate data they provide in both electronic and non-electronic transactions. Without access to a wide variety of accurate data and the ability to use those data to fight fraud and other economic crimes, business and consumer losses will continue to increase. In recent years, the increase in fraud has been astronomical. Analysts and law enforcement agencies estimate yearly losses due to such fraud to be over $800 billion. American consumers, taxpayers and businesses will pay for these huge losses.
National Fraud Center is a founding member of the Individual Reference Services Group (“IRSG”) which has adopted a set of self-regulation guidelines in cooperation with the Federal Trade Commission. NFC is strongly committed to the principles of industry self-regulation that the Administration wisely continues to pursue. Self-regulation is the most practicable way to protect legitimate privacy concerns because it recognizes that in the real world, there can be no one single solution to govern every situation in which personal data are collected and analyzed. This is particularly true as new technology develops new products and new services rapidly enter the marketplace. The rapidly developing technology of the information age requires flexible and easy to administer procedures with minimal delays imposed by unnecessary government intervention.
The IRSG Principles recognize that the use of personally identifiable information to detect and prevent fraud is an appropriate use for that information. Use of such data for fraud prevention has also been recognized in state and federal legislation which often exempt fraud prevention from limitations that would otherwise be imposed upon the use of personal data. Neither the Safe Harbor Principles nor the European Union Data Protection Directive makes any specific mention of the provisions for using data for fighting fraud and economic crimes. The DOC should, after consulting with the Department of Justice and private industry, ensure that the Safe Harbor Principles specifically exempt use of data for fraud prevention and interdiction. Without such exemptions, literal application of the Safe Harbor Principles or the European Directive would render ineffective industry efforts to fight fraud.
Article 26(1)(d) of the European Union Data Directive allows the transfer of personal data to a third country which does not ensure a level of protection deemed “adequate” by the European Union if the “transfer is necessary or legally required on important public interest grounds or for the establishment, exercise or defense of legal claims.” We understand that the EU tradition would apply this exemption only to public bodies. In the United States, however, activities to defend the public interest are the province of both private and public agencies. The DOC should ensure that the Safe Harbor Principles and the European Union specifically recognize that the transfer of data to the United States for purposes of fighting fraud and economic crimes, and for enforcing legal claims, is permitted by both public and private organizations under Article 26 or pursuant to agreement. Without such access to European data, American corporations and financial institutions will become the targets of increased efforts to commit fraud or other crimes.
A simple example makes this clear. Consider pre-employment background checks for individuals who work with children’s organizations such as day care centers. In the United States, the Fair Credit Reporting Act was recently amended to allow the use of information relating to civil suits, civil judgments and records of arrest for seven years from the date of entry or until the governing statute of limitations expires, whichever is longer. The FCRA was also amended to permit convictions of crimes to be used and reported no matter how old the conviction. The reason for this amendment was to ensure that such information could be used when deciding whether to offer employment since such information is clearly relevant and important to know.
The European Union Data Directive, however, does not permit the use and reporting of such information. The Data Directive mandates that an organization must give an individual notice of the types of information it has on an individual, how it collects the information, the purposes for which it collects the information and the types of organizations to which it discloses the information. If the organization does not provide this information, then its procedures are not “adequate” under the European Union approach. The EU Directive also provides that governmental authorities subject to “specific safeguards” may only process criminal conviction information, which must be notified to the European Commission. In the example of the pre-employment verification for the day care position, the European Union’s Directive would not permit the use of information relating to sexual abuse of a child.
In the world of economic crime or due diligence relating to financial and banking regulations, the European Union’s Directive again makes no specific exception for use of data for fraud prevention. Given the requirement to provide notice of the information gathered on an individual, it is not difficult to understand that criminals will be forewarned about the information a financial institution has and, therefore, better equipped to circumvent fraud prevention efforts. Similarly, since the European Union’s Directive would not allow the use of historical data, it will not be possible to gather and use information over a period of time in order to help consumers and corporations fight fraud.
The implications for increased fraud, however, are not limited to American corporations. In the United States, both state and federal agencies often partner with private entities and investigative organizations in order to share information necessary to fight economic crimes. Limitations on the availability of data from the European Union have significant implications for the United States and our ability to enforce laws and regulations such as the “Know Your Customer” rules which require businesses to gather information relating to financial transactions. Neither the Safe Harbor Principles nor the European Union Directive makes any exceptions to ensure the uninterrupted flow of information to the United States although gathering such information may well be “legally required on important public interest grounds” in the U.S. Interestingly, pursuant to Article 7 of the Directive, such information can be processed in Europe if the information is “necessary for the performance of a task carried out in the public interest or in the exercise of official authority.” Processing of such information in the United States or other third countries, however, is permitted only by the incompletely-defined “important public interest grounds.”
Financial and investment statutes that require strong auditing and compliance procedures provide additional examples of important public policy grounds for permitting access to personally identifiable data for fraud detection and prevention. The European Union Directive does not specifically permit transfers of financial information that may contain personal information. The vague terms of Article 26(1)(d), without negotiated understandings that clarify the public and private pursuit of the public interest, may not help. The DOC must ensure that the European Union recognizes the importance and need for free flow of information necessary to allow auditing procedures. A ban on transfers of information obtained from internal or external auditors could undermine the ability of U.S. management to oversee European operations. This would not only tend to deter American investment in Europe by making it potentially riskier, it would also tend to increase the opportunities for fraud against such companies. This could also increase the risk of hiding losses overseas, much like the example of the Bank of Credit and Commerce International where billions of dollars in losses were hidden when auditing operations were confined to specific countries.
National Fraud Center believes that the Safe Harbor Principles must recognize the importance of data availability for fraud prevention by emphasizing that “opt out” provisions must still allow legitimate and properly regulated companies and industries – including self-regulated industries as the founding members of the IRSG – to use personal data to detect and prevent illegal activities. The IRSG principles emphasize that the information member companies such as NFC make available will be protected by ensuring that the recipients of that information have legitimate and verifiable uses for such information. The IRSG also ensures compliance with the integrity of personal data and adherence to privacy interests of the individuals whose data is involved.
NFC believes that it is important to focus privacy protection on how information is used rather than simply on how it is collected. Such an approach allows legitimate security interests to be adequately balanced with the desire of individuals that personal information not be used inappropriately. We believe that this can be accomplished by negotiating specific understandings of the meaning of “public interest” in Article 26, and by adding fraud detection, interdiction and prevention to the list of obligations, authorizations and exceptions in the preamble to the Safe Harbor Principles.
The DOC must also recognize the importance of publicly reported information in the fight against crime. Newspaper stories, magazine articles, wire reports and other media reports provide vital sources of information in the fight against crime. By piecing together information from stories around the world, skilled investigators and law enforcement personnel can put together pieces of a puzzle on criminal organizations and their operations. The DOC must ensure that the Safe Harbor Principles protect American news organizations and their ability to gather personal information on residents of the European Union for their publications. Currently, Article 9 of the Directive provides only that “Member States shall provide for the exemptions . . . for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression.” This is scant protection when compared with the prohibitions enshrined in the First Amendment of the U.S. Constitution. The DOC must ensure that the Safe Harbor Principles and the European Union spell out specific rights of American news organizations to process personal data without the unworkable constraints the Directive would impose.
National Fraud Center intends to lead the information industry by protecting individual privacy while enabling responsible and appropriate use of that information. We recognize that the threat of fraud and loss of personal assets is as real as the threats of the inappropriate disclosure of private information. We encourage the Department of Commerce to work not only with the Department of Justice, but others in the law enforcement and investigative communities to ensure that the Safe Harbor Principles adequately recognize and balance these threats. Failure to do so will most certainly increase the risks and losses of American consumers and businesses. We also encourage the DOC to continue to recognize the importance of self-regulation in this complex area and commend it and the Administration for their efforts to allow industry the opportunity to develop and implement such self-regulatory programs.
Thank you for the opportunity to comment.
Sincerely,
Norman A. Willox
President and CEO
FROM: Better Business Bureaus
November 19
From: Steven J. Cole, Council of Better Business Bureaus and BBBOnLine
Re: Safe Harbor Comments
Attached are the comments from the Council of Better Business Bureaus and BBBOnLine on the November 3, 1998 safe harbor draft.
COUNCIL OF BETTER BUSINESS BUREAUS, INC. 4200 Wilson Blvd.
Arlington, VA. 22203 703.247.9346
November 19, 1998
Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th and Constitution Avenue, NW
Washington, D.C. 20230
email to ecommerce@ita.doc.gov and
fax to 202.501.2548
Dear Mr. Fredell:
Thank you for the opportunity to comment on the November 3, 1998 “Draft International Safe Harbor Privacy Principles” circulated by Assistant Secretary David Aaron on November 4th. BBBOnLine, the online activity of the Council of Better Business Bureaus and the 135 Better Business Bureaus throughout the nation, is now in the process of establishing a self-regulatory mechanism for assuring compliance with required privacy principles, providing recourse to individuals and significant consequences for non-compliance or non-cooperation with the self-regulation program.
We applaud Secretary Daley’s and Under Secretary Aaron’s dialogue with the European Commission, and their efforts to negotiate an acceptable online privacy protection approach that rewards business participation in meaningful self-regulation mechanisms. We believe that the framework for a “safe harbor” included in the November 3d draft is a good start, but that additional provisions are needed to assure that self-regulation is not an empty promise.
We do not feel it necessary for BBBOnLine to comment extensively on the aspects of the draft pertaining to the contents of acceptable privacy notices, choice, transfer, security and data integrity, and access insofar as they affect information collected from individuals online. BBBOnLine is prepared to administer an enforcement program that will be flexible enough to incorporate whatever reasonable standards are required by appropriate governmental organizations, the business community, and the needs of the public for online privacy protection. We expect that our program standards, when finalized in the coming weeks, will be fully consistent with the minimum protections set forth in the November 3d draft, earlier Department of Commerce “elements” papers, and the principles enunciated by the Online Privacy Alliance. Indeed, our program standards are expected to clarify areas in these standards needing more specificity, and may, in certain cases, go beyond these general guidelines to provide additional protection to the public.
However, we note that the November 3d draft does not explicitly confine its reach to online information practices, but appears to extend its scope to the full reach of the European Union’s Directive on Data Protection. To the extent that the premise of the safe harbor negotiations is reliance, in part, on private sector self-regulation activities, it is crucial to recognize that the U.S. business community has not chosen to request that BBBOnLine (or any other third party mechanism for that matter) administer a program reaching information collected in channels other than online, and that it should not be expected by the Administration that such programs will develop in the near term on a voluntary basis.
EU representatives appear to recognize that in the short term it is desirable to put important and reliable online privacy protections in place, and the U.S. business community similarly appears to recognize that in the longer term it is possible that some or all of the online protections might extend as a practical matter and natural progression to information collected in other ways. In short, we recommend that a safe harbor be available to companies that participate in third party programs offering adequate protection of online privacy, and also available on a voluntary basis to companies that offer broader protections through whatever enforcement techniques are available to them.
BBBOnLine does believe, however, that additional and more specific measures are required to assure the adequacy of enforcement mechanisms, and that a procedure is needed to certify mechanisms that purport to meet the requirements. Initially, while Ambassador Aaron’s November 4th letter indicates that the safe harbor proposals are not intended to “govern or affect U.S. privacy regimes,” our view is that it is realistic to expect that protocols endorsed by the Department of Commerce and the EU will enjoy wide currency and acceptance in the business community, Congress and the Federal Trade Commission, each of which will have an opportunity to measure the acceptability of self-regulation mechanisms over the coming months. It is important, therefore, that the safe harbor requirements for enforcement be of the highest quality.
Our experience in operating a “seal” program online in connection with helping consumers find reliable companies (http://www.bbbonline.org) is that many new companies, inexperienced in the consumer protection field, have seen the Internet as an attractive entrepreneurial opportunity, but too many do not deliver or even attempt to deliver a high integrity service. There have even been occasional “seal givers” that appear to be “shills” for their participating companies. The result in these situations, of course, is improper and dangerous reliance on these “seals” by unwary consumers, and a risk of lessening respect for online consumer protection efforts in general. It can be expected that online privacy seal and other private sector enforcement efforts will encounter similar problems, and these may even be greater because of the likely widespread public education efforts underway or planned by the private sector and government aimed at recommending to consumers that they look for a “seal” or other indicator of an online privacy enforcement mechanism. Moreover, without rigorous and somewhat more detailed standards defining acceptable enforcement programs, a principle of “adverse selection” may drive businesses to the weakest or less demanding of the programs, thereby depriving the public of needed minimum protections and risking the eventual collapse of the safe harbor concept.
It is our opinion that the following minimum standards in addition to those outlined in the November 3d draft ought to be required for a private mechanism to qualify as a safe harbor:
Moreover, unless there is reasonable prior review and approval of the mechanism itself by some entity, the business community will be at great risk if businesses join programs only later to discover that the enforcement standards were determined not to be sufficient. At the same time, less-than-responsible programs will unfairly compete for business, and while the long term effect of the marketplace should help weed out these inadequate programs, the short term impact of low integrity programs could be disastrous for the public and the responsible business community, and could well eliminate respect for, and support of, self-regulation as a concept. A “certification” procedure, perhaps administered by the FTC or other agency, would go a long way to assure integrity and fair competition in the online privacy protection business.
Again, thank you for the chance to comment, and please be assured of the BBB’s cooperation in future activities to protect the public’s online privacy.
Sincerely,
Steven J. Cole
Senior Vice President and General Counsel
Attach ATTACHMENT A
(The comments in this letter are those of the Council of Better Business Bureaus and its BBBOnLine subsidiary, and are not intended to represent the views of BBBOnLine sponsors.)
BBBOnLine Founding and Corporate Sponsors and Board Companies:
Ameritech Corporation
AT&T Corp.
Dun & Bradstreet, Inc.
Eastman Kodak Company
GTE Internetworking
Hewlett-Packard Company
IBM Corporation
Microsoft Corporation
NationsBank Corporation
Netscape Communications Corporation
The Procter & Gamble Company
Reed Elsevier Inc.
Road Runner Group
Sony Electronics, Inc.
US West
Visa, U.S.A.
Xerox Corporation
BBBOnLine Privacy Program Sponsors and Steering Committee Companies:
America Online, Inc.
American Express Company
AMR Corporation
AT&T Corp.
Dell Computer Corporation
Dun & Bradstreet
Eastman Kodak Company
Equifax Inc.
Experian Information Solutions
Ford Motor Co.
Hewlett-Packard Company
IBM Corporation
Intel Corporation
J.C. Penney Company, Inc.
MCI WorldCom, Inc.
Microsoft Corporation
NationsBank Corporation
New York Times Electronic Media
The Procter & Gamble Company
Reed Elsevier Inc.
Sony Electronics, Inc.
U S WEST
Viacom Inc.
Visa U.S.A.
Wells Fargo & Co.
Xerox Corporation
FROM: Stone Investments
November 19
From: Stone Investments
Re: Comments on Safe Harbor Principles.
