
FROM: Bell Atlantic

From:  Shelley E. Harms Executive Director Bell Atlantic
Re:  Bell Atlantic's Comments on Safe Harbor Principles

Attention: Eric Fredell

Attached for filing are Bell Atlantic's Comments on Draft International Safe Harbor Principles.  Thank you very much.  -- Shelley Harms

(See attached file: ita1198.doc)

Before the
Department of Commerce
International Trade Administration
Washington, D. C.  20230
 

Draft International    )
Safe Harbor Privacy Principles  )
November 3, 1998 Draft   )
 

COMMENTS OF BELL ATLANTIC

 Bell Atlantic is pleased to submit comments in response to the ITA’s November 4, 1998 request for industry comments on the November 3, 1998 Draft International Safe Harbor Privacy Principles.

 Bell Atlantic supports the establishment of “safe harbor principles” that, if voluntarily adhered to by U.S. companies, will establish a presumption of “adequate” protection for data transferred from Europe.  We also applaud the efforts of the Department of Commerce to reach an understanding with the European Commission on the adequacy of U.S. data protection based upon self-regulation.

 Many of the proposed principles appear to be reasonable.  They are similar to Bell Atlantic’s own privacy policies and appear to incorporate suggestions from our prior comments on privacy issues.  However, we have two major concerns with the current draft.

 First, as a general matter, we are concerned that the document will not provide certainty for U.S. industry.  Our concern here is especially informed by our experience with the Telecommunications Act of 1996’s rules on Customer Proprietary Network Information, which contained some similar concepts.  Despite the good intentions of the Act’s drafters, it required a contentious two-year FCC proceeding to resolve the issues of interpretation of how and in connection with which services information could be used.   In order to achieve the desired certainty here, we would propose the use of the language developed by the Online Privacy Alliance.  The language of the OPA’s principles was developed and agreed to over hours of discussion among industry members.  The words were chosen very carefully, and are based on a common understanding of what they mean.  Commentary has been published to further explain them.  The OPA principles represent a significant coming together of major industry players to implement meaningful self-regulation.  We think these efforts should be utilized and reinforced by the U.S. government.  Otherwise, the presumption may arise that the OPA language was for some reason insufficient.  We believe that the OPA principles are more than “adequate” for the purpose if the goal is to protect data rather than import the EU Directive.  In the alternative, the necessary certainty could be provided by explicitly stating in the safe harbor principles that the OPA’s principles are in compliance.

 Second, Bell Atlantic has serious concerns about the requirement that a company must police the use of data by a third party to whom data is transferred (Principle 3).  We cannot control the actions of a third party, and it is unreasonable to expect us to assume that potential liability.  Once data has been transferred – by customer consent, by legal requirement, or by other appropriate means – its proper use must be the responsibility of the transferee.  We are particularly concerned about how this obligation would apply to certain telecommunications services which involve the release of  data to millions of persons every day.  For example, our Directory Assistance service provides phone number or address information to any person who requests it.  Customer name and address information is placed in our Directory Assistance database with our customers’ consent for its use for this purpose.  But we cannot guarantee that a person requesting such information will use it only for the purpose of making a telephone call.  Similar concerns arise with respect to the transfer of data using Caller ID, reverse directory services, and similar services – once a customer has consented to the release of this information for purposes of providing such a service, we simply cannot be responsible for the use of the data once it has been released.  The potential liability of having to require limits to particular uses of information by third parties could chill the provision of useful services like these.

 Bell Atlantic is committed to working with our government and with the European Union and its member states to ensure that data flows between Europe and the United States are not unreasonably interrupted, to ensure reasonable privacy protection, and to foster electronic commerce.  We believe the draft safe harbor principles are a good start.  We hope they can be revised to the satisfaction of U.S. industry and the European Commission.
 
 

       Respectfully submitted,
 

       /s/ Shelley E. Harms
 
       Shelley E. Harms
       Executive Director
       Bell Atlantic
       1095 Avenue of the Americas
       New York, NY  10036
       212-395-8053
       shelley.e.harms@bellatlantic.com

       For Bell Atlantic

November 19, 1998
 



November 19

FROM: Yahoo!

