December 1, 1998
Undersecretary David Aaron
C/o Mr. Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th and Constitution Avenue, N.W.
Washington, DC 20230
Re: On-line Privacy Protection Principles
Dear Ambassador Aaron:
This letter is written on behalf of Novartis Corporation, a world leader in pharmaceutical research and manufacturing, with extensive operations in the United States and abroad. We are writing to thank you for your efforts to prevent any disruptions in data flows across the Atlantic that might result due to the recent implementation of the EU privacy directive.
We agree that a voluntary, self-regulatory approach will provide citizens of both the EU and the United States the utmost protection of their private personal information, while at the same time allowing U.S. companies the flexibility to tailor their privacy protection procedures in a way most appropriate to their specific operations.
As a major pharmaceutical manufacturer, Novartis is dependent on the collection and analysis of personal patient information. Without an ability to collect and disseminate this information both within the company and among our affiliates, development of promising new pharmaceuticals will be impeded. While some of this data by necessity must be personally identifiable to specific patients, we also routinely collect and collate patient data on an anonymous basis.
This data presumably would not be covered by the EU privacy directive. However, the definition of “personally identifiable” information is somewhat ambiguous in the current version of the safe harbor principles. As a result, we would ask that you provide additional definitional clarifications regarding what constitutes personally identifiable information in the next iteration of the privacy principles.
In addition to clarifying the types of information that will fall under the privacy protection principles, we also would stress the need for consistency in the treatment of various types of personal data. Specifically, we agree that private personal medical data, including genetic information, should be accorded a consistent level of protection. It is also our firm belief, and the position of the U.S. pharmaceutical industry at large, that no differentiation should be made between the protection of basic medical information as opposed to genetic information for purposes of the safe harbor principles.
With regard to the privacy principles related to “choice” we agree that individuals are entitled to some degree of control regarding how their personal medical information is used and disseminated. However, our medical researchers routinely must transfer data several times during a particular study, often in the form of aggregated, anonymous data sets. As a result, we would suggest that the safe harbor principles regarding “choice” be modified slightly to require data collectors to provide data subjects an explicit “opt-in” choice only during the initial phase of the information collection process.
At that time, patients would be notified of the planned uses for the information collected about them, the individuals or organizations that will use the information and to whom it might be disclosed. Once consent is received after providing these clarifications, then the data collector should be relieved of any responsibility to secure additional “opt-in” consent as long as the data is used and transferred accordingly.
Finally, we certainly believe that the voluntary, self-regulatory approach developed by you and your staff provides the best avenue for U.S. companies to address the EU privacy directive. However, we also know that some companies within our industry are contemplating contractual arrangements with individual EU member states as a means of providing an extra layer of protection beyond that afforded by adherence to the voluntary safe harbor principles.
Again we wish to thank you for your efforts to broker a compromise with the EU over the privacy directive and for providing us an opportunity to offer our comments on safe harbor provisions currently under development. Please feel free to contact me any time if you have any questions regarding this submission or Novartis’ position on this important issue.
Sincerely,
Tracy Haller
November 19, 1998
Mr. Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th & Constitution Avenue, NW
Washington, D.C. 20230
RE: EU International “Safe Harbor” Privacy Principles
Dear Mr. Fredell:
The Council of Insurance Agents and Brokers represents the nation’s largest commercial property-casualty insurance agencies and brokerage firms in the United States and around the globe. Our members are located in some 3,000 global locations and annually place nearly 80 percent – more than $90 billion – of the commercial property/casualty premiums in the United States. As such, our members are an integral part of the insurance process, providing a wide range of commercial insurance products (including workers’ compensation) and risk management services to both the private and public sectors. Businesses, schools and governments depend on our members to provide services that help them manage their risk and avoid unnecessary financial losses.
Because of the vital role our members play as intermediaries, the discussion over the EU privacy directive and the establishment of safe harbors for U.S. business is of particular interest to our members. As a member of the Coalition of Service Industries (CSI), we are in complete agreement with the comments CSI has submitted to you. We have also signed on to the letter submitted by the American Insurance Association (AIA) and other insurance groups. We strongly endorse the comments outlined in that statement and encourage the Department to take the recommendations under serious consideration. We are particularly concerned about the following issues raised in more detail in the AIA letter:
We appreciate the opportunity to comment and appreciate the Department’s efforts on our behalf.