Mr. Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th and Constitution, N.W.
Washington, D.C. 20230
Attached is a copy of the comments by Stone Investments, Inc. to the Draft Safe Harbor Principles. I have attached a copy of the response in both Word97 and Word Perfect 8. An additional copy of the comments is being sent via fax and overnight delivery.
Please let me know if you have any questions or if you need any additional information.
Gary E. Clayton
Before the
United States Department of Commerce
Washington, D.C.
COMMENTS
OF
STONE INVESTMENTS, INC.
ON THE DRAFT
INTERNATIONAL
SAFE HARBOR PRINCIPLES
Gary E. Clayton
Vice President, General Counsel and Senior Privacy Analyst
Stone Investments, Inc.
8150 N. Central Expressway
Suite 1901
Dallas, Texas 75206
Phone: (214) 365-1977
Fax: (214) 365-6977
November 19, 1998
The Honorable David L. Aaron
Undersecretary of Commerce
U.S. Department of Commerce
Washington, D.C.
Dear Secretary Aaron:
Stone Investments, Inc. ("Stone") is a private investment firm located
in Dallas, Texas. Stone advises and invests in a wide variety of
technology companies including some that responsibly use personal data
for fraud and risk detection, interdiction and prevention. Stone
also advises and invests in companies that provide services over the Internet.
Stone welcomes this opportunity to respond to the request of the Department
of Commerce ("DOC") for public comment on the "Draft International Safe
Harbor Privacy Principles" (Draft Principles). Stone appreciates
the serious effort that DOC is making to address the concerns of American
business regarding the European Union Data Directive.
Introduction:
The European Data Directive seems poorly matched to the reality
of today's information flows. The Directive's approach is designed
for the regulation of mainframe computers. The world has changed dramatically
since the Directive was written. Today, the Internet and the client/server
distributed networks present a world that the Directive did not contemplate.
New technologies have made the definitions of processing, data system,
controller, processor, recipient and even transfer too narrow and limiting.
Therein lies the problem for the European Union, the DOC and businesses
generally. How do you draft provisions to address concerns of the
moment yet provide enough flexibility to allow the inevitable changes
brought by technology? One step is to realize that there cannot be
one single approach to these complex data and privacy issues. Second,
there must be a recognition that industry and its consumers are best able
to address these concerns in the specific contexts in which they occur
as part of commercial and other transactions. And third, is to promote
and enforce self-regulatory programs by individual sectors of the economy.
Self-Regulation:
Article 27 of the European Union's Data Directive instructs the
European "Member States and the Commission" to encourage the development
of codes of conduct regarding privacy. Stone encourages the DOC to
promote such codes of conduct such as that adopted by the Individual Reference
Services Group ("IRSG"). The IRSG Principles were developed in coordination
with the Federal Trade Commission. The advantage of codes of conduct
such as the IRSG Principles is that they are specifically tailored to address
the needs and concerns of businesses, consumers and government in a single
industry sector rather than the one-size-fits-all or cross-sectoral approach
proposed in the Draft Principles. Stone believes that the cross-sectoral
approach is not the most effective way to protect privacy in the rapidly
changing technology age. The reality is that different sectors of
the economy use information differently. And, as the DOC is aware,
the issues involving the use of information are incredibly complex and
evolving. Stone believes that markets and self-regulatory regimes
will allow industries that have a firsthand understanding of the desires
of their customers and the operational requirements of their practices
to most effectively regulate their own particular industries. Such
an approach will avoid the temptation to freeze the information age and
the Internet into a fixed position based only upon today's limited understanding
of the future development of electronic commerce. And it will allow
different approaches depending upon the needs of each industry. Industries
that handle more sensitive information should have more stringent requirements
than industries that handle less sensitive information. And most
importantly, it recognizes that in the end, the market will reward industries
and companies that address the needs and desires of consumers to balance
their privacy concerns with the reduction of economic and other risks involved
in commercial transactions.
Any agreement ultimately reached with the European Community should allow for data flow to continue uninterrupted for companies that comply with the existing self-regulatory codes such as the IRSG's. The DOC should ensure that there is a pre-approval process to determine which self-regulatory programs comply with the safe harbor principles. The DOC should also ensure that the safe harbor principles' pre-approval process is easy to administer and eliminates unneeded governmental involvement.
The DOC must also recognize that there are legitimate uses of personal information in the process of fraud detection, interdiction and prevention. In the United States, state, local and federal governments as well as private industry use information in order to prevent fraud and to avoid risks. For example, personally-identifiable information is used to prevent credit card fraud and cellular phone fraud. It is also used to ensure that fraudsters are not abusing governmental programs. And in today's world, with increased travel and transnational flows of information and funds, it is a reality that data from nations around the world is needed to help prevent criminal fraud. Because of the unique operational requirements for fighting fraud and other economic crimes, the DOC should ensure that any safe harbor agreement with the European Union takes into account the unique situation of those entities using data to help fight fraud and to prevent risks.
The Draft Principles propose that organizations allow individuals an opportunity to "opt out" of data collection or use. Without an exception for legitimate public interest activities to prevent fraud, such a requirement poses significant problems for fraud prevention since presumably those most likely to commit fraud will also be those most likely to "opt out" of any databases which are intended to fight fraud and prevent risks. The current Draft Principles require an opt out whenever the uses of information are unrelated to the uses for which the individual originally disclosed the personal data. Again, this poses significant problems in the effort to fight fraud since those most likely to commit fraud are also most likely to be those who are unlikely to provide personal information that could be used for fraud prevention.
Stone recommends a change in the term "unrelated" as used in the current
Draft Principles. Currently, the Draft Principles provide an opt
out whenever information is used in a manner which is unrelated to the
uses for which the individual originally disclosed the personal data.
This is a difficult standard for any business to follow since it is tied
to the subjective intent of the individual. This creates an ambiguity
regarding when an opt out is required. The DOC should instead tie
the ability to opt out whenever the use was not revealed in the original
privacy notice. This will provide an objective standard for both
the individual and the business organization using the information.
An additional change is that the DOC use the term "purpose" rather than
"use." This would be more consistent with the Directive which uses
the term "purpose."
The scope of the access principles needs to be more restricted.
Generally, access should be provided to individuals when an organization
collects information from the individual directly rather than when it collects
information about the individual. Requiring that organizations provide
individuals with access to any information about them would not only be
unreasonably burdensome, but also could thwart the ability of organizations
that collect information (for example, from public records) intended to
fight fraud.
The DOC should more clearly define the term "current" when dealing with
data integrity. In the United States, data up to seven years old
may be considered "current" to be used to make substantial decisions about
individuals. The recent amendments to the Fair Credit Reporting Act
provide that certain information may be reported for seven years from date
of entry or until the governing statute of limitations expires, whichever
is longer. Convictions of crimes may be reported no matter how far
back they were entered. These amendments reflect a recognition that
in certain circumstances, there is value in retaining historical data in
addition to more recent information. This is particularly true in
the area of fighting fraud and preventing crimes. Consequently, the
DOC should recognize that complete data may include both historical and
current data.
Stone supports the concept of applying the safe harbor principles,
particularly the access principle, only to non-public records. In
order to avoid confusion, however, the DOC should consider defining what
constitutes a public record. Further, the DOC should ensure that
the safe harbor principles do not require businesses to delete or correct
information about an individual which was gathered from public records
or such publicly available sources such as telephone or professional directories,
newspapers and magazines, or other such similar sources.
Internet Issues:
Neither the Data Directive nor the Draft Principles address many of
the issues raised by the Internet, extranets, intranets, e-mail and the
Web. The DOC should work with the European Union to more adequately
address information sent via these media. The decentralized processing
of information on the Internet, for example, does not seem to fit within
the Data Directive's model nor does it appear to be adequately covered
by the Draft Principles. Stone would encourage the DOC to work closely
with major Internet companies, Internet service providers and suppliers
of technology and equipment for the Internet and networks. The DOC
should expand the coverage of the safe harbor provisions to ensure that
small and start-up companies using the Internet can be deemed compliant
if they operate within jointly-developed safe harbor principles.
The DOC should also ensure that the Draft Principles exempt individuals
who send or receive an e-mail outside of Europe and who fail to follow
the European data protection directive. The Directive was clearly
drafted before e-mail became such a common means of communication.
The DOC should work with the European Union to spell out which rules if
any apply to individuals who send and/or receive e-mails containing the
types of personal information governed by the Directive.
The DOC should include provisions in the Safe Harbor Principles to confirm that the European Union Directive does not apply to non-European Web sites. At least one senior official of the European Union has commented that the Europeans would attempt to shut down non-European Web sites that are viewed by Europeans if the sites do not comply with the requirements of the EU Directive. Setting aside the issue of whether or not the European Union or its Member States would have jurisdiction to enforce its Directive in such circumstances, the European official stated that the EU would attempt to block the Internet sites of those American companies and individuals failing to meet the requirements of the Directive.
The DOC should also include provisions in the Draft Principles to confirm
that Americans who travel to Europe with laptop or palm computers are not
subject to the European Directive. The typical American business
traveler going to Europe is almost certain to have information which would
be deemed personal data. This means that the business traveler who
carries that information from Europe to countries like the United States
that do not have "adequate" protection would presumably violate the terms
of the Directive. The derogations contained in Article 26 do not
seem to provide adequate protection to American business travelers.
Americans, therefore, will have to rely upon the discretion of enforcement
officials in each of the 15 Member States in Europe. Stone Investments
proposes that the Draft Principles expressly permit individual business
travelers and tourists to be exempt from the European Union Data Directive.
In response to any concerns raised by the Europeans, perhaps the Data Directive
could be held to apply if tourists and business travelers were attempting
to circumvent the EU Data Directive by transferring personal data to floppy
disks, personal organizers, laptops or similar devices. The issue
must be addressed since laptops and personal organizers will become more
prevalent and more powerful over time. It is important for the DOC
to work to guarantee that the rules relating to such devices are more transparent
in order to ensure that Americans visiting Europe are not subject to the
unilateral discretion of enforcement officials in each of the European
Member States.
Stone encourages the DOC to incorporate some threshold before the Safe
Harbor Principles apply. The European Union Directive currently applies
the same rules to large American multinational corporations as it
does to small companies of only a few employees. While data protection
officials can undoubtedly suggest concerns over such a threshold, the DOC
should be wary of promoting rules that would place expensive or undue burdens
on small American businesses from competing in Europe. Stone Investments
encourages the DOC to work with representatives of small enterprises to
develop a workable approach to this issue.
Conclusion:
Stone Investments applauds the progress that the Department of Commerce
has made in addressing these issues, and is encouraged that the DOC is
continuing to consult with industry as it proceeds to negotiate with the
European Union. The DOC should insist upon a solution that recognizes
a sectoral approach to privacy as well as recognizing the essential role
of self-regulation. The DOC should also insist that the European
Union recognize the special issues related to the use of personal information
for fraud and risk prevention. These issues are not addressed in
the current draft of the safe harbor principles nor in the European Directive.
On behalf of Stone Investments, Inc., the primary concern over the European
Directive and the Safe Harbor Principles is that they will fail to adequately
foster continued dynamic economic growth of the Internet and electronic
commerce. This is particularly of concern for American companies
which are leading the world in the deployment of these newly emerging technologies.
In the long run, this will hurt not only American businesses, but American
consumers.
Sincerely,
Gary E. Clayton
Vice President, General Counsel and
Senior Privacy Analyst
FROM: Information Technology Industry Council
November 19
From: Information Technology Industry Council
Re: Comments on Safe Harbor
ITI's comments in response to the 11/4/98 letter on International Safe Harbor Privacy Principles are attached in Word format and also pasted below.
Fiona Branton, ITI
<<Safe HarbComm.doc>>
November 19, 1998
Via email to: ecommerce@ita.doc.gov
Mr. Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th Street & Constitution Avenue
Washington, D.C. 20230
Re: ITI's Comments on November 4, 1998 Letter on International Safe
Harbor Principles
Dear Mr. Fredell:
The Information Technology Industry Council (ITI) is pleased to offer these comments on the Department of Commerce's draft proposal for international safe harbor privacy principles. ITI represents the leading U.S. providers of information technology products and services. Its members had worldwide revenue of $420 billion in 1997 and employ more than 15 million people throughout the world.
As global suppliers of information technology, and ultimately, as users of the information superhighway, ITI's member companies have a significant business interest in the international development and success of the Internet and electronic commerce. In particular, we have a direct interest in identifying and providing solutions, including a variety of technical solutions, to protect the privacy of all users and customers, both online and off. Accordingly, ITI is a strong advocate of private sector leadership in establishing a self-regulatory program for the protection of privacy, complemented by appropriate governmental enforcement of privacy-related laws. To that end, ITI is a founding member and active participant of the Online Privacy Alliance (OPA).
ITI applauds the Department of Commerce for its efforts to craft a means to ensure that data flows will continue unimpeded from the European Union (EU) to the United States under the EU's new privacy regime. ITI believes the "safe harbor" approach proposed in Under Secretary Aaron's November 4, 1998 letter is both a positive step and a generally sound concept. However, we reserve final judgment on the proposal's acceptability pending the availability of additional information, as well as based on the resolution of the comments provided herein. Further, we understand that a series of questions and answers addressing specific situations that could arise under the proposal will be negotiated with EU officials. We look forward to having an opportunity to review those questions and answers, as well as any other supplemental material that would be integral to the proposal.
Interpretational Concerns
The following are some general points about the safe harbor proposal that we understand to be true, and for which we would like confirmation and/or clarification.
* Participation in the safe harbor approach is strictly voluntary.
* There is no requirement of a finding that the U.S. lacks adequate data protection under Article 25 as a prerequisite of safe harbor negotiations or effectiveness. The safe harbor approach is an additional means to comply with Article 25, without prejudice to the compliance an organization may achieve within its EU operations, under other U.S. laws, voluntary actions, contract, or otherwise.
* There would be no adverse consequences or penalties in the U.S. or EU for companies that choose not to adopt the safe harbor approach.
* Vendors of information technology (IT) equipment that is used to collect, process or store personal data would not be liable for actions by users of that equipment if the IT equipment vendor has no control over the actual collection, processing or storage of the information.
* The proposal applies only to transfers of information from Europe to the United States, and it is not intended to influence law or information policy within the United States.
* A company that applies for safe harbor protection does not, simply as a result of doing so, create a new jurisdictional hook for the nations of the European Union.
General Concerns
In this section, we highlight general concerns about the safe harbor proposal, for which additional dialogue may be required before ITI can endorse the proposal.
1. The international safe harbor principles should not require U.S. businesses to exceed the requirements imposed by the EU Data Protection Directive ("EU Directive") in order to enter the safe harbor. The principles should support and be consistent with existing U.S. self-regulation policies and statutes, including the Department of Commerce's own "Elements of Effective Self-Regulation" statement for electronic commerce. In the section below outlining our specific comments on the proposed safe harbor principles, we note several areas in which the principles appear to depart from established U.S. policy. We urge the Department to consider making the necessary revisions to more closely align the principles with existing policies.
