November 19, 1998
via Hand Delivery
Ambassador David L. Aaron
International Trade Administration
14th and Constitution Avenue, N.W.
Washington, DC 20230
Attention: Mr. Eric Fredell, Task Force on Electronic Commerce
Re: Draft International Safe Harbor Privacy Principles
Dear Ambassador Aaron:
We write to submit the comments of The Direct Marketing Association,
Inc. (“DMA”) in response to your November 4, 1998 letter to industry representatives.
The DMA believes that the Department of Commerce’s proposal of a safe harbor
approach may prove to be useful to the United States in its negotiations
with the European Union on the subject of privacy protection. However,
the approach requires some important changes in order for it to become
a viable means for the United States and the European Community countries
to continue engaging in trade. In fact, the outcome of this debate
could have significant economic impact on many U.S. companies and therefore
on the U.S. economy.
The United States protects the privacy of individuals through a network
of targeted privacy protection laws and segment specific self-regulation.
Our system, while different than the Europeans, is no less protective of
our common goal of personal privacy protection. In the United States,
use of information is a much bigger part of the U.S. economy than it is
in Europe, at this point in time. Therefore, the U.S. public sees
the value/ratio of receiving specific benefits in exchange for the use
of information.
We urge the Department of Commerce, in any discussions with the Europeans,
to continue to point to the different systems that achieve the same goal
of privacy protection while assuring the success and growth of global commerce.
The DMA has attached a new study to this letter, which demonstrates
the strength and vitality of the U.S. privacy protection system.
We set forth below our views on both the general approach and specific
provisions contained in the November 3, 1998 “Draft International Safe
Harbor Privacy Principles. ”
General Comments
The implementation of the European Union’s directive on the protection
of personal data has focused attention on the adequacy of privacy protection
in the United States. Although the differences between the European
and American approach to privacy protection are well documented, the United
States provides an extensive privacy protection system that affords individuals
a strong network of protections. To help demonstrate the extensive
network of privacy protections afforded to individuals in the United States,
the attached study on privacy protection includes a survey of U.S. federal
and state laws protecting privacy in the public and private sectors.
To help ensure that the implementation of the European Union’s data
protection directive does not disrupt trade between the United States and
Europe, the Department of Commerce has proposed a safe harbor approach
to accommodating the differences in privacy protection between the United
States and the European Union. Under this proposal, companies could
come within the safe harbor by self-certifying that they adhere to specified
privacy principles. Such companies would be presumed to provide an
“adequate” level of privacy protection and could continue transferring
personal data from the European Community. Data protection authorities
presumably would still be able to take steps to assure themselves that
companies are indeed adhering to the specified privacy principles.
An essential part of the proposal is the set of specific privacy principles
with which companies would have to comply in order to come within the safe
harbor. DMA has varying degrees of concern with many of the specific
privacy principles.
The DMA believes that the Department of Commerce’s approach should
be grounded in privacy principles that facilitate, rather than hinder,
a sectoral implementation of a safe harbor. Unlike the European omnibus
approach, the United States has traditionally addressed privacy protection
on an industry-by-industry basis. The privacy standards that are
applied in the United States private sector have emerged from focused inquiries
into the distinct role that a specific type of record plays in the lives
of individuals and the nature of any harm caused by their misuse.
Consequently, different standards apply to data collected and distributed
in connection with the decision to send a catalog to consumers than, for
example, in assessing their medical condition for insurance purposes.
Moreover, article 27 of the E.U. Directive encourages the development
of sectoral “codes of conduct.” Consequently, the Department of Commerce’s
proposal should leave room for industry groups to get their sectoral codes
of privacy protection approved, and for companies that adhere to the industry
group’s code to come within the safe harbor without recertification.
The DMA supports the safe harbor approach to the extent that its privacy
principles help clarify for the European Community the privacy protection
system that has been operating in the United and do not change the U.S.
system in fundamental or unnecessary ways. The United States privacy
protection system affords individuals with an extensive network of protections
and does not need to be substantially altered.
The DMA is concerned that many of the details contained in the safe
harbor approach inadvertently change both international and domestic privacy
policies. The principles in this proposal could likely become
the world’s dominant standard for privacy protection both domestically
and internationally. The significant changes that these proposed
privacy principles could set in motion, and their implications, must be
studied very carefully.
In addition, the Guidelines should not result in imposing burdens on
U.S. business greater than are imposed on European business under the Directive.
Parity should be sought and obtained. We are concerned that some
of the principles, such as notice and access, in many respects do impose
greater burdens on U.S. companies.
Finally, The DMA believes that a greater certainty is needed if the
safe harbor approach is to become a viable means for the United States
and the European Community countries to continue engaging in trade.
United States businesses need to know with certainty that if their sectoral
codes of privacy protection are approved for safe harbor treatment, and
if a company can demonstrate that it in fact adheres to its industry group’s
code, that all member countries of the European Union will expeditiously
authorize such a company to transfer data in a manner covered by the code
without an additional approval process. If the European Union cannot
provide such assurances, then it is doubtful that the result of any negotiations
about a safe harbor approach will prove to be useful to the United States
and to continued free trade.
Specific Recommendation
The DMA believes that the Department of Commerce’s safe harbor approach
should contain a specific provision creating a safe harbor for companies
that comply with industry-based codes. We recommend that the Department’s
safe harbor procedures incorporate the ability for companies to bring themselves
within the safe harbor by referring to their compliance with industry codes.
We believe that the guidelines developed by The DMA and the Online Privacy
Alliance would fit into the category of codes of conduct that adequately
protect privacy and take into account the specific features of their industry
sectors.
Specific Comments
Notice
We note at the outset that, in those cases where personal information
has been collected by a “data controller” in Europe, the data collection
has already been subject to the requirements of the Directive and national
law in connection with notices and choices to be given to data subjects.
Consequently, U.S. companies using data from the European Union should
be able to assume that the data supplier has complied with these E.U. and
national law requirements and, therefore, the safe harbor principles need
not specify anything further about notice.
Nevertheless, there are important implications associated with the
proposed safe harbor notice provision, which would require an organization
to inform individuals about “what types of personal information it collects
about them, how it collects that information, and the choices and means
for limiting its disclosure.” As proposed, this notice would be required
when individuals are first asked to provide personal information to the
organization. This timing requirement, while appropriate for electronic
media such as the Internet, is impractical in traditional media.
For example, informing consumers of an organization’s information practices
prior to collecting their name and address to send a catalogue in response
to a request or to process a subscription received over the telephone would
be burdensome both to businesses and consumers. It presupposes that
any collection of information is an invasion of privacy, which the
marketplace, for decades, has clearly demonstrated not to be true.
By comparison, apprising individuals of information practices and policies
through a hyperlink on a Web site is viable. In fact, The DMA promotes
the use of such links to notify web site visitors of an organization’s
privacy policy. Its members are among the pioneers of such practices.
The timing of notice requirement, however, is unworkable in other settings,
such as in face-to-face and telephone and mail transactions where notice
of information collection would be an obvious burden on the customer who
may not be concerned with information practices. Instead, in these
other contexts, greater flexibility would still enable consumers to learn
about organization’s information practices in a timely manner and give
them the opportunity to opt out of transfers to third parties.
Defining a guideline that is so specific that it is appropriate only
for some media but not others is the wrong paradigm for the proposed safe
harbor. As demonstrated above, the timing requirement can have unintended
consequences for different industry sectors. Although the Internet
is a dynamic and interactive tool, conveniences and advantages inherent
in offline catalog shopping would be lost if a consumer were always inundated
with the informational requirements proposed in the notification obligations.
Moreover, the notice principle, as currently drafted, exceeds the obligations
under the EU Directive. The proposed notice principle requires a
company to notify consumers “how it collects [personal] information.”
The Directive does not even impose such a requirement. See Articles
10 and 11, EU Data Protection Directive. In addition, this portion
of the notice requirement fails to distinguish among the various means
by which information is collected, including those situations where notification
is unnecessary given the consensual nature of the transaction or the obvious
and apparent collection of information. For example, if a marketer
is collecting information from a consumer over the telephone, informing
the consumer of the type of information it is collecting (and how it is
collecting the information) is unnecessary as the consumer is actively
participating in this exchange. As this example illustrates, a “one
size fits all” notification approach does not offer the flexibility necessary
to accommodate various information collection settings.
In addition, in the direct marketing context, it should be sufficient
for the notice simply to state that the organization intends to transfer
the personal data to a third party for marketing purposes and to offer
the opportunity to opt out of the process, rather than describe the potential
types of recipients of the data. Under the DMA’s guidelines, the
consumer has the right to opt out of third-party transfers for direct marketing,
regardless of the type of third party. Adding the “type of recipient”
to the notice requirement imposes an additional burden on the organization
but provides no additional benefit to the consumer.
Choice
The proposed choice principle could be interpreted to allow the consumer
to determine when the use of information is unrelated to the “use(s) for
which [the individual] disclosed it.” This very subjective approach
to choice is impractical, as it would require companies to guess what is
in the minds of the specific individual consumers. We think that
choice should be defined by the notice. That is, individuals can
exercise choice through their decisions to interact with the terms as stated
in the notice. Thus, whether a use is “unrelated” should be determined
by whether it is a use disclosed in the privacy notice. Allowing
choice to be driven by the uses provided in the notice will provide companies
with an objective way of providing consumers with legitimate choices.
Consequently, for the same considerations set out above with respect
to notice, because "choices" are an inherent part of the notices, we believe
it should be clarified in this principle also that it does not apply where
data has been gathered, and notice given with due provision for choice
exercise, in accordance with relevant European law.
In all other cases, the proposed principle on “choice” should be sufficiently
flexible to relieve companies from having to provide an opt-out for transfers
of information to third parties when such transfers are for necessary business
activities and incident to a use disclosed in their privacy notices.
We believe this concept is important to preserve, as companies must be
able to use data for uses necessarily related to legitimate business activities
surrounding transactions. For example, companies should be able to
use information when necessary for debt collection, for processing an individual’s
workers compensation claim, or for delivering a product to them.
In The DMA’s Privacy Promise, effective July 1, 1999, the association
will require, as a mandatory condition of DMA membership, that an organization
transferring information on customers to unaffiliated third parties for
marketing purposes must provide individuals with the ability to opt out
of such transfers.
Onward Transfer
The DMA believes that the principles for both notice and choice already
accomplish the principal objectives of the onward transfer principle and,
therefore, its inclusion as a separate principle would be duplicative.
As explained above, in the marketing context, notices would disclose
that the company intends to transfer the data for marketing purposes, without
describing these other third parties. As additional protection for
consumers, The DMA guidelines say that its members should transfer marketing
lists only to other marketing companies that comply with its guidelines.
Data Integrity
The DMA agrees with the concept embodied in the data integrity
guideline that personal information collected for marketing should be
used only for marketing purposes. Indeed, The DMA’s self-regulatory
guidelines prohibit providing marketing data for non-marketing purposes
and require marketing list providers to ascertain intended uses of a list
before providing such lists. The DMA also believes that, consistent
with the data integrity principle, information should be accurate and complete
to the extent possible.
The DMA believes that requiring organizations that collect data to
ensure that this data is “current” brings with it an overly demanding obligation
to verify information on a continuous basis. The term “current” connotes
the most recent data, even though organizations tend to update data on
a periodic rather than a continuous basis. A requirement to maintain
“currency” of information could prove unworkable: Even though certain
information may exist that more accurately reflects the status quo, a company
cannot always have immediate access to it. Furthermore, current data
may not be relevant to some companies for marketing purposes.
In addition, organizations tend to maintain historic or archival data
because of its usefulness in evaluating or predicting consumer behavior.
This non-current data is vital in helping to build a valued relationship
between a consumer and business over time. In the marketing context,
it is the marketer who pays the consequences for decisions made on out-dated
data. In other contexts, for example, credit, the accuracy of information
is more important; however, even in that context information is updated
only periodically.