Sincerely,
Coletta I. Kemper, ARM
Vice President, Industry Affairs
Under Secretary David L. Aaron
c/o Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th & Constitution Avenue, N.W.
Washington, D.C. 20230
Re: Draft International Safe Harbor Privacy Principles
Dear Ambassador Aaron:
This letter is written on behalf of the American Council of Life Insurance (“ACLI”), a national trade association with 532 member companies. Our member companies write 88% of the legal reserve life insurance in force in the United States. We want to thank you for your efforts on behalf of U.S. industry, and the life insurance industry particularly, with respect to the discussions you have pursued regarding implementation of the European Union Directive on Data Protection.
As you are aware, the life insurance industry is highly regulated with numerous laws and regulations governing the access to, use and disclosure of personal information. In addition, life insurers have a long-standing history of protecting personal information as reflected in company policies and procedures. ACLI, in concert with other insurance trade associations and segments of the financial services industry (banking, securities and investment companies), has documented the myriad laws and practices that affect our industry and has sent a compilation of them to the European Commission and the U.S. Government. ACLI supports the written submissions of these industries, as well as that of the Coalition of Service Industries, of which ACLI is a member. The following represents ACLI’s position regarding the November 3, 1998 draft International Safe Harbor Privacy Principles:
General Comments
ACLI favors the goal of crafting a “safe harbor” for purposes of fashioning a coherent U.S. industry response to the EU Privacy Directive. The benefits of “safe harbor” as outlined in your correspondence to industry representatives should provide meaningful assistance to any U.S. company that is challenged on the basis that the company’s practices violate the Privacy Directive. The European approach to privacy is apparently quite different from that of the United States, and ACLI supports the Commerce Department’s effort to bridge these different approaches so as to avoid any disruptions of cross-border data flows. We believe it especially important that the “safe harbor” concept be consistent with U.S. laws and practices.
As a threshold issue, ACLI would like the Preamble to the Principles to clearly state that the purview of the Directive is limited to data collected in Europe regarding European citizens and transferred to the United States. It is not uncommon for a U.S. life insurer to underwrite and issue a policy to a European citizen who is legally residing in this country or to a U.S. citizen who is legally residing abroad on a temporary basis. It is our understanding that in such cases the Privacy Directive would not be applicable. We would appreciate your efforts to set forth the scope of the Directive with specific examples in the Q&A.
Qualifications for “Safe Harbor”
According to the Principles, a company “qualifies for the safe harbor if it is subject to a statutory, regulatory, administrative, or other body of law that effectively protects personal information privacy.” It is unclear how a company or industry segment demonstrates that it is in fact subject to legal mechanisms that effectively protect privacy. The insurance industry believes it has convincingly made the case that it satisfies this method of qualification for the “safe harbor.” We would urge you to seek clarification that the life insurance industry qualifies for the “safe harbor.” Absent such qualification, insurers and others in highly regulated industries would presumably be required to self-certify to compliance with the Principles themselves. The “safe harbor” should make clear that membership in a highly regulated industry gives rise to the benefits of “safe harbor” independent of the Principles.
Fraud Detection and Investigation
Paragraph three (3) of the November 3 Draft Principles states that adherence to the Principles is subject to several exceptions, including “risk management” and “public interest.” The issue of fraud is enormously important to the insurance industry. While fraud detection and investigation arguably fall within these categories, ACLI would like to see “fraud detection and investigation” added as a specific exception or qualification to the Principles. Along the same lines, it would be helpful if the “risk management” exception was expanded to “risk evaluation and management.” “Risk management” is a term more typically associated with property/casualty insurance. “Risk evaluation” better reflects practices within the life insurance industry.