2. While Under Secretary Aaron's cover letter acknowledges that the United States relies largely on a sectoral approach to privacy protection, we recommend including in the proposal an explicit acknowledgment of the sectoral approach. This could be achieved by adding a sentence as follows at the end of the second paragraph of Attachment B (International Safe Harbor Privacy Principles): "It is expected that industry sectors will customize or tailor these principles as appropriate to meet their particular needs."
3. Many key terms and concepts used in the proposal are not defined, while others are addressed in only very vague terms. Without definitions of key terms and greater specificity about how the proposal will be interpreted and implemented, including a more detailed description of how the process of obtaining the safe harbor protection would work, and what processes would be applied if disputes were to arise or complaints filed, it is impossible to fully understand the impact of the proposal.
4. The EU Directive applies broadly to all information, regardless of how it is gathered or used, including data beyond that used in or for electronic commerce, such as human resource and employee data. Consequently, we believe the safe harbor should apply just as broadly to all nonproprietary information, including any information that is processed electronically, even if it is not used in online applications.
5. We believe that a company certifying its compliance with the safe harbor principles should be able to choose whether the certification covers its other corporate entities, including affiliates and subsidiaries, located in other nations. This way, a compliant company may transfer data to its other corporate entities regardless of their physical location.
Comments on the International Safe Harbor Privacy Principles
As a starting point, ITI associates itself with the comments of the Online Privacy Alliance (OPA) and urges you to adopt those comments. That said, however, the following comments would require satisfactory resolution before ITI could support the safe harbor proposal.
1. Choice -- We suggest deleting the parentheses around the phrase "where such use is unrelated to the use(s) for which they originally disclosed it," because the parenthetical phrase actually is the governing thought in the sentence. In addition, to increase the principle's consistency with the OPA's guidelines, as well as to make it possible to implement the requirement, we suggest changing the words "for which they originally disclosed it" to read "for which it was originally collected," because it may often be difficult, or impossible, for a company to ascertain why an individual provided certain information.
We also suggest inclusion of a clear definition of "sensitive information," as that term is subject to very different meanings in the U.S. and Europe. ITI suggests a narrow definition that focuses on medical information, which is generally considered sensitive in both Europe and the United States.
2. Onward Transfer -- In mandating that an organization must require that third parties provide at least the same level of privacy protection as originally chosen by the individual, this principle would create significant difficulties for industry, and, in fact, might create secondary liability for the company that originally collects the information. To address this problem, ITI recommends replacing this principle with a notice and consent approach, similar to that taken by the OPA. The OPA guidelines require organizations to provide notice of the company's policy about what information is collected and how it will be used, including whether it will be transferred to third parties. The individual thus would be able to choose whether to provide the requested information. If the company's policy regarding transfer of the information were to be unacceptable to the individual, he or she could choose not to provide the requested information, or to prevent the transfer of the information if that option is available.
Further, in the phrase "at least the same level of privacy protection," the term "privacy protection" is not defined. If the existing language is retained, ITI suggests replacing this phrase with a reference to a particular set of principles or policies, such as "a level of privacy consistent with these principles," or, alternatively, "a level of privacy consistent with the OECD Guidelines."
3. Data Integrity -- The purpose of this principle is not clear as it is presently constructed, particularly because of the ambiguous placement of the modifier "only" in the middle of the first sentence. Does the principle seek to create a requirement to retain only certain types of data, and thus to delete other types after some period of time (or when they are no longer "relevant")? If the goal is retention of only relevant information, ITI recommends defining "relevant," and redrafting the principle to clearly show the scope of limiting words such as "only." Further, the inclusion of the term "complete" in the last sentence does not make sense in the context in which it is used, and should be deleted. We believe that requiring data to be "accurate and current" is sufficient.
4. Access -- This principle raises serious compliance difficulties, as it would require companies to allow "reasonable access" to any and all information about an individual held by an organization, for any purpose. Requiring such broad access creates serious operational difficulties for companies. Instead, the goal should be ensuring that consumers can access information about themselves that is used to make substantive or material decisions, so consumers can make corrections to that data. To achieve this goal, we suggest replacing the first sentence of the Access principle with the following: "Individuals must have reasonable access to information collected from them in order to be able to correct or amend that information when it is inaccurate." We believe this is a suitable compromise between the OPA's guidelines and what we understand to be the EU's concerns. We also request clarification that this principle applies only to personal information collected from individuals, and not to databases compiled from that information.
5. Enforcement -- In general, the enforcement principle, which seems to allow compliance through membership in seal programs as well as through contract arrangements or self-certification, appears reasonable. However, there are a number of points of confusion due to the construction of the principle and its relationship with the note that follows it. To clarify, we suggest rewriting the principle as follows, which includes the points made in the note in the body of the principle, and deletes the second sentence as it is redundant and contains many undefined terms:
"Effective privacy protection must include mechanisms for assuring compliance with the principles, recourse for individuals, and consequences for the organization when the principles are not followed. Organizations may satisfy these requirements: (a) through compliance with private sector developed privacy programs that include effective enforcement mechanisms (which, as a minimum, must include means for recourse and dispute resolution mechanisms); or (b) through compliance with legal or regulatory supervisory authorities; or (c) by committing to cooperate with data protection authorities located in the European Community. Sanctions must be sufficient to ensure compliance by organizations."
We recommend deleting the phrase at the end of the last sentence, ". . . and must provide individuals the means for enforcement," as it is unclear how sanctions provide a means for individuals to enforce privacy protection measures.
Conclusion
ITI appreciates the opportunity to provide these comments, and we look forward to continuing our dialogue with the Department of Commerce on this proposal. If you have questions or need additional information, please do not hesitate to contact Fiona Branton at ITI at 202-626-5751 or fbranton@itic.org.
Sincerely,
Fiona Branton
Vice President and Chief Counsel
Information Technology Industry Council
_____________________________
Fiona Branton
Information Technology Industry Council
fbranton@itic.org
202-626-5751
From: Ram Avrahami, Director, The NAMED, Inc.
Re: Comments to Safe Harbor Principles
November 18, 1998
Mr. Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th and Constitution Avenue, N.W.
Washington, DC 20230
Dear Mr. Fredell,
This message provides comments to the November 4, 1998, letter of David L. Aaron, regarding the proposal of Safe Harbor Principles. (http://www.ita.doc.gov/ecom/com.htm)
This letter correctly states that the US relies largely on a self-regulatory (though not effective) approach to privacy. The letter also correctly implies that the European Directive on Data Protection, having become effective on October 25, can pose problems for US companies that do not meet the standards set by the Directive. Unfortunately, the letter continues on the false track that the US government should attempt to protect American companies that fail the threshold of privacy set by the Directive by providing an alternative and lower set of standards. The US government could have provided a more constructive role had it urged American companies and self-regulatory bodies to raise their standards to the level recommended by the EU.
I would like to highlight one specific deficiency in the proposal. It is the redefinition of Consent (Article 7 of the Directive) with Choice (Principle 2 of the proposal). This redefinition converts a basic right of the individual to a right of the organization to have a free hand with the information, as long as they provide an opt-out mechanism. This conversion of rights cannot be justified by any reasonable reading of the Directive and would likely be rejected by the EU. Further, it misleads American companies to believe that they can continue with their current actions rather than attempt to improve them. Finally, such redefinition harms American citizens who overwhelmingly object to unauthorized use of their information and want their government to mandate actions consistent with Article 7. For example, a 6/96 survey by Direct, a direct marketing magazine, found that 83% of them want the government to pass a law that requires opt-in procedures for names to be included on mailing lists. Other surveys show the same or higher desire by the public for preventing unauthorized sale or disclosure of personal information.
The American public would be better served if the US government focused on improving the privacy standard of American companies, rather than redefining it for an assumed short term benefit of commerce with Europe.
I urge the Commerce Department to rethink its proposal for Safe Harbor Principles.
Sincerely,
Ram Avrahami
Director, The NAMED, Inc.
http://www.named.org/
avrahami@named.org
FROM: Interactive Digital Software Association
From: Gail Littlejohn
Re: Draft International Safe Harbor Privacy Principles
Mr. Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th Street and Constitution Ave., NW
Washington, DC 20230
RE: Draft U.S.-E.C. Safe Harbor Privacy Principles
Dear Mr. Fredell:
The Interactive Digital Software Association (IDSA) appreciates the opportunity to comment on the Draft International Safe Harbor Privacy Principles (“Draft Principles”) distributed by Undersecretary Aaron on November 4. The IDSA commends the Commerce Department for its hard work in advancing the safe harbor approach in discussions with the European Commission (EC). We believe that the Draft Principles have the potential to offer a solid basis for reaching an acceptable accord with the EC which will vindicate the legitimate privacy interests of consumers on both sides of the Atlantic without unduly impeding the free flow of information.
About the IDSA and its Guidelines
Formed in 1994, the IDSA serves the business and public affairs needs of companies that publish video and computer games for consoles, personal computers, and the Internet. Member companies of the IDSA collectively account for more than 85 per cent of the $5.1 billion in entertainment software sold in the U.S. in 1997, and billions more in export sales of U.S.-made PC and video games.
On October 14, 1998, the IDSA Board of Directors unanimously approved the IDSA Principles and Guidelines for Fair Information Practices (“IDSA Guidelines”). These self-regulatory guidelines are intended to serve as a basis upon which IDSA member companies will build their own policies for the online protection of personally identifiable information. A copy of these guidelines, with their accompanying commentary or implementation guidance (“commentary”), is attached to this letter. IDSA has now embarked on a vigorous campaign to encourage and assist its member companies to implement information policies consistent with the IDSA Guidelines.
The entertainment software industry is one of the most dynamic and fastest-growing sectors of the U.S. economy. In 1997, the industry grew by 38%, to over $5 billion in sales, and there is no sign that this surge of growth is slackening. For major U.S. entertainment software companies, more than 35% of 1998 revenue is projected to come from sales outside the United States.
IDSA member companies were among the earliest active participants in electronic commerce over the Internet. Today, the online presence of these companies is crucial to their business operations, not only for promotion and marketing and for online sales of their products, but also for the development of virtual communities of game players, and for actual online delivery of the companies’ products. In fact, online gaming, in which computer games are actually played online, in real time, by pairs, scores or even hundreds of simultaneous users who may be scattered across the globe, is a rapidly expanding segment of the entertainment software markets, and is expected to be even more important after the year 2000, as network performance and bandwidth are upgraded. The consumers who visit the web sites of IDSA member companies, and those who participate in online gaming, come from all over the world, including the European Union. Thus, questions of how IDSA member companies collect, use and disseminate personal information online, and how these companies can best comply with data protection regulations adopted by various governments, are not peripheral matters, but go to the very heart of their businesses.
The adoption of the IDSA Guidelines is thus a significant step forward in the effort to protect the privacy of consumers online through voluntary self regulation by responsible industry players. The primary criterion used by the IDSA in evaluating the Draft Principles is to ensure that a company which voluntarily takes this significant step, by adopting online information practices that comport with the IDSA Guidelines, will also be in a position to take advantage of a safe harbor with respect to compliance with the EU Data Protection Directive (and with implementing national legislation adopted by EU Member States). To the extent that it appears that this cannot be achieved — in other words, to the extent that a company’s compliance with the IDSA Guidelines is insufficient to achieve safe harbor status for its online data collection activities — IDSA urges that the safe harbor criteria be modified. With appropriate modifications to the qualifying criteria, IDSA believes that the safe harbor approach is a promising means of harmonizing the differing U.S. and European approaches to information privacy in a way that should minimize disruptions in the flow of personally identifiable information into and out of the European Union.
Comments on Safe Harbor Principles
To a considerable degree, the IDSA Guidelines closely conform to the Draft Principles. In some cases, a company whose information policies follow the IDSA Guidelines will find itself doing even more to protect the privacy of consumers than appears to be required under the Draft Principles. For example, while the Data Integrity Principle of the Draft Principles provides that organizations should keep personal data only if it is “relevant for the purposes for which it has been gathered,” the corresponding item in the IDSA Guidelines, entitled “Limiting Data Collection and Retention,” limits those purposes to “valid business reasons.” The accompanying commentary further calls on companies to “periodically reevaluate whether a valid business reason continues to exist for collection or retention of certain business data,” a requirement that does not appear in the Draft Principles.
While the IDSA Guidelines and the Draft Principles use slightly different formulations, the two documents appear to share the same intent with respect to several issues, such as notice, security, and data integrity. As to these points, we would not anticipate that a company whose policies conform to the IDSA Guidelines would have great difficulty in satisfying the requirements for a safe harbor under the Draft Principles. At the same time, problematic ambiguities appear in some areas, which we urge be clarified before the Draft Principles take final form. In the analysis which follows, we track the organization and headings of the Draft Principles.
1. Notice
With three minor caveats, we believe that the Notice Principle of the Draft Principles and the IDSA Notice/Disclosure Guideline are substantially similar.
First, we assume that this principle is focused on the collection of information directly from an individual data subject, or at least that the disclosure obligation is triggered by the individual being “asked to provide personal information [directly] to the organization.”
Second, we assume that a requirement to disclose “the purposes for which it collects such information [and] the types of organizations to which it discloses the information” is congruent with the IDSA Guideline provision that a privacy policy should state “how the information may be used, including those outside the company with whom it may be shared” (emphasis added). Of course, a company should not be bound to use information for a stated purpose or to share it with an identified type of third party so long as the anticipated uses are disclosed.
Finally, we assume that the requirement that the notice be “made available” is satisfied (in the online environment) by establishing a hyperlink from the first page of the company’s Web site, as contemplated in the commentary to the IDSA Notice/Disclosure Guideline.
2. Choice
As do the Draft Principles, the IDSA Guidelines call on companies to ensure that individuals be given the opportunity to choose whether and how personal information is used. However, it appears that there may be potential discrepancies between the ways the two documents propose to implement their choice principles.
The Draft Principles appear to rigidly require that companies offer this choice in specified ways. For instance, the Draft Principles require that individuals be allowed to opt out of any use of personal information that is “unrelated to the use(s) for which they originally disclosed it.” An opt out seems to be required even if the use in question is one that was disclosed to the data subject (in accordance with the Notice Principle) at the time of collection.
By contrast, the IDSA guidelines do not dictate what mechanism a company will employ to offer the requisite choice, but rather suggest use of “opt-in, opt-out, or equally effective approaches.” When deciding what mechanisms for exercising choice will be offered to consumers, the IDSA guidelines recommend that its companies consider a variety of factors, including the necessity of the collection or use of personal data for completing a transaction initiated by the consumer, the sensitivity of the data, the possibility of a “secondary use” (defined as “use for purposes not directly related to the purpose for which the information was collected”), the burden created by offering choice, and other applicable legal requirements.
