
From: Russ Smith
Re: Safe Harbor Principles
http://consumer.net

I would like to provide comments on the "Safe Harbor Principles" letter
posted at http://www.ita.doc.gov/ecom/menu.htm.

The first issue concerns the fact that the letter is addressed to "industry
representative" rather than being directed to consumers as well.  The
remainder of the letter is misleading, false, and/or a complete
mischaracterization of the facts.

In one part of the letter the claim is made that "We will continue to
consult closely with the private sector representatives."  In fact, the DOC
only consults with a small subset of industry representatives.  The DOC has
repeatedly refused to provide information on its activities and policies.
The DOC has gone so far as to blatantly violate FOIA laws as the Commerce
Department has refused repeated requests to answer a request I submitted in
March of this year.  The request included questions about the true nature of
the Commerce Department's interaction with this small subset of industry
representatives.

Given the interactions I have witnessed between the NTIA staff and this
small subset of industry representatives, I believe there is an expectation
of employment with these companies after these Commerce Department employees
leave government service.

As for the discussion of such things as "Choice," "Access," and
"Enforcement" this has no connection to reality.  As anyone can test at
home, there is little information available to the average consumer
concerning access or choice about their personal information.  When a
consumer tries to find out what information is available about them it is
nearly impossible.  Furthermore, many companies that claim they offer an opt-out
for the distribution simply do not tell consumers how to achieve this
"opt-out."  This information is often withheld even when it is required by
law such as under the Telephone Consumer Protection Act.  I have personally
collected thousands of dollars in legal settlements from several large
companies who refused to supply these opt-out instructions for
telemarketing.  For other, more important distributions, this opt-out is
impossible.  This point has been made time and time again at meetings at
NTIA.  Of course, anyone can test this claim with their own personal
information.

Currently, there is no mechanism of enforcement.  In fact, most of the
current 'enforcement' mechanisms are nothing more than a sham.  I tried
filing complaints with the so-called "Privacy Alliance" (in fact, there is
no such organization; the 'Alliance' is simply a group of clients of a
Washington law firm and is run by a former FTC Commissioner and Clinton
attorney).  The only response I receive is a copy of information already
posted at their web site.  This Alliance has refused to respond to my
repeated requests that they address complaints against their members.  As a
result, litigation was necessary against one of their major members, AT&T,
for violating privacy laws.

I also tried to file complaints with TRUSTe but their staff has gone to
great lengths to block my complaint.  First they claimed that TRUSTe
only monitors companies on a per web site basis.  Therefore, if a company
has 2 web sites one could be covered while the other one is not.  This is
the current situation with AOL as their "members" site is not covered by
TRUSTe.  Any company simply needs to prepare 2 web sites, one that
advertises their service (that is covered by the seal) and a second site
that collects the information.  The complaint I filed with TRUSTe alleges
that AOL is distributing personal information to third parties while telling
consumers the information is not being distributed in this manner.  TRUSTe
has repeatedly refused to address this complaint.  AOL has refused to answer
any inquiries about this matter even though the TRUSTe program supposedly
requires them to respond.  AOL is also listed as a major sponsor of TRUSTe.

I could go on for pages with further examples but the Department of Commerce
is fully aware of the situation.  Therefore, I ask the Commerce Department
to completely scrap the "Safe Harbor Principles" and start dealing with this
matter in a realistic manner.  In addition, I ask that my FOIA request be
answered as required by US law.

Sincerely,

Russ Smith
http://consumer.net
 
 


From: Wayne Madsen
 

12 November 1998
 

Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th and Constitution Avenue, N.W.,
Washington, DC 20230
 

Dear Mr. Fredell:

As a Director of the International Information System Security Certification
Consortium (ISC)2, I must respectfully disagree with the Data Protection "Safe
Harbor" proposals as being largely inadequate in meeting the goal of every
European data protection law: that is, to safeguard personal information from
unauthorized access and use. Our European Certified Information System
Security Professionals (CISSPs) view the EU data privacy law as an important
mechanism to help them safeguard personal data maintained by their companies
and agencies.

These proposals would roll back over two hundred years of European privacy law
development, a process I might add that started in 1776 with the adoption of
the Swedish Access to Information Act and was spurred by abuses of such
information by totalitarian governments in Germany, Greece, Portugal, Spain,
and the USSR. The fact that the United States Safe Harbor proposals would
stymie and erode a process that is as old as our country sets a very bad
example for other countries around the world that are just beginning to
understand the importance of personal data protection.

Our CISSPs are also bound to enforce the laws governing the use of personal
information within their countries. Safe Harbor would erode their ability to
safeguard the data processed within their countries because it would give
American firms and foreign firms operating within our borders great leeway in
determining how to protect such information. Based on the record of many of
these companies, I remain extremely pessimistic about their commitment to data
protection.

I therefore urge that the Safe Harbor proposals neither be pursued nor
adopted.
 

Sincerely yours,
 

Wayne Madsen, CISSP
Member, Board of Directors, ISC2
Author, The Handbook of Personal Data Protection

2001 North Adams St. #227
Arlington, VA 22201

703.841.5425
wmadsen777@aol.com



From: West Coile
 

I am writing to voice my strong opposition and utter rejection of the
Department of Commerce Safe Harbor proposal.  Instead of proposing such
measures that would completely preclude any privacy protections by defining
away any possible benefits Americans might hope for from the EU
requirements, the Department of Commerce should be lobbying for strong
privacy protection measures that would meet or exceed the EU requirements.
A summary of the major objections follows:

      - The Safe Harbor proposal falls short of the 1980 OECD Privacy
        Principles that the United States endorsed almost twenty years
        ago and recently pledged to continue to support.

      - The Safe Harbor principles undermine key elements of data
        protection.  "Consent" is redefined as "choice."  There is no
        reference to "use limitation" or "purpose specification," even
        though both principles are found in the 1980 OECD Privacy
        Guidelines.

      - There is no real means of enforcement for the Safe Harbor
        Principles.  Enforcement by self-regulation has not worked.
        For example, Geocities received a certification from Truste
        even while under investigation for violating the privacy of
        its users.

      - The Safe Harbor principles discriminate against small and
        medium-sized companies operating on the Internet that may not
        be able to self-certify.

      - The Safe Harbor principles do not address the need to fix U.S.
        policies on encryption and other privacy enhancing technologies.

      - The U.S. still lacks privacy protection in critical areas, such
        as medical records, and the American public supports
        legislation to protect privacy online.

      - The Safe Harbor principles do not address the need to create a
        permanent privacy agency to represent the interests of privacy
        protection.

I sincerely hope the DoC and the entire US Government begin to face the
fact that we desperately need regulations and laws that provide a
comprehensive approach to protecting Americans' privacy and right to
anonymity, along with other measures that would support that goal.
Examples would include (but of course, not be limited to):
 

Let's all hope for a brighter future than that envisioned by the current
strategy that sacrifices any hope of privacy for Americans on the altar of
the Direct Marketing Association and their ilk.

West Coile
 
 



From: Thomas Lewis
 

29 Colonel Wilkins Rd.
Amherst, NH 03031
November 11, 1998

Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th and Constitution Avenue, N.W.
Washington, DC 20230

Dear Mr. Fredell:

These comments are in response to the Department of Commerce draft
policy on international privacy, specifically the "Safe Harbor" policy posted on the Department of Commerce World Wide Web site (at
http://www.ita.doc.gov/ecom/menu.htm ).

This policy is far too limited, in that it does nothing to protect the privacy of US citizens.  In fact, this policy makes it better (from a privacy standpoint) to be a citizen of the European Union!

Implementation of this policy as it is written, would effectively require US businesses
belonging to the "Safe Harbor" to implement a separate information infrastructure to maintain the required controls on this specially protected data.  This seems costly and difficult to administer.  It is more appropriate to take this opportunity to bring the privacy policies of the United States up to world class standards.  The Department of
Commerce should recommend legislative adoption of the privacy policy goals adopted in 1980 by the OECD (of which the US is a member), as enumerated in the document entitled "Guidelines on the Protection of Privacy and Transborder Flows of Personal Data".  I encourage you to read (or re-read) this document and incorporate these principles into the Department of Commerce policies.  The document can be found at:
   http://www.oecd.org/dsti/sti/it/secur/prod/PRIV-EN.HTM

In the absence of privacy legislation in the US, I urge the Department of Commerce to recommend that all businesses voluntarily comply with these policies.

Below are my comments on specific areas of the Department of Commerce
draft proposal regarding "INTERNATIONAL SAFE HARBOR PRIVACY PRINCIPLES".

From Attachment B, "INTERNATIONAL SAFE HARBOR PRIVACY PRINCIPLES", at
http://www.ita.doc.gov/ecom/menu.htm

   ...an organization qualifies for the safe harbor if it is subject to a statutory, regulatory, administrative, or other body of law that effectively protects personal information privacy.  An organization may also qualify for the safe harbor through membership in private sector developed privacy programs that adhere to these principles. In addition, adherence to these principles is subject to national security, risk management, information security, public interest, regulatory compliance and supervision, and law enforcement requirements as well as to other legal and regulatory obligations, authorizations, and exceptions. Finally, these principles do not apply to proprietary or manually processed information.

This section opens the door to any kind of use or abuse of personal information, in the following ways:

1) There is no "statutory, regulatory, administrative, or other body of
   law that effectively protects personal information privacy" in the
   United States.
2) Neither this principle nor Principle 7 (Enforcement) requires an
   organization that repeatedly or willfully violates these privacy
   principles to lose its "membership in private sector developed
   privacy programs".
3) I have no doubt that the exception for "legal and regulatory
   obligations, authorizations and exceptions" would be interpreted in
   the US, to include things like a contractual obligation between
   organizations to share data.  Adding language to define "legal and
   regulatory obligations and exceptions" to be those required by law (as
   opposed to those allowed by law) would alleviate this concern.
4) The term "proprietary" needs to be defined for the purposes of this
   policy.
5) There should be no exclusion for "manually processed" information.
   Almost all information is "manually processed" after it is collected,
   and therefore could be excluded.  Perhaps the term "manually processed" needs to be clearly defined for the purposes of this policy.

From Attachment B, INTERNATIONAL SAFE HARBOR PRIVACY PRINCIPLES, at
http://www.ita.doc.gov/ecom/menu.htm

   2. CHOICE: An organization must give individuals the opportunity to
      choose (opt out choice) whether and how personal information they
      provide is used (where such use is unrelated to the use(s) for
      which they originally disclosed it).  They must be provided with
      clear and conspicuous, readily available, and affordable mechanisms
      to exercise this option.  For certain kinds of sensitive information,
      such as medical information, they must be given affirmative or
      explicit (opt in) choice.

This principle needs only a couple of minor modifications.  First, the
individual must be able to make their choice at the time that the data
is collected.  Secondly, all data should require "affirmative or
explicit (opt in) choice".  Individually identifiable data should be defined as
belonging to the individual, not to the organization that collects it.
Any use of that data other than that for which it was originally
collected should require the explicit consent of the individual.

   6. ACCESS: Individuals must have reasonable access to information
      about them derived from non public records that an organization
      holds and be able to correct or amend that information where it is
      inaccurate.  Reasonableness of access depends on the nature and
      sensitivity of the information collected and its intended uses.
      For instance, access must be provided to an individual where the
      information in question is sensitive or used for substantive
      decision making purposes that affect that individual.

The restriction on access only to information "derived from non public
records" defeats the entire purpose of providing access.  Records from
public sources can and do become associated with the wrong individual,
and the process of "deriving" information from public records presents
many opportunities for the information to be inadvertently modified.  It
is important that individuals be given access to individually identifiable data from any source.

It is reasonable to provide access to any and all data an organization
maintains on an individual.  Only the method of access "depends on the
nature and sensitivity of the information collected".  The intended uses
of the information have no bearing on whether it is reasonable to
provide access.  If the information is not important to the relationship
between an individual and an organization, then the information should
be removed from the organization's database.  If the information is
important, the individual must have access to ensure that it is accurate.  Neither
the source nor the intended use of the information has any bearing on
whether the individual should be granted access to the data.

The note after Principle 7 (Enforcement) states that an organization may
satisfy the requirements of Principle 7 "through compliance with private
sector developed privacy programs that include effective enforcement
mechanisms of the type described in Principle 7".  The "private sector"
enforcement organization must abide by the portion of Principle 7 that
states "Sanctions must be sufficient to ensure compliance by
organizations and must provide individuals the means for enforcement".
Aside from monetary penalties, I'm not sure what form "sanctions" would
take.  Individuals whose privacy is violated must be able to recover
damages from the offending organization.  These damages must not be
limited to actual monetary losses and expenses incurred in bringing the
enforcement action, but must consider many other things, such as the effect that the
violation has on the individual's life (both personal and professional);
whether the violation was willful, negligent or inadvertent; whether the
violation was part of a pattern of violations on the part of the violator;
and any value the disclosure provided to the violator.  Only by considering
all of these can a suitable sanction be imposed.  Any appeals process must
include a requirement for timely resolution; cases must not be allowed
to drag on for years as they do in the courts.

I am disappointed that the Department of Commerce limited its
solicitation of comments to "Industry Representatives".  Good policies cannot be
developed without input from all involved, but this policy was apparently
developed with input only from industry.  Please give equal weight to all
comments received, and don't disregard the opinions of those providing
the data.  There are many good elements in this draft policy, but there are also
a number of serious shortcomings.  It is my hope that these will be addressed
before the policy is finalized.

Sincerely,
Thomas Lewis
tlewis@ctron.com



From: Talmadge Wright
 

Mr. Fredell,

I would like to comment briefly on your draft policy on privacy as posted at
http://www.ita.doc.gov/ecom/menu.htm.  This "Safe Harbor" concept falls far
short of where the U.S. needs to position itself on consumer privacy.  In
fact, it doesn't even live up to the (weak) 1980 OECD Privacy Principles
which the U.S. claims to support.

Specifically, there is no means of enforcement other than self regulation.
This has shown itself unworkable in the past.  There are no provisions
promoting strong encryption or ensuring anonymity, two requirements for
electronic business.  Lastly, the gathering and dissemination of personal
information in databases (medical, credit, spending patterns, etc.) is not
restricted.

We need to lead the world in protecting the privacy of our citizens.  This
isn't only the "moral high ground" but it is required to encourage the
growth of electronic commerce into the future.