Access
The “access” principle raises very important issues for The DMA.
Marketing data is valuable in bulk—that is, in identifying large numbers
of consumers that meet a particular criteria. Marketing data is not
used outside of a specific marketing solicitation nor used to identify
a particular individual. Requiring marketers to make this information
available in response to a consumer's exercise of his or her "access" right
would require companies to organize marketing data in a manner that would
permit retrieval of data on an individual basis, which does not now happen.
Privacy principles should not have the inadvertent effect of pushing companies
that do not maintain detailed files on consumers into building "dossiers"
on individuals.
The DMA tends to evaluate proposals for “access” principles in light
of the burdens associated with requiring marketers to make available inconsequential
information to consumers. The safe harbor proposal’s principle of
“reasonable access,” if clarified, might avoid some of these burdens.
Clearly, how “reasonable access” is defined and sectorally how this access
should be applied, are two major concerns of marketers.
The key to the proposed principle of “reasonable access” is the term
“reasonable.” In the Department of Commerce’s current version of
the access principle, only two factors are critical to determining reasonableness:
the nature and sensitivity of the information collected and its intended
uses. Examples are then offered where access must be given:
when the information is sensitive or when information is used for substantive
decisions about the individual.
We commend the Department of Commerce for proposing a principle that,
in gauging the extent to which a company must comply with it, takes into
account the sensitivity of the information it maintains about consumers
and the level of consequence to the consumer by its use. This is
similar to the sliding scale proposed in 1995 by the Privacy Working Group
of Vice President Gore’s Information Infrastructure Task Force.
We suggest that this sliding scale approach be incorporated into the “access”
principle, as well as the principles of security and data integrity.
We believe that marketers should not be required to make available
to the public the type of information used for making market segmentation
decisions. First, we submit that the type of information used for making
market segmentation decisions—such as names, addresses, demographic data,
purchasing patterns, and professional or other affiliations—is not of a
sensitive nature. In fact, the U.S. marketplace employs such information
freely to help target offers for products and services to consumers in
a manner that educates them when and where they have relevant interests.
Such types of information clearly exclude credit card account numbers,
patient medical record data, and other similar information that is deemed
sensitive.
Second, this information is proprietary. Direct marketers should
not have to supply competitively valuable information. For
example, marketers use proprietary prediction models to identify groups
of individuals that have a greater propensity than others to purchase certain
products or services. This analysis is proprietary, reflects company
strategy, and poses no harm to consumers. A marketer should not be
required to reveal this proprietary information under the guise of privacy
protection.
Finally, The DMA also submits that market segmentation decisions made
for directing marketing solicitations are not substantive decisions to
the consumer—the end result, for example, is whether or not the consumer
receives a catalogue. Such decisions do not affect, for example,
whether or not a person is eligible for employment, promotion, or governmental
benefits.
The extent to which a company must comply with a privacy principle
should take into account the seriousness of any harm to the individual
arising from the use of the information. We note that the consequences
to the individual when a company uses information about him or her for
marketing purposes are not harmful or serious. In fact, the worst
thing that happens is that someone gets information they do not want which
they can throw away. Of course, DMA members do respond to inquiries
by consumers seeking to correct or amend marketing records in order to
ensure that they have accurate information about the consumer’s name, address,
telephone number, or related billing information before directing any further
marketing solicitations to him or her or engaging in additional transactions.
In improving the principle as drafted, we suggest that the Department
of Commerce include other factors in the determination of reasonableness.
As examples, the cost and the technical feasibility of making the information
accessible to consumers are relevant. Consider the difficulty of
a diversified company, with a number of divisions that provide, auto repair,
general merchandise, appliance repair, and photography services.
And consider that same company has been in business for 75 years.
Is it reasonable to expect such a company to produce an historic record
of every bit of information ever collected about the consumer? We
think not.
The safe harbor approach should focus its efforts in areas where privacy
protection is needed most and consumers have shown the greatest concern.
In the area of access to records, experience in Europe and elsewhere, consumer
interest is greatest with credit, law enforcement, and medical records.
By comparison, there is little or no consumer interest in access to data
used for direct marketing solicitations.
Enforcement
The DMA understands that an effective enforcement mechanism is critical
for the success of the proposed safe harbor principles. The note
immediately following the enforcement principle enumerates three specific
alternatives in which a U.S. company may satisfy the requirements of this
principle: compliance with a private sector privacy program; compliance
with laws or regulations; or committing to cooperate with EU data protection
authorities. We believe that all three alternatives and flexibility
are fundamental to enforcement and should be incorporated into the enforcement
principle. Each of these alternatives accomplishes the goals of the
enforcement principles: independent recourse mechanisms for individuals,
verification systems to ensure compliance with appropriate privacy practices
with obligations to remedy problems, and appropriate consequences or sanctions.
In addition to implementation procedures, we agree that the enforcement
principles must include sufficient sanctions or consequences. However,
the concept of sanctions should not be reduced to only monetary penalties
or private rights of action.
One sanction we believe to be sufficient is a loss of privileges and
benefits associated with an endorsement by a private sector privacy program.
For example, The DMA has successfully brought potentially recalcitrant
companies into compliance with the association’s privacy guidelines by
threatening censure, suspension, or expulsion and following through with
such action from The DMA Board. Member companies take such threats
seriously because significant consequences are associated with the public
expulsion from an association, including the lack of confidence in the
expelled company by consumers and other businesses alike, and a negative
image among professional peers.
Finally, one should not lose sight of the fact that a company’s assertion
of qualification for the safe harbor, and thus its implementation of the
guidelines, exposes it both to potential civil liability under our court
system and possible FTC enforcement action.
* * *
The DMA encourages the continued efforts of the Department of Commerce
to negotiate a safe harbor. We support the proposed concept of a
safe harbor provided that the principles are broad enough to encompass
the direct marketing sector and do not radically change the privacy protection
system that has evolved and is successful in fostering growth and consumer
confidence in our $1.4 trillion industry. We believe that such clarification
will be necessary on an industry-by-industry basis. In addition,
the uses of industry privacy programs are a means of consumer protection
and should fall within any safe harbor. We appreciate the opportunity
to express our views to the Department of Commerce and we look forward
to participating in future discussions.
The DMA
The DMA is the largest trade association for businesses interested
in direct marketing and database marketing. The DMA represents more
than 4,300 companies in the United States and 54 other nations. Our members
are leaders in the development of global commerce, supported by the exchange
of information across borders. Founded in 1917, its members include
direct mailers and direct marketers from almost every consumer and business-to-business
segment, as well as the non-profit sector. Included are catalogers,
financial service companies, book and magazine publishers, retail stores,
industrial manufacturers, Internet marketers and a host of other vertical
segments as well as the service industries that support them. Many
of our members have for decades engaged in the transfer of data from the
E.U. and include what we believe are the majority of the companies that
will be affected by any agreement reached with the European Union.
The DMA has worked for many years on numerous successful consumer protection
initiatives on behalf of our members. Led by The DMA, and in coordination
with the federal government, industry has been able to develop practices
that protect the consumer while at the same time preserving the leadership
of our members in the information age. Through peer review The DMA
sets standards, enforces, and educates. The DMA’s Ethics Policy Committee
sets privacy standards. A different DMA body, the Committee on Ethical
Business Practice, responds to cases of alleged violations of Association
Guidelines on Ethical Business Practice. This committee, composed
of a cross section of companies in the industry, enforces the guidelines.
Most cases that are brought are resolved through this Committee and its
recommendations.
To educate consumers, The DMA has been very active in creating educational
material on and off the Web to empower consumers in their understanding
of information practices. Through our mail, telephone, and soon to
be developed e-Mail Preference Services, we facilitate consumer choice
over their information. In fact, this past year in cooperation with
Vice President Gore, The DMA recently linked the FTC’s privacy Web page
to facilitate opt-outs via our Mail and Telephone Preference Services.
To educate industry, The DMA has developed tools, resources, and seminars,
and adopted the Privacy Promise—a far-reaching membership requirement program.
Sincerely,
_________________________________
Jerry Cerasale
Senior Vice President
Government Affairs
From:Harriet P. Pearson
Director, Public Affairs
November 18, 1998
Via email to: ecommerce@ita.doc.gov
Honorable David L. Aaron
ATTN: Mr. Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th Street & Constitution Avenue
Washington, D.C. 20230
Re: November 4, 1998 Request for Comments on International Privacy Principles
Dear Ambassador Aaron:
Thank you for the opportunity to comment on the Department of Commerce’s draft proposal for international principles in support of United States commerce with the European Union nations under the EU Data Protection Directive (“EU Directive”).
IBM is the world’s largest information technology company, with 1997 revenues over $78 billion. In more than 160 countries, over 240,000 IBM employees deliver to our customers information technology products, software, and professional services. As the leading provider of “e-business” solutions and services, we have a significant stake in the development and success of the Internet and electronic commerce.
Accordingly, we have advocated active industry leadership in tackling some of the policy issues raised by the growth of electronic commerce. In the area of online privacy IBM was a founding member of the Online Privacy Alliance, TRUSTe, and the BBBOnline privacy seal program. With respect to other media and sectors, IBM complies as appropriate with applicable statutes, self-regulatory programs such as the Direct Marketing Association’s, and our own internal privacy policies.
For purposes of these comments, IBM aligns itself with the written comments of the Information Technology Industry Council (ITI) and the Online Privacy Alliance (OPA). We write to express our additional, broader views.
IBM strongly supports the Department’s efforts to create a predictable and simplified framework for data transfers under the EU Directive. Clearly, both the United States and the European Union place a high priority on individual privacy protection, both within our respective jursidictions and when personal data travel across borders. The discussions in which you have engaged are very important to articulate an approach for U.S. companies that seek a predictable and easily understood manner in which to handle data from the European Union. These discussions are even more significant, given the potential for the results to be applied by other nations of the world.
Generally speaking, therefore, IBM supports the international “safe harbor” principles approach. We have specific concerns with the current language and mechanics of the approach, however, and incoporporate by reference the comments of the ITI and OPA as to those. In this submission we will suggest some basic thoughts that ought to underlie the Department’s negotiations of the “safe harbor” principles with the European Union:
Ÿ The International Principles Ought to Support Existing U.S. Self-Regulation
and Statutes, Consistent with Stated Administration Position.
A number of self-regulatory programs and statutes effectively
protect individual privacy in the United States. The Department’s
draft proposal ought to be consistent with these programs and statutes,
and the Department’s own “Elements of Effective Self-Regulation” statement
for electronic commerce. The stated purpose should be to achieve
recognition by the European Union that participation or compliance with
such programs and statutes is presumed adequate under the EU Directive.
Particularly with respect to industry guidelines such as the
Online Privacy Alliance and the direct marketing industry we recommend
that the Department’s international principles allow for companies to enter
the “safe harbor” by their adoption of such programs. The specific
suggestions made by the comments of the OPA and ITI (attached) address
the areas in which the current draft proposal may depart from such programs
and we request the Department to consider these comments.
Ÿ If Necessary, Negotiate Recognition of “Transborder Data Transfer
Frameworks” on a Sectoral Basis, Perhaps Beginning with the Online Medium.
If the negotiations with the European Union cannot successfully
recognize a general, cross-sectoral approach that supports existing self-regulatory
programs and statutes, then the Department should proceed on a sectoral
basis to achieve EU recognition of “transborder data transfer frameworks”
(TDTF) that would offer the same benefits of the current “safe harbor”
proposal. The online sector, as represented by the guidelines of
the Online Privacy Alliance and the implementing enforcement programs offered
by TRUSTe and BBBOnline, should be a high-priority sector to address in
this fashion.