A related difference between the IDSA and Draft Principles on Choice involves the consequences that result if the personal information is used in a manner unrelated to the use for which it was originally disclosed. For example, personally identifiable information may be disclosed for one immediate use - e.g., ordering delivery of a computer game - with conspicuous notice that this information may be used later for other purposes - e.g., for notifying the consumer of debugged versions, upgrades, or the existence of structured competitions for players of the game in question. Under the Draft Principles, it seems that such a disclosure would disqualify a company from safe harbor status unless it included an “opt out” opportunity from all disclosed uses other than the initial use to which the information would be put.
Alternatively, the Draft Principle on Choice might require a company to re-contact the customer at a later time - when the upgraded version is actually available, for example -- and offer him or her an opt-out from the previously disclosed intended use, with the actual offer of the upgrade being delayed to a third contact once the opt-out had been declined. Thus, the Choice Principle may invite gamesmanship over whether a particular use, fully disclosed at the time of collection of information, is or is not “unrelated to the use for which [the consumer] originally disclosed” personal information.
By contrast, the IDSA Guidelines use a more practical and flexible standard. The IDSA Guidelines recommend that companies consider the necessity of the “use of personal data for completing a transaction initiated by the consumer” when determining the mechanism for choice they will offer. The IDSA Guidelines also allow a company to consider whether or not the use in question is (or is related to) one that was properly disclosed to the consumer at the time of data collection. After consideration of these factors, a company implementing the IDSA Guidelines will create an appropriate choice mechanism, which may very well be offering an opt-out.
We believe the approach taken in the IDSA Guidelines is an effective means of providing choice to individuals while allowing companies certain flexibility. The approach taken in the Draft Choice Principle amounts to either an unacceptable micromanagement of the particulars of a company’s notice and disclosure, or else a requirement for unproductive repetitive contacts with the customer, all for a minimal or non-existent gain in consumer privacy. They also appear to go beyond even the substantive requirements of the Data Protection Directive, which merely require that the purposes of collection of personal data be “specified, explicit and legitimate” and that “further process[ing]” of such data not be carried out “in a way incompatible with those purposes.” Data Protection Directive, Article 6.1(b).
At a minimum, the Choice principle within the Draft Principles should be changed to conform with the Notice Principle, by requiring an opt out only when the use is “unrelated to the purpose(s) for which the information was originally collected.” Optimally, the Choice Principle should be further modified to recognize that companies need flexibility in determining the scope of choice and the mechanism to be employed - whether opt-in, opt-out, or another means.
3. Onward Transfer
In part, this Draft Principle appears to be redundant of the Choice Principle: transfer to a third party is a use of personal information that should be disclosed to the data subject and in appropriate circumstances should be subject to an opt out. (The IDSA Guideline on Choice explicitly notes “third party distribution” as a factor in determining the appropriate choice mechanism.) The comments in the preceding section concerning the formulation “unrelated to the use(s) for which the individual originally disclosed it” apply here as well. If onward transfer is disclosed as a purpose for which the information was originally collected, there should not be a rigid requirement to offer an opt out.
The issue addressed in the second sentence of this Draft Principle is addressed in the commentary to the IDSA Guideline on Data Integrity/Security, which calls on transferees of data to take “reasonable precautions to protect transferred information.” The commentary also encourages IDSA member companies that do intend to share personal data with third parties to notify data subjects of the risk of security breaches, so that the consumer may make an informed choice about onward transfer. As a practical matter, such a disclosure would be more beneficial to the consumer than any obligation that the company “require” certain conduct of its transferee. In any event, we assume that the obligation that the transferor “require” that transferees respect privacy choices does not mean that the transferor is strictly liable if the transferee does not do so, particularly when the risk has been disclosed to the consumer. This assumption should be confirmed before the Draft Principles become final.
4. Security
The provisions of the two documents are almost identical on this issue. We assume that the adjective “unauthorized” applies to “alteration” and “destruction,” since, for instance, authorized destruction of data once its retention is no longer justified should be encouraged, not discouraged.
5. Data Integrity
The wording of the first sentence of this principle is somewhat obscure, and the phrase “consistent with the principles of notice and choice” is ambiguous. In practice, a company should be granted broad discretion to determine both the purposes for information collection and the relevance of particular data to those purposes. The touchstone, as the IDSA Guideline on Limiting Data Collection and Retention makes clear, is a “valid business reason” for collection and retention of data. It does not appear that this Draft Principle is inconsistent with the IDSA Guidelines, and indeed, as noted above, the latter document may go further in this area in limiting a company’s information practices.
6. Access
The IDSA Guideline seems fully consistent with the Draft Principle on this topic, and indeed the commentary to the former document goes into some detail about what is needed to make a consumer’s access “meaningful.”
The Draft Principle could be improved in two respects. First, the ability to correct or amend inaccurate data should turn on the significance of the inaccuracy; meaningful data correction (which includes notifying data recipients of the change) can be an expensive and time consuming process, and resources should not be needlessly squandered on correcting immaterial inaccuracies. Thus, the IDSA Guideline on Data Access requires correction or amendment of information “when necessary,” not simply in all cases “where it is inaccurate.”
Second, and more importantly, it would be desirable to include in the list of factors to be considered in determining reasonableness of access some of those cited in the commentary to the IDSA Guideline on Data Access, e.g., “burden (e.g., cost);” the locations where the data is stored; the nature of the enterprise and how its information is used; and considerations of information security. While many of these factors may be subsumed under the general Draft Principles rubric of “the nature and sensitivity of the information collected and its intended uses,” not all are. Cost, security, and the nature of the organization in question are all highly relevant to the circumstances and conditions under which individuals should obtain access to this data. If the Draft Principle were to be read to forbid consideration of these factors in fashioning “reasonableness of access,” it would be unacceptable.
7. Enforcement
This is the most complex of the Draft Principles, but as we read it, it appears fully compatible with the corresponding IDSA Guideline on Enforcement/Accountability. The cornerstone of that guideline, as explained in the last paragraph of the accompanying commentary, is that “IDSA members must seek qualification for certification seals provided by third party entities if affordable and appropriate certification seals are available.” The commentary further specifies the characteristics of acceptable seal programs, which include “submission to mediation or arbitration of consumer concerns”; “submission to a monitoring and verification program designed by the seal provider”; and the possibility of revocation of seals or imposition of fines for substantial non-compliance with the seal program requirements. These features correspond respectively to points (a) (independent recourse mechanisms), (b) (verification systems), and (c) (consequences for failure to implement stated privacy principles) of the minimum requirements established for enforcement mechanisms by this Draft Principle. Consequently, to the extent that certification seal programs meeting these requirements are available (and assuming that the substantive rules underlying such seals are consistent with the final version of the safe harbor principles), IDSA members who participate in them would satisfy the requirements of the Enforcement Principle through method (a) (“compliance with private sector developed privacy programs....”) set forth in the note following the Draft Principle.
However, even if adequate certification seal programs are not developed for some reason or in a timely fashion, the commentary to this IDSA Guideline requires internal company mechanisms that may fulfill the objectives of the Draft Principle on Enforcement. These mechanisms, set out in detail in the first four paragraphs of the commentary to the IDSA Guideline on Enforcement/Accountability, provide for compliance assurances; recourse for individuals (including where necessary referral to outside arbitration or mediation); and consequences for non-compliance. Under these circumstances, it is not clear whether, under the concluding Note to the Draft Principles, these internal mechanisms alone, no matter how rigorous, would qualify as a “private sector developed program” sufficient to constitute fulfillment of method (a). This question should be clarified in the affirmative.
Alternatively (or additionally), the Draft Principles should make clear the circumstances under which companies could satisfy the Enforcement Principle’s requirements through method (b) of the concluding Note (“compliance with legal or regulatory supervisory authorities”). To the extent that the Federal Trade Commission and/or state agencies have the ability to pursue, as deceptive trade practices, a company’s material non-compliance (resulting in harm to specific individuals) with its own stated information practices with respect to personally identifiable information, the company affected should be deemed to have satisfied the requirements of this Enforcement Principle through method (b). Similarly, a company whose policies entitle it to safe harbor treatment under the recently enacted Children’s Online Privacy Protection Act should be deemed to come within the negotiated safe harbor with the E.C. with respect to information collected online from children.
* * * *
The IDSA appreciates the Commerce Department’s consideration of our comments. Please let me know if you have questions concerning this submission, the IDSA Guidelines, or the information practices of the entertainment software industry.
Respectfully submitted,
Douglas Lowenstein
President, IDSA
Of Counsel:
Steven J. Metalitz
Smith & Metalitz, L.L.P.
1747 Pennsylvania Ave., NW, Suite 825
Washington, DC 20006
metalitz@iipa.com
FROM: Mark Silbergeld Comments for:
Honorable David L. Aaron
Under Secretary for International Trade
U.S. Department of Commerce
14th Street at Constitution Avenue NW
Washington DC 20230
Dear Under Secretary Aaron:
The undersigned organizations request to meet with you within the next few days to discuss the Administration’s proposed “Safe Harbor” principles for electronic commerce privacy standards as embodied in European Commission Directive 95/46/EC. We are very concerned at reports that you personally developed this proposal in private consultation with industry representatives. There has been no similar consultation with consumer or privacy advocates.
We had thought, based in part on the Administration’s welcome response to the establishment of the Transatlantic Consumer Dialogue this past September, that there would be an Administration commitment to consulting all “civil society” stakeholders in the development of proposals. Instead, we continue to find that proposals emanate from the Administration after consultation only with industry.
We are certain that you would be happy to have consumers ride aboard your train. However, it appears that, once again, the train has left the station unannounced and the industry, as represented by the Transatlantic Business Dialogue, is the engineer in the cab. Consumer and privacy interest representatives are left to the limited device of filing comments in response to a departmental notice about a policy that was shaped behind closed doors by business interests.
A number of consumer and privacy organizations will have filed comments on the safe harbor principles by the time you receive this letter. We have also prepared additional comments on the substance of the proposal. Those preliminary comments are attached. However, the direction in which the Administration’s policy is headed has been set by industry concerns alone. We consider it imperative that we meet with you to discuss our process concerns and our substantive concerns about this issue.
To make arrangements for a meeting, please contact Mark Silbergeld, Co-Director of Consumers Union’s Washington Office at (202)-462-6262, 1666 Connecticut Avenue NW, Washington DC 20009 (e-mail: silbma@consumer.org).
Sincerely,
Katharina Kopp, Center for Media Education
Jean Ann Fox, Consumer Federation of America
Mark Budnitz, Consumer Law Center of the South
James Love, Consumer Project On Technology
Mark Silbergeld, Consumers Union
Marc Rotenberg, Electronic Privacy Information Center
Jason Catlett, Junkbusters
Robert Biggerstaff, The NAMED, Inc
David Banisar, Privacy International
Robert Ellis Smith, Privacy Journal
Beth Givens, Privacy Rights Clearinghouse
Evan Hendricks, Privacy Times
Edmund Mierzwinski, U.S. Public Interest Research Group
CC: Honorable William M. Daley
Secretary of Commerce
Honorable Charlene Barshefsky
United States Trade Representative
Honorable Stuart Eizenstat
Under Secretary of State
Honorable Gene Sperling
National Economic Council
Honorable Robert Pitofsky
U.S. Federal Trade Commission
ADDITIONAL PRELIMINARY COMMENTS OF
CONSUMER AND PRIVACY GROUPS
ON THE DEPARTMENT OF COMMERCE “SAFE HARBOR” PROPOSAL
19 Nov 98
(1) LETTER AND ADDITIONAL PRELIMINARY COMMENTS MUST BE READ TOGETHER: These additional preliminary comments are in addition to, and intended to be considered in combination with, the detailed process concerns raised in the above letter. The concerns of the undersigned consumer and privacy groups with the Department of Commerce proposal extend both to process and to substance. Due to the unacceptable nature of the Department’s request for comments, the undersigned groups retain the right to submit additional detailed comments at a later date.
(2) THE SAFE HARBOR PROPOSAL COULD JEOPARDIZE DOMESTIC EFFORTS TO STRENGTHEN PRIVACY RULES: Acceptance of this weak safe harbor proposal will make it harder for Congress and state legislatures to consider new laws that protect U.S. citizens better than it does. Many of our organizations have worked for years to expand and extend privacy protections. Despite the rhetoric of Undersecretary Aaron’s cover letter, which accepts as gospel the view of some industry observers that the “United States relies largely on a sectoral and self-regulatory, rather than legislative, approach to effective privacy protection,” in fact, the United States has a long and rich history of privacy protection, starting in 1890 with Brandeis and Warren and then running through a series of laws designed to respond to privacy threats. These laws include the Fair Credit Reporting Act, the Privacy Act of 1974, the Video Privacy Act of 1988, and numerous others. It is also becoming increasingly clear that the large industry mergers in the telecommunications and financial services sectors have made the sectoral approach increasingly obsolete. Firms now obtain information about individuals from many different sources. Even if there is some merit to an analysis that holds that the sectoral approach has been used historically, its time is done. We need a comprehensive approach to privacy protection.
More important, however, than its reinterpretation of history, is the proposal’s chilling effect on consideration of new privacy laws. Technological and marketplace changes have brought a flurry of privacy proposals forward. In the 105th Congress, at least 90 privacy laws were considered. At the end of the Congress, for example, the House and Senate Banking Committees and the House Commerce Committee considered broad proposals requiring consumer opt-ins before financial information could be shared or sold by financial holding company affiliates. Other privacy threats under Congressional consideration include credit headers, affiliate sharing, information brokers, etc. Other privacy proposals were on issues including genetic privacy, medical records, encryption and other issues. Legislation on identity theft was signed into law. The Federal Trade Commission has threatened legislation next year to protect privacy on the Internet, due to the failure of voluntary self-regulation efforts to do the job. State legislatures are considering many of the same problems as Congress, and others. Adoption of a safe harbor proposal that lowers the standards the American public deserves and expects American businesses to live up to, is both inappropriate and bad public policy.
(3) PROMULGATING A SAFE HARBOR THAT COMPLIES WITH THE DIRECTIVE RATHER THAN CIRCUMVENTS IT WOULD BE IN THE BEST INTERESTS OF EXPANDING ELECTRONIC COMMERCE: U.S. consumers want to participate in electronic commerce. They have chosen not to do so because of concerns over the privacy of information about them and the security of their transactions. True compliance with the Data Directive would go a long way toward reassuring U.S. consumers. Such a position would be pro-business, and pro-consumer. Instead, the Department has made a proposal that falls short of adequate protection, will undermine consumer confidence in e-commerce, and will actually run counter to efforts to expand it. As EPIC has pointed out, one interesting lesson that has been learned from looking at the early impact of the EU Data Directive is that a privacy law can help encourage the development of good privacy techniques, while the absence of a privacy law will lead to weaker technical standards. For example, the European Commission is actively promoting anonymous payment systems that could spur electronic commerce as well as protect privacy interests. The new German multi-media law encourages the adoption of similar techniques to protect privacy.