From:  Anne K. Toth
Manager, Privacy Policy & Data Protection, Yahoo, Inc.
Re:  Comments on Draft International Safe Harbor Principles

Please find attached to this email message, Yahoo!'s Comments on Draft
International Safe Harbor Principles and the Online Privacy Alliance's
Guidelines for Online Privacy Policies.

If you have difficulty retrieving any of the attachments to this e-mail
message, please contact me at (408) 616-3791 or reply to
annet@yahoo-inc.com.  These documents are also being sent by facsimile.

Thank you,

Anne K. Toth
Manager, Privacy Policy & Data Protection

--
~~~~~~~~~~~~~~~~~~~~~ DO YOU YAHOO!? ~~~~~~~~~~~~~~~~~~~~~~~
Anne K. Toth                        Yahoo! Inc.
Tel:    408-616-3791                3420 Central Expressway
Fax:    408-616-3650                Santa Clara, CA 95051
Pager:  800-315-4814                http://www.yahoo.com/
e-mail: annet@yahoo-inc.com         http://mail.yahoo.com/
 

       November 19, 1998
 

VIA FACSIMILE
AND ELECTRONIC MAIL

Mr. Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th Street and Constitution Avenue, N.W.
Washington, D.C. 20230

RE: Request for Comments on Draft International Safe Harbor Principles

Dear Mr. Fredell:

Yahoo! Inc. (Yahoo!) files these comments in connection with the Draft International Safe Harbor Principles, Attachment B to Ambassador Aaron’s Letter on the EU Data Protection Directive (the “Principles”).  Yahoo! endorses the concept of having a safe harbor for U.S. companies that adhere to a standard set of privacy principles.  Likewise, Yahoo! supports the International Trade Administration’s (the “ITA”) efforts to date to craft a set of principles that U.S. businesses can apply to the electronic collection and cross-border transmission of personal data between the US and EU member states.

By way of background, Yahoo! is a global Internet media company that offers a branded network of comprehensive information, communication and shopping services to more than 40 million unique Internet users each month. As the first online navigational guide to the Web, Yahoo! is the single largest guide in terms of traffic, advertising, household and business user reach, and is a leading Internet brand name.  Yahoo! maintains 15 international Internet properties outside the United States with offices in Europe, the Asia Pacific and Canada.  Yahoo! is headquartered in Santa Clara, California.

The Internet has evolved into a global source of new media.  As an Internet pioneer, Yahoo! has grown to include many international users.  The corporation serves its international audience by offering Yahoo! services in multiple languages with localized and personalized content for users throughout the world, including the European Community.  The corporation’s privacy policy is posted on Yahoo!’s sites, accessible to users throughout the network of properties in multiple languages.

This privacy policy meets guidelines set forth by both the Online Privacy Alliance (the “OPA”) and by TRUSTe. Yahoo! is a member of both organizations.  These organizations have worked diligently to address privacy issues pertaining to online businesses.  Yahoo! is proud to be a member of the OPA and to comply with their “Guidelines for Online Privacy Policies” (the “Guidelines”).  The Guidelines reflect the consensus view of a diverse group of companies and industry organizations with respect to privacy principles for the online medium.

Yahoo! respectfully submits comments for two of the seven principles set forth in the Principles, specifically the “Onward Transfer” principle and the “Access” principle.  These comments reflect Yahoo!’s perspective as a company that makes its primary business on the Internet.

Onward Transfer
The Onward Transfer principle (the “Transfer Principle”) specifies that:

“Individuals must be given the opportunity to choose whether and the manner in which a third party uses the personal information they provide (when such use is unrelated to the use(s) for which the individual originally disclosed it).  When transferring personal information to third parties, an organization must require that third parties provide at least the same level of privacy protection as originally chosen by the individual…”

Yahoo! recommends that the aforementioned section be revised in accordance with the OPA’s Guidelines, specifically the Notice and Disclosure principle and the Choice/Consent principle.  These principles provide that:

“The [privacy] policy must state clearly: what information is being collected; the use of that information; possible third party distribution of that information; the choices available to an individual regarding collection, use and distribution of the collected information; a statement of the organization's commitment to data security; and what steps the organization takes to ensure data quality and access…

…where there is third party distribution of individually identifiable information, collected online from the individual, unrelated to the purpose for which it was collected, the individual should be given the opportunity to opt out.”

Yahoo! complies with the OPA’s Guidelines, and in accordance, maintains a strict privacy policy.  The OPA Guidelines were extensively reviewed prior to issuance and were carefully constructed.  Yahoo! supports the OPA’s philosophy, advising companies to provide clear notice and choice about how user information will be used and shared.  This philosophy allows the greatest freedom and choice for the user.  The user can always choose to refuse to allow personal data to be transferred if the user is uncomfortable with the possible future uses of that data.  Yahoo! concurs that providing consumers with clear notice about how personal data will be used and with whom it will be shared allows consumers to make informed decisions about the use of their personal information.  This approach is consistent with the OPA Guidelines.

