Ambassador David L. Aaron
Under Secretary of International Trade
International Trade Administration
Department of Commerce
14th Street & Constitution Avenue, NW
Washington, DC 20230
Attention: Mr. Eric Fredell, Task Force on Electronic Commerce
Dear Ambassador Aaron:
The Magazine Publishers of America (MPA) is pleased to comment on the revised safe harbor principles and accompanying frequently asked questions and answers (FAQs) submitted for industry review and comment on April 19 and April 30. We appreciate your continued diligence in seeking industry input on the safe harbor principles and issues relating to the ongoing negotiations with the European Union, not only allowing us an opportunity to comment on the draft safe harbor materials but meeting regularly with industry in small groups to respond to our comments and concerns. We believe that this input has helped to create a revised safe harbor proposal more in keeping with the United States sectoral and self-regulatory privacy regime.
We are pleased that the revised safe harbor principles incorporate many of the changes we suggested in our November 18, 1998 comments. We do, however, have a number of continuing concerns with the safe harbor principles and also wish to respond to the questions raised in your letter and the meeting held on May 7 at the Department of Commerce.
We are also submitting, under separate cover, joint comments of MPA, the Newspaper Association of America, and The Reporters Committee for the Freedom of the Press regarding the journalistic exceptions FAQ and the access FAQ as it relates to news archives. We strongly support the inclusion of the journalistic exception FAQ in these principles in recognition of the importance of First Amendment protection in this country.
Opt-in choice for sensitive information
In the November draft safe harbor principles, the opt-in requirement for sensitive information read as follows:
"For certain kinds of sensitive information, such as medical information, they must be given affirmative or explicit (opt-in) choice."
The current draft of the safe harbor principles expands the list of examples of sensitive information to include:
"health information, information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information concerning the sex life of the individual."
We understand that the inclusion of this definition of sensitive information relies on references to European Union law; however, we are concerned about an overly expansive interpretation of when opt-in choice is required. We do not believe that inferences regarding an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or sex life that could possibly be drawn by that individual's choice of reading material should lead to an opt-in requirement.
We believe that if this extended list of sensitive information must be included in the safe harbor principles, the language of this principle should be modified by substituting "specifying" for "revealing". This will make clear that inferences based on reading preferences are not an appropriate basis for triggering an opt-in choice requirement.
Methods of Qualifying for the Safe Harbor
The draft principles state that an organization may qualify for the safe harbor "by incorporating the relevant safe harbor principles into agreements entered into with parties transferring personal data from the EU." A note indicates that the Commission has not agreed to this option. We strongly support retaining this option for the safe harbor. This will provide industry with the flexibility it needs to choose among the implementation options without diminishing, in any way, the level of data protection afforded European citizens.
Self-Certification
The self-certification FAQ indicates that organizations will need to submit self-certification letters to the Department of Commerce. We believe that such an affirmative notification requirement is overly burdensome and may establish an unintended precedent for legal compliance in the United States. Furthermore, the draft paper on procedures for handling complaints about non-compliance suggests that the first stage in the procedure is to utilize internal complaint procedures of the third country company. We therefore suggest that companies retain self-certification statements and make such statements available to government authorities upon request during resolution of a complaint.
Weight to be accorded to the FAQs
We believe that the FAQs are an integral part of the safe harbor principles, clarifying the meaning and implementation of the principles. The content of the FAQs, which provide more extensive and specific guidance than contained in the principles themselves, should be afforded significant weight in interpreting the principles.
Access
The note accompanying the access principle indicates that the Commission wishes to delete the reference to "reasonable" access to personal information, as well as the explanation of reasonableness that demonstrates that the appropriate level of access depends on the nature and sensitivity of the information collected, its intended uses, and the expense and difficulty of providing the individual with access. While the reasonableness concept is also explained in the FAQ on access, we believe that the reasonableness concept must also be included directly in the access principle. If substitute language must be provided, we believe the language in the FAQ relating to the principle of proportionality and the fact that access obligations are not absolute should be used.
Notice
We appreciate the modification in the notice principle to allow companies to provide notice "as soon as is practicable" after individuals are asked to provide personal information. We are concerned, however, about the additional requirement that notice must be provided before the organization discloses the data to a third party. This requirement appears to apply even if the transfer of data is related to the purpose for which the data was collected and is necessary to fulfill customer expectations. We recommend that this additional timing requirement be eliminated so that relevant data transfers are not delayed.
We also suggest making clear that notice and choice is not required for a US company if the company is receiving consolidated information from a European source that is subject to European laws implementing the European Privacy Directive. In such cases, the US companies cannot provide notice when data is collected since they are not in contact with individuals at the time of data collection.
Grace Period
We support the concept expressed during the May 7 meeting of a two-stage grace period to allow companies first to decide whether they wish to avail themselves of the safe harbor option and second to implement the safe harbor requirements. We believe that at least one year should be allowed for companies to complete both stages.
We appreciate your extensive efforts to bring the safe harbor negotiations to a satisfactory conclusion and your responsiveness to industry concerns. We would be happy to provide additional information and to answer any questions that you may have.
James Cregan
Executive Vice President
Rita Cohen
Senior Vice President