(4) THE SAFE HARBOR PROPOSAL FALLS SHORT OF THE 1980 OECD PRIVACY PRINCIPLES: The United States endorsed the OECD Privacy Principles almost twenty years ago and recently pledged to continue to support them. The safe harbor proposal would undermine this support.
(5) PRIVACY IS A RIGHT UNDER THE DIRECTIVE, NOT A CHOICE OR A VALUE: A country such as ours that prides itself on human rights should not be proposing to weaken privacy—which is one of the most important rights in the information age. Yet, perversely, the “safe harbor” includes a presumption that consumers be provided only the ability to “opt-out.” This view is entirely inconsistent with the Directive’s clear requirement for consumer consent prior to use of information. It is also inconsistent with numerous laws under consideration in the United States.
(6) SELF REGULATION HAS NOT WORKED. In the United States, self-regulation has not worked. For example, Geocities received a certification from TrustE, even while under investigation for violating the privacy of its users.
(7) THE SAFE HARBOR DISCRIMINATES AGAINST SMALL BUSINESSES: The Safe Harbor principles discriminate against small and medium sized companies operating on the Internet that may not be able to self-certify.
(8) THE SAFE HARBOR PRINCIPLES UNDERMINE KEY ELEMENTS OF DATA PROTECTION. As above, "consent" is redefined as "choice." There is no reference to "use limitation" or "purpose specification," even though both principles are found in the 1980 OECD Privacy Guidelines. There is no real means of enforcement for the Safe Harbor Principles.
(9) PRIVACY PROTECTION AGENCY NEEDED: The Safe Harbor principles do not address the fundamental need to create a permanent privacy agency to represent consumer interests on privacy protection.
(10) THE PRINCIPLES ONLY PROTECT EUROPEAN CITIZENS: The letter accompanying the safe harbor principles states that “Such principles must provide “adequate” privacy protection for European citizens.” While the principles are deficient in many ways, where stronger protections are provided than in U.S. law, or in the absence of U.S. law, then U.S. citizens should gain the same protections. U.S. companies should be required to protect all their customers.
(11) THE SAFE HARBOR DOES NOT COMPLY WITH THE CODE OF FAIR INFORMATION PRACTICES THAT U.S. PRIVACY LAWS AND THE DATA DIRECTIVE ARE DERIVED FROM: Among the problems in the 7 Safe Harbor Principles are the following:
A. LACK OF ACCOUNTABILITY: Organizations should be required to designate an individual or individuals who are accountable for the organization's compliance with the principles. The identity of this person must be made known to individuals upon request. Also, organizations must remain responsible for information under their control, including information that has been transferred to a third party for processing.
B. FAILURE TO LIMIT USES: Uses should be limited to those that (a) are legitimate and reasonably expected by individuals given the transaction or service in question, and (b) have been consented to by the individual in advance of collection.
C. NECESSARY COLLECTION ONLY: The proposal fails to limit collection of personal information to that which is necessary for the purposes identified by the organization and consented to by the individual.
D. SECONDARY USE: The proposal fails to limit disclosure of personal information to that which has been consented to by the individual in advance of the disclosure. (The "Onward Transfer" principle talks about limits on "use" by third parties, but totally ignores the preliminary question of disclosure to the third party in the first place and fails to explain whether affiliates are third parties.)
E. RIGHT OF INDIVIDUAL TO CONDUCT BUSINESS: The proposal does not protect an individual’s right to conduct business by preventing an organization from refusing service if a customer refuses to provide information which is not necessary for the purpose/transaction in question.
F. RIGHT TO REVIEW AND CORRECT: The proposal does not guarantee an individual’s access to review and correct all information about them in the organization's records, whether derived from public or non-public sources, except in very limited circumstances (e.g., solicitor-client privilege, commercial confidentiality, criminal investigations, prohibitive cost, reasonable expectation of consequential danger to life or security of another individual).
The undersigned organizations respectfully reserve the right to submit additional comments.
Marina Kopp, Center for Media Education
Jean Ann Fox, Consumer Federation of America
Mark Budnitz, Consumer Law Center of the South
James Love, Consumer Project On Technology
Mark Silbergeld, Consumers Union
Marc Rotenberg, Electronic Privacy Information Center
Jason Catlett, Junkbusters
Robert Biggerstaff, The NAMED, Inc
David Banisar, Privacy International
Robert Ellis Smith, Privacy Journal
Beth Givens, Privacy Rights Clearinghouse
Evan Hendricks, Privacy Times
Edmund Mierzwinski, U.S. Public Interest Research Group
November 19, 1998
via Facsimile (202/501-2548)
and Hand-Delivery
Ambassador David L. Aaron
International Trade Administration
14th and Constitution Avenue, N.W.
Washington, DC 20230
Attention: Mr. Eric Fredell, Task Force on Electronic Commerce
Re: Draft International Safe Harbor Privacy Principles
Dear Ambassador Aaron:
On behalf of Time Warner Inc. (“Time Warner”), I am pleased to submit these comments in response to your November 4, 1998 letter to industry representatives. As a conceptual matter, Time Warner supports the Department of Commerce (“Commerce”) exploration of a safe harbor approach to bridging the differences in privacy protection approaches taken by the United States and the European Union. Contingent upon how, of course, it is formulated, a safe harbor approach offers an important and constructive opportunity to close any gaps and assure no disruption of data transfers or commerce.
We set forth below our views on both the general approach and a number of the specific provisions contained in the November 3, 1998 “Draft International Safe Harbor Privacy Principles.”
Time Warner
Time Warner is the leading media and entertainment company, with four fundamental businesses: entertainment, cable networks, publishing, and cable, including interests in filmed entertainment, television production, broadcasting, recorded music, music publishing, cable television programming, sports franchises, magazines, book publishing and cable television systems.
Time Warner is one of the world’s largest providers of content in some of the most popular sites online, with about 150 million page views in the aggregate every week. We are also an online service provider, including Internet access, through our Road Runner cable modem service, with subscribers in communities around the country. In addition, Time Warner is also one of the largest direct marketers in the United States through mail and telephone solicitations and television advertising.
Time Warner’s global business activities include substantial operations in Europe. Both as a provider of media and entertainment products and services, and as an employer, Time Warner transfers personal information to the United States from locations in the European Union. Time Warner's European operations that would be most affected by the safe harbor proposal relate mainly to book clubs and magazine publishing. Time Warner has a large direct marketing operation in Europe and, as in the United States, uses a variety of media to reach its customer base.
Overview of the Safe Harbor Approach
Although many have discussed the differences between the United States
and the European Union in their approaches to personal privacy protection,
continued trade between Europe and the United States substantially depends
upon the common elements of privacy protection in our respective approaches.
Thus, Commerce has wisely focused on the result: how the privacy
of affected individuals is protected.
Under the Commerce proposal, companies could come within the safe harbor
by self-certifying that they adhere to specified privacy principles.
Such companies would be presumed to provide an “adequate” level of privacy
protection and could continue transferring personal information from the
EU. Data protection authorities presumably would still take steps
to assure themselves that companies are indeed adhering to the specified
privacy principles.
A necessary part of the safe harbor approach is agreement on the specific privacy principles to which companies must adhere. Commerce has attempted in its November 3 document to distill the essence of a long and detailed Directive. The several fundamental principles identified offer a basis, with further refinement, for substantially simplifying the process whereby U.S. companies contract with organizations located in the EU for the transfer of data. Indeed, if consensus can be reached about the privacy principles that determine whether a company comes within a safe harbor, the safe harbor approach could become a framework for an international agreement on privacy protection: the principles would reflect a global standard of privacy protection, not just a standard between the EU and the United States. Such a standard would further facilitate international commerce.
Need for Sectoral Approach
The proposed safe harbor approach attempts to establish a single standard
without regard to sectoral differences. This one-size-fits-all approach
may hinder rather than facilitate adoption of a safe harbor. The
potential for harm to an individual that can result from a particular disclosure
or use of personal information by a company in one sector is far greater
than the adverse consequences that could result from a use or disclosure
by a company in another sector. For example, the disclosure of health
information may engender consequences, such as the denial of insurance
coverage, that simply are not present in the entertainment or marketing
contexts.
Laws and privacy principles in the United States and elsewhere require an organization to expend greater cost and effort to protect more sensitive information than to protect less sensitive information. Indeed, this difference in applicable standards was explicitly recognized by the Privacy Working Group of the Information Policy Committee of Vice President Gore’s Information Infrastructure Task Force in its “Principles for Providing and Using Personal Information.”
We believe, therefore, that sectoral distinctions must be recognized in the safe harbor. One significant possibility might be separate safe harbors for certain sectors, notably including direct marketing. Perhaps more consistently with the current proposal and the Directive, there could be explicit recognition that various industry codes fulfill the general safe harbor provisions. This latter approach would have to be coupled with a very streamlined and general set of principles in the safe harbor itself.
Need for Explicit Assurances
Finally, U.S. businesses need better, more explicit assurances that
data flow between the EU and the U.S. will continue if they comply with
a safe harbor. Companies must have a high level of confidence that,
if they volunteer to comply with the safe harbor, then they indeed will
be complying with the laws of the EU Member States. If a safe harbor
is approved by the EU, then the Member States must not inhibit or bar the
transfer of personal information in a manner consistent with the safe harbor.
Without such assurances, then the safe harbor approach may not be useful
or viable for U.S. companies.
Specific Comments
A safe harbor should not impose obligations that the Directive does not require
Although Time Warner supports the safe harbor approach, we believe
that a safe harbor certainly should impose no obligations that the Directive
does not. However, as currently drafted, some of the proposed safe
harbor principles are more onerous than the Directive. Time Warner
believes that these principles need to be redrafted so that the safe harbor
obligations are, at the most, no more demanding than the requirements of
the Directive.
For example, under the notice principle, the safe harbor goes further than the Directive by requiring an organization to disclose “how” it collects information. The Directive does not contain such a requirement, and thus, the safe harbor should not. In addition, this principle of the safe harbor requires that organizations notify individuals of the “choices and means” for opting out. This requirement should not be included in the principles because the Directive does not require that the notice include the “choices and means” of the opt-out.
The access principle of the safe harbor, as currently worded, implies a broader notion of access to personal information than contemplated in the Directive. In describing the right of access, the Directive places limits on the extent to which an individual can access personal information. For example, the Directive requires that individuals have -- at “reasonable intervals and without excessive delay or expense” -- communication of the personal information undergoing processing, along with the right to correct inaccurate or incomplete information. By comparison, the safe harbor principle on access focuses on the sensitivity of the data, but does not take into account other reasonableness factors that the Directive does, such as cost, frequency of access requests, or response time.
The proposed enforcement principle requires that organizations have
mechanisms in place for assuring compliance with the safe harbor principles,
recourse for individuals, and consequences for an organization’s failure
to comply with the safe harbor principles. It requires that recourse
mechanisms be “readily available and affordable.” Although we support
the use of acceptable independent recourse mechanisms through our voluntary
subscriptions to the Online Privacy Alliance and Direct Marketing Association
guidelines, nothing in the Directive requires that such a mechanism be
readily available and affordable. Consequently, we believe this requirement
as well goes further than the Directive and should not be included in the
safe harbor principles.
In addition to these observations about where the principles are more
demanding than the Directive, we have some more technical comments regarding
the principles.
Notice
Time Warner is concerned that the proposed safe harbor principles are
drafted for an increasingly online world and will have unintended consequences
in the offline world for entertainment and direct marketing. Time
Warner fully supports the principle that an organization should inform
an individual about the organization’s use of personal information.
For the online world, Time Warner believes that it is appropriate for such
notice to be given when the information is first collected. In fact,
we pioneered the timing of notice in such a manner in all of our online
activities: Time Warner not only posts such notices on its home page
but also at every point of data collection.
Nonetheless, such an approach, although preferred and practical in the
online context, is unworkable in traditional media. Time Warner is
particularly concerned with the timing of the notice requirement as articulated
in the proposed safe harbor. The safe harbor provisions state that
notice must be given to individuals when individuals are first asked to
provide information. Such an obligation is impractical in many offline
settings and would constrain marketing efforts or the provision of customer
service. Moreover, the notice principle does not distinguish among the
various means by which information is collected and fails to take into
account those situations where the contemplated notification is unnecessary
given the consensual nature of certain transactions.
For example, it is not practical to inform consumers about all of an
organization’s information practices prior to requesting information in
order to send a catalog or to process an order or request. If a consumer
asks for a catalog or places an order by telephone, informing that consumer
of all of the organization’s privacy practices prior to processing the
request would be burdensome to both the business and the consumer.
Similarly, when a consumer orders a magazine subscription by mail or
telephone, apprising that consumer of the magazine’s privacy practices
may not be practical until the request is received. Many subscriptions
are ordered through subscription postcards contained in magazines (so-called
“blow-ins”). Such postcards provide a convenient means for consumers
to order magazines. However, requiring prior notification of the
privacy policy effectively means that the consumer must send in one request
for the privacy policy and then a second request to subscribe to the magazine.
The delay is not only burdensome in and of itself, but it may well stop
the order altogether, frustrating both the business and the consumer.
Likewise, apprising a consumer of a cable company’s privacy practices when the consumer telephones the company to install cable service may not be practical, particularly from the consumer’s perspective. Before collecting any information from the consumer, the cable company would be required to inform the consumer of all of the organization’s privacy practices even if the consumer were simply inquiring about the availability or pricing of service at the consumer’s address.
Instead of requiring that notice be provided when the information is first collected, we recommend that the notice be given in a timely fashion and before disseminating information to a third party. This approach could allow companies to fulfill requests and provide customer service quickly and efficiently while fully and effectively protecting the privacy interests of the individual. For example, under the 1984 Cable Act, a new cable customer may always cancel the cable service after receiving the privacy notice of the cable company and objecting to some of the company’s information practices.
Choice
The proposed safe harbor requires that companies provide individuals
with the opportunity to choose whether and how the organization may use
personal information. This choice is required when the use is “unrelated”
to the uses for which the individual originally disclosed the personal
information. The safe harbor does not, however, clearly delineate
the parameters of what constitutes an unrelated use. Thus, unrelated
uses may be defined subjectively rather than objectively. This could
be remedied by defining an unrelated use as a use of personal information
that was not disclosed within the original notice to the individual.
Such a definition could provide an objective standard for both the individual
and the organization, eliminating the vagueness of what constitutes an
unrelated use. Moreover, this definition could create an incentive
for companies to be very precise with the information contained in the
notice which, in turn, would benefit consumers. More precise notices
enable consumers to make better informed decisions about their submission
of data and whether to use the opportunities available to object to certain
processing of the data.