In addition, requiring partner companies to offer “at least the same level of privacy protection” as the company that originally collected the data does not take into consideration the varying ways that different companies use and protect personal data.  Yahoo! has a posted privacy policy, and partnering companies are free to utilize and implement other proprietary privacy policies.  There is no way to assure consistency between Yahoo!’s privacy practices and those of partnering companies, particularly if partnering companies operate in a different business category, subject to different regulatory requirements.  Furthermore Yahoo!, as a matter of policy, does not support companies being placed in the position of policing the privacy practices of their partner companies.  As a legal matter, this could result in unforeseen liability issues for companies should a partner or third party misuse personal data.

Access
The Access principle (the “Access Principle”), specifies that:

“Individuals must have reasonable access to information about them derived from non public records that an organization holds and be able to correct or amend that information where it is inaccurate. Reasonableness of access depends on the nature and sensitivity of the information collected and its intended uses. For instance, access must be provided to an individual where the information in question is sensitive or used for substantive decision-making purposes that affect that individual.”

Yahoo! recommends that this section be modified to be consistent with the OPA Guidelines that state:

“Organizations creating, maintaining, using or disseminating individually identifiable information should take reasonable steps to assure that the data are accurate, complete and timely for the purposes for which they are to be used.

Organizations should establish appropriate processes or mechanisms so that inaccuracies in material individually identifiable information, such as account or contact information, may be corrected. These processes and mechanisms should be simple and easy to use, and provide assurance that inaccuracies have been corrected. Other procedures to assure data quality may include use of reliable sources and collection methods, reasonable and appropriate consumer access and correction, and protections against accidental or unauthorized alteration.”

Users should be able to update and amend information that is no longer current or that is otherwise incorrect.  The OPA Guidelines are clear on this point and establish a link between access to information and correcting inaccuracies in such information.  In addition, to ensure a balance between the importance of data access and accuracy and the high cost to companies of providing access, the OPA created a standard of requiring companies to allow consumers to correct “material individually identifiable information.”  Yahoo! appreciates that the proposed Access Principle includes a reasonableness standard for data access.  The OPA language defines reasonableness, which is the ability to correct material individually identifiable information.  Yahoo! strongly recommends that this language be incorporated into the Access Principle to define the use of the word “reasonable.”

Thank you very much for the opportunity to comment on the Principles.  Again, Yahoo! supports the ITA’s efforts to reach a safe harbor solution for U.S. businesses engaged in the cross-border transfer of information.  Should you need further clarification on Yahoo!’s position, please do not hesitate to contact me at (202) 887-6932.
 
 

      Very sincerely yours,
 
 
 

      John Scheibel
      Washington Counsel and
      Director of Government Affairs
 
 
 

Enclosures/Attachments:

OPA – “Guidelines for Online Privacy Policies”
 
 
 
 
 

Online Privacy Alliance

Guidelines for Online Privacy Policies

Upon joining the Online Privacy Alliance, each member organization agrees that its policies for protecting individually identifiable information in an online or electronic commerce environment will address at least the following elements, with customization and enhancement as appropriate to its own business or industry sector.

1. Adoption and Implementation of a Privacy Policy

An organization engaged in online activities or electronic commerce has a responsibility to adopt and implement a policy for protecting the privacy of individually identifiable information.  Organizations should also take steps that foster the adoption and implementation of effective online privacy policies by the organizations with which they interact; e.g., by sharing best practices with business partners.

2. Notice and Disclosure

An organization's privacy policy must be easy to find, read and understand. The policy must be available prior to or at the time that individually identifiable information is collected or requested.  The policy must state clearly: what information is being collected; the use of that information; possible third party distribution of that information; the choices available to an individual regarding collection, use and distribution of the collected information; a statement of the organization's commitment to data security; and what steps the organization takes to ensure data quality and access.