Thank you,
Talmadge Wright



From: Robert Gellman, Privacy and Information Policy Consultant
 

November 12, 1998

Comments of Robert Gellman on the Department of Commerce
International Safe Harbor Privacy Principles
<http://www.ita.doc.gov/ecom/menu.htm>
 

This is a response to David Aaron's November 4, 1998, letter posted on the ITA Electronic Commerce Task Force webpage.  Ambassador Aaron asked for comments on so-called safe harbor principles on privacy that the Department prepared for use in negotiations with the European Commission.  My comments are offered on my own behalf and not for any client or other person.
 

I. Process

The Department's request for comments is welcome.  In the past, the Department has generally not done a good job in seeking outside views during development of privacy policies and negotiating strategies.  However, the manner in which the Department is soliciting comments on the safe harbor principles leaves much to be desired.

Ambassador Aaron's letter requesting comments is not visible or highlighted on the Department of Commerce webpage.  The letter is not visible or highlighted on the International Trade Administration webpage.  A diligent effort to search for the document using search engines provided on the Department's website was unsuccessful.  I was unable to find a press release announcing the request.

Indeed, the webpage of the ITA Electronic Commerce Task Force is itself invisible.  The page is not highlighted on the ITA webpage.  The Electronic Commerce webpage is not indexed under the ITA website index offered from the ITA webpage.  Even if a user happened to stumble across the Electronic Commerce Task Force webpage, Aaron's request for comments is not visible or highlighted there.  Only by a random click on an otherwise unmarked graphic can a user find the document in question.  In contrast, I note that my search through the ITA webpage readily found seven different photographs of Ambassador Aaron that were available for downloading.

Of course, it is possible that my searches on Department webpages were unsuccessful due to a failure on my part.  In any event, there are other traditional methods of notifying the public about requests for comment.  I do not believe, however, that the Department placed a notice in the Federal Register about the request for comments.  Also, my interest in privacy matters is well known to the Department, and I have been solicited by email on many occasions to attend meetings and participate in conferences on privacy at the Department.  My email address is clearly on one or more Department lists connected with privacy matters.  However, I did not receive any email notification from the Department about the request for comments.

The salutation of Ambassador Aaron's letter is telling.  It says "Dear Industry Representative."  The letter is clearly not addressed to organizations that represent consumers, privacy advocates, Internet users, or ordinary citizens.  Any observer of the process for soliciting comments could easily conclude that the Department is only interested in the views of carefully selected members of the American business community and that it has no particular interest in the views of other parts of the business community or any other segment of American society.  The short time allowed for comments does nothing to dispel that conclusion.

While the Department began this process with a false step, it can correct the mistake by undertaking a sincere effort to solicit comments from the American public, American industry, and other American organizations with an interest in privacy policy.  At a minimum, the Department should actively solicit comments by publishing its principles in the Federal Register and allowing thirty days for public comment.  The European Union's Data Protection Directive was enacted over three years ago.  The Department's delay in developing a negotiating strategy is not an excuse for failing to solicit the views of everyone who may have an interest.  In addition, a notice about the Safe Harbor Principles should be posted prominently on the Department of Commerce webpage, and on the webpage of relevant departmental components.  Finally, I suggest that the Department immediately make available on the Internet all comments received from all parties.
 

II. OECD Guidelines and the Department of Commerce

The United States has a long history of support for the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.  In the early 1980s, NTIA took the position that voluntary adoption of the guidelines by American companies -- as opposed to formal legislative or administrative action -- would demonstrate a serious commitment to privacy protection.  In 1981 and 1982, NTIA requested private sector endorsement of the OECD guidelines.  By 1983, 182 major U.S. multi-national corporations and trade associations had endorsed the guidelines.

The sincerity of that effort to solicit endorsement of the guidelines has been questioned.  Nevertheless, what may be most interesting about the effort was the support for the guidelines without limitation, qualification, or condition.  Subsequent U.S. Government statements over the years have also shown support for the OECD Guidelines.

The proposed safe harbor principles are only a subset of the OECD Guidelines.  Nothing in the principles addresses purpose limitation or collection limitation.  Access rights and correction rights are restricted to non-public records.  The principles on access and correction mimic the policies of a U.S. trade association that insists on the right to continue to disseminate personal information even when there is evidence that the information is incorrect.  On this point, it seems strange that the United States is arguing in favor of the right to knowingly disseminate incorrect personal data.  This position can hardly be expected to have any appeal to the European Commission, and it will only undercut the credibility of our negotiators.

I do not propose here to compare further the principles and the guidelines to point out all of the differences between them.  Many differences are apparent upon even a cursory review.  The real question for Department negotiators is why they have established a starting point for negotiations that is so far from policies that the United States has supported in the past.

The principles of fair information practices were largely invented here in the United States, and the federal government has operated successfully under them for almost 25 years.  Businesses in Europe, including many subsidiaries of American corporations, function successfully under data protection regimes.  The goal should be finding ways that we can address data protection here in a practical manner rather than to seek broad exemption from basic principles.

Further, the notion of industry self-certification with a significantly weakened set of data protection principles may not have much credibility.  The Department of Commerce already promoted a program of voluntary compliance with the full set of OECD Guidelines, and it convinced 182 American companies to agree.  That program, however, produced virtually no actual effect on privacy practices, and it was rapidly forgotten.  Given the Department's previous failure in encouraging voluntary compliance, it is hard to see the attraction of the same position for negotiating purposes.

Perhaps the worst feature of the safe harbor principles is the effect on American companies with good privacy practices.  Some companies have already adopted policies that meet most or all of the OECD Guidelines.  These companies have a good chance of being able to demonstrate that they meet the higher adequacy standards required by the EU Directive.  If so, they will demonstrate that American companies can operate under data protection rules.  The Department is seeking to convince EU regulators to accept a weakened policy that would undermine good corporate citizens and that would encourage these American companies to weaken their existing protection.  It is hard to see the attraction of a negotiating policy that encourages bad actors, discourages good actors, and results in a diminution of existing privacy protection for American citizens.

Many parts of the safe harbor proposal need clarification.  I will highlight only a few of the uncertainties.
 

III. Other Needs

There can be no doubt that resolving differences between the United States and the European Union on data protection is both important and difficult.  However, the Department's proposed negotiating stance seems doomed to failure.  It is significantly incomplete and fails to address several major principles that are of obvious importance to the EU.  The Department would be better advised to focus its attention on these goals:
 

IV. Conclusion

The Department needs to begin negotiations with a position that is more coherent, more consistent with past U.S. Government policies, and more specific.  If we do not know what our proposal means, how can we expect the Europeans to understand it?

The notion of a safe harbor is not, by itself, objectionable.  It may well form a basis for reaching an agreement with the EU.  However, asking the EU to completely abandon or substantially weaken many of the basic data protection principles that are part of the law of the European Community and many of its member states shows a lack of respect and reality. The Department needs to be more pragmatic in selecting a starting point for negotiations and in identifying its objectives.
 




From: Fred Cate
 

U.S. Department of Commerce
14th Street and Constitution Avenue, N.W.
Washington, DC 20230

Comments re: International Safe Harbor Privacy Principles

Dear Ambassador Aaron:

 We are the authors of four recent books and monographs—Data Privacy Law: A Study of United States Data Protection (Michie 1996), Privacy in the Information Age (Brookings 1997), None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive (Brookings 1998), and Data Protection Law and On-line Services: Regulatory Responses in Belgium, France, Germany and United Kingdom (European Commission, forthcoming 1999)—examining the European Union’s data protection directive (Directive 95/46/EC), the *adequacy* of United States privacy protection under Articles 25 and 26 of that directive, and substantive data protection law in several European Union Member States. Four of us are law professors who teach and research extensively in the areas of privacy and information law; the fifth is director of economic studies at The Brookings Institution and a former deputy assistant attorney general in the Antitrust Division of the Justice Department and former associate director in the Office of Management and Budget.

 The views we express below are ours alone; they do not necessarily represent the views of the institutions with which we are affiliated nor have we received any financial or other compensation for preparing these comments.

 In our respective writings and public statements concerning privacy, we have disagreed frequently and, on occasion, sharply about the desirable level of substantive privacy protection for personal information and about the constitutionality, effectiveness, and the advisability of various means of achieving privacy protection. We submit these comments jointly today to highlight the fact that, despite our divergent views on other privacy issues, on these critical points we are in complete agreement. In addition to these joint comments, Professor Swire is also submitting a set of technical observations.

 We appreciate the opportunity to submit comments on the November 4, 1998, draft of International Safe Harbor Privacy Principles, and we applaud the Department of Commerce, you, and your colleagues for pursuing discussions with the European Union to create a set of international principles that would be recognized globally as meeting the requirements of Articles 25 and 26 of Directive 95/46/EC. Agreement on such principles would diminish the threat that enforcement of the data protection directive might interrupt trade with the European Union and reduce the transaction costs associated with complying with the Directive.

 The key to creating effective principles and achieving the benefits that such principles promise, however, is in their specificity and comprehensiveness. Specific, comprehensive principles make it comparatively easy for consumers, businesses, and regulators alike to know what is expected, what level of privacy is provided, and whether there is compliance. Such principles also diminish the room for conflicting interpretations by information collectors and users and by national data protection regulators, thereby increasing the certainty that the principles will, in fact, constitute *adequate* data protection and therefore a safe-harbor under Directive 95/46/EC.

 We believe that the proposed International Safe Harbor Privacy Principles are too vague and incomplete to serve their intended purpose. Specifically, we believe the following examples reflect substantial difficulties for international data transfers that this proposed draft does not resolve:

 1. The applicability of the *Safe Harbor* is ambiguous

 We find the scope of application of the *safe harbor* perplexing. The preamble seems to merge sectoral regulation that may provide a statutory basis for *adequacy* with collective, industry self-regulatory schemes and isolated independent mechanisms. Yet many issues for compliance and the sufficiency of each of these means to satisfy *adequacy* are different. In addition, the *safe harbor* does not delineate how to treat a company that subscribes to the principles in connection with one set of activities, such as on-line services, but engages in many others such as employee data transfers. Furthermore, the draft exempts *proprietary information* from the principles without any definition. We do not understand what this term means in relation to the generally accepted definition of *personal information* as information relating to an identified or identifiable person.

 2. Transparency is not yet accomplished

 The *safe harbor* leaves a number of critical issues for transparency unresolved. For example, the notice requirement does not include any disclosure of the identity of the organization collecting personal information. We also believe the provision on access leaves significant ambiguity in the ability of individuals to see the information relating to them. *Reasonable access* is only vaguely defined in the clause and likely to be interpreted quite differently by the various stakeholders. At the same time, the blanket exclusion of public record information from the access right raises serious questions about whether the resulting data protection is *adequate* under Directive 95/46/EC.

 In addition, the *safe harbor* is silent on the transparency of those companies subscribing to the principles; there is no provision for the public disclosure of companies promising to adhere to the *safe harbor*. For example, a statement in corporate disclosure documents such as Form 10K or 10Q filed with the Securities and Exchange Commission would make adherence public and indicate that a particular company thought compliance was material to its business practices.

 3. The role of consent

 We are concerned that the *safe harbor* relies too heavily on consent as an absolute basis for any treatment of personal information. Especially in the case of sensitive information such as medical data, consent may not be recognized as an appropriate ground for certain uses of personal information. For example, it is doubtful whether consent should be considered valid where medical care is provided to a sick patient on condition of using personal medical information for marketing purposes.

 4. Enforcement is ill-defined

 We are unconvinced that the draft *safe harbor* provision on enforcement adds a meaningful standard to the principles. The list of mechanisms by which compliance might be assured does not contribute to clear rules or practices for companies to follow or for individuals to pursue in the vindication of claims. The draft gives no guidance on the content for *systems for verifying that the attestations and assertions business make . . . are true* nor does the draft provide any indication as to how such measures might overcome the rejection of non-independent supervision by data protection authorities. Even with respect to remedies, the draft is too vague to provide any guidance. Enforcement in the American legal system typically includes causes of action and damages for violations of standards. The draft speaks of *recourse* and *consequences,* yet does not establish any useful criteria for dispute settlement nor address the question of damages for injuries caused to individuals by violations of the principles. In combination with the vagueness of the substantive principles, the enforcement provision offers unclear protection for individuals and uncertainty for U.S. business.

 Moreover, we are concerned by the confusion regarding the legal effect of the proposed International Safe Harbor Privacy Principles. Typically, American law uses the term *safe harbor* to mean a set of precisely defined practices recognized by a designated regulatory agency to satisfy an existing legal obligation in the United States. In the absence of U.S. statutory obligations, we understand this *safe harbor* is, instead, intended as a designation by the European Union that U.S. companies complying with the terms of these principles would qualify to transfer personal information to the United States under Article 25(6) or Article 26 of Directive 95/46/EC. Under Directive 95/46/EC, a determination of the sufficiency of these principles will be made by the Commission subject to referral to the Committee, consisting of representatives from each of the Member States, established under Article 31 of the Directive, and, if necessary, to referral to the Council of Ministers for an overruling decision. In making the initial determination on the value of these principles as *adequate* data protection, the Commission consults with the Working Party, composed of representatives of the data protection supervisory agencies of the Member States, established under Article 29 of the Directive. Although the opinion of the Article 29 Working Party is only advisory, each of the group’s members has enforcement responsibilities for international data transfers. Hence, even if these principles are accepted by the Commission and the Article 31 Committee or the Council of Ministers, European law and Directive 95/46/EC require the data protection agencies in each of the European member states to interpret whether there is compliance and accord a significant margin for interpretation to those agencies.

 The Working Party has addressed itself for the past two years to the question of what constitutes *adequate* data protection under Articles 25 and 26. Those views are collected in the Working Party’s report this summer, Working Document on Transfers of Personal Data to Third Countries: Applying Articles 25 and 26 of the EU Data Protection Directive. While our views on the substance of the Working Party’s conclusions differ, we are agreed that the current draft of the International Safe Harbor Privacy Principles appears inconsistent with the Working Party’s conclusions. In particular, the vagueness and omissions in the draft International Safe Harbor Privacy Principles contradict the search for specific substantive standards enumerated in the Article 29 Working Party’s opinions. We do not, therefore, believe that these principles will resolve the international data flow issues for U.S. companies at the member state level and urge you to explore the problems of interpretation that these principles will create.