Onward Transfer
Although the onward transfer principle requires no obligations not
imposed by the Directive, establishing a separate principle for onward
transfers is unnecessary. The concept embodied in the onward transfer
principle is addressed under the notice and choice provisions. The
notice principle requires that the company inform the individual of the
purposes for which the information is collected. If the company contemplates
transferring personal information to third parties, that purpose must be
disclosed in the notice, eliminating the need for any additional notice
requirement under the onward transfer principle. Similarly, if an
appropriate opt-out choice is provided to the individual, such a choice
must allow individuals to indicate how their personal information may be
used. This choice includes whether information may be transferred
to third parties. Therefore, listing a separate onward transfer principle
is redundant.
Access
Time Warner provides individuals with reasonable access to information collected from them. Time Warner has always provided its customers, in both the EU and the U.S., with the opportunity to make corrections or changes to their personal information. The vast majority of the relatively small number of such customer inquiries concern corrections to names or addresses. Such access is part of the Time Warner customer service package and is reasonable.
Time Warner supports the sliding scale notion of access as contemplated in the proposed safe harbor. The more sensitive the information, the more individuals should be able to have access to it. However, many industries, including media and entertainment, and the marketing sector generally do not handle sensitive information. Moreover, we believe that whether access is deemed to be reasonable depends on several additional factors, including the frequency of the requests for access and the cost to fulfill such requests.
As the Directive itself effectively indicates, requests for access to personal information should be permitted only when those requests are made at reasonable intervals and under reasonable conditions. Consistent with this indication, we believe that whether the frequency of the requests is reasonable may also depend on the sensitivity of the information involved, the level of verification needed before access is provided, and the timeliness in which requests may be filled.
* * *
Time Warner believes that the proposed safe harbor provides a solid
basis for negotiating with the European Union to ensure that the flow of
data between the EU and the U.S. will not be disrupted, with all its attendant
consequences on businesses, livelihoods and consumer choices. With
some modifications, including a sectoral approach to the safe harbor principles,
and corresponding approaches to the notice and access provisions, the proposed
safe harbor facilitates the transfer of personal information while protecting
individual privacy. We applaud the continued efforts by the Department
of Commerce to ensure that data flow between the European Union and the
United States continues uninterrupted, and we appreciate the opportunity
to provide input to assist in these efforts.
Sincerely,
Arthur B. Sackler
Vice President Law and Public Policy
cc: Mr. Ira Magaziner
FROM: Associated Credit Bureaus
October 14, 1998
Eric Fredell
U.S. Department of Commerce
International Trade Administration
Task Force on Electronic Commerce
14th & Constitution Avenue
Washington, D.C. 20230
RE: Draft International Safe Harbor Principles
Dear Mr. Fredell:
On behalf of the 1000 members of Associated Credit Bureaus, the international trade association representing the consumer reporting industry, we submit the following comments on the "International Safe Harbor Privacy Principles" as proposed by the Department of Commerce on November 4, 1998.
We applaud the efforts of the Administration to attempt to find common ground with Europe on the issue of data privacy. It is the sentiment of our membership that the continued dialogue with the European Union must be guided by two important tenets.
First, in general, the principles to which the United States will agree must not embrace a "one size fits all" approach. In this regard, the proposal should acknowledge that all seven principles might not apply in the same way to all industry sectors. The ideas of sectoral law and self-regulation are foundational in a robust information economy. The United States should continue to be a thought-leader in advocating this approach to the world.
Second, any principle regarding secondary use of information must be thoughtfully constructed. The approach proposed by the Department of Commerce in the area of "onward transfer" may inhibit efforts by the financial services sector to prevent fraud, for example. Our country is the business case to the world when it comes to the development of innovative information products. We should be cautious about acceding to any global precedent, which appears antithetical to our country's domestic core values regarding information use.
We appreciate the opportunity to comment and look forward to the Administration's continued efforts to preserve a balance between appropriate data protection and the continued growth of a global information-based economy.
Sincerely,
Stuart K. Pratt
Vice President
Government Relations
Individual Reference Services Group
Before the
United States Department of Commerce
Washington, D.C.
COMMENTS
OF
THE INDIVIDUAL REFERENCE SERVICES GROUP
ON DRAFT
INTERNATIONAL
SAFE HARBOR PRINCIPLES
Ronald L. Plesser
Susan B. Ross
Stuart P. Ingis
Piper & Marbury L.L.P.
1200 Nineteenth St., N.W.
Washington, D.C. 20036
(202) 861-3900
Date: November 19, 1998
The Individual Reference Services Group (“IRSG”) welcomes this
opportunity to respond to the request of the Department of Commerce (“DOC”)
for public comment on the “Draft International Safe Harbor Privacy Principles”
(“Draft Principles”). The IRSG appreciates the DOC’s tireless
efforts in addressing the concerns of American business in relation to
the European Union Data Directive.
In many ways, the IRSG model originated the safe harbor approach that
the DOC proposes. The IRSG’s experience can highlight the value and
benefits of a safe harbor approach. We are very supportive of the
concept of safe harbor as it is developing within the U.S. and are confident
that, if applied appropriately, the IRSG principles can be extended abroad
to cover data transferred from Europe. We particularly commend the
DOC for reflecting the fundamental American value of freedom of expression
by excluding public records from the scope of the Draft Principles.
I. Summary
To be of value to U.S. industry, the safe harbor must allow for a sectoral
approach to privacy protection that is based on the nature and sensitivity
of the information. Additionally, for the safe harbor to be most
effective for self-regulatory codes such as ours, the principles should
contain a provision creating a safe harbor for companies that comply with
industry-based codes.
In our analysis, the IRSG principles comply with the Draft Principles.
We do believe, however, that specific provisions within the Draft Principles
can be improved and trust that our comments will be of value as the Draft
Principles are revised and guidance on their implementation is drafted.
II. The Individual Reference Services Group
A. The Individual Reference Services Industry
The IRSG is a group of the leading individual reference services companies
and the companies that supply information to them. The IRSG companies
are in the business of providing information that assists users in identifying
and locating individuals for a variety of beneficial purposes.
The customers of IRSG members include law enforcement agents, the media,
attorneys, and private investigators. Government agencies that have
evaluated the IRSG services have recognized their value and important contributions
to our society.
In response to the heightened interests in issues related to their
services, member companies came together to develop and implement a comprehensive
set of self-regulatory principles that effectively address privacy concerns.
B. Effective Self-Regulation Backed by Government Enforcement
Although called self-regulation, the IRSG principles are much
more than an industry-adopted standard or guideline. The real value
of the IRSG is that our principles are both enforceable and backed by independent
assurance reviews. The principles were developed in coordination
with the Federal Trade Commission (“FTC”) and rely heavily upon well-established
consumer protection laws. In the case of the IRSG, companies are
required to commit publicly to a set of privacy practices, which in turn
subjects the companies to government enforcement actions through both the
power of the FTC to prosecute unfair or deceptive business practices and
the consumer protection laws of the 50 states. Additionally, by backing
the enforceability of the principles with assurance reviews, each company’s
compliance with the principles will be verified independently. This
coupling of independent assurance reviews with the principles strengthens
the concept of “self” regulation by adding an effective enforcement mechanism.
Similarly, the effect of the IRSG principles extends beyond those
companies that elect to be governed by the principles. Signatories
of the principles contractually require that all companies buying non-public
data from them for resale abide by the Principles. Non-complying
companies risk losing access to the data. The FTC’s estimate that
IRSG signatories control 90 percent of all relevant information highlights
the adverse impact to a company of noncompliance with the IRSG principles.
III. IRSG and the European Safe Harbor
A. Sectoral Approach to Privacy
The IRSG privacy principles are specifically tailored for a single
industry sector, which is generally the approach taken within the U.S.
privacy protection system. Privacy within the United States has never
been protected through a cross-sectoral or omnibus approach. The
sectoral approach is very effective in its ability to evolve and respond
to changes in industry and society. The capability to tailor privacy
restrictions to the unique circumstances found within different industries
results in highly effective protections for our citizens. This effectiveness
is apparent in the numerous privacy protection regimes in the United States.
These regimes resulted from focused deliberations when new protections
were necessary to prevent actual or potential abuses of personal information.
In their present form, however, the draft safe harbor principles are
cross-sectoral in approach. To enable the benefits that result from
the U.S. sectoral approach as it relates to the Data Directive to continue,
the safe harbor principles must make room for different industry sectors
to have different privacy regimes that reflect the nature and sensitivity
of the information involved. Industries that handle more sensitive
information may require more stringent requirements than industries that
handle less sensitive information.
Industry self-regulation fits naturally within the sectoral approach,
and we believe it is also the most effective way to protect privacy internationally
as the information age continues to develop. It allows specific industries
to use their experience to most effectively regulate their particular industries.
After all, these industries have a firsthand understanding of the level
of sensitivity of the information they use as well as the needs of their
customers and the operational requirements of their practices, and can
use this experience to most effectively regulate their particular industries.
The self-regulatory approach also would provide companies with the
advantage of knowing that they are in compliance with both U.S. and European
privacy law by subscribing to a particular self-regulatory scheme.
B. Self-Regulation within the Safe Harbor
The IRSG exemplifies the successful self-regulatory approach that is
maturing within the United States privacy framework. It is essential
that self-regulatory schemes be encouraged. To this end, companies
seeking to come within safe harbors through a self-regulatory scheme should
be able to know that compliance with their principles will satisfy the
safe harbor principles. Under such an arrangement, organizations
that voluntarily agree to comply with the safe harbor could be challenged
with respect to compliance, but not with respect to the adequacy of the
principles. Otherwise, member companies could be subjected to a two-step
process: (1) demonstration of compliance with the self-regulatory principles,
and (2) demonstration that the self-regulatory principles satisfy the safe
harbor principles.
To avoid this situation, the principles should contain a provision
creating a safe harbor for companies who comply with industry-based codes.
As the self-regulatory codes are sectoral, such a provision would further
allow for the adequacy of industry privacy protection to be determined
according to industry specifications. We believe that the guidelines
developed by the IRSG would fit into this category of codes of conduct
that adequately protect privacy and take into account the specific features
of their industry sectors. If adherence to a self-regulatory code
were expressly permitted by the safe harbor, reliance on that code would
allow for a simple means of demonstrating compliance with the Directive.
We believe that any agreement ultimately reached with the European
Community should allow for data flow to continue uninterrupted for companies
that comply with the existing self-regulatory codes. Inclusion within
the safe harbor of industry codes will allow companies that adhere to such
codes to immediately recognize the various benefits of a safe harbor.
Safe harbor implemented in this manner will simplify contracts between
data exporters and importers and allow self-certification to work.
In addition, using the Draft Principles with some modification may serve
as a template to develop safe harbors for various industry sectors.
For example, the IRSG principles, although not specifically tailored to
comply with the Directive, form a substantially similar template to the
Draft Principles. At the same time, the IRSG principles are tailored
to handle the specific industry needs of its members.
IV. Specific Substantive Criteria
We believe that the final safe harbor proposal should make clear that
the express exclusion of public record information found in the draft access
provision applies to all of the principles. There are three reasons
that support such a clarification. First, through the privacy provisions
of open access statutes and other laws, public records are subject to “other
legal and regulatory obligations” that satisfy compliance with the safe
harbor. Second, there are practical considerations that militate
against requiring private-sector entities to assume responsibility most
appropriately left to the government. For example, the consumer benefits
when the initial source of information corrects the information before
it is distributed. In the context of public records, that source
is the government. Finally, the public records exception reflects
an honored American tradition that should continue to govern privacy practices
in the United States.
In addition to this public records clarification, we offer some
specific recommendations below that we believe will clarify the proposed
safe harbor template. Specifically, we offer suggestions on Notice,
Choice, Onward Transfer, Data Integrity, and Access.
A. Notice
The draft principle states that organizations must provide notice describing
the types of personal information it collects “about them.” Consistent
with the requirement that notice must be made available when individuals
“are first asked to provide personal information to the organization,”
it should be clarified that notice is not required when data is obtained
from third parties rather than from the data subject. Such notice
would be impractical. So long as notice is provided by the entity
that obtains the information directly from the subject, the protection
provided by this principle will be satisfied.
B. Choice
The safe harbor proposes that organizations adhering to it provide
individuals with the opportunity to “opt out.” Requiring an organization
to provide individuals a meaningful opportunity to choose whether and how
the organization may use personal information requires that individuals
know how the organization intends to use information.
As currently drafted, this provision requires an opt out whenever the
uses are unrelated to the uses for which the individual originally disclosed
the personal data. Because the term is tied to the individual’s state
of mind, whether a use is “unrelated” to the original use becomes a subjective
decision determined by each individual. Such subjectivity creates
ambiguity as to what constitutes an unrelated use and when an opt out must
be provided. On the other hand, tying the definition of unrelated
use to uses not revealed in the privacy notice would provide an objective
standard for both the individual and the organization. Such an objective
standard is necessary if this principle is to work effectively.
A suggested change is to use the term “purpose” rather than “use.”
Such a change is consistent with the Directive, which uses the term “purpose”
in describing the Principles Relating to Data Quality, Special Categories
of Processing, and elsewhere in the document.
This principle works most effectively when the entity that collects
the data from the individual also is the user of the information.
The IRSG members usually do not collect information directly from individuals.
Consequently, the IRSG principles offer a more limited choice to data subjects.
C. Onward Transfer
In general, we support the notion that an organization that collects
data from an individual should provide notice and choice to individuals
before it transfers information to third parties. In addition, in
connection with the bulk transfer of information from data suppliers to
data sellers, we endorse the concept that personal information should not
be transferred to third parties that do not provide a similar level of
privacy protection as the organization to whom the individual provided
the information. In fact, the IRSG principles provide greater protection
than this guideline by requiring that IRSG members only partner with organizations
that subscribe to similar principles.
As explained more fully under the access principle below, we do not
believe that all privacy principles should apply to public record and publicly
available information. For example, we do not believe that a government
agency’s imposition of restrictions on a person’s use of public record
information is consistent with the First Amendment and its values.
However, listing onward transfer as a separate principle under the
proposed safe harbor could create confusion and compliance difficulty.
The concept of onward transfer is covered more effectively within the notice
and choice provisions. The onward transfer provision is subsumed
if the following are provided: 1) adequate notice to the individual
that personal data may be transferred to third parties when data is initially
collected, and 2) if appropriate, an opt out from onward transfers to third
parties for any unrelated use not disclosed in that original notice.
In fact, the proposed language for the onward transfer provision begins
by repeating the choice provision almost verbatim.
Incorporating the concept of onward transfer into the notice and choice
provisions allows organizations to notify individuals whether information
will be transferred to third parties, whether these third parties follow
similar privacy practices as those of the organization providing the notice,
and allows individuals the opportunity to opt out if they object.
Based on this disclosure, individuals can make an informed choice as to
whether they wish to have their personal data disclosed to third parties.
Having an independent provision serves no purpose and, in fact, appears
more restrictive than any obligation under the Directive. The language
suggests liability for the uses of information by companies to which the
personal data is transferred. This level of control is not practical
and we are unaware of its existence anywhere else.