The policy should disclose the consequences, if any, of an individual's refusal to provide information. The policy should also include a clear statement of what accountability mechanism the organization uses, including how to contact the organization.

3. Choice/Consent

Individuals must be given the opportunity to exercise choice regarding how individually identifiable information collected from them online may be used when such use is unrelated to the purpose for which the information was collected. At a minimum, individuals should be given the opportunity to opt out of such use.

Additionally, in the vast majority of circumstances, where there is third party distribution of individually identifiable information, collected online from the individual, unrelated to the purpose for which it was collected, the individual should be given the opportunity to opt out.

Consent for such use or third party distribution may also be obtained through technological tools or opt-in.

4. Data Security

Organizations creating, maintaining, using or disseminating individually identifiable information should take appropriate measures to assure its reliability and should take reasonable precautions to protect it from loss, misuse or alteration. They should take reasonable steps to assure that third parties to which they transfer such information are aware of these security practices, and that the third parties also take reasonable precautions to protect any transferred information.

5. Data Quality and Access

Organizations creating, maintaining, using or disseminating individually identifiable information should take reasonable steps to assure that the data are accurate, complete and timely for the purposes for which they are to be used.

Organizations should establish appropriate processes or mechanisms so that inaccuracies in material individually identifiable information, such as account or contact information, may be corrected. These processes and mechanisms should be simple and easy to use, and provide assurance that inaccuracies have been corrected. Other procedures to assure data quality may include use of reliable sources and collection methods, reasonable and appropriate consumer access and correction, and protections against accidental or unauthorized alteration.

   ###

These guidelines are not intended to apply to proprietary, publicly available or public record information, nor to supersede obligations imposed by statute, regulation or legal process.

Other valuable resources available to Alliance members in the development of privacy policies include: the OECD's "Guidelines on the Protection of Privacy and Transborder Flows of Personal Data"; the U.S. Department of Commerce's "Staff Discussion Paper of Privacy Self-Regulation"; and various industry association programs.



November 19

FROM: U.S. Council for International Business

From: Joseph Alhadeff
Vice President, Electronic Commerce
U.S. Council for International Business
Re:  USCIB Comments
 

Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th and Constitution Avenue, N.W.
Washington, DC 20230

Attached as an unencoded MS Word 6.0 file, please find the comments of
the U.S. Council for International Business on the Draft Safe Harbor
Principles.  The comments are also cut and pasted below.  We thank you
for the opportunity to comment.

Joseph Alhadeff
Vice President, Electronic Commerce
U.S. Council for International Business
jalhadeff@uscib.org

**********************************************************************
 

USCIB COMMENTS ON THE DOC DRAFT INTERNATIONAL
SAFE HARBOR PRIVACY PRINCIPLES

Thank you for the opportunity to provide comments on the Draft
International Safe Harbor Privacy Principles.  USCIB members greatly
appreciate the efforts of the Department of Commerce to resolve the
potential restrictions on the transborder flow of data from the E.U.
to the U.S. as a result of the implementation of the E.U. Privacy
Directive.

In theory, USCIB members support the concept of a safe harbor.
However, there are many unanswered questions that will ultimately
determine the support of our members for this draft solution, namely
the actual application of the safe harbor (how does it relate to a
private action, what does it commit the European Commission to do or
not do within its scope of authority under the Directive) and the
scope of the principles themselves.

In regard to the principles, the starting point should be the
consensus achieved by U.S. industry as represented in the Online
Privacy Alliance principles, as adapted where necessary to apply to
both the on-line and off-line environments.  If there is a conflict
between these principles and E.U. demands, the resolution of the
conflict should be based on internationally agreed upon principles,
not adoption of the principles set forth in the E.U. Directive. The
U.S. position has consistently advocated that "adequacy" does not mean
equivalency, and that there are sector appropriate self-regulatory
solutions which can provide adequate protection.  The OECD 1980
Guidelines provide the international consensus which should be used to
resolve potential conflicts concerning adequacy. The principles should
be in keeping with the U.S. approach of self-regulation operating in
conjunction with existing laws and regulation.

The rationale for such an approach is twofold.  First, the U.S. will
be conceding that the OECD Guidelines and U.S. privacy protection
based on the OECD Guidelines do not represent adequate privacy
protection if we agree to safe harbor principles that exceed their
scope (the E.U. recognizes the OECD Guidelines as internationally