Notice
The notice provision requires an organization to provide notice before the individual is asked to provide information. In the life insurance business individuals are routinely asked to provide information at the time an application for coverage is contemplated. For example, a life insurance agent may telephone a potential applicant and ask for personal information (age, marital status, number of children, income) so that the agent can determine the need for insurance and, if appropriate, prepare a proposal. This is the pre-application phase. Later, if the individual is interested in going ahead with an application, an authorization is provided and signed, and the insurer seeks information from medical providers and perhaps other third parties. The notice requirement should be limited to this application phase and should only cover the disclosure of information from third parties, not information provided directly from the individual.
Choice/Opt-In
Medical information is a critical component of the underwriting and claims practices of life, disability income and long-term care insurers. Individuals, of course, are entitled to a measure of control over how their medical information is used. ACLI policy recognizes the legitimate interests of consumers in their medical information, including the ability to access, correct and amend information in the possession of an insurer, and the ability to learn of any redisclosures of such information that have been made.
The Privacy Principles state several times that individuals must be given the opportunity and means to limit the use and disclosure of personal information. With respect to sensitive information, including medical information, the individual must be given an explicit “opt in” choice. In the life insurance context, companies inform individuals as to what kinds of information will be gathered, from whom it will be gathered, to whom it may be disclosed, etc., but the individual takes this as a package. The individual is of course free to choose not to do business with the insurer by choosing not to apply. The individual is not free to pick and choose what information the company may obtain or (in the furtherance of legitimate insurance functions) how the information may be used and shared with affiliates and contractors.
Data Integrity
This Principle states, among other things, that information maintained by an organization must be “complete and current.” This is potentially troubling for life insurers. Is there an obligation to confirm that information is “complete” (however defined), and is there an obligation to keep updating such information, even if the organization has no business purpose to do so? In our business there typically is no need to keep personal information up-to-date once the insurance policy has been issued. We would suggest that this be clarified in the Principles or the Q&A to provide that organizations are not responsible for whether personal information is complete or current.
Thank you again for your representation of U.S. industry in the EU Privacy Directive discussions. Please let me know if there is any additional information regarding life insurance we can provide that will be of assistance to you.
Very truly yours,
David M. Leifer
From: Investment Company Institute
November 19, 1998
Mr. Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th and Constitution Avenue, NW
Washington, DC 20230
Re: Comments on International Safe Harbor Privacy Principles
Dear Eric:
The Investment Company Institute appreciates the opportunity to provide comments on the Commerce Department’s international safe harbor privacy principles. We welcome the principles as an important step towards gaining certainty over the enforcement of the European Union’s Data Privacy Directive.
This comment letter is directed to one aspect of the proposed safe harbor of particular importance to the US investment company industry. The third paragraph of the draft states that “an organization qualifies for the safe harbor if it is subject to a statutory, regulatory, administrative, or other body of law that effectively protects personal information privacy.” We interpret this sentence to mean that financial services companies that are subject to regulations and enforcement by self-regulatory organizations with respect to the protection of customer privacy will qualify for the safe harbor. We further understand that such will be the case even if those regulations do not embody all of the specific elements contained in the principles, so long as they still “effectively protect” the privacy of personal information. This approach, which the Institute supports, fosters the Clinton Administration’s goal of avoiding “one size fits all” regulation of privacy in the US by appropriately allowing an industry’s traditional regulator to take the lead in addressing privacy issues for that industry.
In the US, investment companies and their investment advisers and underwriters are subject to a stringent system of regulation administered by the Securities and Exchange Commission (SEC) under the various federal securities laws. In addition, the sales activities of investment company underwriters and their agents are regulated by the National Association of Securities Dealers (NASD). The NASD has proposed a rule specifically dealing with the confidentiality of customer data used for marketing purposes. The proposed rule would impose restrictions on the ability of NASD members to share customers’ financial information with other entities. We understand that the NASD intends to move forward with its rulemaking later this year, taking into account the comments the proposal received.