D. Data Integrity
The business success of IRSG members depends substantially on the reliability
of the data they distribute and, therefore, we agree that data should be
accurate and complete. Whether the data is accurate should depend
on the accuracy of the information when compared to the source from which
it is obtained. This is particularly true when public records are
the source of the information. We recommend modifying the data integrity
principle to incorporate whether data is current into the concept of whether
data is complete. First, the definition of the term “current” is
unclear: in the United States, for example, data up to seven years
old is considered sufficiently “current” to be used to make substantial
decisions about individuals. Moreover, organizations may find some
value in retaining historical data in addition to more recent information.
Consequently, complete data may include both historical and current data.
E. Access
The scope of the access principle needs to be more limited. Access
generally should be provided to individuals when an organization collects
information directly from the individual rather than when it collects information
about the individual. Requiring that organizations provide individuals
access to any information about them may place an unreasonable burden and
unachievable obligation on organizations. We support basing the reasonableness
of access on a sliding scale as outlined in the proposed safe harbor:
the more sensitive the information and its intended use, the greater the
obligation that an organization should have to protect the information.
Whether information is considered to be sensitive varies from industry
to industry and, thus, providing a sliding scale that varies according
to the industry is a more practical and reasonable approach.
In addition, as provided in the Directive, the cost and difficulty
in providing the access are important factors in determining the reasonableness
of the access. Cost may depend on several factors, including the
frequency of an individual’s requests and the nature of the information.
Again, these factors may vary from case to case and among market segments
and given the sensitivity of the information being stored.
The IRSG commends the DOC for recognizing that any right of correction,
and the ancillary right of access to the information to be amended or corrected,
should not apply to public record information. As noted above, we
believe that public record information should be excluded from all of the
safe harbor principles.
In connection with access, the organization that receives the public
record information is not in a position to evaluate the person's contention
that the information is inaccurate. Moreover, expunging an alleged
inaccuracy from the public record information contained in an organization's
file does little to prevent the same information from being circulated
to other organizations. An error in a person's birth certificate
or property tax assessment needs to be corrected at the source—the government
agency that created the record and makes it available for public inspection.
Indeed, for similar reasons, the DOC’s principles also should exclude
publicly available information such as articles from newspapers and magazines,
or entries from telephone or professional directories, from the access/correction
principle. Why, for example, should an organization be under a duty
to make available to an individual a copy of a news article about him from
Le Monde or the London Times and enable the individual to delete the references
with which he disagrees and contends are inaccurate?
V. Conclusion
Any safe harbor must minimize the possibility of interference with
transborder data flow. The Department of Commerce should continue
in its positive discussions with the European Union. As these negotiations
proceed, the Department of Commerce should focus on a solution that allows
for sectoral privacy protections. Additionally, a safe harbor should
encourage self-regulation by including a provision creating a safe harbor
for companies that comply with industry based codes. The IRSG looks
forward to continuing to work with the Department of Commerce as it proceeds
with negotiations and refines its Draft Principles.
FROM: McGraw-Hill Companies
November 19, 1998
Mr. Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th and Constitution Avenue, NW
Washington, DC 20230
Re: Response to Draft International Safe Harbor Privacy Principles
Dear Mr. Fredell:
The McGraw-Hill Companies is pleased to respond to the U.S. Department of Commerce’s (“DOC”) draft International Safe Harbor Privacy Principles (“Principles”), issued for public comment on November 3, 1998. We commend the DOC for its leadership in negotiating with representatives of the European Communities’ DG XV delegation to assure uninterrupted transborder data flow between the U.S. and the European Union (“EU”) following implementation of the EU Data Protection Directive. Continued data flows are critical to all of our economies, to the businesses that collect or exchange data across borders, and to consumers who depend on access to information and services. It is also imperative that there be a consistent and predictable legal environment in which U.S. and EU organizations and customers may conduct business. We recognize the draft Principles is a meaningful attempt to establish such a framework.
We further commend the DOC for its intense efforts to consult with industry and privacy advocates to better understand business realities, technology solutions and consumer expectations. The knowledge gained from this experience by all parties is reflected in the DOC’s Elements of Effective Self-Regulation for the Protection of Privacy (“Elements”), comments previously submitted in response to the draft Elements paper, and in the proposed draft Principles. These and other public efforts have clearly helped industry dialogue to progress and increased the number of U.S. organizations that have developed and implemented effective privacy policies.
The McGraw-Hill Companies is a global publishing, information and media, and financial services company with 16,000 employees located in over 40 states and 30 countries. We distribute our products and services via traditional media, as well as electronically, to customers around the globe. We are committed to working with consumers, government and industry to ensure that consumers understand the legitimate business uses of personal information and that appropriate fair information practices are in place – both at home and abroad – to ensure that global commerce and transborder data flow continues and thrives. The collection, use and transfer of personal data are central to the basic tenets of an information society and form the basis of our relationships with our customers.
As a general matter, we support the implementation of a clearly stated safe harbor system that will offer the predictability and stability required by business and customers. However, we would suggest some modifications to the current draft of the Principles that reflect the business realities of implementing the Principles’ requirements. Our comments are limited to the applicability of the Principles to customer and prospect information and do not address employee data. We also support comments submitted by the Direct Marketing Association (DMA), Information Industry Association (IIA) and U.S. Council for International Business.
General Overview
The U.S. digital economy is growing at a phenomenal rate, in large
part because of our American tradition of combining creative entrepreneurial
efforts with pioneering spirit, strong business ethics and established
legal precedents that have proven adaptable for preventing abuses in new
forms of commerce. Further, as pointed out in the study attached
to the DMA’s comments on the Principles, there is already an elaborate
patchwork of privacy law and regulation in the U.S. protecting certain
types of sensitive data. It is also important to note that the Federal
Trade Commission has the authority – and recently wielded that authority
in a highly publicized settlement – to pursue organizations that engage
in fraudulent and deceptive practices.
In light of the above, The McGraw-Hill Companies strongly supports effective industry self-regulation to protect customer and prospective customer privacy. Our own experience has shown that self-regulation can be an effective means of protecting customer privacy in the U.S. while still giving business the flexibility needed to fashion appropriate solutions for different types of business and customer relationships. Self-regulation also allows businesses to develop and implement privacy practices that are evolutionary and can be adapted to reflect changes in consumer expectations and values, business practices, technology and evolving legal regimes around the world. The core principles of fair information likely will remain the same over time. However, ongoing adjustments to practices should be encouraged, not precluded by rigid mandates. An effective self-regulatory model encourages businesses to be innovative, customer friendly and proactive.
Our own comprehensive Customer Privacy Policy, developed and implemented in 1997, is designed to protect customer data in all of our U.S. operations, including on our more than 80 Web sites. Our Policy balances legitimate business uses of personally-identifiable information against reasonable consumer concerns and expectations. The Corporation’s Policy applies to our consumer as well as business-to-business products and services.
After a year’s experience with the Corporation’s Customer Privacy Policy, we have learned many lessons. Based on changes in business plans, new technology solutions and customer and government expectations, we already are updating our Policy and making some substantial changes as we apply the lessons we learned from implementation in the U.S. to our global operations.
Significantly, even within our own Corporation, we have had to develop
additional “customized” guidelines and safeguards for selected business
units that collect more sensitive data.
Our experience represents a good case study of how important
it is to have flexibility when applying fair information practices, privacy
policies and effective compliance mechanisms in order to meet specific
business and market needs as well as evolving concepts of privacy.
This flexibility is essential to the continued availability of robust customized
products and services as well as creative and effective privacy protection.
We firmly believe that organizations such as ours, with established brands
and long term relationships built on trust, have the ability to develop
and “self-certify” compliance with responsible privacy policies. For other
businesses, it may be easier and better to work with third party groups
to ensure that their policies are being followed.
Notice
The McGraw-Hill Companies supports the principle of providing individuals
with notice when personally-identifiable information is collected from
them. All organizations that collect, store, use or transfer personally-identifiable
information should provide individuals with a clearly stated and easy to
find notice describing the nature of the information being collected, the
uses to be made of the information and a general description of the types
of organizations to whom the information will be transferred. When applicable,
the notice should also instruct the individual on the means of limiting
the use and disclosure of the information.
All of our customized business unit privacy notices refer the recipient to the Corporation’s Customer Privacy Policy Summary on the Corporate Home Page. This summary is available within two clicks from each business unit’s home page. The summary includes an explanation of the Corporation’s commitment to customer privacy and the key Policy elements, including Notice, Opt Out, Security, Review and Correction, as well as an explanation of our customer recourse and compliance mechanisms. It also explains our additional safeguards for sensitive data. In 1999 we will add a statement about our implementation and business experiences with the Policy.
The proposed Principles specify that the notice should be made available when individuals are first asked to provide personal information to an organization; however, in practice this may be impractical in some instances.
It is The McGraw-Hill Companies’ policy to provide a privacy notice at or near the point of collection. In an online environment, this is a practical approach and makes good business sense in that medium. However, there are limited instances when it may not be practical or appropriate to provide the notice at this point, such as when conducting business in the print environment or through telemarketing. For example, when a promotional mailing for a magazine is sent to a prospective customer, and the prospect chooses not to subscribe, no notice is required because no data is collected. If, however, the prospect does subscribe, a subsequent notice should be provided as close to the time of subscription as practical. We believe that effective notice can be communicated through a printed announcement in our magazines or through order confirmation documents. We also believe that it is sufficient in the telemarketing environment to send the notice in a confirmation document.
The Principles also call for a business to notify individuals about the “types of personal information it collects” about individuals from all sources, in addition to the information that it collects directly from the individual.
We are concerned that requiring “downstream” organizations to notify customers about the broad “types” of information collected about them by unrelated third parties located two, three or more levels “upstream” is highly impractical in a number of circumstances and would raise unrealistic customer expectations. In addition, it would actually require a data collecting organization to assemble a much more comprehensive customer profile than would otherwise be necessary in order to simply notify the customer about data collected from them directly by that organization. In short, requiring organizations to assemble a single “collective” profile on each customer, in our view, constitutes a far from optimal way to protect a customer’s privacy.
Choice:
The McGraw-Hill Companies supports the principle of providing consumers
with appropriate choices about how their personal information is used.
When organizations collect information directly from an individual, it
is appropriate to give the customer a degree of choice about how that information
subsequently will be used.
The McGraw-Hill Companies Policy provides for consumer choice – or opt out – to restrict external sharing of personal information collected from the customer. This option is provided in clear and conspicuous language and can be exercised at no cost to the customer.
Assuming the individual has been informed as to the uses to be made of his or her personally-identifiable information, the customer is then in a good position to make an informed decision as to whether the data may be used in other contexts. We concur in the DMA’s view that whether a use is “unrelated” should be determined by whether the use is disclosed in the notice and not be left to the subjective determination of the customer.
Our Policy prohibits the transmission of sensitive data outside our organization. We also give customers the ability to opt out of internal sharing of sensitive data among the family members of The McGraw-Hill Companies. In actual practice, to date our businesses have chosen to not share sensitive data even with other units of The McGraw-Hill Companies.
We currently require parental consent prior to collecting information from children under 16. We also treat specific financial information (such as an individual’s salary or specific investment decisions) as sensitive data that can never be transferred outside of The McGraw-Hill Companies nor even within the McGraw-Hill Companies without first providing the customer with an opt out. We will treat all other types of sensitive data with similar care and with procedures that suit the specific nature of the sensitive data. We believe that these types of practices effectively achieve the same goals as an opt in approach.
Onward Transfer
Organizations that share information with outside entities should take
all reasonable steps to ensure that the receiving organization has a privacy
policy in place with comparable privacy protection. We are currently working
with receiving organizations, including vendors that perform a variety
of functions on our behalf, to ensure that the data we collected directly
from customers is protected from misuse and that the use choices exercised
by the customer are honored.
However, while we support the Principles’ general approach in
this regard, we are concerned that the language does not include a concept
of reasonableness and goes so far as to suggest that the data collector
may not receive the benefits of the safe harbor if the receiving organization
fails in its obligations, notwithstanding our reasonable efforts to prevent
such an occurrence. Further, it should be recognized that there may be
longstanding contractual arrangements between data collecting organizations
and data receiving organizations that cannot be immediately renegotiated
to impose new obligations on receiving organizations.
Security/Data Integrity
Organizations that collect, store and transfer data should develop
and institute strict data security and integrity mechanisms and procedures
to safeguard information collected about customers. Technology undoubtedly
will play an important role in ensuring that data is handled in a secure
fashion. In addition, organizations should establish internal guidelines
to restrict the collection of customer information to only that which is
needed to fulfill a legitimate business purpose.
We note that the draft Principles refer to an obligation to keep information “current”. Although much of the data we collect and use about individuals (such as billing information) must be kept current in order to serve the purpose for which it was collected, organizations should not be precluded from maintaining “historical” information about customers so long as they abide by restrictions placed on its subsequent use by the data subject. For example, noting that three years ago a customer expressed interest in a particular edition of Business Week may be useful in future customer profiling and provides a tangible benefit when it results in more tailored product offerings.
It should also be recognized in the language of the Principles that
an organization should not be held liable for data inaccuracies or omissions
that occur notwithstanding an organization’s reasonable efforts to prevent
such occurrences.
Access
The McGraw-Hill Companies strongly supports the concept of “reasonable”
access. The level or degree of access, however, should take into
account the nature of the data and the intended uses to be made of it by
an organization. Because of the unique nature of individual business
practices and market needs, it is important for organizations to have flexibility
in providing customers with this type of access.
In this regard, providing individuals with broad access “to information
about them derived from non public records that an organization holds”
is very problematic for companies such as ours that have multiple, unrelated
databases extending across a variety of disparate businesses. Further,
because the structures of many databases are not product specific, a significant
time and resource investment would be necessary to achieve the required
programming changes. For instance, customer service records are coded
and would require extensive translation to be understood by or useful to
customers. On balance, these investments may not be merited based
on the limited number of customers who, in our experience, actually request
such comprehensive access. Further, as noted above, it would
not be privacy-friendly to compel the construction of “collective” customer
profiles for the sole purpose of providing comprehensive access to those
few individuals who request it.
In addition, providing consumers with access and correction to
personal data provided by a third party offers the consumer limited benefits.
For example, many lists and databases rented from third parties are based
on a combination of public and non-public records. Specific use restrictions
are placed on licensees of this data to limit the number of times it can
be used. This is done in order to protect the investment of the list
supplier and to help ensure that licensees only have access to the most
current data. If organizations are required to provide access and
correction to all information held about an individual - including rented
lists and databases - the customer may end up correcting data that will
never be used by the licensee again, while still not achieving the goal
of correcting the data at its source. Only by changing the data at the
source can an individual reasonably assure that incorrect data will not
continue to be distributed. Indeed, allowing an individual to correct data
other than at the source may instill a false sense of customer “satisfaction”
by creating the impression that inaccurate information has been “fixed”,
when in fact, only a temporary bandage has been placed on the problem.