There are several reasons to give priority to the online sector:
Ÿ as the Department and the Administration have recognized, electronic
commerce represents a significant growth opportunity for the U.S. and global
economies, only increasing in importance in the future;
Ÿ U.S. industry has proactively responded to address privacy protection
in this medium by forming the Online Privacy Alliance and supporting programs;
Ÿ the medium is uniquely global, making the EU Directive or other national
laws or programs difficult if not impossible to apply without some mutual
recognition of different approaches; and
Ÿ while U.S. industry has some experience with applying European data
protection laws to other sectors, the Internet and online commerce raise
unique and difficult issues that an agreed-upon TDTF would help to address.
Ÿ Recognizing that More-Traditional Methods of Compliance with the EU
Directive (e.g. Contractual Arrangements) Will be Deployed by Many U.S.
Companies, Pursue Predictable Framework to Employ Those Methods Simultaneously
with Other Negotiations.
Particularly in global companies such as IBM, knowledge management
requires sharing of information between and among employees. Increasingly,
such information may reside in centralized databases accessible by those
with need to know located in many different countries. These databases
can contain, for example, employee contact information; employee skills
databases; company asset management information; and customer records.
If the contractual approach to compliance with the EU Directive is used, the practical difficulties of executing individual contracts between and among each entity in the corporate group will result in significant administrative burden. IBM suggests that the Department seek explicit recognition from the European Union of the possibility of a single master agreement that could be used for intra-company transfers (i.e. parent company and its wholly owned subsidiaries). Such a master agreement would be
Ÿ signed by all entities in corporate family;
Ÿ signed only once; and
Ÿ commit the company to comply with its corporate policy for all data
Once again, IBM appreciates the opportunity to offer comments on the draft proposal. Please contact me at 202-515-5036 if you have any questions or require additional information.
Sincerely,
Harriet P. Pearson
Director, Public Affairs
From: PATRICIA ALBERTO (THE CHASE MANHATTAN
BANK)
November 19, 1998
Eric Fredell
Task Force On Electronic Commerce
US Department of Commerce
Re: Comments on International Safe Harbor Principles
Dear Mr. Fredell:
As requested by Under Secretary Aaron,
in his November 4, 1998 letter
to Industry Representatives, please accept these comments
on the November
3rd draft of the International Safe Harbor Privacy Principles.
Notice
1. Language must
be "readily understood". The term "readily
understood" is extremely subjective and for that reason
it is a term that
is not commonly used as a
standard in US law. Most US statutes and
regulations utilize the standard that
language must be "clear and
conspicuous", which is already included in the draft's
section on Notice.
Accordingly, we recommend deletion of the phrase "readily understood".
2. Timing for Delivering of Notice
Specifying
that Notice must be delivered when an individual is
"first asked to provide personal information to the
organization" is not
practical. Providing the type of notice in a clear and
conspicuous manner
as specified in the draft may be difficult or impossible
to achieve when
soliciting information from a customer,
or a potential customer, in
different circumstances such as, by
telephone. In order to meet the
intended purpose of providing notice, it should suffice
if the Notice is
provided to the customer when the
organization first provides written
materials to the customer which may be part of the initial
application or
account disclosure, or contained in the customer's first statement.
Choice
The choice (in the
form of an opt-out mechanism) given
to an
individual is predicated upon the Notice given to
that individual of how
the personal information will be used. Accordingly, the
first sentence in
the section on Choice should be linked to the content of the
Notice and we
suggest that it be modified to read as follows:
"An organization
must give individuals the opportunity to choose
(opt-out choice) whether
or not their personal information may be
used in the
manner described in the Notice provided
to the
individual."
Onward Transfers
1. As with the section relating
to Choice, the customers' ability to
choose or limit onward transfers
through an opt-out mechanism is also
predicated upon the Notice given
to that individual. Accordingly, we
suggest that the first sentence in the Onward Transfer section
be modified
to read as follows:
"To the
extent that onward transfer was not specified in the
original customer Notice
and Choice (opt-out), then the individual
must be given the
opportunity to choose (opt-out) whether an
unaffiliated third party
uses the personal information they provide
if other than for the purpose originally
intended."
2. An organization
that transfers information to a third party
should seek to have that information kept confidential
and used only for
the purpose which the third party is
engaged. Accordingly, the second
sentence in the section of Onward Transfer should
be modified to read as
follows:
"When transferring
information to unaffiliated third parties, an
organization must require
assurances that the information will be
used only for the purposes for
which the information is given to the
third party (unless required by law
to do otherwise)."
Security and Data Integrity
1. In the section
on Security, the language that "must take
reasonable measures to assure its reliability
for its intended use and"
appears to be a provision that
more appropriately belongs in the next
section on Data Integrity.
2. In the section
on Data Integrity, when incorporating the
above-referenced language from the section
on Security, and in keeping
with the premise that data should be relevant for the purpose
for which it
was gathered, we would recommend that
the section on Data Integrity be
reworded as follows:
"Any organization
must take reasonable measures to assure that
personal data is accurate, complete
and current when using that data
for its intended purpose."
Access
Inherent
in an individual's ability to access information is the
concept that an individual will
be accessing that information for a
relevant purpose, in particular, to correct or amend relevant
information
that is inaccurate. Accordingly, there should be incorporated
into either
the section on Access, or the explanatory
materials in the "Q & A" the
concept that customers are provided reasonable access to
information that
is used as the basis for decisions regarding
applications for products
services, and the ability to correct
information demonstrated, to the
reasonable satisfaction of the
organization, to be incorrect. In
addition, information that may be
accessed must take into account
exclusions for proprietary information.
As a technical point, in the
current draft version of Access, reference to "information"
in the first
sentence should be preceded with "personal".
In addition to these
specific comments, we wish to take
this
opportunity to express our agreement
and support for the comments
submitted by the Coalition of Service Industries.
Very truly yours,
P.Alberto, SVP
The Chase Manhattan
Bank
Eric Fredell
Task Force On Electronic Commerce
ITA
Dear Eric,
On behalf of the International Electronic Trade Steering Committee,
the
Joint Industry Group Automation Committee and IFAC I, Customs, I am
providing the following comments in response to Ambassador Aaron's
Letter
of November 4, 1998. We support the proposed Safe Harbor Principles
as the
negotiating position of the US for its talks with the European Union.
The International Electronic Trade Steering Committee is a coalition
of
industry representatives dedicated to the automation of trade-related
transactions. The Steering Committee's mission is to promote
cooperation
between the private sector and domestic and foreign governments so
that
international trade via electronic commerce is facilitated.
JIG is a coalition with more than 130 members including Fortune 500
companies, trade associations, professionals and businesses actively
involved in international trade. We both examine and reflect
the concerns
of the business community relative to current and proposed international
trade-related policies, actions, legislation, and regulations, and
undertake to improve them through dialogue with several Executive Branch
departments and agencies and the Congress. JIG membership represents
more
that $250 billion in trade. The Automation Committee has the
responsibility for review and development of recommendations about
customs
international automation initiatives.
IFAC I, Customs, is part of the Public Advisory Committee program.
Its
charter is to provide advice to Commerce and USTR about international
customs issues. Over the last several years this advice includes
electronic commerce issues.
The proposed Principles adopt many of the recommendations previously
made
by our groups. We do have concerns about the EU Directive on
Data
Protection. We continue to advocate a voluntary self-regulation system,
under which businesses are responsible for developing their own privacy
rules. The Federal Trade Commission study suggested self-regulatory
schemes were not in place in the overwhelming majority of websites.
That
is improving. We believe with the FTC ultimatum industry will
continue to
take appropriate actions toward immediate voluntary self-regulation
in
order to avoid legislative action. We recognize that some level
of
self-regulation is inevitable given the tremendous resources needed
to
effectively monitor the Web.
The EU approach to the assurance of privacy protection focuses on
protecting European citizens without regard for business-to-business
transactions that occur via electronic commerce. This approach
lacks a
balance between the protection of individual rights and the free flow
of
information. The Directive stipulates that the transmission of
data will
be prohibited unless the receiving country exhibits "adequate" data
protection. This regulation has the potential to disrupt international
trade flows and hinder global communication networks.
The "safe harbor" approach will allow US companies to sign on to certain
privacy practices approved by EU officials. It is essential to
have such a
mechanism for US companies striving to comply with the Directive.
We look forward to continuing to participate in this critical dialogue
with
the European Commission. Let us know how we can help further.
With best regards,
Jim Clawson
Chairman and CEO
JBC International
From: A. Cassidy Sehgal-Kolbet, Public Policy Counsel
Cyber-Liberties Task Force American Civil Liberties Union
November 18, 1998
Task Force On Electronic Commerce
International Trade Administration
Department of Commerce
14th and Constitution Avenue, NW
Washington, DC 20230
RE: Draft International Safe Harbor Privacy Principles
Members of the Task Force on Electronic Commerce:
We are writing to express our serious concerns with the "International
Safe Harbor Privacy Principles" proposed on November 4, 1998. Our
concerns relate both to substantive problems with the proposal itself
and the Department of Commerce's oversight in failing to seek public
comment on an issue of such overwhelming importance. Thus, even though
*only industry* perspectives have been sought, the American Civil
Liberties Union (ACLU) submits these informal comments on the Safe
Harbor Privacy Principles to ensure that the interests of the public
are
not completely left out of this discussion.
After reviewing the draft proposal and the introductory letter
by
Ambassador David Aaron, it is clear that the Safe Harbor is designed
primarily to ameliorate European Union concerns that the United States
does not offer "adequate" legal protections for personally identifiable
data -- and not to offer genuine data protections for the American
public. While we appreciate that the Safe Harbor proposal attempts
to
reconcile the very difficult debate over the level of data protections
that should be afforded by government and the private sector, and how
such protections can be implemented, we are left with many questions
concerning the ambiguity and scope of the proposal. We
are unconvinced
that the proposal can satisfy the requirements of Article 25 and 26
of
the EU Directive 95/46/EC and believe that it will fail to create a
safety net that will protect Americans and European Union citizens
alike
against poor information practices.
There is also the troubling question of whether the adoption of
a Safe
Harbor proposal will provide European Union citizens greater protection
than Americans against privacy violations committed by US firms.
There
are also jurisdictional questions about whether organizations that
voluntarily comply with the Safe Harbor principles and make affirmative
representations about their information practices will thereby subject
themselves to the jurisdiction of the Federal Trade Commission under
Section 5 of the FTC Act, which provides them general authority to
investigate "unfair or deceptive acts or practices in or affecting
commerce..." (15 U.S.C. Sec. 45(a)(1)). At a minimum, there must be
explicit guidance on what rights, if any, a Safe Harbor proposal will
confer to Americans and whether organizations will also be subject
to
further regulatory review as a result.
Self Regulation / Certification Alone Has Not Worked
As a general observation, the ACLU does not believe that the type
of
self certification or self regulatory solutions endorsed in the Safe
Harbor proposal are effective standing on their own. There
are
certainly recognizable advantages to the self regulatory solutions
offered to industry as a means to comply with the EU Directive in the
Safe Harbor proposal. From a business perspective, the ability
to self
certify is financially appealing and requires less expenditure of time
and resources than compliance with government regulation that requires
documentation of compliance beyond promissory assurances. There
are
also some public education benefits where such initiatives can promote
awareness and provide clearly articulated and user friendly
information. However, we remain unconvinced that self-regulation
and
self-certification alone can provide an acceptable answer. In addition,
the American public has repeatedly made clear that they believe that
government regulation is necessary in order to facilitate the trust
that
is necessary to the growth of electronic commerce.
To date, self regulation has proven ineffective in the absence
of a
legal framework that will ensure that claims about fair information
practices are actually practiced and not merely an advertising ploy.
Certification and accreditation are helpful to the extent that they
provide a means of labeling that make it easier for consumers to make
choices, but such accreditation offers little comfort where there are
no
legally enforceable rights. There is simply no proof that such
accreditation procedures will actually prevent abuse of information.