 Thank you again for your efforts to create International Safe Harbor Privacy Principles. We appreciate this opportunity to comment and we stand ready, individually and collectively, to work with you to address the concerns and ambiguities that we have identified and to provide any other assistance you might require in completing your important task.

Respectfully submitted,

Fred H. Cate
Professor of Law
Indiana University School of Law—Bloomington
Author, Privacy in the Information Age
211 South Indiana Avenue
Bloomington, IN 47401

Robert E. Litan
Director, Economic Studies
The Brookings Institution
Co-Author, None of Your Business
1775 Massachusetts Avenue, N.W.
Washington, DC 20036

Joel R. Reidenberg
Professor of Law
Fordham University School of Law
Co-Author, Data Privacy Law and
Data Protection Law and On-line Services
140 West 62nd Street
New York, NY 10023

Paul M. Schwartz
Professor of Law
Brooklyn Law School
Co-Author, Data Privacy Law and
Data Protection Law and On-line Services
250 Joralemon Street
Brooklyn, NY 11201

Peter P. Swire
Professor of Law
Ohio State University College of Law
Co-Author, None of Your Business
55 West 12th Avenue
Columbus, OH 43210



From: Peter Swire
November 18, 1998

Ambassador David L. Aaron
Undersecretary for International Trade
U.S. Department of Commerce
14th Street and Constitution Avenue, N.W.
Washington, DC 20230

Comments re: International Safe Harbor Privacy Principles

Dear Ambassador Aaron:

 You have asked for public comment on the “International Safe Harbor Privacy Principles” (the “Principles”).  I am writing these comments based largely on research and related work with Dr. Robert Litan for our book, None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive (Brookings, 1998).  I am also joining the comments on the Principles being submitted today by Professors Fred Cate, Joel Reidenberg, and Paul Schwartz and Dr. Litan (the “joint comments”).

  The comments here express my views alone.  They do not represent the views of the Ohio State University College of Law, nor have I received any financial or other compensation for preparing these comments.

 As stated in the joint comments, I appreciate the opportunity to submit my views on the November 4, 1998 draft of the Principles, and I applaud the Department of Commerce, you, and your colleagues for your dedicated work on resolving how transfers of personal data can lawfully be made between the European Union and the United States under Directive 95/46/EC.

 My comments address eleven specific topics raised by the Principles.  Many of the comments are intended to help clarify particular, and sometimes difficult, issues that arise in interpreting the Principles.  Issues concerning a customer’s right to access data held by an organization are especially controversial.

 The final two comments, however, are likely the most important.  The first of these underlines the importance for U.S. organizations of knowing the scope of transfers permitted under the Safe Harbor.  Some enforcement mechanisms apply only to a subset of an organization’s data flows, such as its on-line customer information.  The crucial issue will be this:  if an organization complies for that subset of flows, does it also gain the legal ability to transfer its other data flows to the United States?  If not, then organizations need to be alerted that participation in the Safe Harbor for some categories of data will not entitle the organization to transfer other categories of data.  Notably, transfer of human resources records would likely require some additional compliance action by the organization.

 The final comment highlights a way in which the Safe Harbor could greatly streamline the process of complying with the Directive.  Under the Directive itself, transfers from Europe to the United States under a company-to-company contract appear to require prior approval by the national authority.  Under the Safe Harbor, by contrast, U.S. organizations that agree to comply with the Principles would not require prior approval to carry out transfers.  A priority in the Department’s further actions should therefore be to confirm this understanding, that prior approval of transfers would no longer be required for organizations that have accepted the Safe Harbor.

COMMENTS ON UNDERSECRETARY AARON’S COVER LETTER

 (1) Complete list of derogations.  In discussing exceptions, the cover letter signed by Undersecretary Aaron lists the derogations provided by Article 26(1), but does not mention the transfers that are permitted under Article 26(2) where “adequate safeguards” exist, such as from appropriate contractual clauses between entities in the E.U. and U.S.  The use of such contracts may be helpful in a range of cases where none of the derogations of Article 26(1) apply.  Where the Department of Commerce lists the exceptions that permit transfers, Article 26(2) should be included.

PREAMBLE TO THE PRINCIPLES

 (2) Qualifying for the safe harbor.  The preamble states that “an organization qualifies for the safe harbor if it is subject to a statutory, regulatory, administrative, or other body of law that effectively protects personal information privacy.”  Some industries, such as the banking, insurance, and securities industries, are subject to industry-specific regulation and supervision by specialized agencies.  Such industries might thereby qualify for the safe harbor to the extent that this regulation and supervision “effectively protects personal information privacy.”
 The question concerns corporations that are not subject to any such specialized rules.  Such corporations are subject to statutory and other law if they violate their announced privacy practices.  Notably, enforcement actions may be brought under Section 5 of the Federal Trade Commission Act (to the extent of its jurisdiction), under similar state laws, and under state lawsuits for breach of contract.  Is it the position of the Department that corporations subject to these actions, but not under specialized regulatory regimes, are subject to a legal regime “that effectively protects personal information privacy” and thus qualifies for the safe harbor?  Because these actions would apply to all U.S. companies that have adopted privacy policies, the answer apparently is no.  Otherwise, the other means for qualifying for the safe harbor, such as membership in private sector privacy programs, would be redundant.

 (3) “Proprietary” information.  The preamble states that “these principles do not apply to proprietary or manually processed information.”  The use of “proprietary” is very vague here and needs clarification.  At the extreme, a company might take the position that all information about customers and employees is proprietary and thus not subject to the Principles.  This extreme interpretation is clearly not intended, because it would render the entire Safe Harbor irrelevant.  But it is unclear from the context what sorts of proprietary information are intended to be excluded.
 Perhaps the use of “proprietary” is intended to apply to the scope of the individual’s right of access.  Under Article 12 of the Directive, every data subject has the right to obtain from the controller “knowledge of the logic involved in any automatic processing of data concerning him at least in the case of the automated decisions referred to in Article 15(1).”  Many U.S. companies would consider “the logic involved in any automatic processing of data” to be competitively sensitive information and thus proprietary.  Does the Department agree?
 Also in connection with the right of access, companies today often compile information about customers in addition to the information supplied by the customers themselves.  For instance, companies may access public records and buy demographic and other information concerning their customers.  Companies may consider which information they assemble to be “proprietary.”  Is this sort of selection of data sources about customers “proprietary” and thus outside of the scope of the Principles?  If so, then this may be a large exception to the Principles.
 More generally, it would be helpful to learn whether "proprietary" has any relevance outside of the area of right of access.  If so, then clarification would be useful.   If not, then the use of "proprietary" should be moved to the section on access.

NOTICE

 (4) Identity and contact information of the controller.  Article 10 of the Directive, concerning notice, specifically requires notice to the data subject about “the identity of the controller and of his representative, if any.”  Especially for on-line transactions, however, the individual may not be aware of the identity of the organization that is collecting personal data.  The Notice Principle might be amended to add “identity of the organization” to the list of information provided to individuals.  In the alternative, the Q&A section might point out that notice, to be effective, should include the ability of the individual to identify the organization.
 A closely related point is that notice should include information about how to contact the organization, such as by mail, 800 number, e-mail, or other means.  Without such notice, individuals may lack any effective way to get access to information that an organization has about them.  In the first sentence of the Notice Principle, language such as the following might be added to the list: “information about how to contact the organization in connection with uses of personal information.”  It is possible that provision of contact information is implicit in the notice of  “the choices and means the organization offers individuals for limiting its use and disclosure.”   If so, then the Q&A section might explain that contact information should be included in the notice provided to individuals.

 (5) Information already available to the data subject.  Article 10 of the Directive states that information should be disclosed to the data subject “except where he already has it.”  The Notice Principle says that an “organization must inform individuals” about listed items, but does not include similar language.  The end of that sentence of the Notice Principle might be amended to add “except where the individual already knows the information.”  In the alternative, the Q&A might explain that information need not be explicitly provided where individuals already know the information.

ONWARD TRANSFER

 (6) Protection by third parties.  The Onward Transfer Principle states: “When transferring personal information to third parties, an organization must require that third parties provide at least the same level of privacy protection as originally chosen by the individual.”  My question concerns the interaction of this requirement with the Enforcement Principle.  Suppose that the individual or other appropriate party seeks enforcement because the third party does not offer the same level of privacy protection as originally chosen by the individual.  Enforcement actions might take place involving the controller (who supplied the information to the third party), the third party (who received the information from the controller), or both.
 Concerning the third party, is there any requirement that it have agreed to the Principles in order to qualify to receive the personal information?  The text of the Principles does not suggest any such requirement.  If the third party has not agreed to the Principles, what obligations, if any, must it undertake to receive onward transfer of data?  The Onward Transfer Principle states “an organization must require that third parties provide” protections.  Does this mean that the third party in some way must be subject to enforcement by the controller, perhaps under a contractual agreement, or in some other way?
 Concerning the controller, what obligations apply when unauthorized use is made of data by the third party?  Is the controller itself subject to enforcement whenever the third party misuses the data (a strict liability approach)?  Is the controller subject to enforcement only when it has failed to take reasonable precautions in passing on the data to a third party (a negligence approach)?  Or is enforcement only available against the third party that actually misused the data (an approach in which the third party, rather than the controller, is held responsible for the misuse)?
 Because personal data is often transferred to third parties, for many different purposes, clarification of these issues is important to understanding the actual practices expected of organizations that agree to abide by the Principles.

SECURITY

 (7) Binding contract or legal act.  Article 17 of the Directive governs the security of processing of personal data.  It sets forth requirements on the “controller,” defined as the party “which alone or jointly with others determines the purposes and means of the processing of personal data,” and on the “processor,” defined as a party “which processes personal data on behalf of the controller.”
 Article 17(3) specifically provides: “The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that:
 -- the processor shall act only on instructions from the controller;
 -- the obligations set out in paragraph 1 [of Article 17], as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor.”
 The Security Principle makes no mention of the requirement of a “contract or legal act binding the processor to the controller.”  Is the position of the Department that no such contract or legal act is necessary for organizations that adopt the Principles and transfer personal data out of the European Union?  If no such contract or legal act is required, then it may be useful to state that understanding in the Q&A.  If such a contract or legal act is required, then it may be useful to say so explicitly in the Principles, or to include language in the Q&A notifying organizations of this requirement.

“SENSITIVE INFORMATION”

 (8) Defining “sensitive” information.  The term “sensitive” information is used three times in the Principles.  In seeking to determine the meaning of “sensitive” information, one possible source for the definition is Article 8 of the Directive, which defines special categories of information “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.”  Article 8 also creates special rules for other categories of information, notably registries of offenses and criminal convictions.  Although Article 8 does not specifically use the term “sensitive” information, the categories of Article 8 are called “sensitive” data in common usage in data protection discussions.
 Does the Department intend the listed uses of “sensitive” information to refer to the Article 8 categories?  Clarification of this issue, in the Principles or the Q&A, would help organizations understand when the stricter principles covering sensitive data would apply.
 On the same topic, some United States laws may require processing of data considered sensitive under Article 8.  Examples might be fair employment and fair lending statutes that require an organization to collect information about racial origin.  The Q&A might point out that processing of such data, as required by law, would not violate the Principles.

 (9) Reasonable access and “sensitivity” of data.  In discussions concerning the Principles, a good deal of controversy has centered on whether individuals should have “access” or “reasonable access” to their information.  Clarification may be needed in the Q&A of what the Department understands by “reasonable access.”
 The Access Principle also states: “Reasonableness of access depends on the nature and sensitivity of the information collected and its intended uses.”  The term “sensitivity” seems to be used in a different sense in this instance than in the three instances listed above.  The “sensitivity” of the information seems to suggest a sliding scale, where greater access is appropriate as the level of sensitivity increases.
 If a different meaning is indeed intended by the term “sensitivity,” then it may be useful to clarify the difference in the Principles or the Q&A.  There may be categories of data that are not covered by Article 8 but which have enough sensitivity to merit access.  Credit histories or certain other categories of financial information might be examples of data that individuals consider sensitive in at least some circumstances.  If “sensitive” data is understood to refer solely to Article 8 categories, then all other categories of data might be understood not to be “sensitive” under the current language and thus entirely outside the scope of Access Principle.

ENFORCEMENT

 (10) When only some transfers are covered.  Organizations can satisfy the requirements of the Enforcement Principle, for instance, “through compliance with private sector developed privacy programs that include effective enforcement mechanisms.”  What constitutes “effective” is nowhere defined in the Principles.  Some of the leading programs, moreover, cover only a subset of an organization’s transfers of data.  For instance, BBB-Online and TRUSTe focus on on-line transfers of customer data.
 Transnational organizations that sign on to such programs are likely to have other categories of transfers of personal data.  Examples would include off-line customer information and the organization’s own human resources records.  An important issue arises concerning these other categories of data.  Does the Safe Harbor apply when a company complies with a privacy program for only a subset of its data transfers?  If a company complies with programs such as BBB-Online and TRUSTe for its on-line transfers of customer data, are the companies’ other activities thereby protected by the Safe Harbor?
 Based on my own research and discussions with European officials, it would be surprising if the European authorities believed that the Safe Harbor would apply for categories of transfers where no effective enforcement mechanism existed.  If the Department agrees with this conclusion, it is important to signal to U.S. organizations that the Safe Harbor would only protect an organization for those categories of transfers where effective enforcement exists.  My belief is that compliance with a privacy program, which covers only a subset of an organization’s transfers, does not provide Safe Harbor protection for other sorts of transfers.  In that event, a different basis would be needed for an organization to transfer other categories of personal data out of Europe legally.

