Ambassador David L. Aaron
International Trade Administration
U.S. Department of Commerce
14th and Constitution Avenue, N.W.
Washington, DC 20230
Attention: Mr. Eric Fredell, Task Force on Electronic Commerce
Re: Revised Safe Harbor Privacy Principles
Dear Ambassador Aaron:
Viacom Inc. (Viacom) is pleased to have the opportunity to respond to your April 19, 1999 letter requesting comments on the revised safe harbor principles, frequently asked questions and answers (FAQs) and the draft paper on complaint procedures for organizations within the safe harbor.
Viacom is one of the world's largest entertainment companies and is a leading force in nearly every segment of the international media marketplace. The operations of Viacom include Blockbuster, MTV Networks, Paramount Pictures, Paramount Television, Paramount Parks, Showtime Networks, Simon & Schuster, 19 television stations and movie screens in 12 countries. Viacom also owns approximately 80 percent of Spelling Entertainment Group, as well as half-interests in Comedy Central, UPN and UCI. National Amusements, Inc., a closely held corporation which operates approximately 1,300 screens in the U.S., the U.K. and South America, is the parent company of Viacom.
We greatly appreciate the tremendous work undertaken by the Department of Commerce (DOC) in crafting and advancing a safe harbor approach to the European Union Data Protection Directive. The DOC's most recently released documents, which address many previously unanswered questions, provide our company with a level of comfort such that we now heartily endorse the safe harbor approach. However, Viacom believes that before the safe harbor approach can be adopted and properly implemented, a few revisions are needed with respect to certain elements of the principles and FAQs. What follows, therefore, are suggestions and requests for clarification, as well as responses to certain matters which Ambassador Aaron described as "open issues" in need of comment.
Safe Harbor Principles
Onward Transfer - The Onward Transfer principle requires that an organization can transfer personal information to third parties only if it either "ascertains" that the third party "subscribes" to the safe harbor principles or enters into a written agreement with such third party requiring that it provide at least the same level of privacy protection as is required by the safe harbor principles. It is unclear from this language what level of due diligence an organization must engage in to comply with the Onward Transfer principle. For example, could an organization comply with the ascertainment requirement of the Onward Transfer principle by checking with the DOC or its designee -- which, under the Self-Certification FAQ, will maintain a publicly available list of all organizations that self-certify -- as to whether a third party has self-certified? Viacom respectfully requests that there be clarification on this matter.
Access - The Access principle must be guided by a rule of reason and of proportionality. Therefore, Viacom urges the DOC to press for the inclusion of the "reasonable" modifier bracketed in the first sentence, as well as the inclusion of the description of "reasonableness" contained in the bracketed sentence.
FAQs
FAQ on Self-Certification - The Self-Certification FAQ provides that "organizations" will have to submit certain information with the DOC or its designee in order to self-certify. Many US corporations have several wholly- and partially-owned subsidiaries that may participate in the transborder flow of personal information. In addition, a single company's several divisions may each operate one or more websites. How is "organization" to be defined? A clear definition is crucial for liability purposes. Viacom urges that the term be narrowly defined so that a parent company is not required to self-certify on behalf of all of its business units.
As an alternative to self-certification by the organization itself, Viacom suggests that privacy seal programs, such as BBBOnline and TRUSTe, be permitted, if they so elect, to provide the DOC or its designee with a list of organizations that have qualified to receive their seal. The privacy seal program would be required to submit the same information required of organizations that self-certify, but the seal program, rather than the organization itself, would certify as to the accuracy of the information, based upon data it had gathered from the organization in connection with the seal program application process. This alternative would give privacy seal programs a means of offering seal applicants a value-added service that would relieve small businesses, in particular, from the burden of having to self-certify with the DOC.
FAQ on Verification - The Verification FAQ provides that organizations may verify attestations and assertions either through self-assessment or outside compliance reviews. Viacom believes that the FAQ on verification should expressly state that participants in a private-sector privacy seal program -- which conditions initial and renewed membership in the program on annual and/or periodic reviews -- are deemed to comply with any outside compliance review requirements and, therefore, any verification requirements under the safe harbor approach.
The Verification FAQ is drafted, as the EC has pointed out (in the asterisked note at the end of the FAQ on Verification), as if the criteria for self-assessment do not apply to an outside compliance review. Viacom believes that the criteria should apply in both cases, but disagrees with the EC's suggestion that procedures for the implementation need to be further specified.
FAQ on Journalistic Exceptions - The Journalistic Exceptions FAQ defers to the First Amendment of the US Constitution. As the parent company of publisher Simon & Schuster, Viacom zealously supports the principle embodied in this FAQ.
Open Issues
Weight to Be Assigned to FAQs - Viacom believes that the FAQs should be deemed to be as binding as the seven safe harbor principles themselves. If given the same weight as the principles, the FAQs will provide clearer, less ambiguous and more predictable guidance to organizations adhering to the safe harbor approach. Moreover, an express statement by both the US and EU, either in their exchange of letters or in a preface to the FAQs, that the FAQs are as binding as the principles, will avoid future international disputes over this matter.
Grace Period - As explained by Ambassador Aaron, to be eligible for an extension of the standstill period, an organization must make a commitment of its intent to comply with the safe harbor principles. Yet, it is unclear how such commitment will have to be evidenced and what, if any, consequences there will be for those organizations which fail to fulfill their commitments. Viacom respectfully requests that there be clarification on these issues.
Manual Data - Ambassador Aaron has asked for US organizations to comment on whether manual data should be subject to the safe harbor principles. Because the DOC has released no FAQ on this issue, Viacom would prefer that the US and EU defer the issue of manual data to their periodic consultations following agreement upon the safe harbor principles and impose a standstill on this matter pending the conclusion of such consultations. However, if deferral of the issue is not feasible, Viacom would support the option set forth by Ambassador Aaron, that is, that the safe harbor apply only to "new" manual data. This option would have to be carefully crafted, however, so that "new" is clearly defined.
Viacom also requests that "manual" be clearly defined.
Ongoing Processing - Viacom urges the DOC to negotiate for a grace period of three years from the effective date of the adoption of the safe harbor approach to complete ongoing data processing.
Conclusion
In sum, Viacom strongly supports the DOC's continuing efforts of promoting the American tradition of self-regulation with respect to privacy protection in attempting to insure that EU-US data flows may proceed unabated. We appreciate the opportunity to comment and hope the issues detailed above can be resolved.
Please do not hesitate to call if you have any questions or would like further information on Viacom's position.
Sincerely,
Anne Lucey
Vice President, Regulatory Affairs
Viacom
1501 M Street, N.W., Suite 1100
Washington, D.C. 20005
202/785-7300