For example, this summer's Federal Trade Commission complaint
against
the Internet Service Provider, GeoCities, alleged that the company
misrepresented that the personal identifying information it collected
through a membership application form was used only to provide members
the specific advertising offers and products or services they requested,
and that the "optional" information (education level, income, marital
status, occupation, and interests) would not be released to anyone
without the member's permission. In fact, the FTC found that the
information was disclosed to third parties, who used it to target
members for solicitations beyond those agreed to. (In the Matter of
GeoCities, a corporation, FILE NO. 9823015, Federal Trade Commission
Agreement Containing Consent Order, August 13, 1988). We highlight
this
example, because GeoCities was a member of the certification program
TRUST-e. Thus, GeoCities' privacy violations underscore the practical
ineffectiveness of such programs. Even third party certification
did
not catch the poor information practices of GeoCities.
There are numerous other examples of information abuses that highlight
the tremendous need for public protections.1 This summer, in
a Report
to Congress on Online Privacy, the Federal Trade Commission confirmed
the position of privacy advocates that self regulation has not been
effective in offering privacy protection that will improve consumer
confidence and trust. The FCC stated: the "[d]evelopment
of the online
marketplace is at a critical juncture. If growing consumer concerns
about online privacy are not addressed, electronic commerce will not
reach its full potential. To date, industry has had only limited success
in implementing fair information practices and adopting self-regulatory
regimes with respect to the online collection, use, and dissemination
of
personal information."
Thus, based on real life experience, we reject the notion that
self
certification assurances absent legally enforceable rights can provide
protection to personally identifiable information. We are also
not
optimistic that such mechanisms will ultimately be acceptable to the
members of the European Union -- as they have been repeatedly rejected
in the three years since the Privacy Directive's adoption.
Ambiguities of the Draft Safe Harbor Principles
It is very difficult to comprehend the scope of the Safe Harbor
proposal. For a proposal that is intended to maintain the free flow
of
information, it offers few details or citations to make clear what
US
obligations are. As a starting point, the Safe Harbor proposal
should
clearly explain which data collectors will have to comply with the
Principles to avoid EU liabilities. It should also clearly explain
the
scope of information that is covered both by the EU Directive and the
Safe Harbor.
The proposal states that Safe Harbor applies to "organizations
that are
subject to statutory, regulatory, administrative, or other body of
law
that effectively protects personal information privacy."
It is unclear
what industry groups would be covered by this statement and which laws
this pertains to.
For organizations not covered by existing regulation, the proposal
states that "membership in private sector privacy programs that adhere
to these principles" will also qualify organizations for safe harbor
protection. While we are aware of programs that provide third
party
verification for online industry / organizations that collect personally
identifiable information on the World Wide Web (e.g. TRUST-e, the Better
Business Bureau's BBBOnLine Privacy Program and the Online Privacy
Alliance), we are not aware of any such organization that provides
certification or accreditation for industry that collects personally
identifiable information through avenues other than the World Wide
Web.
The Commerce Department should explain whether the Safe Harbor proposal
and the EU Directive applies only to online collection of data, or,
alternatively whether there are programs that certify the privacy
protection practices of organizations beyond web site practices.
An explanation of what type of information qualifies as "proprietary"
or "manually processed information" under the Safe Harbor is also
completely missing. There needs to be a specific explanation of whether
personally identifiable information about individuals can be considered
proprietary information.
For example, the EU Directive states that it "lays down common
rules,
to be observed by those who collect, hold or transmit personal data
as
part of their economic or administrative activities or in the course
of
the activities of their association. There is an obligation to collect
and process personal data only for specified, explicit and legitimate
purposes, and to ensure that such data is relevant, accurate and
up-to-date."
While we are uncertain about the meaning and scope of the EU Directive,
and the what the definition of "legitimate purposes" covers or how
such
limitations would effect the First Amendment rights of actors that
collect information outside of commercial transactions, there are no
such definitions in the Safe Harbor proposal either.
A good place to start in improving the seven principles set out
in the
Safe Harbor proposal is to closely track the fair information practice
principles as set out by the Organisation for Economic Co-operation
and
Development (OECD) Guidelines on the Protection of Privacy and
Transborder Flows of Personal Data (adopted in 1980, and endorsed by
the
United States as a member of the OECD). The OECD Guidelines are intended
to be the minimum standards for the protection of privacy and individual
liberties and offer more detailed explanations of the principles set
out
in the Safe Harbor.
We have briefly provided a few illustrative examples where greater
clarity and fidelity to the OECD guidelines would make the Safe Harbor
Principles more effective:
1. 'Notice' should more closely follow the 'Openness Principle' of the
OECD guidelines which requires providing the identity of the collecting
party with contact information for questions on the data collection
process and use. The Safe Harbor proposal does not include openness
requirements of such minimal information. And while such a requirement
may seem self-explanatory, proper identification is often absent from
both sites and direct marketing solicitations that seek personally
identifiable information.
2. The Safe Harbor proposal should also incorporate the OECD principles
on data collection limitations or limitations on the purpose for which
data that is collected can be used. The OECD Purpose Specification
Principle states:
The purposes for which personal data are collected should be specified
not later than at the time of data collection and the subsequent
use
limited to the fulfillment of those purposes or such others as
are not
incompatible with those purposes and as are specified on each occasion
of change of purpose.
Without an explicit understanding of how data may be used and
an
understanding of what types of uses it is subject to, the proposal
does
not offer significant clarity for users. Thus, the Safe Harbor
proposal
should more closely mirror the OECD Guideline sections on data
collection and use.
3. The principles on 'access' in the Safe Harbor proposal do not
cover
the scope of rights as delineated in the OECD guidelines. In
addition
to providing that users have the right to view and correct their own
information, the OECD guidelines explicitly states that an individual
should be permitted:
a) to obtain from a data controller, or otherwise, confirmation of
whether or not the data controller has data relating to him;
b) to have communicated to him, data relating to him within a reasonable
time; and in a form that is readily intelligible to him;
c) to be given reasons if a request made under subparagraphs(a) and
(b)
is denied, and to be able to challenge such denial; and
d) to challenge data relating to him and, if the challenge is successful
to have the data erased, rectified, completed or amended.
Suggestions for Strengthening Protections Under a Safe Harbor Proposal
Below are some further comments for consideration in the ongoing
effort
to develop adequate fair information practices in the private and public
sector here in the United States. We believe that these
elements may
be necessary in order to safeguard privacy for Americans while offering
greater compliance with the Directive.
1. Effective verification, recourse and consequences for misuse of
personally identifiable data requires some level of oversight by the
government beyond private verification remedies -- especially where
sensitive information -- such as medical records are involved. Aggrieved
individuals must have the right to petition an agency or a court for
governmental or private sector privacy violations. The Commerce
Department should encourage the passage of legislation that will provide
an administrative agency or body with regulatory oversight powers
over
fair information practices.
2. An explicit limitation on governmental use of privately collected
information should be adopted. Moreover, there must be
no
intermingling of government and private sector collected data for the
creation of membership or identification cards -- e.g. smart cards
--
which include private information and government issued driver's license
numbers.
3. Because the consequences that may result from improper disclosure
may have a devastating impact on an individual, damages should not
be
conditioned on proof of intentional or willful violations of the law.
Actual and statutory damages should be available to aggrieved
individuals as well as punitive damages where a breach of privacy is
the
result of intentional or willful violations of privacy policies.
Enforcement mechanisms must provide users with notification when there
is a breach in privacy.
4. All individuals should be provided with the ability to review
or
modify information that is obtained about them in a timely manner.
Users must also be permitted to revoke consent against continued storage
of data about them. Reasonable access should include a timely
response
that it free of charge to the individual. Failure to provide
a timely
response to a user's request to her own information should provide
administrative recourse and an explanation of why such review is denied
if it is unavailable.
5. There Is No Privacy Without Appropriate Security --communications
conducted via electronic mail, electronic fund transfers or transactions
that take place online require secure means of encryption and
authentication. Without readily-available encryption software, however,
electronic communications can be easily intercepted, and data intended
to be private may be rendered vulnerable to exposure. We believe
that
the Commerce Department must encourage wide availability and use of
strong encryption programs to protect the integrity of communications
and stored data and must repeal the current export restrictions on
strong cryptography.
6. Industry engaged in collecting information via the World Wide Web
should be encouraged to permit "anonymous browsing" and "anonymous
transactions" on their sites. By allowing users to make purchases
or
browse using digital cash or digital pseudonyms, sites could reduce
the
amount of personally identifiable information that is gathered
unnecessarily. Moreover, by incorporating digital cash payment
schemes
or allowing users to register at a site with a pseudonym, user concerns
about interception of credit card information or other sensitive
material would be greatly enhanced. The Commerce Department should
seek
to promote awareness about anonymity and encourage the development
of
digital cash payment mechanisms.
Conclusion
The American public has made it clear that they want government
intervention to ensure privacy. The members of the European
Union have
likewise made it clear that they intend to enforce the Privacy Directive
-- which went into effect last month. The potential
for serious trade
disruption as a result of the Directive makes clear the importance
of
the task that the Department of Commerce has undertaken in issuing
this
first Safe Harbor proposal. However important that mission
is, it is
our sincere hope that any enactment of a Safe Harbor for US businesses
to the European Union Privacy Directive does not impede the continuing
effort to secure legislation to create a genuine safety net and fair
information practices for Americans and Europeans alike.
Thus, we
believe the current Safe Harbor proposal must be redefined and subject
to further public comment in order to find a comprehensive solution
to
EU member privacy concerns as well as concerns of the American public.
Respectfully Submitted,
A. Cassidy Sehgal-Kolbet, Public Policy Counsel
Cyber-Liberties Task Force
American Civil Liberties Union
125 Broad Street, 17th Floor
New York, N.Y. 10004
csehgal@aclu.org
(212) 549 - 2500
1 For example, see, Plans' Access to Pharmacy Data Raises Privacy Issue,
Robert O'Harrow, Jr., Washington Post, Sunday, September 27, 1998,
PA01
and Privacy for Sale: Peddling Data on the Internet, Andrew Shapiro,
The
Nation, June 23, 1997.
November 18, 1998
Mr. Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th St. & Constitution Ave., NW
Washington, DC 20230
[Comments to Department of Commerce Draft
International Safe Harbor Privacy Principles]
Dear Mr. Fredell:
Dun & Bradstreet (D&B), appreciates the opportunity to comment
on the Department of Commerce’s (the Department) November 3, 1998 draft
“International Safe Harbor Privacy Principles.” D&B applauds
the Department’s effort to find resolution to the difficult issues raised
by the European Data Protection Directive’s “adequacy” requirement in a
manner that recognizes the differences in the legislative framework governing
data use in the United States and Europe. D&B is also encouraged
by the initial strong interest shown by the European Union. We feel
that the safe harbor draft proposal provides a sound basis for the parties
to work together to develop a final text acceptable to all.
D&B is supportive of the Department’s overarching goal of creating
a safe harbor for US companies recognized by the European Commission and
its member states. D&B operates in all of the European member states
and transfers business information from those countries to the United States
and other non-European jurisdictions. D&B, therefore, has a particular
interest in the resolution of these issues.
In our comments, we seek to have clarified the process by which the
safe harbor will be granted and administered. Additionally, in a
few instances, we have questions and suggestions meant to elucidate the
meaning of specific privacy principles as outlined in the draft document.
About Dun & Bradstreet
The Dun & Bradstreet Corporation is a multi-billion dollar company
with offices in more than 38 countries and employing around 15,000 people.
Within Europe, the company has offices in each of the member countries
of the European Union, and employs approximately four thousand
people. The company was founded in 1841 to facilitate commerce
by providing business information about businesses to other businesses.
Dun & Bradstreet (D&B) is the largest operating division of the
Dun & Bradstreet Corporation and is the world’s leading provider of
business-to-business credit, marketing, purchasing, receivables management
and decision support services worldwide.