 (11) “Cooperation with data protection authorities.”   A different way to satisfy the Enforcement Principle is by “committing to cooperate with data protection authorities located in the European Community.”  This language suggests a very practical way for organizations to streamline compliance with the Directive.
 Article 26(2) of the Directive already provides a contract mechanism for allowing transfers to countries that lack adequate protection of privacy.  Under Article 26(2), a Member State must authorize a transfer or set of transfers, and then inform the Commission and the other Member States of such authorizations.  A concern of organizations faced with this system is that the apparent requirement of prior authorization might prove a significant administrative burden to data protection agencies.  Significant delays might result before authorization is granted, at a potentially high price to business.
 If the Principles are accepted by the Commission, however, transfers out of Europe could be authorized instead under Article 25(6).  The United States would be considered to have adequate protection to the extent that an organization makes transfers to the United States pursuant to the Principles.  In such a case, prior authorization from the national authorities would no longer be required.  Organizations that agreed to follow the principles would be able to continue data flows without interruption or the need to get each contract approved in advance by a national authority.
 The key remaining question, in that event, would be defining what it means to “cooperate with data protection authorities.”  One possibility is for a company to make a public statement of its adoption of the Principles, perhaps in its 10Q or 10K forms filed with the Securities and Exchange Commission.  Another possibility is for the organization to file with the relevant national authorities its promise to comply with the Principles.
 Where no other privacy program is in place, a related important question is whether the Europeans will accept a simple declaration that the organization will comply with the Principles.  Consider the example that likely affects the largest number of organizations -- transfer of their own human resources records from Europe to the United States.  For such transfers, one possibility is that the Europeans will consider it sufficient simply to announce an organization’s intent to comply, such as through a 10K or a filing with a national authority.
 Another possibility, in light of the current absence of private-sector privacy programs that monitor human resources records, is that the Europeans will want a more specific description of the terms and conditions surrounding such transfers.  These terms and conditions might be embodied in a contract, made available to the national authority, between the European and American entities involved in the transfer.  In such an event, the Safe Harbor can provide a crucial advantage compared with the legal situation in the absence of a Safe Harbor.  Under current law, Article 26(2) would require such a contract to be approved in advance by the national authority.  Under the Safe Harbor, as provided by Article 25(6), there would be no need for such prior approval.  In this scenario, contracts and model contracts can be developed for categories of transactions, with minimal bureaucratic obstacles.

Respectfully submitted,

Peter P. Swire
Professor of Law
Ohio State University
College of Law
55 West 12th Avenue
Columbus OH 43210
(614) 292-2547
swire.1@osu.edu



From: Dr. Donald Harris

Ambassador David L. Aaron
Undersecretary for International Trade
U.S. Department of Commerce
14th Street and Constitution Avenue, N.W.
Washington, DC 20230

Dear Ambassador Aaron:

I am Dr. Donald Harris, Manager of Human Resource Systems for The New York
Times Company, and Chair of IHRIM's Committee on Information Use and
Protection.  IHRIM is the International Association for Human Resource
Information Management, a professional association of over 6,000 members,
largely in the United States and Canada, who work as practitioners,
consultants, vendors and academics in the field of human resource
information systems.  Many of our members work with multi-national
corporations which are currently moving employment-related data from Europe
to North America, or planning to do so.

Needless to say, these members, and the corporations for which they work,
are concerned about potential disruptions to transborder flows of human
resource information, and support any and all reasonable efforts to avoid
such disruptions.  One sign of this concern is the establishment of the
committee which I chair.  Another is IHRIM's sponsorship, with Dr. Alan
Westin, of a two-day conference this coming January on the challenge of
managing HR data under the EU privacy directive (details can be found at
http://www.ihrim.org).

Before commenting further, permit me to make clear that I am not attempting
to speak for IHRIM, or for its Board of Directors.  While the Board
authorized the establishment of my committee for the express purpose of
developing a set of standards or guidelines for protecting the privacy and
confidentiality of human resource information - in effect, an industry code
of practice for employment data - I am not empowered at this time to present
these comments as anything other than my own opinions.  Consequently, what
follows are my own observations, based upon several years of involvement
with issues surrounding the EU Directive on Data Protection as it relates to
employment data.

While I support the effort to find a reasonable accommodation with the EU
over the implementation of the directive, I am concerned about the viability
of the safe harbor initiative, and whether it will prove acceptable to the
EU, primarily because of the high level of generality of the current
proposal.  The privacy principles contained in the initiative may need some
refinement, but they are largely consonant with many other formulations of
the principles of fair information practice, whether in the OECD Guidelines,
the CSA Model Code, or the Directive itself.  What is missing, and what is
needed, is to flesh out the application of these principles to various
industries and sectors, so that they are translated from the abstract to
the concrete.  My committee is attempting to do just this with regards to
how the principles of fair information practice apply to the employment
arena.  The suggestion that this could be done via a series of commonly
asked questions and answers radically underestimates the complexity of the
translation process.  A better model for how this might be done is the
approach the Canadian banking and insurance industries have taken in
adapting the CSA Model Code to their particular sectors.

In addition, the vagueness around what companies need to do to implement the
principles, and the time period within which they have to do so, also raise
significant concerns about whether the initiative will contribute to the
resolution of the problems surrounding the directive.  Knowledge of the
legal and regulatory requirements pertaining to the use of
personally-identifiable information is essential to the development and
operation of global HR information systems.  Put simply, companies need and
want to know what has to be done.  Does the safe harbor initiative, in its
current form, contribute to the resolution of the enormous uncertainty that
prevails at present about these requirements?  Or does it merely defer more
substantive resolutions of the underlying trans-Atlantic dispute?

I believe that the safe harbor approach could be quite valuable if it serves
to steer organizations wishing to implement effective privacy protection in
the right direction, giving them an understanding of what has to be done and
some assurance that if they do it, they will indeed have achieved something
valuable.  What is needed, in my opinion, is less of a "safe harbor" and
more of a "safe channel."  Resting quietly at anchor is not the image that
needs to be projected when most professionals in the field of HR systems,
and probably far too many corporations, are not even aware that Washington
has been promoting a policy of self-regulation.  Better communications, and
truly cooperative undertakings between government and industry groups,
would contribute to progress around these issues.

Thank you for the opportunity to present my observations and concerns.  If
IHRIM or I can be of any assistance in helping you or the Department of
Commerce achieve resolution of these matters in the area of employment
information, please do not hesitate to contact me.

Sincerely,

Dr. Donald Harris
IHRIM's Committee on Information Use and Protection



From: Dr. C. N. M. Pounder, Editor Data Protection News
 

We are data protection practitioners working in the UK in this field for
15 years.

We attach a Word 6 file containing an article from Data Protection News
which looks at the issue of transfers of personal data.

We disagree that the Directive will significantly impact on such
transfers.

The article considers the position with respect to the Data Protection
Act in the UK. It looks at 5 questions:

 - first, does the Data Protection Act 1998 introduce any new concepts
with respect to transfers of personal data to the USA (ie concepts which
are not in the 1984 Act)?

 - second, can the Data Protection Act 1998 effectively prohibit a Data
Controller based in the UK from choosing a Data Processor in the USA?

 - third, can the Data Protection Act 1998 restrict a Data Controller
based in the UK from co-operating with a Data Controller based in the
USA?

 - fourth, does the Data Protection Act 1998 put a Data Controller based
in the USA at a disadvantage when competing, in the UK, with a Data
Controller based in the UK?

 - fifth, does the Data Protection Act 1998 put a Data Controller based
in the UK at a disadvantage when competing, in the USA, with a Data
Controller based in the USA?
 

We conclude that we are not convinced by the arguments that the Act, and
the Directive upon which the Act is based, are barriers to trade; in the
article we explain our conclusions in this regard.

Taking the USA as an example of a territory outside the European
Economic Area, we explore the main data protection issues which arise
from a transfer of personal data to the USA in the context of normal
commercial operations.

Yes, there are data protection obligations, but these are easy to
identify and not onerous, let alone insuperable. We conclude that the
main data protection problems arise from the First, Second and Seventh
Principles; satisfying the requirements of these Principles will
normally satisfy the Eighth Principle.

 In Directive terms the argument is this. The need to satisfy the
fairness requirements of Articles 6, 7, 10 and 11, and the need to heed
the security requirements of Articles 16 and 17 of the Directive will
often be sufficient to qualify for an exclusion in Article 26.
Qualification for an exclusion means that the provisions in Article 25
do not apply; in other words, there is no need to assess the adequacy of
the protection offered in a Third Country.

 The text represents only the views of the authors and first appeared in
Data Protection News (Summer 1998, Issue No. 34).
 

Dr. C. N. M. Pounder
Editor
Data Protection News
Cap Gemini
95 Wandsworth Road
London SW8 2HG
<dp.news@capgemini.co.uk>

19th Nov 1998

THE DATA PROTECTION ACT 1998. Is it a barrier to transborder dataflows?
   by Dr. C. N. M. Pounder & F. Kosten

   Editors of Data Protection News
 
 

Synopsis We are not convinced by the arguments that the Act, and the Directive upon which the Act is based, are barriers to trade; in the Section we explain our conclusions in this regard. Taking the USA as an example of a territory outside the European Economic Area, we explore the main data protection issues which arise from a transfer of personal data to the USA in the context of normal commercial operations. Yes, there are data protection obligations, but these are easy to identify and not onerous, let alone insuperable. We conclude that the main data protection problems arise from the First, Second and Seventh Principles; satisfying the requirements of these Principles will normally satisfy the Eighth Principle.

 In Directive terms the argument is this. The need to satisfy the fairness requirements of Articles 6, 7, 10 and 11, and the need to heed the security requirements of Articles 16 and 17 of the Directive will often be sufficient to qualify for an exclusion in Article 26. Qualification for an exclusion means that the provisions in Article 25 do not apply; in other words, there is no need to assess the adequacy of the protection offered in a Third Country.

 The text represents only the views of the authors and first appeared in Data Protection News (Summer 1998, Issue No. 34). Subscription details are available from <dp.news@capgemini.co.uk>
 

   *********
Introduction We are frequently asked whether or not the Data Protection Act 1998 will make it harder for organisations to transfer personal data outside the European Economic Area (EEA) (eg transfers about staff and customers via Inter or Intranet). Additionally, some of our many subscribers who live outside the EEA worry about the impact of the new law on their ability to compete effectively for customers within the EEA's boundaries. Indeed, in the USA for instance, there have long been suspicions that the European Union's Data Protection Directive was designed, on the pretence of protecting privacy, to prevent USA-based organisations from competing in Europe (eg a barrier to free trade). In addition, many national governments now avoid a regulatory approach towards an issue if a `free market' or `self-regulation' solution is available; the European Union's insistence on regulation to resolve data protection issues is thus viewed as overtly prescriptive, constraining the emergence of market-generated solutions. Consequently, this Section explores the answers to five key questions, using the USA as an example of a Third Country (ie outside the EEA) which has not implemented national data protection legislation. These questions are:

 - first, does the Data Protection Act 1998 introduce any new concepts with respect to transfers of personal data to the USA?

 - second, can the Data Protection Act 1998 effectively prohibit a Data Controller based in the UK from choosing a Data Processor in the USA?

 - third, can the Data Protection Act 1998 restrict a Data Controller based in the UK from co-operating with a Data Controller based in the USA?

 - fourth, does the Data Protection Act 1998 put a Data Controller based in the USA at a disadvantage when competing, in the UK, with a Data Controller based in the UK?

 - fifth, does the Data Protection Act 1998 put a Data Controller based in the UK at a disadvantage when competing, in the USA, with a Data Controller based in the USA?
 
 

Terminology The phrase `Data Controller based in the USA' as used above does not describe a `person' who is automatically subject to the provisions of the 1998 Act. The definition in the Act merely states that a Data Controller is a person who `determines the purposes for which and the manner in which any personal data are, or are to be, processed' (Section 1(1)). In other words, `Data Controller' is shorthand for an organisation which processes personal data for its own purposes. Similarly, a `Data Processor based in the USA' describes an organisation based in that country which processes personal data on behalf of a Data Controller (eg a person who, in order to provide goods or services to the Controller, requires access to personal data held by that Controller).
 
 

Assumption In addition to the above, our text assumes that the phasing-in rules associated with the 1998 Act do not apply; this focuses undistracted attention on the issues that can affect transfers of personal data outside the EEA. However, there are several provisions relevant to such transfers if the processing involved was under way prior to October 24th 1998; for instance, the Eighth Principle (dealing with transfers) does not apply to such `Eligible Data' until October 24th 2001. In addition, if a Data Processor is engaged by a Data Controller to process Eligible Data, there is no need, under the Act, for the Controller to impose the obligations of the Seventh Principle by means of a contract with the Processor. Readers are also referred to our detailed analysis of each of the Principles of the 1998 Act (DPNs 32 and 33) and our discussion of the data protection content of contracts (DPNs 30 and 31); these contain more general advice.
 
 

Question 1 First, the most fundamental question: does the Data Protection Act 1998 introduce any new concepts with respect to such transfers? Answering this question leads us to probe the relationship between data protection legislation, other relevant legal provisions, and transborder flows of personal data.

Old idea The notion that one State should be able to prohibit the transfer of personal data to another State is an idea which is over seventeen years old; it lies at the heart of the Council of Europe `Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data', published in 1981. Article 12 of this Convention states that `A Party (to the Convention) shall not, for the sole purpose of the protection of privacy, prohibit or subject to special authorisation transborder flows of personal data going to the territory of another Party' (ie if there is an adequate level of data protection, as usually exists in signatories to the Convention, then transfers of personal data can proceed unless prohibited on other grounds). The Article also provides for exceptional cases where if `another Party' maintains an inadequate level of protection (eg having regard to `the nature' of particular data), signatories to the Convention can use privacy grounds to prohibit such transfers.
 
 

 Logical? If transfers can be prohibited to a Member State of the Council of Europe which fails to implement adequate data protection, it is logical to extend this prohibition to States worldwide. To do otherwise would make no sense; in an era of the Global Information Society, why should the protection of individual privacy end at Europe's borders? This rationale finds expression in two provisions in the Data Protection Directive:

 - Article 1(2), which states that if Member States have implemented appropriate, equivalent data protection legislation based on the Directive (ie States have an adequate level of protection), then `Member States shall neither restrict nor prohibit the free flow of personal data between Member States for reasons connected with the protection afforded (to individuals)'. This Article thus reintroduces the idea, explicitly expressed in the Council of Europe Convention, that privacy grounds cannot be used to prohibit transfers between Member States of the European Union if Data Subjects are adequately protected. By implication, an adequate level of protection is that protection which is specified in the Directive, or equivalent to that specification. In the UK Act, this specification is implemented by means of Eight Data Protection Principles; thus it is difficult to see how the claim that there is an inadequate level of protection can be substantiated if, after the transfer of personal data, conditions are such that the Principles can be shown to apply to that processing. As will be seen, this conclusion is important to the relationship between a UK-based Data Controller and a USA-based Data Processor
 

 - Article 25, which refers to the obligation of Member States to `provide that the transfer to a third country of personal data' (eg for the delivery of a service) may only take place `if ...the third country in question ensures an adequate level of protection' (in the 1998 Act, this applies to countries outside the EEA); by implication, therefore, adequate protection ensures that the transfer cannot be impeded. This Article clearly has worldwide application, but only wherever there is inadequate protection for the individual. Article 26, which introduces derogations from Article 25, thus has the potential to weaken this principle by providing additional grounds for transfer despite inadequate protection.
 