The Institute supports rulemaking by the NASD as the appropriate means to deal with privacy issues involving investment companies. Such rulemaking can advance the common public policy goal of protecting personal privacy while tailoring investment company privacy regulations to take into account certain unique features in the way investment companies operate and the nature of their relationships with shareholders. It is possible, for example, that the NASD may determine to require disclosure rather than an opt out procedure for certain types of information-sharing within an investment company complex in recognition of the fact that investors who purchase shares of a mutual fund, in effect, often are entering into a relationship with the entire fund family. As a result, a rigid opt out requirement, with all its attendant costs, would neither be necessary nor appropriate in these circumstances. Should the NASD concur with this view, firms in compliance with NASD rules nevertheless should be able to avail themselves of the safe harbor.
Accordingly, the Institute and its members strongly urge that any safe harbor established with respect to the EU Directive allow an organization to qualify for the safe harbor on the basis of requirements established by its regulator with respect to the protection of personal information privacy for that industry. This should be the case even if the requirements do not precisely mirror each of the seven specific elements contained in the principles.
Sincerely,
Mary S. Podesta
Senior Counsel
MEMORANDUM
TO: Eric Fredell
Task Force on Electronic Commerce
US Department of Commerce
FROM: Bob Vastine
Coalition of Service Industries
SUBJECT: CSI Comments on Safe Harbor Principles Draft
DATE: November 11, 1998
This memorandum responds to Undersecretary Aaron’s November 4 letter to industry representatives. It contains the comments of members of CSI’s Transborder Data Flows and Financial Services Working Groups on the November 3 draft of the International Safe Harbor Privacy Principles. We look forward to the earliest opportunity to meet with representatives of the Department to discuss the points raised below.
PREAMBLE
Public Information
To clarify that the Principles do not apply to public information, we believe the Preamble should contain a sentence such as the following:
The Principles apply to information that the organization obtains directly from the individual or from private third parties. This does not include data from public (government) records, or information in the public domain, such as information that is published or broadcast.
European Data
To clarify that the Principles apply only to European data, we believe the Preamble should also include a sentence such as the following:
An organization may adopt these Principles generally, or specify that they apply only to data from certain jurisdictions, such as the European Union.
"Sensitive" Information
As the term "sensitive information" is used several times in the Principles document, and because it has a precise meaning for Europeans, we believe it would be helpful to state a definition in the Preamble, such as the following:
Sensitive information is information that reveals a person's racial or ethnic origin, political, religious, or philosophical views, labor union activity, or information about a person's health or sexuality.
NOTICE
Language must be "readily understood."
The term "readily understood" can be interpreted in different ways. If the purpose is to establish that language be clear, that is already provided in the same sentence, by the requirement that "notice must be provided in clear...language..." We recommend the deletion of the phrase "readily understood."
Notice when first asked to provide information.
A number of companies make the point that the requirement in the last sentence that notice must be made available when individuals are first asked to provide personal information to an organization, is not workable in practice in a great many off-line transactions. It is easy to provide full notice when dealing with individuals on-line. But it would be highly impractical to include a clear, complete privacy notice when soliciting an account by telephone, within the application for a credit card, or with a smart card at point of sale. This detailed information can, however, be provided easily with the initial printed interaction with the customer, or with the first account mailing to that customer. Therefore we recommend that the sentence be modified to read as follows:
This notice must be provided in clear and conspicuous language that is made available prior to, at the time, or as soon as practicable when individuals are first asked to provide personal information to the organization.
CHOICE
Opt-out for unrelated use (second parenthetical).
We read this parenthetical (and the parenthetical in the principle on onward transfer), to mean that companies would not have to provide an opt-out for transfers of information to third parties (either affiliated or not) if such transfers are necessary to provide the consumer with the service the consumer originally sought to obtain from the company. This would include, for example, transfers necessary in the ongoing maintenance of the customer account and relationship. If this reading is correct, we request it be established in the Q&A.
Medical Information Provision
The opt-out choice and the opt-in authorization requirement for medical information unnecessarily raise the bar for those covered by the directive to a level higher than that provided to US citizens. For example, under model legislation recently developed by the National Association of Insurance Commissioners, the special informational needs of workers' compensation insurers are recognized by exempting them from authorization requirements entirely. We would recommend that the phrase "where appropriate" be added each time the data subject is given an opt-out or opt-in choice so as to balance the privacy needs of the consumer against the business need to meet state statutory requirements. This modification should be amplified by a Q&A that establishes that the phrase "where appropriate" has specific application to unemployment compensation insurance.