The data we provide for our customers is essential in their sound decision-making processes and is therefore the lifeblood of our business. Dun & Bradstreet collects information from public records, private sources and through direct collection on over 50 million business establishments from 217 countries and invests over $360 million annually in these data collection activities. The company collects up to 1,500 data items on each business subject and uses thousands of information sources to ensure our data is of the highest quality possible. While all data contained in our business information products and services are business related, some are specifically identifiable to individual owners or principals of the business entity. Dun & Bradstreet collects only that information about the business owners or principals which is relevant and necessary for business decisions.
As a leader in the information industry, D&B has had data protection practices in place since our founding in 1841 and has had a written set of practices for more than 20 years. The fundamental principles of those data protection practices still apply to our traditional information products and services. Recognizing the continued need to balance the free flow of information against an individual’s privacy interests in the online environment D&B, in early 1998, developed and implemented data protection practices for the Internet. D&B’s data protection practices are consistent with the requirements of the European Data Protection Directive and with the safe harbor privacy principles as outlined.
In Europe, D&B manages its local data collection use in a manner consistent with the applicable data protection laws of all of the member countries and with data protection practices which have been developed by the company to enhance the quality of the services provided. Within each European country, D&B has a designated data protection officer who is responsible for ensuring that the company upholds the rights of data subjects as required by law and as outlined in D&B’s data protection practices. In addition, D&B’s US corporate and European legal and government affairs offices have regular communications regarding data protection matters.
Safe Harbor: Process and Administration
The preamble of the safe harbor privacy principles states that the principles are being published in an effort to ameliorate uncertainty about the impact of the European Data Protection Directive’s (Directive) adequacy requirement on data transfers from the European Community to the United States. The preamble further states that the principles are intended to reduce the uncertainty by providing a more predictable framework for such data transfers. D&B strongly supports this purpose and believes that this is the most important reason for a company to participate in a safe harbor.
In that vein, D&B believes it critical for the US – European negotiation to resolve what the process for participating in the safe harbor will be; how the process will be administered; and the protections that will be provided to US companies that agree to participate. Further, the principles document should describe the procedures and protections granted by the safe harbor so that there is no misunderstanding about rights and responsibilities of those affected by an agreement.
The safe harbor proposal, as we understand it, would be a true safe harbor. As described by the Department of Commerce in public meetings, complaints against companies participating in the safe harbor would be restricted to complaints that the companies are not living up to the safe harbor principles to which they have agreed – not arbitrary adequacy complaints. The description provided also suggests that safe harbor companies would not have data transfers blocked while disputes are resolved. In addition, an expedited hearing and resolution of complaints would be granted to safe harbor companies, and the EC and the US government would be available to intervene to help mediate the resolution. The decision to participate in a safe harbor will entail a cost/benefit analysis. Without a guarantee that this process will be adhered to, the cost of agreeing to and implementing the principles might not be worth participation in the safe harbor.
In the absence of such a safe harbor, the Directive would be the only guidance for resolving complaints. Under the Directive, if a complaint is lodged against a third-country based company, it is conceivable that data transfers would be blocked until the complaint had been resolved – both by the EU member country and by the EC. The blockage of data transfers, of course, is the most ominous threat of the Directive and would be highly detrimental to a company even if the block were only for a limited time. There is no provision under the Directive for an expedited resolution and resumption of data flows. In addition, under the Directive there is no provision for US government or EC mediation in the complaint. Further, there are no parameters under which a complaint can be lodged. Under the Directive, an individual could raise a complaint that a company is not providing adequate data privacy protections with the Directive providing the template for adequacy.
It is also critically important that the member state data protection authorities cooperate with the safe harbor concept and that they be required to participate. Without this assurance, the entire safe harbor concept is rendered moot. Therefore, it is crucial that there be a formal acceptance of the process by the member state data protection authorities.
Another procedural issue that has been mentioned in Department of Commerce-sponsored public forums is that companies would self-certify that they are in compliance with the principles. As described, safe harbor companies would only be required to justify to US and EU regulators that they are in compliance if there is a complaint – under the rules described above. This type of process is in keeping with a self-regulatory environment and should be clearly accepted as part of the principles.
Safe Harbor Privacy Principles
D&B finds the privacy principles, as drafted, to be generally consistent with our current data privacy practices. In a few areas, the principles could use clarification to more clearly impart to companies what is expected of them. However, D&B agrees with Ambassador Aaron’s statement that the principles must be necessarily broad in order to encompass the widest possible range of industry practices. D&B further believes that clarifications to the principles should be confined to the principles themselves. US and European negotiators should avoid getting mired in a set of frequently asked questions which would fail to cover every specific question and which, therefore, is likely to hold less legal or administrative importance in the event a complaint is lodged.
A set of frequently asked questions could be used to distract from the real objective of the safe harbor negotiations. That objective is to try and reach agreement, in a timely manner, on a set of data privacy protections which respect US legal traditions and business uses of data, but that are largely consistent with the data protections in the Directive. Furthermore, the way in which industry collects, compiles, processes and uses information is constantly changing. Would a process described in a frequently asked questions document today really shed light on a company’s activities tomorrow?
D&B believes there are a few principles that could benefit from clarification. It is important that the Article 26 exemptions outlined in the cover letter be included in the principles. Specifically, D&B believes the public records exemption must be included so that there is not a presumption that businesses be required to carry out responsibilities that go beyond the requirements of existing European data protection laws. For instance, if D&B is not required by the member country law to provide notice and give choice to the subjects of public records, the safe harbor principles should not impose a higher standard. Once the records are made public in Europe, and standards are set for their collection and use, those rules should not change under the safe harbor principles.
With respect to the choice and onward transfer principles, it is important for the Department to either elaborate on the parenthetical which states “where such use is unrelated to the use(s) for which they originally disclosed it” or choose a phrase which provides more flexibility. D&B suggests two approaches either of which would resolve the problem. One approach is to adopt the OECD language which was highly negotiated at the OECD. It requires that information be used in a manner that is not incompatible with the reason for which the information was originally collected.
Another approach is to utilize a company’s notice to determine if a data use is an “unrelated use.” In other words a use is only unrelated -- therefore choice must be given -- if the company has not informed the individual of this use. Within Europe, companies are required to register the types of uses being made of data with the local data protection authority. A US company transferring data from Europe would be obligated to restrict itself to the uses explained in this notice. This approach places emphasis on disclosure and openness by companies. Both approaches allow companies more flexible use of data while still providing data protections.
With respect to the enforcement principle, as members of the Online Privacy Alliance (OPA) and adhering to the OPA principles, we would suggest that the note to the principle become a part of the principle itself and that the word “may” in the first sentence be changed to a must. D&B suggests this change because we believe that companies who are engaged in electronic commerce should be required to participate in a seal or other certification program in order to engender online trust with their customers. D&B was a founding member of both the Online Privacy Alliance and the BBBOnline privacy seal/certification program. The company has invested significant resources in both programs because we believe that sound data privacy practices and assurances of those practices for individuals are critical if electronic commerce is to prosper. Without this suggested change, companies could interpret the enforcement principle to allow for a lesser obligation in the online environment.
With respect to the enforcement principle, D&B is concerned that by requiring that sanctions “must provide individuals with the means for enforcement” this principle would entitle a European citizen to a private right of action against an American company. While we understand that the Directive provides such a right in Europe, we also know that the consequences of such actions in a European court are much different and less severe than in the US. If this is not the intent of the last sentence of the enforcement principle, D&B suggests that the sentence be changed to more clearly reflect the actual intent.
Conclusion
Dun & Bradstreet is supportive of the Department’s efforts to develop
a data privacy safe harbor that will allow US companies to continue the
transfer of data from Europe to the US. We believe that D&B is
significantly in compliance with the principles as drafted as long as they
are kept broad and are left to flexible implementation. We are hopeful
that clarification of the principles and the process as mentioned above
can be incorporated into the final principles document and would be happy
to work with Department officials to achieve that goal. We would
welcome the opportunity to participate in the continuing dialogue to reach
mutually agreed upon data protections to ensure the free, unfettered flow
of data. Again, we applaud the work of the US government in trying
to resolve these complicated issues and we appreciate the opportunity to
provide our comments.
Sincerely yours,
Alden Schacher
Manager, Government Relations
(202) 463-2159
November 18, 1998
FROM: Magazine Publishers of America
November 18, 1998
Ambassador David L. Aaron
International Trade Administration
Department of Commerce
14th and Constitution Avenue, N.W.
Washington DC 20230
Attention: Mr. Eric Fredell, Task Force on Electronic Commerce
Dear Ambassador Aaron:
We are pleased to submit comments of the Magazine Publishers of America
(MPA)
on the Draft International Safe Harbor Privacy Principles you submitted
for industry
review on November 4, 1998. MPA is the principal trade association
of the consumer
magazine industry, with over 200 domestic member companies and more
than 75
international members. MPA members publish over 1200 magazines, from
nationally
distributed and well-known publications such as Time, Reader's Digest,
and Better
Homes and Gardens to more specialized publications such as Wired, the
New
England Journal of Medicine, and Advertising Age. Many of our member
companies
are actively involved in international commerce and are vitally concerned
about the
outcome of the current negotiations between the United States and the
European
Union with regard to privacy protection.
MPA and its member publishing companies appreciate your diligent and extensive efforts to ensure that the recently implemented European Union Directive on Data Protection does not disrupt the flow of data from the European Community to the United States. We support the concept of creating a safe harbor for U.S. companies that implement effective self-regulatory privacy protection policies.
We are concerned, however, that, while you state that the Draft Principles
are not
intended to govern or affect U.S. privacy regimes, these principles
will, in fact, do
precisely that. After all, many companies today have dealings with
and receive data
from European Community countries; and the number of companies involved
with
international commerce through the Internet is growing by leaps and
bounds. It is
likely, furthermore, that U.S. governmental bodies will expect companies
to maintain
consistent privacy standards for data generated domestically and internationally.
We urge the Department of Commerce to maintain the United States' current
privacy
regime, which, as you note in your letter, relies largely on a sectoral
and self-regulatory
approach. As we discuss below in our specific comments, we believe
that the Draft
Principles move too far toward the European regulatory model and employ
a
one-size-fits- all approach to personal information protection.
The Draft Principles appear too broad, apparently applying to any electronically
processed information even if such information is not collected online.
In the United
States, the current privacy focus is limited to the Internet, recognizing
the unique
nature of data collection in this medium. Principles developed for
the Internet may
be inappropriate or excessive for other media.
In several key areas, the Draft Principles are inconsistent with ongoing
private sector
self-regulatory initiatives that have been applauded and supported
by the Administration
and the Federal Trade Commission. These self-regulatory initiatives
correctly recognize
differences in the type of information collected in different industries
and tailor policies
to the nature of such information and potential harm to consumers from
misuse of data.
The safe harbors you propose should be based on the United States model,
not the
European approach. The growth and success of electronic commerce is
inextricably
tied to the reasonableness of the privacy protection policies that
result from the
ongoing negotiations with the European Community.
Comments on Specific Principles
NOTICE
Apparently, the notice requirement as contained in the Draft Principles
would be
applicable to the collection of information through any medium, including
mail and
telephone in addition to the Internet. Requiring a full rendering of
a company's data
collection policies "when individuals are first asked to provide personal
information
to the organization" may be unworkable for non-electronic media. For
example,
individuals may submit a magazine subscription card contained in a
magazine.
These cards are too small to provide an adequate mechanism to convey
information
practices and policies. It is more appropriate to handle such information
dissemination
once a relationship is established with the consumer, perhaps accompanying
subscription acknowledgments or invoices. Similarly, it may be difficult
and confusing
to the consumer to require a complete statement of all potential uses
of consumer
information during a telephone call. Subsequent written notification
allowing
consumers choice on the use of their information may be a more effective
notice mechanism.