agreed upon principles).  Second, it may be difficult for U.S.
companies to maintain two different privacy protection practices in
their databases -- one for U.S. and non-E.U. citizens and one for E.U.
citizens.  In practical application it may very well force U.S.
companies to adopt privacy practices that exceed internationally
accepted principles and may restrict information flows.  Moreover,
U.S. companies will have a difficult time rationalizing to U.S. and
non-E.U. consumers that E.U. consumers are offered additional privacy
protections. We must not forget the very real consumer education,
choice and convenience benefits that result from the freer flow of
information that our self-regulatory approach provides through its
greater reliance on concepts of party autonomy and user empowerment.

Examples of where the Draft Safe Harbor Principles exceed the OECD
Guidelines:
 

     · Generally:  There should be a general qualification and
     limitation on the application of the safe harbor principles to
     personally identifiable information in order to avoid confusion
     with aggregated or otherwise "cleansed" information.

     · Notice:  The draft safe harbor principles include notice of the
     types of organizations to which information is disclosed.  The
     OECD Guidelines do not have such a requirement.  Chapter II,
     Section IV, Article 10(c) of the E.U. Directive states that
     "Member States shall provide . . . any further information such
     as --the recipients or categories of recipients of the data."
     However the Directive then qualifies this by stating "in so far
     as such further information is necessary. . . "  The draft safe
     harbor principles therefore go beyond even what the Directive
     requires.  The OPA addresses this by calling for notice and
     disclosure of "possible third-party distribution of that
     information."  In addition, the OECD Guidelines do not require
     the identification of how information is collected but rather
     states that information should be "obtained by lawful and fair
     means. . ."

     · Choice:   The concept of "unrelated uses" as set forth in the
     parentheses is clearly stated in the OECD Guidelines.  Therefore,
     it should be clearly stated in the safe harbor principles without
     parentheses, which generally tracks the language of the OPA.
     Additionally, the OECD Guidelines and its explanatory memorandum
     do not state that absolute opt-in must be offered for the
     collection and use of sensitive data.  USCIB members recognize
     that sensitive data, such as medical information, require greater
     protection.  However, greater protection does not justify an
     absolute presumption of opt-in for all sensitive data.

     · Onward Transfers:  No such stand alone principle exists in the
     OECD Guidelines.  The concept of "third-party uses" is
     incorporated in the "Purpose Specification" and the "Use
     Limitation" Principles of the OECD Guidelines.  In addition, the
     OECD Guidelines do not provide that organizations must require
     third parties to whom they transfer information to provide at
     least the same level of privacy protection as originally chosen
     by the individual.  Please also see above for a discussion on
     opt-in for sensitive data.

     · Access:  The OECD Guidelines provide that an individual should
     have the right to have "communicated to him, data relating to
     him. . ."  Therefore access is through a communication from the
     data controller to the data subject.  The draft safe harbor
     principle does not clearly reflect the "communication" concept
     which may be construed to allow an individual to physically
     review files/databases.  It is important to note that the
     explanatory memorandum to the OECD Guidelines (Paragraph 58)
     states ". . . the right to access and challenge is not absolute."
     There must be reasonable limits on the right to access,
     especially where the access is not for data quality purposes. At
     a minimum, users requesting access must have some obligation to
     work with companies to tailor requests to be reasonable in scope
     and not prohibitive in terms of timeframe, cost or technological
     practicability.

     · Enforcement:  The OECD Guidelines contain an "accountability
     principle" that does not preclude effective and viable
     self-enforcing/auditing approaches.  Even if there may be a
     preference for independent recourse mechanisms, should there be
     an absolute preclusion of an effective and viable
     self-enforcing/auditing approach?
 

We look forward to continuing our dialogue with the U.S. Government on
this important effort.  Please do not hesitate to contact us if you
have any questions.

Submitted 11/19/98
Joseph H. Alhadeff
Vice President, Electronic Commerce
U.S. Council for International Business
jalhadeff@uscib.org
Tel: 212-703-5068
     212-354-4480
Fax: 212-575-0327


FROM: Health Industry Manufacturers Association
November 19

From:  Donna Slingluff
Director, Global Strategy and Analysis
Re:  EU Data Protection Directive

Dear Mr. Fredell:

Attached please find comments submitted by HIMA.

 <<dataprivacy1119.doc>>

The hard copy will follow shortly via facsimile.

Regards,
Stephanie
 

November 19, 1998
 

Mr. Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th and Constitution Avenue, N.W.
Washington, DC  20230

Re: HIMA Comments on Proposed Safe Harbor for EU Data Protection Directive

Dear Mr. Fredell:

The Health Industry Manufacturers Association (HIMA) is pleased to submit the following comments on the Department of Commerce’s proposed international industry safe harbor to the European Data Protection Directive.  HIMA is a Washington, D.C.-based national trade association representing more than 800 manufacturers of medical devices, diagnostic products, and health information systems.

HIMA supports efforts to protect the confidentiality of patient medical information and appreciates the European Union’s concerns about data privacy protections in other countries.  HIMA is concerned, however, that the European Directive on Data Protection will impede the transfer of important patient data used for clinical research to develop innovative medical technologies, and will also impede post-vigilance activities, such as device tracking, that help manufacturers identify patients in the event of product recalls.

HIMA supports the efforts of the Department of Commerce to negotiate with the European Commission a workable solution to these and other problems created by the Directive, and we think the proposed safe harbor principles may offer some benefits to U.S. medical device companies concerned with the EU data privacy directive.  Our recommendation, however, is for an amendment to the Directive -- or a statement from the European Commission -- clarifying that the transfer of data for clinical trials and post-vigilance activities is exempted from the Directive’s requirements.

We believe that clinical trial and post-vigilance activities should be exempted from the Directive, because sufficient data privacy safeguards already exist in the U.S.  Many sections of the U.S. Code of Federal Regulations impose patient data privacy obligations on medical device companies involved in these activities.

Specifically, hospital-based clinical trials to test the effectiveness of a medical device must have the approval of the hospital’s institutional review board (IRB). An IRB is a committee formally designated by an institution to review, approve, and conduct periodic review of biomedical research involving human subjects (21 C.F.R. Section 56.102 (g)).  Qualifications for IRB membership are described by regulation (21 C.F.R. Section 56.107).  The IRB reviews the plan for the clinical study to ensure that the safety and welfare of the participating patients are protected.  The IRB requires patients to first sign an informed consent document, acknowledging their understanding of the potential risks involved and agreeing to participate in the study.  The informed consent form may provide for the confidentiality of patient records, consistent with the procedures of the institution conducting the research and/or applicable state law and regulations.

With regard to post-vigilance activities in the U.S., when patients receive an implantable device (such as an implantable pacemaker or defibrillator), the manufacturer is required to keep track of that person over the lifetime of the device. The Food and Drug Administration (FDA) requires tracking by manufacturers to ensure that if there is a notification about a device problem or recall, the manufacturer will know how to contact each patient who has received the device.  It is to the patient’s advantage to share this information with the manufacturer and FDA; however, as a legal matter, a patient could refuse to be tracked by communicating that refusal in writing to the manufacturer.

The FDA tracking regulation requires manufacturers to be able, when called for, to produce a list of the distributors, prescribing physicians, and patients (including their addresses) that have the device.  The regulation makes the individual manufacturer responsible for developing its own procedures for storing and tracking this patient information.  In regard to patient information a manufacturer shares with FDA, certain types of patient information are protected by FDA through exemptions from the Freedom of Information Act and its implementing regulations.  Thus, patient information is available only to FDA, and the agency is prohibited from releasing it to other parties.
The current process for device tracking serves the public well by allowing patients to be contacted in the event of a recall.

Furthermore, our interpretation of several of the Directive’s exceptions is that they cover clinical trials and device tracking activities.  For example, “transfer of data necessary to protect the vital interests of an individual” would seemingly apply to patient data for both clinical trials and post-vigilance activities.  If the European Union agrees with our interpretation, a safe harbor would not be necessary for the medical device industry.  In any case, HIMA believes a clarification is needed, either by the European Commission or through an industry-wide safe harbor, that compliance with U.S. regulatory requirements protecting patient data is sufficient to exempt companies from the European Data Privacy Directive.

Finally, we would like to point out that although the draft safe harbor is considered “voluntary,” from a practical standpoint it would be mandatory for those U.S. medical device companies that wish to continue sharing clinical trial and post-vigilance data with Europe.  For this and the other reasons mentioned above, we would urge the U.S. government to seek a clear exemption to the Directive for these activities of the medical device industry rather than a safe harbor.

We appreciate your consideration of our views.

Sincerely,
 
 
 

Donna Slingluff
Director, Global Strategy and Analysis


FROM: Information Industry Association
November 19

