May 14, 1999
On behalf of the National Retail Federation, we want to thank you for
the opportunity to provide comments on the April 19th draft
international Safe Harbor Privacy Principles and Frequently Asked Questions
(FAQ's).
The National Retail Federation (NRF) is the world's largest retail trade
association with membership that comprises all retail formats and channels
of distribution including department, specialty, discount, catalogue, Internet
and independent stores. NRF members represent an industry that encompasses
more than 1.4 million retail establishments, employs more than 20 million
people - about 1 in 5 American workers - and registered 1998 sales of $2.7
trillion. NRF's international members operate stores in more than 50 nations.
In its role as the retail industry's umbrella group, NRF also represents
32 national and 50 state associations in the U.S. as well as 36 national
associations representing retailers abroad.
By way of background, we are still concerned that the European Union's
Directive on Data Protection (the "Directive") appears to assume that non-European
approaches to privacy are inherently suspect or unprotective. Data can
be used to enhance consumer benefits. The Directive seems not to realize
that a major goal of privacy protection, the reduction of unwanted intrusions,
is in fact consistent with the marketing goals of many U.S. companies.
For example, consumer data increasingly is being used by retailers and
others to more narrowly target their communications, in order to reduce
the amount of unwanted contacts most individuals receive. Equally important,
the Directive strikes us as somewhat antithetical to some of the more progressive
uses of personal data to protect companies and individuals from the perpetration
of certain privacy crimes (such as fraud and identity theft).
As we have mentioned in the past, most of the information maintained
by retailers is gathered for purposes of relationship marketing. Marketing
data, such as a customer's style or shopping preferences, are not the kind
of information one would ordinarily consider to be sensitive. Nevertheless,
to the extent that consumers wish to limit marketing based on these characteristics,
NRF encourages our members to develop and publicize procedures allowing
consumers to do so. Such publication not only establishes a contractual
obligation to customers who rely on those procedures, it also establishes
affirmative obligations subject to regulatory enforcement by the Federal
Trade Commission among others.
Beyond this, we appreciate the Administration's continuing effort to
develop common ground principles that would simplify and facilitate continued
economic transactions across the Atlantic. We appreciate the fact that
you have made specific changes to address some of our previous concerns.
It is apparent that while many areas of the Safe Harbor Principles move
closer to accomplishing the mutual goals of companies in the U.S. and in
Europe, there are still some significant concerns that must be addressed.
1. We appreciate the additional flexibility you have provided in the
notice section in response to our previous comments.
- We believe the "such as" clause in the "choice" provision should be stricken.
It invites one to assume the inclusion of many other areas they may deem
sensitive. This clause removes the certainty that would exist if it were
made clear that the Safe Harbor only addresses those items deemed sensitive
as set forth in the Directive.
- The onward transfer provision raises an important question. Under the Directive,
can a retailer participating in the Safe Harbor receive and use information
from a company that is not a participant in the Safe Harbor?
- We continue to be concerned that the data integrity
provision is too restrictive. The relevance of information
may change over time. For example, would we really want to require that
location information collected for marketing purposes be deleted as irrelevant
if no marketing programs are currently planned, even if the information
subsequently is discovered to be useful for purposes of notifying customers
in connection with product safety recalls, a use not contemplated at the
time the information was collected?
- The data integrity requirement that the data be "current" is somewhat problematic
in its ambiguity. It might be misread to require continual updating. The
Principle must include language that provides assurance that data is only
deemed necessarily current to the extent that it is used. For example,
if Baskin-Robbins collects information on a consumer and finds that they
earn $16,000 a year, which is enough for them to consider marketing to,
do they really need to update their files at the customer's request because
the consumer ten years later is making $80,000 a year? Baskin-Robbins doesn't
care what their salary is once they have met the minimum standard. For
this reason, it should not be necessary to spend the time and money to
update the information the company has collected. In evaluating the currency
of information, it should be sufficient if it satisfies the purposes when
viewed from the perspective of the company and not from the perspective
of the subject of the data.
- One of the most important issues to retailers is the access provision.
It is essential that the sentence which reads, "Reasonableness of access
depends on the nature and sensitivity of the information collected, its
intended uses, and the expense and difficulty of providing the individual
with access to the information" remain in the definition of access.
- Also in the access provision, the ability to amend information should not
be absolute. If it is sufficient for a retailer's use, no update is necessary.
See the above example on currency of information.
- The second paragraph under the FAQ's on access includes a sentence about
individuals not having to justify access to their "own" data. The information
collected by a retailer on an individual is not their "own" data. The data
belongs to both the retailer who collects the information and to the subject
of the data. The sentence should be changed to reflect that.
- The fourth paragraph under the FAQ's on access discusses information that
is not sensitive or not used for decisions that will significantly affect
the individual. As an example, it uses marketing data that is used to determine
whether or not to send the individual a catalog. However, under question
number 2 defining commercial confidential information, it is not made clear
that marketing data used to determine whether a catalog should be sent
to an individual is also confidential consumer information. These questions
should be consistent with one another. The classifications used to determine
that it may be likely that a consumer would receive a catalog from a retailer
are information that should not be required to be disclosed by the retailer.
NRF has other areas of concern but because of the short comment period,
we have addressed the most important issues to our membership. However,
we appreciate the opportunity to comment. We would be happy to meet with
you to discuss these or other issues in greater depth. Should you have
any questions please feel free to contact the undersigned at the NRF at
(202) 783-7971. Again, thank you for your consideration.
Mallory Duncan
Vice President, General Counsel
Sarah Whitaker
Director, Government Relations