We are also concerned about the quantity of information required to
be provided to
individuals and the potential for this level of detail to impede effective
notice and
choice. The Draft Principles require notification "about what types
of personal information it collects about them, how it collects that information,
the purposes for which it collects such information, the types of organizations
to which it discloses the information, and the choices and means the organization
offers individuals for limiting its use and disclosure." Describing to
consumers online the full variety of methods of data collection for a multi-media
company would be burdensome to both the company and the individual and
not clearly relevant to the consumer involved in the online transaction.
Furthermore, a complete and detailed description of the types of organizations
to which information may be transferred may result in a confusing set of
choice options for the consumer, leading to difficulties for companies
in implementing consumer choices. Traditionally, consumers have been offered
a simple choice of opting out of transfers of data to any third parties.
Notification requirements need to incorporate greater flexibility than contained in the Draft Principles. The level of detail and timing of notifications should depend on the medium, the nature and sensitivity of the information collected, and potential uses of the data.
ONWARD TRANSFER
This principle requires organizations transferring data to third parties to require that these third parties provide at least the same level of privacy protection as originally chosen by the individual.
This principle introduces the troubling concept of secondary liability for the originating organization and is overly burdensome for non-sensitive information. For sensitive information, such as medical information, the choice principle requires that individuals be offered an "opt-in" choice. This opt-in will be required for every company using the data and should provide adequate onward transfer protection for such sensitive information.
SECURITY
This principle requires organizations to "take reasonable measures" to assure the reliability of data for its intended use and "reasonable precautions to protect it from loss, misuse, unauthorized access or disclosure, alteration, or destruction." We believe that as described in the access principle, security requirements should depend on the nature and sensitivity of the data maintained and the extent of harm to an individual if such data is lost, inadvertently disclosed or altered. Expensive security systems may not be justified if the loss or inadvertent disclosure of information will not harm the individual.
DATA INTEGRITY
This principle requires that data maintained by an organization be "relevant for the purposes for which it has been gathered only" as well as "accurate, complete, and current." Assuming that an individual has elected, through the notice and choice mechanism, to allow additional uses of personal information, we believe the Department of Commerce should clearly articulate that all such purposes for the data are relevant.
We believe, further, that the requirement for maintaining the currency of information should depend on the nature and sensitivity of the information and potential uses. The burden for a company in constantly verifying information in its data bases is not justifiable if an individual would not be harmed by the use of out-of-date information.
ACCESS
This principle requires companies to provide individuals "reasonable access to information about them derived from non public records" and recognizes that the "reasonableness of access depends on the nature and sensitivity of the information collected and its intended uses." We agree with the differentiation of access requirements both with regard to the nature and sensitivity of the information and its uses. For example, if the information will be used without reference to a specific individual, such as in the compilation of survey responses, providing individuals access to that data would be overly burdensome and unnecessary.
We would further suggest that access requirements should depend on the
nature of the
harm to the individual from potential inaccuracies in the information
maintained by an
organization. If an individual would not be harmed by the use of inaccurate
information,
requiring a company to establish an elaborate system to provide access
would be
inappropriate.
ENFORCEMENT
The Draft Principles recognize a variety of approaches toward enforcement
mechanisms, specifically mentioning three potential methods to meet enforcement
requirements. These include "compliance with private sector developed privacy
programs that include effective enforcement mechanisms", "compliance with
legal or regulatory supervisory authorities", and "committing to cooperate
with data protection
authorities located in the European Community."
We are concerned that these alternatives are too limiting in terms of
the variety of
ways in which companies may provide assurances of "compliance with
the principles,
recourse for individuals, and consequences for the organization when
the principles
are not followed." MPA member companies have a long-term relationship
with our
subscribers and a long-term interest in providing these subscribers
with the level
of customer service they expect from us. As such, our members may choose
to
implement a full-scale privacy program internally, with an individual
or committee
responsible for ensuring company-wide compliance with privacy principles
and
providing an easy-to-access recourse mechanism for customers.
Companies should be able to qualify for the safe harbor if they follow
a rigorous
self-assessment protocol. Such companies would naturally be subject
to both
private and governmental recourse, with the Federal Trade Commission
empowered
to bring enforcement actions against companies that do not comply with
publicly
stated privacy principles.
Sincerely yours,
James Cregan Rita Cohen
Senior Vice President/Counsel Vice President, Economic and Legislative
Analysis
November 19, 1998
FROM: International Biometric Industry Association (IBIA)
November 19, 1998
Mr. Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th & Constitution Avenue, N.W.
Washington, D.C. 20230
Dear Mr. Fredell:
This is in response to Mr. David Aaron's notice of November 12, 1998,
describing
the proposed International Safe Harbor Privacy Principles. As the trade
association
for the biometric industry, the IBIA has reviewed the proposal and
offers comments
on behalf of its member companies.
The biometric industry is relatively new, and it is only in the past
few years that its
products have been in common use. The industry produces devices and
software
that automatically verify or identify an individual by unique physical
characteristics.
Examples include products that use face, iris, hand, fingerprint, and
voice
measurements in environments such as border control, information security,
physical access control, financial transactions, time and attendance,
law
enforcement, and other civil and government applications.
In most of the applications biometric technology is used to erect a
barrier between
personal data and unauthorized access. Often this is done by creating
electronic
templates that are used to perform the verification process. The templates
normally
use proprietary and carefully guarded algorithms to secure a record
and protect it
from disclosure. Standing alone, these templates are of no use and
therefore do
not appear to meet the definition of "personally identifiable data."
Despite this important distinction, the industry is acutely aware of
both the general
perceptions that are created through the collection of any electronic
information
and the specific role that biometrics play in linking an individual
to sensitive data.
Companies understand that without a clear public stance on the issue
of privacy,
the industry faces serious obstacles in trying to achieve broad public
acceptance
of the technologies and thereby expand markets for its products here
and abroad.
As a first step in addressing this situation, IBIA members have established
a strict
Code of Ethics that obligates them to protect individual privacy and
prevent
unauthorized disclosure of information.
In addition to demonstrating voluntary compliance, the industry recognizes
the
need for, and generally supports, the proposed Safe Harbor Principles.
It is crucial,
however, that government negotiators be aware of the protections that
biometric
technologies offer, and resist agreements that would constrict the
use of biometric
data to preserve personal data. We therefore strongly encourage the
Department
of Commerce to be sensitive to the unique status of biometrics when
conducting
negotiations with the European Union and other countries.
To promote a better understanding of the industry and learn more about
the issues
faced by the Department, we would welcome the opportunity to meet with
you
and other appropriate officials who are involved in data privacy matters.
I will
contact you shortly to arrange such a session.
Sincerely,
Richard E. Norton
Executive Director
International Biometric Industry Association
Suite 370 South
601 Thirteenth Street, N.W.
Washington, D.C. 20005
(202) 783-7272 - phone
(202) 783-4345 - fax
www.ibia.org
FROM: National Retail Federation
November 19, 1998
Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th and Constitution Avenue, N.W.
Washington, D.C. 20230
Re: Safe Harbor Comments of the National Retail
Federation
Dear Mr. Fredell:
On behalf of the National
Retail Federation, we want to thank you for
the opportunity to provide comments on the November 3rd Draft International
Safe Harbor Privacy Principles.
The National Retail Federation
("NRF") is the world's largest retail
trade association with membership that includes the leading department,
specialty, discount, mass merchandise and independent stores, as well
as
32 national and 50 state associations. NRF members represent
an industry
that encompasses more than 1.4 million U.S. retail establishments,
employs
more than 20 million people -- about 1 in 5 American workers -- and
registered
1997 sales of more than $2.5 trillion. NRF and its members have
been closely
involved in privacy protection issues for years. We look forward
to our
continued involvement with the Administration on this important matter.
By way of background, we
are concerned that the European Union's
Directive on Data Protection (the "Directive") appears to assume that
non-European
approaches to privacy are inherently suspect or unprotective.
Data can be used
to enhance consumer benefits. The Directive seems not to recognize
that a
major goal of privacy protection, the reduction of unwanted intrusions,
is in fact
consistent with the marketing goals of many U.S. companies. For
example, customer
data increasingly is being used by retailers and others to more narrowly
target their
communications, in order to reduce the number of unwanted contacts
most individuals
receive. Equally important, the Directive strikes us as somewhat
antithetical to some
of the more progressive uses of personal data to protect companies
and individuals
from the perpetration of certain privacy crimes (such as fraud and
identity theft).
NRF also has reservations
as to the apparent rigidity of the Directive.
As the Department's letter makes clear, there are many paths to "adequacy".
However, it is not at all clear that the Directive fully appreciates
the comprehensiveness
and sufficiency of the U.S. alternatives.
Self regulatory programs,
such as the Principles on Customer Data Privacy
adopted early this year by the NRF Board of Directors, are being implemented
by
retailers throughout the country. They are designed to sensitize
retailers to, and
provide customers with increased control over, the dissemination of
marketing data.
In essence, the NRF Principles seek to provide security, notice,
knowledge and
the opportunity for individuals to opt out of external disseminations
of data that
would violate consumers' reasonable expectations of privacy.
As might be expected, most
of the information maintained by retailers is
gathered for purposes of relationship marketing. Marketing data,
such as a customer's
style or shopping preferences, are not the kind of information
one would ordinarily
consider to be sensitive. Nevertheless, to the extent that
consumers wish to limit
marketing based on these characteristics, NRF encourages our members
to develop
and publicize procedures allowing consumers to do so. Such publication,
not only
establishes a contractual obligation to customers who rely on
those procedures, it
also establishes affirmative obligations subject to regulatory enforcement
by the Federal
Trade Commission among others.
These obligations are in
addition to those privacy requirements imposed by the
Telephone Consumer Protection Act; the Telemarketing Sales Rule
and, for those retailers who offer credit to their customers, the
Fair Credit Reporting Act. In addition to the latter, many
retailers provide credit to their customers through affiliated credit card
banks which are subject to comprehensive regulation by banking authorities.
Although admittedly cumbersome at times, these regulatory and self
regulatory regimes protect consumers without unduly burdening legitimate
commerce, and should be accorded safe harbor treatment, independent
of the Safe Harbor Principles.
Beyond this however, we appreciate
the Administration's effort to develop
common ground principles that would simplify and facilitate continued
economic
transactions across the Atlantic. The Safe Harbor Principles
represent a notable
step in that regard.
As to the Safe Harbor Principles,
there are some areas, such as those set
forth in Undersecretary Aaron's cover letter, we believe should be
incorporated into
the final draft. We also suggest certain principles be clarified.
While no document
can answer all questions, in some cases it is difficult to know whether
the goal of
an effective safe harbor will be achieved unless there is greater specificity.
Although
we have not been able to obtain extensive comments over the past two
weeks, following
are recommendations based on the primary concerns raised by our members:
We recommend there be an express statement that the Safe Harbor Principles
are not
intended to govern or affect U.S. privacy regimes. In practice,
it will be difficult for
U.S. retailers with relatively modest amounts of European Union business
to segregate
those transactions from all others. Consequently, the cost of
those transactions, and
the number of them, will rise and fall respectively. Still, the
Safe Harbor Principles are
important. For such retailers to operate outside of the safe
harbor likely would entail
even higher costs and even greater unacceptable risks. We expect
retailers to adopt
a variety of operational approaches to compliance with the principles.
For example, in
some circumstances, it may be relatively less complicated to treat
customers within
certain data clusters, containing both European citizens and others,
as if all were subject to the principles, despite the higher costs of doing
so. But such approaches should not
be read by any government as a mandate to treat all customers in such
a manner, and
thus impose the higher costs and inefficiencies the Directive entails
on non-European
Union transactions.
We suggest the definition of "sensitive information" should mirror that
contained
in the underlying documents, and this be expressly stated in
the introduction.
