Via email to: ecommerce@ita.doc.gov
Comments of the Information Technology Industry Council on April 19, 1999 Draft International Safe Harbor Privacy Principles and Frequently Asked Questions dated April 19, 29 and 30
The Information Technology Industry Council (ITI) supports the Department of Commerce's efforts to develop international safe harbor privacy principles and associated Frequently Asked Questions (FAQs), and is pleased to offer these comments on recent drafts. ITI represents the leading U.S. providers of information technology products and services. Its members had worldwide revenue of more than $440 billion in 1998 and employ more than 1.2 million people in the United States. As global suppliers and users of the technologies that make electronic commerce possible, we are leading the information technology industry's efforts to develop and implement an effective self-regulatory framework for protecting personal information in the digital environment.
General Comments
First, we applaud the clear and conspicuous statements in the material that the principles and accompanying explanatory materials are applicable only to use by U.S. organizations receiving personal data from the European Union, and that they are not intended for use in domestic circumstances.
Second, ITI reiterates its support for the Commerce Department's work to develop a "safe harbor" that would help U.S. organizations address the European Union's Directive on Data Protection. The safe harbor principles and associated documents will provide U.S. companies with helpful guidance for implementing effective and acceptable practices to protect data from EU Member States.
Third, we agree with and support the statement in the draft that the safe harbor principles apply only to electronically processed data, and not to manually processed data.
Comments on Principles
The April 19, 1999 revised draft, along with its accompanying documents, is a positive step. We particularly appreciate the fact that a number of the concerns we raised in our November 18, 1998 comments on the earlier draft have been addressed. However, we believe further clarification is needed on the following principles.
Access -- As we noted in our November 1998 comments, requiring organizations to provide individuals with unconditional access to the information about them creates serious operational difficulties for companies. While we appreciate the statement acknowledging this in the Access FAQs, we feel strongly that this concept of reasonableness must be reflected in the language of the Access principle itself. Our preferred solution would be to retain the word "reasonable" in the principle, as well as the bracketed second sentence of the principle, which the EC has proposed deleting. However, we would be comfortable with revising the principle as long as it continues to reflect the concepts of proportionality and balance, such as, for example, the following:
Individuals must have fair access to personal information about them that an organization holds and be able to correct or amend that information where it is inaccurate. The right of access is not absolute and must be balanced against the feasibility and resources required to provide the individual with access to the information.
Choice -- We interpret the current formulation of the Choice principle to mean that "choice" can include the option of opting out of a transaction. We request confirmation of this interpretation. Further, the parentheses around the phrase "where such use is incompatible with the purpose for which it was originally collected or with any other purpose disclosed to the individual in a notice," should be deleted because the parenthetical phrase actually is the governing thought in the sentence.
Onward Transfer -- We request clarification of the responsibilities of a recipient of personal information who independently qualifies for the safe harbor. Would obtaining the assurance of the information collector -- the information transferor -- that it has complied with the safe harbor principles be sufficient to insulate the information recipient from liability under the Directive? In addition, we would oppose addition of the text proposed by the EC (described in footnote 5) requiring explicit notice and choice when personal data is transferred to a third party that does not adhere to the safe harbor requirements.
Enforcement -- The current draft provides for three ways to satisfy the enforcement requirement. We agree that each is useful and should be retained. The third mechanism -- committing to cooperate with data protection authorities -- is particularly useful for certain kinds of data. However, we would benefit from further clarification of the phrase "committing to cooperate," including how an organization would demonstrate such a commitment. We are also concerned about the inclusion of the phrase "provided those authorities agree" as it introduces an element of uncertainty into the process.
In addition, the note relating to the enforcement principle addresses an important and fundamental aspect of compliance with the principle, and as such should be made an integral part of the principle, rather than being relegated to a note.
Comments on Frequently Asked Questions
Verification and Certification -- The FAQs on verification and certification make it clear that certification and verification can be achieved through self-assessment. This concept, however, is not clearly reflected in the principles. We propose adding a statement to the fifth paragraph of the principles document clearly noting that organizations may self-certify their compliance with the principles. Furthermore, the certification and verification procedures detailed in the FAQs are significantly more complex and bureaucratic than it seems would be necessary in order to assure compliance.