ONWARD TRANSFER
Requirement for third party privacy protection.
Companies are concerned that the requirement that the organization to which information is transferred provide the same level of privacy as originally chosen by the individual is unworkable in practice and might limit sharing with affiliated companies to the extent that it is permitted under US law (for example, after notice and opt-out). Equally effective from the standpoint of the customer, and more workable from a contractual point of view, would be a requirement that transferred information will be kept confidential and will be used only for the purpose for which the third party was engaged. We suggest a substitute sentence which would read:
When transferring information to unaffiliated third parties, an organization must require assurances that the information will be used only for the purposes for which the information is given to the third parties (unless required by law to do otherwise).
Data should be current.
It is suggested that the requirement that data should be current implies a requirement to update old, even archived, records. It is suggested that “timely” might be a better word.
DATA INTEGRITY
The requirement that an organization may keep data relevant only for the purposes for which it has been gathered, may conflict with regulatory requirements that some data be maintained that is not relevant only for the purposes for which acquired. We recommend deletion of the word "only."
ACCESS
Substantive decision-making purposes.
We believe it would be more appropriate to move the example in the third sentence to the interpretive Q&A, where it can be more fully explained. In the Q&A we would like to establish that the decision to solicit a consumer for a product or service would not be a substantive decision that affects that consumer. This could be expressed as follows:
Applying the criterion of reasonableness, access should be provided where the data is sensitive (information revealing racial or ethnic origin, political, religious, or philosophical views, labor union activity, health or sexuality) or where the data is used for substantive decisions that have legal or other significant consequences for the individual. Decisions on whether to solicit a consumer for a product or service would not be such a decision.
Proprietary information.
We believe the principle of proprietary information in the Preamble should be given further definition in the interpretive Q&A, in connection with the Access Principle. We suggest the following language:
This Principle, like the others, does not apply to proprietary information, which is any confidential or legally protected information held by the organization, apart from factual information about an individual. In applying the Access Principle, for example, an organization should provide reasonable access to an individual’s transaction record and the factual bases for substantive decisions that significantly affect the individual, but not the organization’s information technology structure, modeling techniques, product development strategy, trade secrets, confidential commercial information, or software subject to intellectual property protection.
ENFORCEMENT
Providing individuals the means for enforcement.
This requirement, stated without qualification, opens a wide range of possibilities for individuals in pursuit of enforcement. We suggest interpretive language in the Q&A as follows:
The means for individuals to obtain enforcement of an organization’s privacy commitments might include one or more of the following:
a. Mechanisms established by organizations to resolve consumer complaints including an organization's own customer relations procedures, including toll-free telephone service centers, web site communications, and local or centralized contact points.
b. Complaint to a government agency with enforcement powers (Federal Trade Commission, financial services regulatory authority, state attorney general, etc.);
c. Legal action in US courts based on breach of contract;
d. Dispute resolution procedures established by self-regulatory bodies with the authority to assess fines, publicize abuses, expel members, revoke a license to display a trust seal, prosecute a lawsuit based on failure to meet contractual commitments, refer violations to the FTC or state or local authorities, or take other effective dissuasive measures; or
e. Contractual submission of the US organization to the jurisdiction of European courts or data protection authorities, or contractual commitments, enforceable in European or US courts, to (a) cooperate in investigations of individual’s privacy complaints by European administrative or judicial authorities and (b) comply with their decisions.
November 23, 1998
Ambassador David L. Aaron
Under Secretary for International Trade
United States Department of Commerce
14th and Constitution Avenue, N.W.