The last sentence of the notice provision requires that very detailed,
clear and
conspicuous, readily understood statements regarding information practices
be given
"when individuals are first asked to provide personal information to
the organization"
(emphasis added). For a variety of reasons, in many cases this
will not be achievable,
especially in off line transactions. A certain amount of information
is routinely captured
in the ordinary course of business (e.g. name, address and other information
may be
captured when a customer seeks to pay for a purchase by check).
To provide detailed
disclosures about one's information policies each and every time a
routine transaction
takes place would not only be extraordinarily burdensome, in many cases
it would be
unnecessarily duplicative. A customer who makes several purchases
from different
branches of the same store, or possibly even from different sales associates
within
the same branch, would have to be repeatedly provided with the same
required disclosures since, until the information is collected, none of
the other sales associates would know for a certainty whether the detailed
disclosures had already been provided. We would suggest the language
be changed to require either:
The organization make reasonable efforts to inform its customers of
the existence of
its customer privacy policies, and make the substance of such policies
available, on
a regular basis; or
The organization make the disclosures available before it transfers
the information to
an affiliate or third party (except, of course, as necessary to complete
the transaction).
We believe the "only" clause in the data integrity provision is too
restrictive. The
relevance of information may change over time. For example, would
we really want
to require that location information collected for marketing purposes
be deleted as
irrelevant if no marketing programs are currently planned, even if
the information
subsequently is discovered to be useful for purposes of notifying customers
in
connection with product safety recalls, a use not contemplated at the
time the
information was collected?
The requirement that the data be "current" is somewhat problematical
in its am
biguity. It might be misread to require continual updating.
Encouraging the concept of "access" in the context of marketing
data, as used
by most retailers, would add immeasurable costs to retail operations.
This is especially
true if it is conjoined with a requirement that individuals be able
to amend or correct
information. It is our expectation that access is to be limited
only to certain types
of sensitive, factual information. This point should be made quite
clear. The statement
that reasonableness of access depend on such fluctuating characteristics
as the "nature," "sensitivity," and "intended use" of the information is
too ambiguous to provide the certainty needed when designing data processing
systems.
That a retailer's internal
systems "know" that an individual had shopped with
the retailer twelve times in the course of the past year, whereas the
individual may believe that he or she has shopped eleven or thirteen times
is, for all practical marketing purposes immaterial. Yet, if too
broadly read, the access provision might require that the company rework
its systems in such a way so as to make that information available to any
individual who happened to ask, (and that the company set up a separate
process for "correcting" disputed information) even if the company itself
never explicitly retrieved the information in that form.
For example, that a system
routinely mails the men's shoe catalog to a customer
after he has purchased shoes, does not justify re-engineering
the internal processes to
provide access to the underlying information. Certainly,
in light of the fact that the safe
harbor is being proposed as a simplified option, its numerous
other provisions, including the opt-out, make this access requirement,
within the marketing context, unnecessary, expensive and superfluous.
As to corrections or amendments,
they logically relate to matters of fact. That
a household is a "promising" prospect is not a matter that should,
or practically can be,
thrown open to dispute and resolution unless one were to have courts
substitute their
judgments for that of marketers.
This is a case where the
advantages of a safe harbor might be undercut by
uncertainty. NRF suggests either that this principle be deleted
with respect to internal
marketing of one's own customers, or that it be made clearer that the
access principle
applies solely to sensitive, factual information.
7. Finally, as to enforcement, sanctions
imposed by regulatory bodies, whether
at the state or federal level, in response to citizen complaints should
be an explicitly
recognized enforcement avenue.
We appreciate the opportunity to comment. We would be happy to
meet with
you to discuss these or other issues in greater depth. Should
you have any questions
please feel free to contact the undersigned, or Sarah Whitaker at the
NRF (202) 783-7971.
Again, thank you for your consideration.
Respectfully submitted,
Mallory B. Duncan
Vice President, General Counsel
Don Gilbert
Senior Vice President
Information Technologies
FROM: Online Privacy Alliance - OPA
November 19, 1998
Mr. Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th Street & Constitution Avenue
Washington, D.C. 20230
Re: November 4, 1998
Request for Comments
on International Principles
Dear Mr. Fredell:
The Online Privacy Alliance
("OPA") submits the following comments and
attachments to the Department of Commerce (DoC) regarding the proposal
to
create a "safe harbor" within which US businesses could enjoy a
presumption of "adequacy" under the European Union's Directive on Data
Protection (Data Directive).
The Online Privacy Alliance
is a cross-industry coalition of more than
70 global companies and associations committed to promoting privacy
online. The OPA is an ad hoc organization and its primary purpose
is to
promote online privacy practices and policies and to foster an online
environment that respects consumer privacy. The principles, guidelines,
policies and recommendations of the OPA are intended to apply to the
online environment only.
The OPA supports the concept
of a safe harbor _only_ to the extent that
such a safe harbor is premised on and reflects the principles adopted
by
the Online Privacy Alliance -- at least for data collected online.
The
draft DoC International Safe Harbor Principles (Principles) seem to
reflect an ombudsman type approach to privacy, with proposed principles
reflecting the European approach to all data without regard to the
manner
in which the data is collected and its intended use. The OPA
urges the
DoC to allow for privacy standards that are consistent with best
practices in the online sector. The OPA Privacy Guidelines, are
attached
hereto for your consideration. (See Attachment 1.) To the
extent that
the DoC draft Principles and the OPA Guidelines differ, we request
that
the OPA language be used as the standard for online data protection.
The OPA has carefully crafted
its Privacy Guidelines. To aid in
understanding the application of the Privacy Guidelines in practice,
the
OPA is issuing its "Privacy Guideline Commentary". (See Attachment
2.)
This Commentary is intended to assist organizations as they craft data
practices and privacy policies to comply with the OPA Guidelines.
The
Commentary is intended to clarify any ambiguity in the Guidelines.
The OPA self-regulatory model
is premised upon enforcement of existing
law and regulations. To aid in understanding why we believe the
OPA
Privacy Guidelines provide adequate privacy protection . . .The OPA
is
issuing a "Legal Framework White Paper" (See Attachment 3.) The
White
Paper details how the OPA model works within the structure of existing
U.S. law.
Sincerely,
Christine A. Varney
Enclosure -see 3 attachments below:
\\\DC - 68528/1 - 0769655.01
Attachment 1 - OPA
On Line Privacy Alliance Companies and Associations
An alliance of global companies & associations
committed to promoting privacy online.
Acxiom
America Online, Inc.
Ameritech
Apple Computer
AT&T
Bank of America
Bell Atlantic
Cisco
Compaq
Dell
Disney
Dun & Bradstreet
eBay Inc.
Eastman Kodak, Co.
EDS
E-LOAN
Engage Technologies Inc.
Equifax
Ernst and Young
Experian
Ford
Gateway
GeoCities
Hewlett-Packard
IBM
InsWeb Corporation
KPMG
LEXIS-NEXIS
MatchLogic
MCI
Microsoft
Narrowline Inc.
NCR
NETCOM On-Line Communication Services, Inc.
Netscape
Network Risk Management Services
NORTEL
Oracle
Preview Travel
PricewaterhouseCoopers
Procter & Gamble
Sun Microsystems
Time Warner Inc.
Unilever United States, Inc.
Viacom
ViewCall Canada, Inc.
WebConnect
Xerox
Yahoo!
American Advertising Federation
American Electronics Association
American Institute of Certified Public Accountants
CASIE (CASIE is representing Association of National Advertisers &
American Association of Advertising Agencies)
Association of Online Professionals
Computer Systems Policy Project (CSPP)
Council of Growing Companies
Direct Marketing Association
European-American Business Council
Individual Reference Services Group
Information Technology Association of America
Information Technology Industry Council
Interactive Travel Services Association (ITSA)
Internet Alliance
The Software Publishers Association
The United States Council for International Business
The United States Chamber of Commerce
Privacy Guidelines Commentary
Submitted with the Comments of the Online Privacy Alliance
On the Draft International Safe Harbor Principles
Legal Framework White Paper
Submitted with the Comments of the Online Privacy Alliance
On the Draft International Safe Harbor Principles
November 19, 1998
Mr. Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th Street & Constitution Avenue
Washington, D.C. 20230
Re: November 4, 1998 Request for Comments on International Principles
Dear Mr. Fredell:
The Internet Alliance welcomes the opportunity to submit comments to
the
Department of Commerce on its proposal to create a "safe harbor" from
enforcement of the European Union's Directive on Data Protection (Data
Directive). The Internet Alliance (IA) is concerned about the
level of
uncertainty engendered in the online marketplace by the European Union's
(EU) Data Directive which became effective on October 25, 1998.
As you
know, the Internet is a dynamic and global medium which respects no
borders. The IA believes that the global nature of the Internet
should
factor into any policy decision made with respect to it. We therefore
appreciate the Department of Commerce's (DOC) efforts to find a common
ground which both addresses EU privacy concerns and respects the US
approach to privacy protection. We hope that our comments provide
some
guidance to you as you continue your negotiations with the EU.
The IA is the leading trade association representing companies focused
on
providing consumer-focused, Internet-based goods and services.
The IA
has long urged companies doing business online to adopt and implement
fair information practices. In 1996, The IA developed our own
guidelines
showcasing the concepts of "notice and consumer choice" for IA members.
More recently, the IA demonstrated its commitment to promoting online
privacy by helping to form the Online Privacy Alliance (OPA).
Consistent
with our mission and in accordance with the OPA's Association Policy,
the
IA continues to encourage its members to adopt privacy policies and
to
implement appropriate self-regulatory mechanisms. Beyond proselytizing
to our own members, the IA assists the OPA in reaching out to both
businesses and consumers about the importance of online privacy.
Further, the IA has contributed significant time and resources to
facilitating the OPA's mission.
In light of the our strong support of and participation in the OPA,
the
IA aligns itself with the comments submitted by the OPA. While
the draft
International Safe Harbor Principles may apply to several sectors of
electronic commerce, the IA, like the OPA, believes that they should
address issues particular and unique to the online environment.
Further,
the IA requests that the DOC clearly delineate the issues surrounding
the
implementation and certification process for US-based businesses seeking
safe harbor status.
Again, the IA seconds the OPA's comments on the safe harbor approach
and
encourages the DOC reach a consensus with the EU which reflects the
US,
sectoral privacy approach and acknowledges the significant efforts
made
by industry to self-regulate.
If you have any questions or if I can be of further assistance, please
do
not hesitate to contact me at 202-955-8091 or via email at
.
Sincerely,
Jeff B. Richards
Executive Director
Internet Alliance
(1825 I Street, NW, Suite 400)
PO Box 65782
Washington, DC 20035-5782
USA
FROM: Compaq Computer Corporation
November 19, 1998
Mr. Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th Street & Constitution Avenue
Washington, DC 20230
Re: November 4, 1998 Request for Comments on International Safe Harbor Principles
Dear Mr. Fredell:
Compaq Computer Corporation welcomes the opportunity to comment on the draft international safe harbor principles put forth by the Department of Commerce in connection with the European Union Directive on Data Protection (“the EU Directive”). We recognize and appreciate the efforts of the Clinton Administration in its ongoing dialogue with U.S. industry and the European Union on the issue of personal privacy.
Founded in 1982, Compaq Computer Corporation is a Fortune Global 100
company.
Compaq is the second largest computer company in the world and the
largest global
supplier of personal computers. Compaq develops and markets hardware,
software,
solutions, and services, including industry-leading enterprise computing
solutions,
fault-tolerant business-critical solutions, networking and communication
products,
commercial desktop and portable products and consumer PCs. Compaq
recognizes
the importance of protecting our customers’ and employees’ privacy
rights. To this
end, Compaq was a founding member of the Online Privacy Alliance, and
was an
initial sponsor of TRUSTe’s groundbreaking privacy seal program.