From:  Charlene Flick, Information Industry Association (IIA)
Re:  IIA Safe Harbor Comments

Attached please find the Information Industry Association's (IIA) comments
on the draft International Safe Harbor Privacy Principles.  A duplicate of
this document has been faxed to Eric Fredell at 202/501-2548.

Please let me know that these comments have been received.  Thank you.

Charlene Flick, IIA
 
 

Charlene B. Flick
Assistant Counsel
Information Industry Association
(202)319-0141
CFlick@infoindustry.org

Before the
United States Department of Commerce
Washington, D.C.
 

Comments of THE INFORMATION INDUSTRY ASSOCIATION (IIA) on the International Safe Harbor Privacy Principles

November 19, 1998
 

Introduction
The Information Industry Association (IIA) would like to take this opportunity to congratulate the Department on the progress that has been made regarding the ongoing negotiations with the Europeans over the implementation of the European Directive. Both Europe and America have very venerable and distinct histories that have each generated slightly different perspectives on governance, and we commend the Department of Commerce for rising to the obvious challenges of these negotiations and bringing us closer to a common ground.  We would also like to thank the Department for its tireless efforts to include the private sector in this policymaking process, and for affording us the opportunity to submit comments on the “International Safe Harbor Privacy Principles” draft before pursuing this further with the Europeans.  We hope you find our comments insightful.

Discussion
IIA is very supportive of establishing safe harbors that offer companies and consumers predictability in the global marketplace.  The benefits of the safe harbor approach extend beyond the obvious advantage of avoiding disruption of existing flows of data into and out of the European Community.  Consumers could presume that organizations within an established “safe harbor” would collect and use their personally identifiable information responsibly, thereby fostering consumer trust and ultimately electronic commerce.  Companies within this safe harbor would gain confidence that their information practices are exemplary and would be encouraged to extend these practices to innovative ways of doing business without the fear of losing the transborder dataflow that is so vital to their business.  Although safe-harbor companies conceivably would not be free from privacy-related challenges, the favorable presumption that such a category creates greatly lessens the burden on responsible businesses that must address such challenges.  IIA companies are encouraged to adhere to Fair Information Practices Principles and to post and enforce responsible privacy practices.  Therefore, such a model could be greatly beneficial to IIA companies that engage or intend to engage in international transactions.

We understand and appreciate the necessity of drafting a fairly broad document that allows flexibility for a sectoral approach and for ongoing negotiations with the Europeans.  However, we would like to underscore the importance of certain themes that, from our perspective, need to be amplified and memorialized throughout the document.  One such theme is the need to exclude the collection and use of public records from the outset, citing time-tested First Amendment principles and the unfettered flow of expression that form the foundation of American government and American innovation.  We would also recommend clear exclusion of data collected for journalistic purposes and publicly available information such as white pages.  We acknowledge and applaud the Department’s incorporation of a public records exemption in the access principle, which stipulates “reasonable access to information about them derived from non public records...,” but respectfully suggest that this distinction apply to the notice, choice, and data integrity provisions, as well.  Ambassador Aaron has noted that the exemptions incorporated in Article 26 would be applicable to the safe-harbor document, as well.  These exemptions include data coming directly from public records, but immunize only transfers from a European public register to a non-European site.  We believe a public records exemption needs to be broader than the exemption in Article 26.  Unless public records are broadly exempted, a company could lose its safe harbor if, for instance, it does not offer a European the right to opt out of dissemination or use of material in a public record located in the United States concerning that European (e.g., property ownership records).  Additionally, it is unclear if public records information that is transmitted several times, as is often necessary to conduct business, would be construed as coming “directly” from public records.