Washington, DC 20230
Attention: Eric Fredell, Task Force on Electronic Commerce
Dear Ambassador Aaron:
AT&T Corporation welcomes the opportunity to provide comments to the U.S. Department of Commerce regarding its Draft International Safe Harbor Privacy Principles (“Draft Principles”). AT&T applauds your efforts, and those of your staff, and others in the Administration to ensure that U.S. industry’s interests and concerns are understood and reflected in the development of an approach that addresses the concerns of European privacy regulators and the European Commission. We believe that such an approach can bridge the differences between the U.S. and the European Union regarding privacy protection.
AT&T has a long heritage of protecting our customers’ personal information, and just recently, AT&T introduced its Online Privacy Policy (http://www.att.com/privacy/). AT&T views industry self-regulation as a critical first step toward protecting privacy online. That is why, along with other companies and several industry associations, we became a supporting member of the Online Privacy Alliance (OPA). We are also supporting the development of enforcement mechanisms such as the BBBOnline Privacy Project and TRUSTe, two industry-led programs that are developing online privacy “seals” and working to broaden consumer awareness. AT&T has also supported the development of privacy protection tools such as the World Wide Web Consortium’s P3P.
AT&T believes that privacy protection approaches may be based on different cultural experiences and still provide effective protection to consumers. In our view, the self-regulatory approach is the appropriate one for the United States. We further agree that the concept of a safe harbor for those companies and their associations that meet a set of privacy principles which ensure consumer notice, consent, reasonable access, and consumer redress mechanisms is an inherently sound means to address the issue. However, several critical changes are needed in the present Draft Principles. In order to ensure that we are responsive to your request for comments on the Draft Principles, we are providing comments focused on concerns specific to your document. Our comments make an effort to follow the format of the Draft Principles document for your convenience.
However, we would prefer a safe harbor which is based more directly on the principles and approach as outlined in the work of the Online Privacy Alliance since the principles and approach of the Online Privacy Alliance represent an existing broad industry agreement for the online sector.
International Safe Harbor Privacy Principles:
The introductory paragraphs identify three methods for qualifying for a safe harbor. The second method is described as membership in private-sector-developed privacy programs that adhere to the proposed Draft Principles.
AT&T is a founding sponsor of the Online Privacy Alliance and supports its Guidelines. AT&T’s recently announced Online Privacy Policy meets, and in some areas exceeds, the OPA Guidelines (e.g., children’s privacy and customer choice about receiving marketing messages from us). From our reading of the proposed guidelines, AT&T understands that if the OPA’s guidelines meet the safe harbor definition, then AT&T, as a member, would qualify for the safe harbor.
However, we note that the use of a new set of principles as described in the Draft Principles initiates a new round of discussions regarding their meaning and merits, since no broad industry consensus exists on these new principles. A multi-industry consensus for the online environment was laboriously built by the OPA in its work with its members. OPA’s comments regarding the proposed safe harbor are being submitted separately, on behalf of all its members. AT&T has participated in the discussions and understands and supports the concerns expressed by OPA on behalf of its full membership. We agree with the OPA that a safe harbor approach, crafted directly on the OPA guidelines, would be the best approach for the online sector. We urge that their suggestions be part of the ongoing inter-government considerations.
In addition, while AT&T appreciates the continuing government effort to provide guidance and leadership to avoid a trade dispute with the European Union, we do have some concern that this effort could develop into a quasi-rulemaking with significant domestic implications. Safe harbors based on existing U.S. regulation and appropriate self-regulatory approaches, coupled with the consent- and contract-based exemptions offered in the Directive, are a means to keep information and commerce between the continents flowing. It would be counter to the concept of industry leadership in self-regulation that has guided the United States Government’s discussions with the European Union if a new or additional U.S.-based privacy protection infrastructure were required in order to facilitate the application of the European directive to trans-border data flows to the U.S.
Concerns and Clarification on Specific Principles
Many of the associations that AT&T belongs to are also providing comments, and we are participating fully in these processes. The comments outlined here are specific concerns that AT&T has. AT&T supports the OPA’s suggested approach of online safe harbor principles focused specifically on online services.
Principle 1. Notice: No specific comments.
Principle 2. Choice: No specific comments.
Principle 3. Onward transfers:
This particular heading is not a phrase commonly used by U.S. industry. We believe that a better phrase would be “Transfers to unaffiliated third parties.”