 
 

Comment It is important to understand that other forces are at work in relation to transfers of personal data. The involvement of the Council of Europe creates a direct link to the protection of human rights and, in particular, to the Human Rights Convention (which is soon to be incorporated into UK law; see DPN 32). This in turn leads to consideration of the impetus underpinning this Convention: the recognition that after the Second World War, the democracies needed a declaration of fundamental rights and freedoms which was guaranteed by a framework of law and administered by an independent and impartial judicial system. As such, therefore, this Convention is a political, social and cultural statement of values intended to contrast starkly with aspects of recent European history: ravaged by war and dominated by oppressive dictators and totalitarian regimes. By contrast, the rights of individuals guaranteed by the American Constitution have not suffered the same degree of authoritarian violation; if they had, then perhaps the European Union's approach towards data protection would not appear so contentious to American eyes.
 
 
 

Current position It is clear that the pre-Directive generation of data protection legislation (eg the UK's 1984 Act), based on the Articles of the Council of Europe Convention, has not impeded the development of international trade. With the exception of transfers to any country bound by the terms of that Convention, Section 12 of the Data Protection Act 1984 permitted the Data Protection Registrar to prohibit the transfer of personal data `either absolutely', or until the organisation wishing to carry out the transfer `has taken such steps as are specified ... for protecting the interests of the data subjects in question'. Although this power applied to any Data User who transferred personal data outside the UK, in the twelve years that it has been available it has been used, to our knowledge, only once. Hardly earth-shattering.
 
 

European experience Similarly, the number of times the European Union's data protection authorities have exercised such powers to prohibit transfers seems to be few and far between. Collectively, these powers have been in operation for over 100 `data protection' years; during this period there has been no sustained protest from any State (including the USA) about Member States' ability to prohibit transfers, and no convincing argument that such legislation poses a threat to international transfers of personal data. Since the Directive is largely a mechanism to harmonise pre-Directive data protection laws, and if such laws have created no difficulty on the transfer front, why should there be concerns that post-Directive legislation will change this state of affairs?  Yes, for UK Data Controllers there will be higher standards of data protection, but this problem mainly arises because some of the Member States have adopted such standards for more than a decade. As noted above, even such higher standards of pre-Directive laws have not created any sustained problems with respect to transfers (eg to the USA).
 
 

Topical example The second part of our argument that there is little new in data protection legislation to prohibit transfers is that restrictions on transfer would exist even if there was no data protection legislation. This is best explored by example: the free flow of personnel/human resources personal data across the globe (eg from a multi-national based in the UK). If one starts with the position that employees expect the personnel details they give to their employer to be kept confidentially, then the following analysis applies. If such personal data are subject to a duty of confidence, then for an employer to process these data in a way that would breach confidence (eg by transferring the data to a third party so that they can be used for another purpose, by transferring the data to an insecure environment so that there is a clear danger that unauthorised persons could gain access to such data), would breach the duty of care owed by the employer towards the protection of such personal data. In other words, action can be taken now to prohibit transfers of personal data if such transfers breach a confidence. Note: confirmation of the fact that to process personal data in a way that breaches confidence constitutes unlawful processing in breach of the First Data Protection Principle is one of the key conclusions of the Tribunal Decision discussed elsewhere in this issue.
 
 

Law of confidence The law of confidence, in general, permits three circumstances under which it is permissible to breach a confidence; it is instructive to see how the main impact of the First and Second Principles of the 1998 Act ensures greater transparency when processing results in a lawful breach of confidence. These circumstances are:

 - when legislation requires the Data Controller to transfer the personal data. In an international context it is unlikely that UK law would require a private sector body, based in the UK, to transfer personal data outside the EEA (eg to an authority based in the USA). International obligations usually commit Governments to exchange personal data; in other words, there might be a legal obligation to disclose to a UK government body which then transfers the personal data in accordance with international agreement. Note that in these circumstances it will be the government body which will have to ensure that the transfer is within its powers (ie is lawfully processed) and satisfies the Eighth Principle of the 1998 Act in terms of that Principle's Interpretation or the conditions identified in Schedule 4. In addition, unless an exemption applies, or unless the purpose of the processing is known to the Data Subject, the Second Principle could require details of the purpose(s) of any Recipient's processing (ie even those Recipients outside the EEA) to be declared to the Data Subject; this follows since the transfer of personal data is also a disclosure of personal data and the Second Principle requires that `regard is to be had to the purpose or purposes for which the personal data are intended to be processed by any person to whom they are disclosed' (see DPN 32, page 44). In short, the First and Second Principles work to ensure that, unless an exemption applies, the Data Subject knows about the transfer and its consequences; such transparency motivates the Data Controller to ensure that the transfer itself is lawful
 

 - when the transfer is in the public interest. The Eighth Principle permits transfers if disclosure `is necessary for reasons of substantial public interest' (paragraph 4 of Schedule 4). Thus if the USA police asked for a transfer of personal data with respect to a particular Data Subject suspected of being involved in a serious crime (eg murder, rape), then it is likely that the test of substantial public interest would be satisfied, unlike in the case of a lesser crime (eg minor theft). As explained in DPN 33 (page 23), the Secretary of State has total discretion to determine whether a particular transfer is, or is not, in the public interest; this power can be used to legitimise international agreements (eg with respect to serious crime or public health). Finally, in these circumstances, the disclosure (ie transfer) would be subject to the exemption which relates to crime (Section 29); thus there would be no need to declare the Recipient's purpose (ie the purpose of the USA police). Note: the same argument would apply when there are other public interest grounds for the transfer of personal data about a particular individual (eg the prevention of serious harm to the Data Subject; this corresponds to processing in the `vital interests' of the Data Subject, as expressed in Schedule 4)
 

 - when the use or disclosure has the consent of the Data Subject. Under the 1998 Act, obtaining consent for processing legitimises that processing, unless the processing itself is unlawful (in which case consent does not override the restriction imposed by law). For example, Schedule 4 permits transfers when the Data Subject has `given his consent' or when transfer is necessary with respect to a contract (see Schedule 4, paragraphs 2 and 3). In many cases, under the current UK law, consent is obtained via a signature on a contract (eg for connection to a telecommunications service or for the use of a credit card).
 
 

Comment In summary, therefore, if the law of confidence is maintained, then the provisions in the 1998 Act which facilitate transfer outside the EEA are also likely to be satisfied. If the law of confidence is breached, then certain provisions of the Act are also breached. In this way, the provisions of the Act can be seen as providing an alternative avenue of redress for Data Subjects. For instance, an action based on the law of confidence usually requires an actual breach to have occurred; by contrast, the transparency of processing imposed by Data Protection Act 1998 allows the Data Subject to make a pre-emptive complaint to a Data Protection Commissioner (eg on the grounds that the processing is likely to incur a breach of confidence and is, therefore, unlawful in terms of the First Principle (or Seventh Principle)). In this way, if confidential personal data are transferred outside the EEA, many of the constraints which are ascribed to data protection are, in fact, a consequence of the common law which protects confidentiality; all data protection does is make redress more readily available to Data Subjects. This argument would apply to many categories of confidential personal data (eg Sensitive Personal Data as defined in Section 2 of the 1998 Act, or financial data such as a Data Subject's credit card or bank account details).
 
 

Other data With respect to other personal data (ie non-confidential personal data), there are new constraints founded solely on data protection law; however, since these data are by definition not confidential, the risk factors associated with transfers are very much reduced. We explore this aspect in relation to other questions; our main conclusion is that making any transfer transparent to the Data Subject at the time of collection of personal data will resolve most problems.
 
 

Question 2 The second question relates to how the Data Protection Act 1998 applies to a Data Controller, based in the UK, which wishes to choose a suitable Data Processor in the USA (or indeed, a Data Processor based anywhere outside the EEA). Our conclusion is that as long as the Data Controller takes the Seventh Principle to heart (eg by identifying, in advance, the appropriate security and other data protection standards which govern the processing), and takes the required care to choose a USA-based Data Processor that can guarantee their adoption, then no significant obstacles should be encountered. This conclusion is derived as follows:

 - first, the transfer of personal data to the Data Processor, outside the EEA, should take place in circumstances so that the rights and Principles, identified in the Data Protection Act 1998, will continue to apply to the processing of the data after the transfer. As far as the Act is concerned, it then does not matter where the personal data, held by the Controller, are processed by that Data Processor. In practice, the main concern of a Data Controller will be the Seventh Principle and, in particular, the choice of Data Processor who can offer the appropriate level of security and data protection guarantees in a binding contract. Given the technical sophistication of many USA-based Data Processors, it is not credible to claim that there will be difficulty in agreeing the need for standards, let alone for establishing the appropriate procedures to monitor and audit such standards. Demonstrating compliance with such standards becomes more important if the nature of the processing is sensitive (eg Sensitive Personal Data are processed)
 

 - second, a Data Processor, by definition (Section 1(1)), is a person who `processes the (personal) data on behalf of the data controller' (ie a Data Processor does not process, for its own purposes, personal data held by a client). In other words, the personal data processed in the USA remain subject to UK data protection law and the Data Subject is protected by the 1998 Act. For example, if a USA-based Data Processor were to process personal data for purposes which are not covered by the UK-based Data Controller's instructions, or if that Processor failed to adopt that Controller's security and data protection standards, then that Controller would be in breach of the Act and the Data Subjects would have redress under the Act (eg to sue that Controller for compensation which arose from the security breach). In other words, the full protection of the Act would apply to processing carried out in the USA
 

 - third, in such circumstances, it is difficult to see how a breach of the Eighth Principle can arise so long as the Seventh Principle is demonstrably being satisfied. Since the USA-based Data Processor has to adopt the security and data protection standards of the Data Controller, and since these standards must be those which are required to satisfy the 1998 Act, it follows that the processing must be at an adequate level of protection. Paragraphs 8 and 9 of Schedule 4 permit the Commissioner to authorise transfers which `ensure adequate safeguards for the rights and freedoms of Data Subjects'; the Commissioner can hardly refuse such authorisation since the appropriate safeguards are guaranteed because the 1998 Act applies. Hence our conclusion that the only real issue of substance is how well the Data Controller can ensure that the Act applies to the processing (eg by the effectiveness of the contractual arrangements governing the processing, as required by the Seventh Principle).
 
 

Contracts Since contractual arrangements are the key, UK-based Data Controllers, in addition to the consideration of general points about contracts (discussed in DPNs 30 and 31), will need to consider the following areas if they employ a Data Processor outside the EEA (eg USA-based); this is especially the case if Sensitive Personal Data are processed, or if the processing is of a sensitive nature. These areas are:

 - audit requirements. The Seventh Principle obliges a Data Controller to choose a Data Processor which can provide `sufficient guarantees in respect of the technical and organisational security measures governing the processing', and to `take reasonable steps to ensure compliance with those (agreed) measures'. Clearly it is more awkward (ie expensive) to do this if UK-based staff have to perform security audits in the USA; if the personal data are to be processed by a Data Processor located, say, in Outer Mongolia it would be even harder for the UK-based Data Controller to guarantee that agreed standards are maintained
 

 - fair processing obligations. The USA-based Data Processor is a Recipient of personal data; the Data Controller will, therefore, have to consider whether the identity and/or location of the Data Processor needs to be revealed on the grounds that this is `to enable processing in respect of the data subject to be fair' (paragraph 2(3)(d) of the Interpretation of the First Principle). However, there is a strong counter-argument to the effect that the provision of this information would be unnecessary, since the Data Processor has adopted the Data Controller's data protection and security standards and the 1998 Act applies to the processing; expect the Data Protection Commissioner to issue advice in this regard
 

 - legal obligations arising from USA law. The circumstances which require the disclosure of personal data could differ from those pertaining to the UK, depending on the jurisdiction in question. For instance, there may be circumstances in the USA when a Processor is compelled to disclose personal data to the authorities. Data Controllers must identify, in advance, whether such obligations exist, whether they are acceptable and, if so, whether they need to be declared to Data Subjects on fair-processing grounds which can arise from both the First and Second Principles (the impact of the Second Principle is discussed in the next Question)
 

 - Data Processors must respond, if need be, to the Data Controller's obligations under the 1998 Act. For instance, if a Data Subject were to apply for Subject Access, the Data Controller would be embarrassed to say the least (and in breach of the Sixth Principle to say the worst) if the USA-based Data Processor could not provide a copy of the relevant personal data in good time. Our advice is that as part of the pre-contractual obligations, it must be made clear that the Data Processor will be expected to respond to meet data protection obligations placed on the Data Controller by the 1998 Act (eg satisfy rights of Data Subjects; modify processing procedures if there is a breach of a Principle). Note: if the Data Processor sub-contracts part of the processing, these sub-contractors may need to give the same guarantees as the Processor (eg that they can be audited by the Data Controller; see also DPN 30 and 31)
 

 - developments in the field of contracts. The Data Protection Commissioner, the Confederation of British Industry, and the European Commission are all exploring whether they can find the magic words to feature in contracts. When these clauses emerge (in our view, it is only a matter of time), consider making use of them, especially if they are blessed by the Commissioner; it will make life simpler. Note: DPN will be on watch too!
 