Compaq commends the Department of Commerce for its efforts to ensure
the continuing flow of data from the European Union to the U.S. under the
EU Directive. It is Compaq’s view that the concept of a “safe harbor,”
as set forth in Undersecretary Aaron’s letter of November 4, 1998 to industry
representatives, is a promising means to achieve that goal. However,
we are unable to wholeheartedly endorse this proposal without significant
additional information and measures taken in response to the comments herein.
Compaq has concerns both with respect to unanswered questions about the
actual operation of the safe harbor, as well as with the draft principles
laid out on November 4. Many of our concerns are set forth more completely
in the comments
of the Online Privacy Alliance, the Information Technology Industry
Council, and
other trade associations to which Compaq belongs. They are incorporated
herein
by reference.
GENERAL ISSUES
Concerning the general operation of the safe harbor, Compaq seeks additional
clarification on the following issues. Further dialog in response
to these
questions is required before we can make a final determination as to
the
utility of a safe harbor approach.
US businesses must not be subject to greater requirements under the
safe
harbor than those imposed by the EU Directive itself. The safe
harbor principles
should be consistent with existing US practices and laws. In
particular, the safe
harbor approach should specifically recognize a company’s compliance
with
industry-based codes, such as the OPA guidelines for online business
practices.
Along these same lines, the safe harbor principles should explicitly
acknowledge
the traditional US sectoral-based system of protection of privacy (as
Undersecretary
Aaron clearly noted in his November 4 cover letter).
Much of the safe harbor remains vague, leaving companies unable to assess
whether they will be able to comply with its provisions. Certain
terms are left
undefined, without guidance as to how they will be interpreted in practice.
Moreover the mechanics of the safe harbor remain unclear, including:
how
a company receives the protection of the safe harbor, and what process
or
processes will be used to address complaints arising under the safe
harbor.
Compaq is extremely mindful that the EU Directive applies to a wide
variety of
personal data and data transfers. As a global company, for example,
we have
significant European operations and must consider the impact of the
Directive
on human resources and employee data. This is a serious issue
that potentially
involves thousands of Compaq employees. Keeping in mind that
the U.S. and
Europe are each other’s largest sources of foreign investment, the
potential
impact on inter-company data exchanges generally would seem to be huge.
The Department of Commerce must consider this myriad of situations
in crafting
the safe harbor, so that it may be applied to all collections and transfers
of data
under the Directive (where such data is nonproprietary and electronically
processed).
A company operating within the safe harbor should be able to extend
the protections
it receives thereunder to other corporate entities outside of the U.S.
If the
company (including those non-U.S. entities) is operating in compliance
with
the safe harbor, it should be able to transfer data throughout the
corporation
irrespective of geographic designations.
COMMENTS ON THE DRAFT INTERNATIONAL SAFE HARBOR PRIVACY PRINCIPLES
Compaq believes that the initial point of consideration for safe harbor
principles
should be existing industry programs. As set forth in the comments
of the OPA,
we urge you to consider the carefully crafted OPA guidelines as a basis
for safe
harbor principles, at least for the online environment. However,
Compaq also
offers the following specific comments with regard to the draft principles
proposed
by the Department of Commerce.
Notice
Compaq fully supports the concept of requiring adequate notice as the
significant
starting point for informing individuals of an organization’s data
practices. However,
certain elements of the notice principle set forth in the draft are
unduly burdensome
and may be unworkable. In particular, the requirements to state
“how [the organization]
collects that information” and “the types of organizations to which
it discloses the
information” are both unclear and may potentially be overly broad and
burdensome without similarly increasing an individual’s level of privacy
protection.
Choice
The parenthetical in the first sentence serves to confuse the meaning
of this
principle. First, the focus should be on the use for which the
data was collected,
rather than for which it was disclosed, since the latter presents a
subjective
standard that the organization cannot know and verify in order to manage
the
data. Second, Compaq respectfully suggests that the parentheses
be deleted,
in order to effectuate the widely accepted principle of choice: that
is, choice is
provided explicitly “where such use is unrelated to the use” for which
it is collected.
Onward Transfer
Compaq has grave concerns about the inclusion of this principle in
a safe harbor
designed for US entities. The requirement that an organization
ensure that third
parties to which the organization transfers data provide at least the
same level
of privacy protection as originally chosen by the individual is fraught
with potential
liability for the party initially collecting the data. This principle
appears unnecessary
in light of strong notice and choice principles, as espoused in the
OPA guidelines.
Under such guidelines, the individual will be able to opt-out of transfers
of the data
to third parties in the vast majority of circumstances. Accordingly
it follows that
where an organization is transferring the data to a third party it
will be with the
consent of the individual – and thus there is no need to impose a burden
on the
company to monitor the use of the data by that third-party. This
would, in addition,
be an extremely difficult requirement for companies to administer.
Data Integrity
Compaq is uncertain as to the specific goals and requirements of this
principle.
The use and placement of the word “only” in the first sentence renders
that
sentence ambiguous. Compaq believes that organizations that collect
data share
the interest of the individuals providing such information that the
data be accurate,
timely and complete. If the focus of this principle is that the
data should be relevant,
then that term needs to be defined. Moreover, an organization
should not be held
responsible for the accuracy of data collected from publicly available
sources.
Access
Compaq has concerns about the ability of organizations to comply with
this principle.
Although the term “reasonable” may limit the provision somewhat, it
remains extremely
broad, involving all data an organization may have about an individual.
In the online
environment in particular, this presents complex and burdensome requirements
on an
organization. For example, when individuals visit a web site
it is possible to track their
visit from one place on the web site to another, i.e., where they “click
and go.” Must
access be provided to “session data” that might be traceable to an
individual, and if
so, in what form should the organization provide access? Moreover,
this principle does
not focus on serving the primary purpose of providing access: accuracy.
Access by
individuals for the purpose of correcting material data used for substantive
decision-making purposes that affect the individual would be more in
line with
American tradition and the self-regulatory codes developed by U.S.
industry,
while still addressing the perspective of the EU.
Enforcement
It is well established that enforcement is a critical component of
the self-regulatory
scheme upon which the safe harbor is to be based. Compaq endorses
the OPA
Enforcement paper, which expresses this view in greater detail.
With regard to
this principle, Compaq supports the proposed language of the Information
Technology
Industry Council (“ITI”). We again want to emphasize, however,
the wide variety of
circumstances under which an organization such as Compaq may be subject
to the
EU Directive and seek the protection of the safe harbor. We support
the development
of seal programs, as an appropriate system for the online environment,
but other types
of data flows may not be amenable to that system. In those circumstances,
an
organization may need to rely on other means of enforcement, as set
forth in the
proposed principle.
CONCLUSION
Compaq appreciates the efforts of the Department of Commerce to address
the
issues of data privacy and the EU Directive, and is pleased to be able
to offer
comments to the November 4 proposal. We welcome the opportunity
to continue
to discuss these issues with the Department of Commerce, and to work
with you
on a successful resolution of the critical outstanding issues.
Sincerely,
/s/Joseph Tasker, Jr.
Vice President and Associate General Counsel
Government Affairs
Compaq Computer Corporation
1300 Eye Street, N.W.
Washington, D.C. 20005
joe.tasker@compaq.com
November 20, 1998
Ambassador David Aaron
Undersecretary for International Trade
U.S. Department of Commerce
International Trade Administration
14th and Constitution Avenue, N.W.
Washington, D.C. 20230
Dear Ambassador Aaron:
The U.S. Chamber of Commerce
commends the Department of Commerce
on its efforts to reach an understanding with the European Commission
relative to
the application of the EU Privacy Directive for U.S. companies managing
personal
data from the EU to the U.S. Free flow of data is crucial to
the health of our already
vibrant trade relationship with the EU. We support U.S. government
efforts prevent
any blockage of data that may result from the EU Privacy Directive,
and recognize
the need to protect consumers’ security and privacy.
The U.S. Chamber strongly believes that consumer privacy is an essential
element
of any electronic commerce. However, U.S. companies should not
be held to a higher
standard than is customary commercial practice in the U.S. simply in
order to accommodate the European Privacy Directive. In the United
States, industry-wide self regulation of data privacy backed-up by legislation
where necessary, has proven to be the most successful and cost effective
way to ensure the privacy of consumers.
The definition and scope of consumer privacy vary significantly between
the U.S.
and the EU. U.S. industry has historically relied on a sectoral,
self-regulatory approach
while Europeans have relied more on government regulation to address
violations of privacy. Requiring U.S. industry to move towards a European
approach to on-line privacy protection would seriously impede continued
expansion of the medium that has brought such tremendous growth to the
U.S. and global economy. We believe the Safe Harbor Principles should
be consistent with the Online Privacy Alliance (OPA) guidelines.
The U.S. Chamber offers the following basic principles that should govern
the privacy principles:
Adoption of Privacy Policy
The U.S. Chamber strongly believes that all companies engaged in electronic commerce should adopt and implement a privacy policy.
Sectoral Approach
We believe the Department’s Safe Harbor principles should adopt a sectoral
approach and should be consistent with the Online Privacy Alliance
(OPA) guidelines.
After close examination many industry representatives have concluded
that the Safe
Harbor Principles as they stand are unworkable. We support a
sectoral approach to
privacy protection that would create a safe harbor for companies that
comply with their
industry-based codes. The Department’s Safe Harbor Principles
should include industry codes for privacy, thereby making it clear which
companies benefit from the safe harbor. Companies should be considered
in the safe harbor if they self certify, for example, through a third party
seal program.
Notice and Disclosure
The consumer should be given adequate notice and choice when providing
personally
identifiable information online and this notice should be clear,
understandable, and
easily found. Businesses collecting data online should explain
what data are being
collected, the purpose of collecting this data, the consumer’s options
concerning processing and the possibility of transfers of this data to
third parties. The data collecting companies should not be responsible
for identifying the third parties, and should not be held liable for ensuring
that the same level of privacy is adhered to once the data is transferred.
Choice and Consent
Consumers must be empowered with choice and responsibility regarding
personal
information collected on them. The consumer should be given the
choice to opt
out of giving confidential information, such as medical and financial
information, whose
disclosure could significantly compromise the consumer’s privacy.
Enforcement
Enforcement of any violations to privacy rules should be done by third-party
programs,
such as BBB online and TRUSTe, that verify adequate steps have been
taken to ensure
consumer security and privacy and that provide adequate certification
of enforcement.
Measures include on-site compliance review, seal rights, and consumer
dispute resolution programs
Access
Access to information should be granted to individuals when that information
is directly
traceable to them. Unlimited access, as is embodied in the EU
Privacy Directive, could
be extremely costly to a company and could severely impede the development
of electronic commerce activities. Consumers should be granted access
to data for the purposes of assuring its quality, that is, to verify its
accuracy and correct and update it if necessary.
We welcome the Department’s efforts to try to come to a mutual understanding
with the
European Union on the issue of data privacy protection. Everyone
should be mindful of
the vast potential for global commerce that is at stake. The
U.S. Chamber continues to
support industry self regulation as the best means of ensuring effective
protection of data privacy while at the same time preserving the uninterrupted
flow of data across the globe.
Sincerely,
Willard A. Workman
Vice President, International
November 23, 1998
FROM: Laser Institute of America
TO: Eric Fredell, Task Force on Electronic Commerce
Dear Mr. Fredell,
It was with interest that we read the recent fax from Rose Ann
Antoniello regarding OMC N 262 - Commerce Dept. Proposes International
Safe Harbor Privacy Principles.
The Laser Institute of America is a professional membership society
that
includes international members, sells publications worldwide and
registers overseas attendees for our annual laser applications
conference. We feel that the Safe Harbor Privacy Principles might
affect us somehow. To be truthful, though, we were unable to
decipher
from the faxed missive just how it would impact us.
Will you please forward more background on this proposal and
information on what types of organizations will be affected.
Thank you for your time.
Sincerely,
Daryl Flynn
--
M. Daryl Flynn
LIA Conferences Director
407-380-1553
407-380-5588 fax
daryl@laserinstitute.org