In addition, as used in this principle, we believe that the “must require” phrase in sentence two requires further clarification. For instance, if the individual has consented to the transfer to the third party, there is no basis to require the company to obtain the same level of protection from the third party. This phrase seems to require a continued responsibility for the business practices of others, even when the consumer has previously consented to the transfer. In addition, it implies a liability for the actions of unaffiliated third parties when they are in non-compliance.
Principle 4. Security: No specific comments.
Principle 5. Data Integrity: No specific comments.
Principle 6. Access:
AT&T supports the OPA’s understanding that access should be provided to allow the customer a simple and easy-to-use means to ensure data integrity. (AT&T would suggest that Principles 5 and 6 be integrated into a single principle, as illustrated in the existing OPA principles.)
AT&T provides its customers with access to the information they have provided to us and to their account information. Proprietary notes constitute a set of information distinct from account information and are not included in the account information to which we provide access. AT&T expects this to meet the test of “reasonableness.” We urge the Administration to ensure that this information remains in the “proprietary” definition.
AT&T’s recent experience provides a unique perspective on the complexity of this issue. AT&T’s analysis of the expense of meeting the electronic safeguards of the FCC’s CPNI Order provides an example of the potential costs of meeting one regulatory vision of privacy protection. The task of combining multiple businesses with over sixty billing systems raises potential implementation costs of hundreds of millions of dollars. AT&T felt other, significantly less expensive alternatives would more effectively safeguard customer privacy. The electronic safeguard requirements remain under FCC review.
In today’s business environment, companies typically utilize multiple databases. The vision of a single database for a customer to access may not exist or be economically feasible to develop within a company. A citizen may have to interact with different segments of a corporation to gain access to disparate customer accounts in order to assure data integrity. We believe that as long as the corporation provides reasonable access to relevant databases, that should also meet the definition of reasonableness.
Principle 7. Enforcement:
AT&T does not support the concept of financial sanctions or penalties. We believe that the approaches outlined by the “seal” programs, coupled with FTC Section V authority, provide sufficient redress.
USG Telecommunications Regulation Should Qualify for Safe Harbor
The introduction to the Draft Principles notes that the first qualification for safe harbor status may be met by companies subject to statutory, regulatory, administrative, or other bodies of law. This sectoral approach has consistently been the U.S. method of crafting effective privacy protection. AT&T supports this sectoral approach. As part of the U.S. telecommunications industry, significant portions of AT&T’s businesses are already subject to a statutory and regulatory body of law that effectively protects personal information in the telecommunications arena.
It is important to note that the European Union has also taken a sectoral approach to its telecommunications sector. Its Telecommunications Directive (97/66/EC) adds a supplemental layer of regulation for data protection upon that sector, in addition to the requirements established by the Data Protection Directive. It is imperative that the overarching rules for safe harbors be addressed in the current discussions to preclude the future need for clarification of conflicting USA-EU sector regulations involving telecommunications. For instance, care should be taken so that duplicative or conflicting requirements are not established.
The Telecommunications Act of 1996, with its extensive requirements for the protection of customer proprietary network information (CPNI), as well as earlier laws implemented and enforced by the FCC, should clearly fit into the safe harbor.
Conclusion
AT&T understands that cultural differences have led to the development of different approaches to privacy protection. However, AT&T’s extensive regulatory experience has convinced us of the benefits of voluntary standards and industry self-regulation to both customers and industry. We fully support the U.S. Government’s position that self-regulation is the appropriate U.S. method of addressing privacy protection. Therefore AT&T continues to support the process of seeking a successful resolution to the US-EU differences on this issue and shares the vision that appropriately crafted safe harbors provide an excellent contribution toward achieving that goal. AT&T appreciates that this will be an ongoing process and that significant implementation and industry-specific questions need clarification from both the U.S. and European Governments.
We appreciate your continued leadership on behalf of U.S. industry, and we look forward to continuing to work with you on this important issue.
Respectfully submitted,
James W. Cicconi
Senior Vice President
Government Affairs and Federal Policy