 

Question 3 Can the Data Protection Act 1998 restrict a Data Controller based in the UK from co-operating with a Data Controller based in the USA? We conclude that there could be problems but only if rather basic data protection rules are ignored. We also conclude that satisfying these rules is perfectly manageable, and unlikely to create difficulty, as long as they are considered in advance of any processing. The argument to support this conclusion begins with the identification of the main data protection concerns; these are:

 - those circumstances which arise from the involvement of two Data Controllers and from the application of the First Principle. Prior to any transfer to the USA, two `fair processing' issues arise from the First Principle: the legitimisation of the processing in terms of Schedule 2 (and Schedule 3 if Sensitive Personal Data are processed), and the rules to guarantee `fair processing' described in the Interpretation of the First Principle. Assuming no exemption applies to these `fairness' requirements (such as might apply to a transfer of personal data between public authorities engaged in law enforcement), the main way to satisfy the data protection requirements is to ensure that the Data Subject has consented to the relevant processing (after receiving a full declaration of the processing purposes and of the persons involved) or, if the processing is necessary for the performance of a contract, to ensure that it is suitably described in the contract terms. Many Data Controllers in the UK already provide such complex explanations for the exchange of personal data (eg by seeking the consent of an applicant for a loan or credit card, to the disclosure of certain personal data to other lenders through the services of a credit reference agency, for debt collection, fraud prevention and tracing purposes; or by making such processing a condition of contract). However, the key issue is this: the impact of the First Principle is to make the existence of the USA-based Data Controller, and the purpose of the processing in the USA, known to the Data Subject, unless this was obvious from the context in which the personal data were obtained, or unless an exemption from providing such fair-obtaining information applied
 

 - those circumstances which arise from the involvement of two Data Controllers and from the application of the Second Principle. The key requirement in the Second Principle is for the UK-based Controller, prior to transfer, to have regard `to the purpose or purposes for which the personal data are intended to be processed by any person to whom they are disclosed'; this entails consideration of the disclosure to the USA-based Data Controller and of any other subsequent disclosure to be made by that Controller. Assuming no exemption applies to this requirement, the impact of the Second Principle is to ensure that any explanation provided to Data Subjects covers such disclosures. For instance, suppose the USA-based Data Controller disclosed the personal data, which had been transferred to it by the UK-based Controller, to another USA-based company for this latter company's marketing purpose. In our view, the Second Principle is very likely to be breached by the UK-based Controller if the identity and location of the Recipient were not declared to Data Subjects at the time of collection of these data. Additionally, if the purposes of both disclosures were not revealed, then a breach of the First Principle would be likely on the grounds that `further information ... to enable processing in respect of the data subject to be fair' was not provided to the Data Subject
 

 - the Seventh Principle. It would also be prudent for the UK-based Data Controller to ensure that the security of the processing of personal data undertaken by its USA-based business partner is satisfactory (ie is at least equivalent to that deemed appropriate in the UK). Although there is no explicit obligation to assess the security measures offered by the Data Controller in the USA (as there is with a USA-based Data Processor; see the discussion of our second question above), any `inferior' security offered by that Controller could be challenged on general grounds. For instance, during negotiations between the USA and UK Controllers concerning the co-operation required to provide customers with services, the privacy protection of such customers should have been an important factor. Failure to take this factor into account would provide clear evidence of a failure to take `Appropriate technical and organisational measures' to protect the personal data (ie a breach of the Seventh Principle)
 

 - anticipate `trouble' with a Data Subject. A UK-based Data Controller would also be well advised to anticipate the consequences should Data Subjects exercise their rights (eg object to personal data being used for a marketing purpose; exercise their rights of access or correction; complain to the Commissioner). Our advice would be to ensure that the contract with the USA-based Data Controller stipulates that the actions which the UK-based Controller could be obliged to carry out (eg block the use of personal data for a marketing purpose, provide a copy of personal data to the Data Subject, notify Third Parties of any correction to personal data, provide information to the Commissioner concerning the processing), are assisted, as necessary, by the USA-based Data Controller, following a formal request from the UK-based Data Controller. Note: other considerations might also need formal identification in contracts (eg any extension of data protection requirements to Data Processors used by the USA-based Data Controller; also see DPNs 30 and 31)
 

 - those circumstances which arise from the transfer of the personal data. Schedule 4 legitimises any transfer if the Data Subject has consented or if the transfer `is necessary for the conclusion of a contract between the data controller and a person other than the data subject (eg a USA-based Data Controller) which (i) is entered into at the request of the data subject, or (ii) is in the interests of the data subject', or `is necessary for the performance of such a contract'. These conditions may require a modification of the consent clause, or of the contract terms agreed between the UK-based Data Controller and the Data Subject (eg to ensure fairness where two Data Controllers are involved; see bullets about the First and Second Principles above) in order to alert Data Subjects to the fact that it is necessary to transfer personal data outside the UK. Note: one final reminder; the `necessary' personal data which are to be transferred must be the minimum necessary.
 
 

Question 4 Does the Data Protection Act 1998 put a Data Controller based in the USA at a disadvantage when competing, in the UK, with a Data Controller based in the UK? Assuming that the USA company has a physical presence (and hence a representative) in the UK, both Controllers have to satisfy the UK Data Protection Act 1998 and a level `data protection' playing field pertains to the processing. It is thus difficult to see how one Controller is disadvantaged. This conclusion holds even if the personal data obtained are not processed further prior to transfer to the USA; since `obtaining' is a processing operation it must be legitimised in terms of all the Principles, the related Schedules and Interpretations, and the Notification requirements. We have one further observation:
 
 

Contracts It is possible for a contractual condition to legitimise the transfer to the USA (eg if the transfer `is necessary ... for the performance of a contract between the data subject and the data controller' or `is necessary ...for the taking of steps at the request of the data subject with a view to entering into a contract with the data controller'). Such conditions legitimise the transfer in terms of the Eighth Principle; the Data Subjects may not, therefore, need to know about the transfer to satisfy this Principle. However, as with the Third Question, the application of the Principles must be seen as a whole, and the requirements of the First and Second Principles might well require certain details of the transfer to be declared to Data Subjects at the time of collection of the personal data (eg likely Recipients in the USA, non-obvious uses and disclosures in the USA). This is another example of the situation whereby the Eighth Principle can be satisfied without recourse to the Data Subject, yet such information has to be given to Data Subjects in order to satisfy the First and Second Principles.
 
 

Question 5 Does the Data Protection Act 1998 put a Data Controller based in the UK at a disadvantage when competing, in the USA, with a Data Controller based in the USA? Our answer is `undoubtedly yes'. Member States of the Council of Europe have taken the decision to use legislation to protect the privacy of individuals, in the electronic age, on the basis that privacy is integral to the delivery of goods and services. As far as Data Controllers based in the Member States of the European Union are concerned, such legislation even obliges them, when offering services to USA citizens that involve the processing of personal data in the Union, to provide those USA Data Subjects with statutory privacy protection. Avoidance of the extra costs of providing this protection as a consequence of legislation gives a USA Controller a competitive advantage in its own country (assuming the USA Controller has no equivalent statutory obligation, or one which arises from a self-regulatory Code of Practice).

Multi-nationals The circumstances described above raise a key issue for multi-nationals when processing personnel and customer records. In most of Europe, staff and customers are protected by data protection legislation and granted specific rights; in the USA, this might not be the case. Can this result in an accusation that the multi-national now holds personal data on a group of `second class' citizens - namely individuals who can be deprived of privacy protection because their personal data are processed in circumstances when data protection law does not apply? In short - why should the privacy of staff and customers be respected in Europe but not in the USA?
 
 

Internet? What happens if a Data Subject, based in the UK or the USA, visits the web-site of a Data Controller and orders goods or services? If the Data Controller is based in the European Union then the web-site will be subject to the usual data protection rules (eg fair obtaining) which will be broadly equivalent throughout the Union. However, what happens if the web-site is in the USA? Are `fair obtaining' rules, for instance, imposed extraterritorially? We are confident that the answer is `No'.
 
 

Reasoning Section 1(2) of the Act defines `obtaining' to include `obtaining ... the information to be contained in the data'; clearly therefore the USA web-site is obtaining personal data. However, Section 5(1)(b) excludes the USA Data Controller from being subject to the Data Protection Act if the Controller only `uses equipment in the United Kingdom ... for the purposes of transit (of personal data) through the United Kingdom'. In the case of a Data Subject browsing a USA web-site, there is no processing of personal data in the UK except that needed by the telecommunications network to allow the Data Subject in the UK to transmit details to the web-site in the USA. In other words, the USA-based web-sites are not subject to the Data Protection Act 1998 (ie the USA Data Controller maintains a competitive advantage over the Controller based in the UK).
 
 

Other conditions Transfers of personal data can, of course, arise in circumstances other than those identified in the five questions posed above; in these other cases, the data protection issues are clear. If a transfer cannot be legitimised in terms of a contract or Data Subject consent (ie the two options in Schedules 2 to 4 which might require the provision of information to the Data Subject about the transfer), then at least one of the other conditions in these Schedules needs to apply in order to legitimise that processing. In this case great care needs to be taken, because the Data Controller (or its representative) is then effectively claiming that it is legitimate to keep the Data Subject ignorant of the transfer of personal data, or to transfer such data even if the Data Subject objects. It is useful to illustrate such contentious scenarios: the relevant data protection procedures adopted by a UK Data Controller must ensure that:

 - the disclosure or transfer outside the EEA is lawful (eg in terms of the law of confidence and of other relevant legislation which applies to the processing needed to facilitate the disclosure or transfer)
 

 - the processing necessary to facilitate the transfer is lawful. This will involve close study of the conditions in Schedules 2 and 4 (and Schedule 3 if Sensitive Personal Data are transferred) which do not relate to consent or to contracts
 

 - limits on any exemption from the fair-processing requirements are scrupulously applied. Note that if there is no exemption from the fairness criteria, then contact with the Data Subject is likely to prove necessary to guarantee fair-processing; if so, why not bite the bullet and seek consent (or perhaps modify the contract terms given to Data Subjects at the time of collection of the personal data)
 

 - if the transfer is necessary, then only the minimum required amount of personal data should be transferred (a consequence of the Third Principle)
 

 - that rights of Data Subjects are respected (unless an exemption applies). For instance, the right to object to the processing on grounds of substantial damage or substantial distress (Section 10), and the possibility that any correction, erasure or blocking of personal data will have to be notified to Third Parties (including Parties outside the EEA) who have received a copy of the uncorrected data (Section 14)
 
 

 - that appropriate consideration is given to the security of personal data. Note: much of what we say in our analysis of the Third Question is also relevant here.
 
 

Political comment The question of whether or not a State offers an adequate level of data protection will only arise in those circumstances where legitimising the transfer in terms of a contract, or Data Subject consent, or one of the other conditions in Schedule 4, proves impossible or impracticable. So, assume the worst case scenario and assume that there is a real data protection problem which prompts a Member State of the European Union to decide that a particular country offers an inadequate level of protection. In this case, the procedure specified in the Directive is that the Member State must inform the Commission who then must investigate the issue, no doubt obtaining the advice of data protection authorities on the way. However, the Commission's remit is also `to enter into negotiations with a view to remedying the situation' (Article 25(5)). Thus, it is only if these negotiations prove fruitless that the Member States could impose the ban on the transfer of personal data from the European Union. Note that the above process is essentially a political one designed to require agreements between sovereign countries; such a process will inevitably mean that the national interests of all concerned will weigh heavily during the negotiations.
 
 

Trade ban? Now pose the following question: is it credible that Europe would risk a trade-war with the USA, the leading economic powerhouse, on the grounds of privacy protection, when the counter threat would be barriers to trading with the largest marketplace in the world? Of course there is the possibility of bans from Europe on the transfer of personal data to certain other States. For instance, one can easily see such a ban being imposed on a country with a particularly shocking human rights record, or where the international community has made a collective decision to impose a trade embargo (eg the UN-wide trade embargoes on Iraq or Serbia). But the USA hardly fits this description.
 
 

Prohibition The general rule outlined in the Directive is that personal data can be freely transferred to countries outside the European Union which offer an adequate level of protection. Clearly, therefore, countries outside the European Union which have data protection legislation and which have ratified the Council of Europe Convention (on automated processing of personal data), or have implemented legislation to give effect to the Convention (eg Switzerland) should not encounter difficulty with respect to such transfers. Similarly, it is reasonable to expect that countries which have implemented data protection legislation based on the OECD Guidelines (eg New Zealand) or on UN Guidelines will not encounter many problems. Of course, particular transfers of personal data to specific organisations could run into difficulties, but in these circumstances one can expect intervention by a Data Protection Commissioner on a case-by-case basis (and not a country-wide ban imposed by the Member States of the European Union).
 
 

General position Many commentators are concerned that a prohibition on the transfer of personal data could impact the USA (and possibly Canada) since in these countries there is no federal data protection legislation. However, the picture is patchy; most of the Provinces of Canada, for example, have enacted statutory protection which covers the public sector, Quebec being a notable exception. Thus the transfer of personal data to, for example, one or more social security administrations in the provinces of Canada is unlikely to be subject to data protection difficulties (and, likewise, if the private sector in Quebec is involved). Similarly, in the USA, there are many constitutional devices, self-regulatory Codes of Practice, and laws which offer a varying depth of privacy protection and which apply to specific sectors at federal and State level; any of these could, on a case-by-case basis, be deemed to be appropriate as required by the Directive. For instance, there are observers who argue that the legislative protection of credit histories, as established by the federal Fair Credit Reporting Act, meets the requirements set in the Directive. In other words, because Canada and the USA offer certain elements of protection, it cannot be claimed that a particular Province in Canada, or a specific State in the USA, or a specific sector subject to a self-regulatory Code of Practice, offers an inadequate level of protection in all cases.
 
 

Consequence In these cases, the mosaic of privacy legislation (and Codes of Practice) will ensure that the `adequacy' of protection will always be tested in the context of the specific transfer which is intended, or has taken place. In such circumstances, it will take several cases which alarm data protection authorities before the problem escalates to one in which a country-wide ban becomes a possibility. Realistically, one expects such cases to be settled long before this stage is reached (eg by negotiation between the parties involved).
 
 

Codes of Practice Much work is being undertaken with respect to Codes of Practice (and standardised contract terms) which could permit personal data to be transferred to Third Countries; these could be relevant to all the circumstances described above. Their importance lies in the fact that adoption of a publicly available Code of Practice (eg based on the one produced by the Council of Europe; see DPN 31, page 22) can help to clarify the obligations of the various parties involved, and offer reassurances to Data Subjects. Adoption of such a Code, if it has the approval of the Data Protection Commissioner, could allow the transfer to occur without the need to seek the consent of Data Subjects; Schedule 4 (paragraphs 8 and 9) of the 1998 Act permits this. However, having said that, the First and Second Principles might well require the Data Subject to be informed (as we have pointed out several times already). We will keep readers informed of developments in this important area.
 