Additionally, there are instances when it would not be practical for the customer to see all data about them held by an organization. The limited value of some records, coupled with the cost of providing access to certain data in a useful manner, should be carefully balanced. We strongly urge that the Principles explicitly recognize that there may be circumstances when access should not be required. For example, we support limiting an individual’s access to non-proprietary information.
The McGraw-Hill Companies’ Policy balances the concerns detailed above with the general needs of customers to provide access to data collected directly from the individual. In some instances, we are not able to provide immediate and direct access to electronic databases. In these cases we do provide hard copy access to an individual’s personally-identifiable information upon written request. In other instances, we provide a verbal recitation of data to customers via customer service representatives.
We further note that the Principles specifically require providing access to information that is “sensitive or used for substantive decision-making purposes that affect that individual.” We commend the DOC for recognizing that this concept must rest on a standard of reasonableness. However, as noted in comments submitted by the DMA, much marketing data falls outside of this definition. We encourage the inclusion of an explicit statement to the effect that organizations should have flexibility when establishing the scope of access to information that falls outside the category of “sensitive” or being “used for substantive decision-making” purposes.
Enforcement
The DOC has established enforcement parameters that recognize several
different options for demonstrating an organization’s compliance with its
privacy policy. This approach recognizes that there is no “one-size-fits-all”
approach to privacy protection and enforcement. It reflects the marketplace
reality that the right enforcement approach for an organization should
be determined in the light of its specific lines of business and the potential
for consumer harm.
The McGraw-Hill Companies commends the DOC for recognizing that organizations
that implement strong privacy policies should be able to self-certify their
practices to be consistent with the proposed Principles as well as their
compliance with their stated policies. The ability of organizations
to self-certify should be more clearly stated in the Principles and should
be consistent with Ambassador Aaron’s statement on this point in his November
4, 1998 letter to industry.
The Principles very appropriately recognize that an organization should be able to qualify for the safe harbor by working with EU member states to resolve privacy-related disputes and establishing a system for verifying that stated privacy Principles are being followed. However, it should be clarified that organizations with processes in place such as comprehensive internal reviews of privacy practices meet the standard of having “readily available and affordable independent recourse mechanisms.” Any enforcement mechanism also should take into account the level of harm associated with a particular violation of a stated privacy policy. Often, distinctions should be made between policy violations that cause material harm to individuals as opposed to mere inconvenience. In many instances, the appropriate remedy may be for a business simply to “right the wrong”.
We further encourage the DOC to clarify either within the proposed Principles specific procedures for determining how an organization qualifies for the Safe Harbor.
Additional Comments/Suggestions
Lastly, we urge DOC to incorporate in the proposed Principles an explicit
exemption for journalistic and newsgathering uses of personal information.
As you are well aware, the United States has a longstanding tradition of
providing specific protections for the press. As currently drafted,
the Principles would not apply this traditional protection to journalistic
uses of information. We strongly encourage adding journalistic uses to
the exemptions listed in the preamble to the Principles.
Conclusion
Again, we commend the DOC for its forward thinking in developing the
draft Principles and its clear understanding of how U.S. businesses collect,
use, store and transfer personally-identifiable information. This
understanding has resulted in a draft that allows organizations the flexibility
to self-regulate their privacy practices within a reasonable framework
while providing customers with appropriate safeguards against unfair or
inappropriate uses of personal information. We look forward to continuing
to work with the DOC as it finalizes the International Safe Harbor and
Privacy Principles and continues to work with key stakeholders – including
government, individuals and the business community – to develop and implement
effective self-regulation mechanisms for consumer privacy protections in
a global setting.
Additionally, industry, governments and consumer advocates each have an important role to play in educating consumers and other businesses if self-regulation of consumer privacy – at home and abroad – is to be effective. The McGraw-Hill Companies has worked closely with numerous trade associations and others to educate industry about the importance of establishing and implementing effective privacy policies and aggressively communicating them to consumers. We encourage the DOC to continue its educational and outreach efforts in this area.
Sincerely,
Cynthia H. Braddon
Co-Chair, The McGraw-Hill Companies Privacy Steering Committee
Vice President Washington Affairs
Katherine D. Roome
Co-Chair, The McGraw-Hill Privacy Steering Committee
Vice President and Associate General Counsel
FROM: Information Technology Association of America
November 19, 1998
Mr. Eric Fredell
Task Force on Electronic Commerce
14th and Constitution Avenue, N.W.
Washington, D.C. 20230
Dear Mr. Fredell:
On behalf of the over 11,000 direct and indirect members of the
Information Technology Association of America (ITAA), I respectfully
submit the following comments on the November 3rd draft International
Safe Harbor Privacy Principles.
About ITAA
Originally known as the Association of Data Processing Service
Organizations (ADAPSO), ITAA members have long been and continue to be
dedicated to providing an effective level of data protection, consistent
with customer expectations. The organization has a long and active role
in privacy issues relevant to the IT industry and our members were among
the first to establish actual privacy guidelines, adopted by the ITAA
Board in 1992. More recently, together with 11 other IT trade
associations, ITAA endorsed a set of industry privacy principles, and
ITAA was a founding member of the Online Privacy Alliance (OPA).
Virtually all of our members with any operations in Europe or who
process information related to citizens of the E.U. member states will
be affected by the E.U. Directive on the Protection of Personal Data.
It will affect human resource record keeping, marketing information,
database products and services, information gathered while providing
telecommunications, financial services, and information services and
virtually every aspect of day-to-day business. While reviewing the Safe
Harbor Principles, we ask that you carefully consider their potential
impact on all business activities, both within and outside of the IT
sector and electronic commerce.
Our comments appear in two parts. The initial comments address the
current dialogue between the U.S. Administration and the European
Commission and the overall safe harbor approach. The second section
provides more detailed comments on each of the draft Safe Harbor
Principles.
General Comments
We support the ongoing dialogue between the U.S. Administration and DGXV
of the European Commission on the implementation of the EU Data
Protection Directive and its effect on transborder data flows to the
U.S. We hope the dialogue will reflect the U.S. adaptable, sectoral
approach to protecting privacy while at the same time ensuring the free
flow of data across national borders. Furthermore, the current dialogue
could provide a framework that will accommodate different cultural
beliefs regarding privacy and meet divergent expectations. We encourage
the U.S. Administration and the European Commission and E.U. member
states to continue to pursue a flexible and practical implementation of
the EU Directive on the Protection of Personal Data with regard to data
transfers to the U.S.; an approach that recognizes means other than
statutory law to protect personal data. That being said, Article 25 of
the EU directive provides for negotiations between the European
Commission and a third country, but only after the European Commission
has found a third country's data protection to be inadequate. ITAA
firmly believes that under no condition should the negotiations of safe
harbor guidelines be premised on the U.S. Administration position that
privacy protection in the U.S. is less than adequate.
The effective protection of privacy is essential to the successful
operation of ITAA member companies. Lapses in privacy protection are a
potential source of customer dissatisfaction and mistrust. Our members
have been working in several fora to devise innovative technological and
self-regulatory approaches to continually improve and fine tune privacy
protection to meet the divergent expectations of their customers. In
fact, effective, responsive and responsible privacy protection is a
competitive advantage. Recognizing this, we would caution against an
overly stringent set of principles that would in effect, stymie future
innovation.
We recognize the complexity inherent in trying to craft a set of safe harbor principles that will achieve the level of predictability required by business to operate effectively, while at the same time being broad enough to accommodate the concerns of a wide spectrum of U.S. industry. Recognizing that the safe harbor principles are still in draft form, we have several concerns regarding the nature of the document. Of primary concern is what, if any, formal legal status a safe harbor agreement negotiated between the European Commission and the U.S. would have? Would there be a legal instrument that would bind the European Commission to recognize the safe harbor principles as fulfilling the definition of adequate privacy protection under the directive? Would this in turn bind the 15 member states? We are also unclear about what status the list of frequently asked questions would have and what level of detail the questions/answers would include.
In addition, it would be helpful if the Department of Commerce could clarify the process by which a complaint filed by a citizen of a European Union member state would work under the safe harbor principles and what added benefit a company subscribing to the principles would receive. It would be useful if the safe harbor principles also contained language that required confidentiality of consumer complaints. Ambassador Aaron in his November 4th letter also states that organizations which take advantage of the safe harbor would also have access to streamlined and expedited procedures in the event of a dispute, but this is not reflected in the principles themselves. It would be useful to have a clarification of the expedited dispute process.
While the November 4th letter explicitly states that the Safe Harbor Principles are designed only to address the effect of the EU data protection directive on the U.S., we are sensitive to the fact that regardless of its intent, the safe harbor principles will inevitably have an impact on the domestic debate on privacy. With this in mind, we urge the Department of Commerce to ensure that the principles reflect the importance of maintaining a flexible, sector-based approach to privacy. Existing U.S. laws and regulations already substantially cover many sectoral uses of data that involve substantive decision-making about individuals (e.g., Fair Credit Reporting Act).
Notice
As currently drafted, the notice principle is too broad. On the one hand, the principle could be interpreted as allowing companies to determine how much detail they disclose about their information collection. Alternatively, if strictly interpreted and certainly in the context of the online environment, the principle goes well beyond current industry self-regulatory initiatives, for example those espoused in the OPA guidelines and it could be interpreted as requiring organizations to divulge a deep level of information. For example, the proposed principle could require a significant level of disclosure of information, for online as well as traditional business, regarding:
1) How an organization collects information about an individual. This could be broadly interpreted to require companies to disclose the types of technologies and processes they use to collect data and maintain data quality. This level of detail would be burdensome on the business organization and too sensitive to reveal to potential competitors.
2) Types of organizations to which it discloses the information collected. Again, this could be interpreted to require a company to provide an unlimited amount of information on third party organizations.
We recommend the principle clearly state the level of information companies would be required to disclose and that this level be a balance between meeting the needs of privacy protection while at the same time not being too onerous or detailed as to have a negative effect on business. To the extent possible, the safe harbor principles should afford companies enough flexibility to determine what level of disclosure best meets the varying needs of their customers.
Choice
ITAA supports the definition of choice as stated in the OPA Guidelines. This includes a process that provides for informed consent and consumer opt out. Informed consent, under OPA Guidelines, requires disclosure of unrelated or third party uses of information. However, we understand that the Safe Harbor choice principle needs to be flexible enough to accommodate the intricacies of many sectors. In the U.S., sensitive information usually refers to medical information, financial information, and information related to children under 13, whereas in many European countries sensitive information can include information on race, gender, age, which is standard marketing information in the U.S. At a minimum, we would urge you to tighten the definition of "sensitive information" to cover medical and health information as well as information related to children under the age of 13.
Onward Transfer
It is important that the Safe Harbor Principles reflect the flexible, sectoral U.S. approach to privacy, while at the same time addressing the concerns of the European Union and its member states. As currently phrased, however, the Onward Transfer principle does not reflect current U.S. industry practice and standards for data protection. For example, the OPA Guidelines provide consumers with an opt out provision for the disclosure of information to third parties.
Equally important, a broad interpretation of the phrase third party could mean that transfers of data to affiliates or subsidiaries would require sign-off from the consumer. Given the inherently global nature of the IT industry and the frequency and speed with which information is transported, tracking the number of transfers of data to what might be interpreted as "third parties" could be virtually impossible.
Finally, under the principle, it is unclear who is obligated to protect the consumer's privacy and where (or if) the liability of the original data collector extends through to any use of the information by a "third party." Certainly holding the initial company responsible for actions of an unrelated third party is an unreasonable amount of liability. The high level of uncertainty contained in the principle could have a negative effect on the free flow of data.
We recommend the principle be revised based on concepts found in the OPA guidelines, which provide a process for informed consent and consumer opt out. Informed consent, under OPA Guidelines, requires disclosure of unrelated or third party uses of information.
Security
While the Security Principle is largely consistent with current U.S. industry practice, it is important to note that the availability and use of robust cryptography perhaps best serve security and privacy.
Data Integrity
Provisions for maintaining data integrity are included in nearly all privacy principles. Maintaining accurate, complete and current information on customers, vendors, employees, suppliers and other parties is important to the effective operation of nearly every business. As a result, companies make every effort to maintain data integrity as a business interest. However, the draft principle should not be interpreted to allow for stringent guidelines on how companies maintain data. To achieve its goal of allowing data subjects to have accurate information, the principle should provide that companies complete and update records at a data subject's request. Companies ought not to be required, however, to resolve conflicts between a data subject and information provided by a third party or from public records.
Access
Access should be provided only to maintain the quality and accuracy of data and as such, is in the best interest of both the consumer and the data collector. It is imperative that the access principle is narrowly defined, tied to data quality, and takes into consideration the practicalities of businesses, particularly in the online environment. Many business entities maintain information in separate databases, making access to all information onerous. Additionally, in the online environment data -- ranging from IP addresses to billing information -- is collected for different reasons. Connecting all this data in a central point to provide for ready access could ultimately result in less privacy.
Data subjects should have access to ensure that relevant, individually identifiable data is accurate. We urge the Department of Commerce to revise the principle so that it contains a clearer, narrower definition of access.
As with the choice, the principle should clearly state that sensitive
data is medical information, financial information and information
related to children.
Enforcement
The language of the Enforcement Principle is so broad that it provides little incentive for the private sector to pursue sectoral specific, more flexible methods of ensuring compliance with privacy principles. For example, the principle seems to require an open-ended, readily available and affordable independent recourse. This could be interpreted to require third party arbitration. Similarly, provisions calling for a system for verifying that attestations and assertions are true could also be interpreted to mean external audits, and require a high level of disclosure on the behalf of business organizations. Finally, the provision for sanctions is unclear and could open the door to sanctions by the European Commission and/or its member states.
Consistent with the enforcement statement released by the OPA in July 1998, ITAA recommends this principle rely on industry verification and monitoring, complaint resolution, and education and outreach. This formula provides enough flexibility for industry to work efficiently with customers to resolve complaints quickly, determine what process is most suitable to monitor the effectiveness of their privacy policy, and to actively work to educate its customers on protecting their privacy. These elements are also broad enough to be used effectively by a wide variety of industry sectors, if they are provided enough room to implement them to meet their customers' needs. We suggest that for the online environment, the enforcement principle be based on the OPA enforcement statement. For traditional transactions, this might be supplemented by allowing for contractual arrangements as well.
Finally, the note to principle 7 should be included either in the principle or the preamble to the principles so that it is clear this is part of the document and enjoys the same status as the principles themselves.
We appreciate the Department of Commerce's continued outreach and consultation with U.S. industry and hope you will continue to consult with a broad cross-section of U.S. industry as discussions on the implementation of the EU Directive and its effect on transborder data flows to the U.S. continue.
Sincerely,
Sheila C. O'Neill
Vice President, Global Affairs
Information Technology Association of America (ITAA)
1616 North Fort Myer Drive, Suite 1300
Arlington, VA 22209-3106
Tel: + 1 (703) 284-5329
Fax: + 1 (703) 525-2279
E-mail: soneill@itaa.org
URL: http://www.itaa.org