 

Conclusion In our view the risks of country-wide prohibitions on the transfer of personal data are minimal; the key issues are for UK-based Data Controllers to extend their fair-obtaining practices to include information about transfers outside the EEA, and for such processing (eg in the USA) to be undertaken with appropriate regard to the data protection and security standards adopted by the UK-based Controller. Of course there could be other practical difficulties (eg in obtaining consent for a transfer, or in deciding what is meant by informed consent). However, since our subscribers have, largely successfully, grappled with such issues for years (eg how to obtain consent for a different use or disclosure), we do not anticipate any profound problems. Controversially, perhaps, our analysis opposes those who claim that unless the Federal Government of the USA adopts a more rigorous approach to data protection and the safeguarding of individual privacy, then a ban on the transfer of personal data from Europe is feasible. We know that some civil libertarians close to the privacy debate in the USA believe this to be the case; we don't.

 ENDS
September 1998
 
 



From: Peter Swire

November 18, 1998

Ambassador David L. Aaron
Undersecretary for International Trade
U.S. Department of Commerce
14th Street and Constitution Avenue, N.W.
Washington, DC 20230

Comments re: International Safe Harbor Privacy Principles

Dear Ambassador Aaron:

 You have asked for public comment on the “International Safe Harbor Privacy Principles” (the “Principles”).  I am writing these comments based largely on research and related work with Dr. Robert Litan for our book, None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive (Brookings, 1998).  I am also joining the comments on the Principles being submitted today by Professors Fred Cate, Joel Reidenberg, and Paul Schwartz and Dr. Litan (the “joint comments”).

  The comments here express my views alone.  They do not represent the views of the Ohio State University College of Law, nor have I received any financial or other compensation for preparing these comments.

 As stated in the joint comments, I appreciate the opportunity to submit my views on the November 4, 1998 draft of the Principles, and I applaud the Department of Commerce, you, and your colleagues for your dedicated work on resolving how transfers of personal data can lawfully be made between the European Union and the United States under Directive 95/46/EC.

 My comments address eleven specific topics raised by the Principles.  Many of the comments are intended to help clarify particular, and sometimes difficult, issues that arise in interpreting the Principles.  Issues concerning a customer’s right to access data held by an organization are especially controversial.

 The final two comments, however, are likely the most important.  The first of these underlines the importance for U.S. organizations of knowing the scope of transfers permitted under the Safe Harbor.  Some enforcement mechanisms apply only to a subset of an organization’s data flows, such as its on-line customer information.  The crucial issue will be this:  if an organization complies for that subset of flows, does it also gain the legal ability to transfer its other data flows to the United States?  If not, then organizations need to be alerted that participation in the Safe Harbor for some categories of data will not entitle the organization to transfer other categories of data.  Notably, transfer of human resources records would likely require some additional compliance action by the organization.

 The final comment highlights a way in which the Safe Harbor could greatly streamline the process of complying with the Directive.  Under the Directive itself, transfers from Europe to the United States under a company-to-company contract appear to require prior approval by the national authority.  Under the Safe Harbor, by contrast, U.S. organizations that agree to comply with the Principles would not require prior approval to carry out transfers.  A priority in the Department’s further actions should therefore be to confirm this understanding, that prior approval of transfers would no longer be required for organizations that have accepted the Safe Harbor.

COMMENTS ON UNDERSECRETARY AARON’S COVER LETTER

 (1) Complete list of derogations.  In discussing exceptions, the cover letter signed by Undersecretary Aaron lists the derogations provided by Article 26(1), but does not mention the transfers that are permitted under Article 26(2) where “adequate safeguards” exist, such as from appropriate contractual clauses between entities in the E.U. and U.S.  The use of such contracts may be helpful in a range of cases where none of the derogations of Article 26(1) apply.  Where the Department of Commerce lists the exceptions that permit transfers, Article 26(2) should be included.

PREAMBLE TO THE PRINCIPLES

 (2) Qualifying for the safe harbor.  The preamble states that “an organization qualifies for the safe harbor if it is subject to a statutory, regulatory, administrative, or other body of law that effectively protects personal information privacy.”  Some industries, such as the banking, insurance, and securities industries, are subject to industry-specific regulation and supervision by specialized agencies.  Such industries might thereby qualify for the safe harbor to the extent that this regulation and supervision “effectively protects personal information privacy.”
 The question concerns corporations that are not subject to any such specialized rules.  Such corporations are subject to statutory and other law if they violate their announced privacy practices.  Notably, enforcement actions may be brought under Section 5 of the Federal Trade Commission Act (to the extent of its jurisdiction), under similar state laws, and under state lawsuits for breach of contract.  Is it the position of the Department that corporations subject to these actions, but not under specialized regulatory regimes, are subject to a legal regime “that effectively protects personal information privacy” and thus qualifies for the safe harbor?  Because these actions would apply to all U.S. companies that have adopted privacy policies, the answer apparently is no.  Otherwise, the other means for qualifying for the safe harbor, such as membership in private sector privacy programs, would be redundant.

 (3) “Proprietary” information.  The preamble states that “these principles do not apply to proprietary or manually processed information.”  The use of “proprietary” is very vague here and needs clarification.  At the extreme, a company might take the position that all information about customers and employees is proprietary and thus not subject to the Principles.  This extreme interpretation is clearly not intended, because it would render the entire Safe Harbor irrelevant.  But it is unclear from the context what sorts of proprietary information are intended to be excluded.
 Perhaps the use of “proprietary” is intended to apply to the scope of the individual’s right of access.  Under Article 12 of the Directive, every data subject has the right to obtain from the controller “knowledge of the logic involved in any automatic processing of data concerning him at least in the case of the automated decisions referred to in Article 15(1).”  Many U.S. companies would consider “the logic involved in any automatic processing of data” to be competitively sensitive information and thus proprietary.  Does the Department agree?
 Also in connection with the right of access, companies today often compile information about customers in addition to the information supplied by the customers themselves.  For instance, companies may access public records and buy demographic and other information concerning their customers.  Companies may consider which information they assemble to be “proprietary.”  Is this sort of selection of data sources about customers “proprietary” and thus outside of the scope of the Principles?  If so, then this may be a large exception to the Principles.
 More generally, it would be helpful to learn whether "proprietary" has any relevance outside of the area of right of access.  If so, then clarification would be useful.   If not, then the use of "proprietary" should be moved to the section on access.

NOTICE

 (4) Identity and contact information of the controller.  Article 10 of the Directive, concerning notice, specifically requires notice to the data subject about “the identity of the controller and of his representative, if any.”  Especially for on-line transactions, however, the individual may not be aware of the identity of the organization that is collecting personal data.  The Notice Principle might be amended to add “identity of the organization” to the list of information provided to individuals.  In the alternative, the Q&A section might point out that notice, to be effective, should include the ability of the individual to identify the organization.
 A closely related point is that notice should include information about how to contact the organization, such as by mail, 800 number, e-mail, or other means.  Without such notice, individuals may lack any effective way to get access to information that an organization has about them.  In the first sentence of the Notice Principle, language such as the following might be added to the list: “information about how to contact the organization in connection with uses of personal information.”  It is possible that provision of contact information is implicit in the notice of “the choices and means the organization offers individuals for limiting its use and disclosure.”  If so, then the Q&A section might explain that contact information should be included in the notice provided to individuals.

 (5) Information already available to the data subject.  Article 10 of the Directive states that information should be disclosed to the data subject “except where he already has it.”  The Notice Principle says that an “organization must inform individuals” about listed items, but does not include similar language.  The end of that sentence of the Notice Principle might be amended to add “except where the individual already knows the information.”  In the alternative, the Q&A might explain that information need not be explicitly provided where individuals already know the information.

ONWARD TRANSFER

 (6) Protection by third parties.  The Onward Transfer Principle states: “When transferring personal information to third parties, an organization must require that third parties provide at least the same level of privacy protection as originally chosen by the individual.”  My question concerns the interaction of this requirement with the Enforcement Principle.  Suppose that the individual or other appropriate party seeks enforcement because the third party does not offer the same level of privacy protection as originally chosen by the individual.  Enforcement actions might take place involving the controller (who supplied the information to the third party), the third party (who received the information from the controller), or both.
 Concerning the third party, is there any requirement that it have agreed to the Principles in order to qualify to receive the personal information?  The text of the Principles does not suggest any such requirement.  If the third party has not agreed to the Principles, what obligations, if any, must it undertake to receive onward transfer of data?  The Onward Transfer Principle states “an organization must require that third parties provide” protections.  Does this mean that the third party in some way must be subject to enforcement by the controller, perhaps under a contractual agreement, or in some other way?
 Concerning the controller, what obligations apply when unauthorized use is made of data by the third party?  Is the controller itself subject to enforcement whenever the third party misuses the data (a strict liability approach)?  Is the controller subject to enforcement only when it has failed to take reasonable precautions in passing on the data to a third party (a negligence approach)?  Or is enforcement only available against the third party that actually misused the data (an approach in which the third party, rather than the controller, is held responsible for the misuse)?
 Because personal data is often transferred to third parties, for many different purposes, clarification of these issues is important to understanding the actual practices expected of organizations that agree to abide by the Principles.

SECURITY

 (7) Binding contract or legal act.  Article 17 of the Directive governs the security of processing of personal data.  It sets forth requirements on the “controller,” defined as the party “which alone or jointly with others determines the purposes and means of the processing of personal data,” and on the “processor,” defined as a party “which processes personal data on behalf of the controller.”
 Article 17(3) specifically provides: “The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that:
 -- the processor shall act only on instructions from the controller;
 -- the obligations set out in paragraph 1 [of Article 17], as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor.”
 The Security Principle makes no mention of the requirement of a “contract or legal act binding the processor to the controller.”  Is the position of the Department that no such contract or legal act is necessary for organizations that adopt the Principles and transfer personal data out of the European Union?  If no such contract or legal act is required, then it may be useful to state that understanding in the Q&A.  If such a contract or legal act is required, then it may be useful to say so explicitly in the Principles, or to include language in the Q&A notifying organizations of this requirement.

“SENSITIVE INFORMATION”

 (8) Defining “sensitive” information.  The term “sensitive” information is used three times in the Principles.  In seeking to determine the meaning of “sensitive” information, one possible source for the definition is Article 8 of the Directive, which defines special categories of information “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.”  Article 8 also creates special rules for other categories of information, notably registries of offenses and criminal convictions.  Although Article 8 does not specifically use the term “sensitive” information, the categories of Article 8 are called “sensitive” data in common usage in data protection discussions.
 Does the Department intend the listed uses of “sensitive” information to refer to the Article 8 categories?  Clarification of this issue, in the Principles or the Q&A, would help organizations understand when the stricter principles covering sensitive data would apply.
 On the same topic, some United States laws may require processing of data considered sensitive under Article 8.  Examples might be fair employment and fair lending statutes that require an organization to collect information about racial origin.  The Q&A might point out that processing of such data, as required by law, would not violate the Principles.

 (9) Reasonable access and “sensitivity” of data.  In discussions concerning the Principles, a good deal of controversy has centered on whether individuals should have “access” or “reasonable access” to their information.  Clarification may be needed in the Q&A of what the Department understands by “reasonable access.”
 The Access Principle also states: “Reasonableness of access depends on the nature and sensitivity of the information collected and its intended uses.”  The term “sensitivity” seems to be used in a different sense in this instance than in the three instances listed above.  The “sensitivity” of the information seems to suggest a sliding scale, where greater access is appropriate as the level of sensitivity increases.
 If a different meaning is indeed intended by the term “sensitivity,” then it may be useful to clarify the difference in the Principles or the Q&A.  There may be categories of data that are not covered by Article 8 but which have enough sensitivity to merit access.  Credit histories or certain other categories of financial information might be examples of data that individuals consider sensitive in at least some circumstances.  If “sensitive” data is understood to refer solely to Article 8 categories, then all other categories of data might be understood not to be “sensitive” under the current language and thus entirely outside the scope of the Access Principle.

ENFORCEMENT

 (10) When only some transfers are covered.  Organizations can satisfy the requirements of the Enforcement Principle, for instance, “through compliance with private sector developed privacy programs that include effective enforcement mechanisms.”  What constitutes “effective” is nowhere defined in the Principles.  Some of the leading programs, moreover, cover only a subset of an organization’s transfers of data.  For instance, BBB-Online and TRUSTe focus on on-line transfers of customer data.
 Transnational organizations that sign on to such programs are likely to have other categories of transfers of personal data.  Examples would include off-line customer information and the organization’s own human resources records.  An important issue arises concerning these other categories of data.  Does the Safe Harbor apply when a company complies with a privacy program for only a subset of its data transfers?  If a company complies with programs such as BBB-Online and TRUSTe for its on-line transfers of customer data, are the companies’ other activities thereby protected by the Safe Harbor?
 Based on my own research and discussions with European officials, it would be surprising if the European authorities believed that the Safe Harbor would apply for categories of transfers where no effective enforcement mechanism existed.  If the Department agrees with this conclusion, it is important to signal to U.S. organizations that the Safe Harbor would only protect an organization for those categories of transfers where effective enforcement exists.  My belief is that compliance with a privacy program, which covers only a subset of an organization’s transfers, does not provide Safe Harbor protection for other sorts of transfers.  In that event, a different basis would be needed for an organization to transfer other categories of personal data out of Europe legally.

 (11) “Cooperation with data protection authorities.”   A different way to satisfy the Enforcement Principle is by “committing to cooperate with data protection authorities located in the European Community.”  This language suggests a very practical way for organizations to streamline compliance with the Directive.
 Article 26(2) of the Directive already provides a contract mechanism for allowing transfers to countries that lack adequate protection of privacy.  Under Article 26(2), a Member State must authorize a transfer or set of transfers, and then inform the Commission and the other Member States of such authorizations.  A concern of organizations faced with this system is that the apparent requirement of prior authorization might prove a significant administrative burden to data protection agencies.  Significant delays might result before authorization is granted, at a potentially high price to business.
 If the Principles are accepted by the Commission, however, transfers out of Europe could be authorized instead under Article 25(6).  The United States would be considered to have adequate protection to the extent that an organization makes transfers to the United States pursuant to the Principles.  In such a case, prior authorization from the national authorities would no longer be required.  Organizations that agreed to follow the principles would be able to continue data flows without interruption or the need to get each contract approved in advance by a national authority.
 The key remaining question, in that event, would be defining what it means to “cooperate with data protection authorities.”  One possibility is for a company to make a public statement of its adoption of the Principles, perhaps in its 10Q or 10K forms filed with the Securities and Exchange Commission.  Another possibility is for the organization to file with the relevant national authorities its promise to comply with the Principles.
 Where no other privacy program is in place, a related important question is whether the Europeans will accept a simple declaration that the organization will comply with the Principles.  Consider the example that likely affects the largest number of organizations -- transfer of their own human resources records from Europe to the United States.  For such transfers, one possibility is that the Europeans will consider it sufficient simply to announce an organization’s intent to comply, such as through a 10K or a filing with a national authority.
 Another possibility, in light of the current absence of private-sector privacy programs that monitor human resources records, is that the Europeans will want more specific description of the terms and conditions surrounding such transfers.  These terms and conditions might be embodied in a contract, made available to the national authority, between the European and American entities involved in the transfer.  In such an event, the Safe Harbor can provide a crucial advantage compared with the legal situation in the absence of a Safe Harbor.  Under current law, Article 26(2) would require such a contract to be approved in advance by the national authority.  Under the Safe Harbor, as provided by Article 25(6), there would be no need for such prior approval.  In this scenario, contracts and model contracts can be developed for categories of transactions, with minimal bureaucratic obstacles.
 

Respectfully submitted,
 
 

Peter P. Swire
Professor of Law
Ohio State University
College of Law
55 West 12th Avenue
Columbus OH 43210
(614) 292-2547
swire.1@osu.edu
www.osu.edu/units/law/swire.htm



From: John J. Byrne, Senior Counsel and Compliance Manager
American Bankers Association
 
 

November 19, 1998

Mr. Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th Street and Constitution Avenue, NW
Washington, DC 20230

Re: Industry Safe Harbor Principles
Dear Mr. Fredell:
This letter is in response to Ambassador David Aaron’s request of November 4, 1998 seeking comments on the Department of Commerce efforts to craft a “safe harbor” from the European Union’s so-called data directive for U. S. companies engaged in business with the European Community. Our Association welcomes this opportunity and deeply appreciates the efforts of the Commerce Department to minimize uncertainty and to, more importantly, “enhance [not hinder] commerce between the U.S. and the European Community.”

The American Bankers Association brings together all categories of banking institutions to best represent the interests of this rapidly changing industry.  Its membership – which includes community, regional and money center banks and holding companies, as well as savings associations, trust companies and savings banks – makes ABA the largest banking trade association in the country.

ABA, along with a number of other financial service providers, has made clear our position that the United States has a comprehensive set of laws and regulations at the state and federal levels that provide strong protection for financial privacy.  In fact, we believe that our financial institution customers have greater protection from privacy intrusions than currently exists in Europe. So, while the debate on this issue continues, we support the Department as you attempt to keep commerce moving with the possibility that some U. S. companies, who may not be as regulated as our industries, can utilize a voluntarily chosen safe harbor.  The following are some comments on the November 3rd draft International Safe Harbor Privacy Principles:

General Comments
We concur with the comments of other financial service providers that a clear statement is needed that the scope of coverage of the Directive is limited to data collected in Europe on European citizens that is transferred to the United States, and not European citizens with legal residence in the United States.
As we have stated above, the banking industry in the United States has more than adequate safeguards regarding privacy.  We believe, therefore, that the language addressing how an “organization” qualifies for a safe harbor without the principles applies to our industry—namely that we are “subject to a statutory, regulatory, administrative, or other body of law that effectively protects personal information privacy.”  The financial sector should be specifically named as a part of the U.S. economy that fulfills this qualification.  Failure to clear up this question will put members of our industry in a position of not knowing whether to rely on the voluntary principles or the general safe harbor in their dealings with the European Union.  ABA urges you to consult with the Treasury Department in clarifying this issue.
Notice
While our industry works under the assumption that our qualification for the safe harbor has already been established, it is important that nothing in the principles cause problems for either our customers or the institutions themselves. The notice provision calls for informing the individual about the various purposes for collecting information. It must be pointed out that financial institutions are mandated to report suspicious transactions and gather information to deter fraud. While these practices should be covered in the preamble (adherence to the principles being subject to “risk management…regulatory compliance….and law enforcement concerns”) the questions and answers that are anticipated by the Department should make clear that banks and others do not have to disclose these requirements to the customer.
Enforcement
Section 7 of the principles (Enforcement) covers the mechanisms that must be included to ensure “effective privacy protection.” ABA agrees with the “Note” at the end of both the section and the paper that restates the ability of organizations to satisfy the requirements of the principle through “compliance with legal or regulatory supervisory authorities.” To avoid confusion, this note should be placed within the body of section 7.

 Thanks again for your continued efforts to represent United States industry in these important discussions on privacy and the EU Directive. Our Association remains prepared to offer any additional assistance in this difficult area.

Sincerely,

John J. Byrne
Senior Counsel and
Compliance Manager


From: Joan Hays
Experian Corporate Affairs
 

Joan Hays
Experian Corporate Affairs
Allen, TX
972 390 3525
972 390 3624 FAX

Martin E. Abrams
Vice President
Information Policy and Privacy

Experian
701 Experian Parkway
Allen, TX  75013
972 390 3659 Telephone
972 390 3624 Facsimile
www.experian.com

November 17, 1998

Mr. Eric Fredell
Task Force On Electronic Commerce
International Trade Administration
United States Department of Commerce
14th and Constitution Avenues, N.W.
Washington, DC  20230

Dear Mr. Fredell:

This electronic communication responds to Undersecretary Aaron’s letter of November 4, 1998, to industry representatives concerning the nature and substance of a draft safe harbor to facilitate data transfers to the United States from the European Union.  Experian participated in the development of comments from various trade groups, and will keep its comments brief to avoid redundancy.

First, Experian commends the Department of Commerce and DG 15 for their efforts in resolving differences in approach to protecting individual privacy.  The bottom line is protecting consumers from harm while maintaining the freedom and economic choice that comes from the free flow of information.  The differences between the U.S. and the EU approaches are legal and cultural, and difficult to resolve.  Experian urges the Department of Commerce not to compromise on the balance we have achieved in the United States that has facilitated the emergence of a service-based economy, fueled in large part by a free but responsible flow of information.  While there may be room for change in the United States as demonstrated by the Online Privacy Alliance, the DMA Privacy Promise, and the IRSG Principles, any such change cannot be mechanical restrictions that put our freedom of expression and information-based economy in jeopardy.

Safe Harbor Scope and Actionability
Undersecretary Aaron’s letter says the safe harbor is only intended to cover transfers of personally identifiable information from the EU.  While this safe harbor will not have legal status when applied to personally identifiable information on U.S. citizens collected, stored, used and communicated in the U.S., the principles behind it create consumer expectations.  Experian may choose to comply with the safe harbor when transferring data from Europe, but would have great difficulty in applying the same principles to information collected and maintained on U.S. citizens.  For example, Experian would have difficulty in complying with a consumer access principle that defined reasonable access to include information used for marketing and market segmentation.  Experian is not concerned about the substantive decision making example in the principles.  American laws, such as the Fair Credit Reporting Act, already require such access.
However, it is not clear how reasonable will be defined in the final version.  It is clear that the principles are the beginning point in negotiations, and there is very little room to negotiate consumer access.

Access is not the only area where applying the principles to the U.S. marketplace would be difficult.  Choice is very close to being a consent principle, with some significant ramifications for the U.S. market.  For example, the use of information to find individuals due pensions is done without giving the consumer the choice of opting out of such an unrelated use.  Instead, we weigh the benefit against the potential harm, and define the use as beneficial.  We use a common sense test in the United States when determining if a new use of information is appropriate, while data protection requires a more mechanical approach based on notice and consent.  There are huge economic and social consequences related to migrating from choice to consent.  Experian would urge the Department of Commerce to be careful in avoiding such costs.

Experian doesn’t understand the scope of the onward transfer principle.  At first reading, it seems to be redundant with notice and choice, and most applicable to organizations that collect information directly from consumers.  However, the language doesn’t limit it to that group.  Referencing services, data compilers and credit bureaus are all critical to our society and economy, but are aggregators of information rather than collectors.  Experian is not sure how one applies this principle to their activities.

Closing Comments
Experian reminds the Department of Commerce that the purpose of this exercise is assuring adequate protection for EU nationals when individually identifiable data is transferred to the United States.  However, it is very difficult for the government to define best data practices without having a direct effect on the internal market.  Therefore, the safe harbor principles must be actionable by U.S. companies when collecting, storing, using and communicating information on U.S. nationals.  Furthermore, our U.S. system is based on sector-specific application of principles that recognize the diversity of direct marketing methodologies, on-line media, and the lending industry.  The safe harbor concept must recognize that diversity and facilitate the differences that come with diversity.

Thank you for your efforts and the opportunity to comment.

Sincerely,
 
 

Martin E. Abrams
Vice President, Information Policy & Privacy

MEA/jh
From: Jane E. Kirtley, Esq., Executive Director, The Reporters Committee for Freedom of the Press
 

November 19, 1998

Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th and Constitution Avenue, N.W.
Washington, DC  20230

RE:  Comments on Proposed International Safe Harbor
Privacy Principles

Dear Mr. Fredell:

On behalf of The Reporters Committee for Freedom of the
Press, a voluntary association of news reporters and
editors dedicated to protecting the First Amendment
interests of the news media, I submit the following
comments on the proposed Safe Harbor Principles
developed by the Commerce Department to address issues
raised by the European Union's Directive on Data
Protection.

As Executive Director of The Reporters Committee, and
in my individual capacity, I have written and spoken
frequently in the United States and abroad about the
very real threats to free expression and to the free
flow of information raised by the Directive.  As has
been pointed out many times before, the European
approach to privacy protection is founded on several
presumptions that appear to be at odds with United
States constitutional law.

First, it assumes that the government is in the best
position to regulate and monitor the gathering and
dissemination of truthful, accurate information about
individuals, and to punish it, if it deems it to be a
violation of vague and overbroad "privacy" interests.

Second, although it grants an exception, of sorts, for
the processing of data "carried out solely for
journalistic purposes," this exception is not absolute,
and is subject to restrictions "necessary to reconcile
the right to privacy with the rules governing freedom
of expression."

Third, even assuming that the exception is construed
broadly, the government would still be required to
decide whether the entity or individual processing the
data is engaged in "journalistic" pursuits and would
qualify for the exception.

These systemic problems, in our view, raise formidable questions
about whether regulations or legislation implementing the
European Directive can ever be squared with the First Amendment.

Turning specifically to the proposed Safe Harbor Principles
themselves, we note at the outset our grave concern that the
Department of Commerce would encourage U.S. companies to
"voluntarily" sign away their First Amendment rights, especially
in light of its vague language, particularly in the preamble and
enforcement sections, which cannot realistically be construed to
provide adequate notice either to data processors or data
subjects.  Although we understand that the Safe Harbor Principles
are not intended to "govern or affect U.S. privacy regimes," this
will be the inevitable consequence.

We note particularly that, although the preamble does mention
that adherence to the principles is subject to "public interest"
and "other legal . . . exceptions," no explicit mention is made
of the First Amendment's protections, including the news media's
ability to seek out and publish news.  This is a significant
omission.  As recently as June 29, 1998, a federal court in
Maryland, adopting an argument made by the Department of Justice,
ruled that a journalist who was charged with violation of the
Child Pornography Prevention Act, 18 U.S.C. § 2252, could not
invoke the First Amendment as a defense to a statute of general
applicability.  U.S. v. Matthews, 11 F.Supp.2d 656 (D.Md. 1998).
Although we hope and expect that this ruling will be overturned
when reviewed by the U.S. Court of Appeals (4th Cir.) in
Richmond, it is nevertheless a chilling example of the
willingness of both the Justice Department and the courts to
reject the First Amendment as a defense when it is not explicitly
mentioned in a statute.

We note, for the record, that application of many of the
principles would be unworkable, as well as unconstitutional, if
applied to journalistic endeavors.  For example, the Notice and
Choice provisions require that individuals be informed about the
purposes for which information is being collected, and to be
given the choice to "opt out."  To compel reporters to identify
why a particular piece of information is being gathered, and to
obtain permission from the subject before writing about him,
would be an unwarranted intrusion into the editorial process that
would undermine investigative reporting.

Similarly, the provisions governing Onward Transfer, Security,
Data Integrity and Access pose serious threats to both
dissemination of news and the editorial process.  Under current
law in the United States, individuals have the right to file
civil actions for invasion of privacy, if they believe that news
organizations have published intimate information that is not
newsworthy, or for libel, if they believe that news organizations
have published false and defamatory statements.  Such suits
provide an adequate remedy for genuine harm, are subject to the
First Amendment protections recognized by the Supreme Court, and
do not allow an individual free rein to invade newsroom archives
to compel a news organization to "correct" or remove information
the individual believes to be "inaccurate."  Journalists welcome
corrections of truly inaccurate information from whatever source,
but they cannot surrender their editorial judgment to news
subjects, nor to the executive or judicial branches of
government.

We do, however, appreciate the provision in the Access proposal
that exempts information derived from public records from this
type of scrutiny.  It would be contrary to existing law to compel
news organizations to rewrite history by altering public record
information to conform with an individual's version of the truth.
The proper recourse in such a situation is for the individual to
approach the author or custodian of the public record and to seek
amendment to it at the source.

Finally, we are alarmed at the breadth and vagueness of the
Enforcement provision, and are very concerned that the Department
of Commerce would expect anyone, including but not limited to
news organizations, to waive their due process rights by
effectively signing a "blank check" agreeing to be bound by
unspecified sanctions which would be levied by unspecified
enforcement bodies by signing on to these "voluntary" principles
in exchange for a promise of a Safe Harbor which has yet to be
agreed to by the European Union.

We appreciate that the process of attempting to reconcile the
disparate legal principles and traditions embodied in the
European Directive and the U.S. Constitution is a difficult and
sensitive one.  We urge the Department of Commerce to make clear
that government regulation of the exchange of constitutionally-
protected information is inimical to the First Amendment.

Thank you for the opportunity to provide these comments on the
proposed Safe Harbor Principles.

Sincerely,
Jane E. Kirtley, Esq.
Executive Director

cc:  Ambassador David Aaron