Another concern we have is how eligibility for a safe harbor is to be established and determined.  As Ambassador Aaron notes in his letter to Industry Representatives, “organizations could come within the safe harbor by self certifying that they adhere to these privacy principles.”  This self-certification process does not appear to be adequately addressed in the document itself, and we would urge the Department to explicitly incorporate this principle in subsequent drafts.  IIA’s membership encompasses many business sectors and a wide array of companies ranging from Fortune 500 to technology start-ups.  We have drafted our Fair Information Practices Principles, Implementation Guidelines, and Privacy Policy Template to reflect the diversity of our membership and to preserve a range of options so that companies can choose how they would like to address consumer privacy based on their resources and the sensitivity of the information they collect.  While many IIA organizations have chosen to have their practices reviewed and certified by a third-party audit system, some organizations have chosen to establish internal review and certification mechanisms.  If the latter set of companies self-certify that they are complying with responsible business practices as implemented within their company, they should be entitled to a safe harbor presumption, as well.  Although we believe that this is what the Department intended, we would suggest that the scope of the safe harbor specifically include language directed to companies that have chosen this method of self-certification.  This will eliminate the potential interpretation of the third paragraph of the draft safe harbor principles, which states that qualification may depend upon “membership in private sector developed privacy programs,” to mean that self-certification is precluded.
Lastly, we would be interested in learning more about the procedure surrounding the certification process and the entity actually doing the certifying as these details are finalized.

Section-by-Section Analysis
The principles discussed in the “International Safe Harbor Privacy Principles” draft effectively track those in the Department’s earlier “Elements of Effective Self-Regulation” draft.  IIA has previously submitted comments on these principles and supports the inclusion of these elements in formulating an effective self-regulatory regime.  The following reflects IIA commentary regarding each of the principles as they relate to the “International Safe Harbor Privacy Principles” draft:

Notice:   We believe truthful and informative notice or “transparency” coupled with proportionate accountability or substantiation forms the foundation of an effective self-regulatory framework.  IIA agrees strongly that a company has an obligation to document and support the representations it makes to the user/consumer.  With adequate disclosure through a prominently displayed privacy policy, there is a presumption that the company is offering truthful and nondeceptive information.  If a consumer’s trust in such a disclosure is breached, the Federal Trade Commission (FTC), state authorities, and other government agencies have proven enforcement mechanisms already in place to address such circumstances.  We would suggest, however, that rather than “information it collects about them,” this provision should read, “information it collects from them.”  This distinction directly relates to the input of information at the point of collection where a privacy policy is posted.

Choice:   There is a long tradition of allowing consumers to limit the use of individually identifiable information for marketing purposes.  There may be other circumstances where it is appropriate to allow individuals to limit the use and dissemination of individually identifiable information, including when the information contains certain types of personal financial or medical history information and most information about children.  On the other hand, there may be circumstances where it is inappropriate to allow individuals to limit the dissemination and use of individually identifiable information, such as when the information was originally obtained from public records; the information is being used for billing purposes; the information is being used in the investigation of a crime; or the information’s use is regulated by law.  We believe that it is important that the Department recognize and communicate to the Europeans that choice may not always be feasible or prudent.

With respect to the wording of this provision, we would suggest that opt-out be permitted in instances where such use is unrelated to the purpose for which it is originally collected, rather than the uses for which the user originally disclosed it.  With adequate notice detailing what uses will be made of this information, the consumer should be able to make an informed choice as to whether or not opt-out is desirable.  Furthermore, the “purpose” formulation aligns the choice principle with the notice principle, since the collector should state its “purposes” for the collection, but not necessarily the specific use for which the initial collection is being made.  We believe the imposition of an opt-out requirement to be the most effective and generally accepted method of providing choice to users.  If opt-in is to be imposed, it should only be in limited and well-defined circumstances involving highly sensitive information, because an “opt-in” standard can seriously impede the free flow of information.

Onward Transfer: The IIA Fair Information Practices Principles encourage companies to do business only with those market players who provide a level of privacy protection to the consumer consistent with that of the IIA member organization.  If individually identifiable information is disseminated, the disseminating organization should take reasonable steps with respect to affiliates or the unaffiliated third parties who are receiving the information to protect against security risks and other related privacy abuses.  It may not be practical, however, to offer a consumer an opt-out of such transfers, as such an option could potentially hold important transactions in abeyance until such decisions are rendered.  In other cases, it would be appropriate for the company to offer individuals the choice to limit onward disclosures, and this can be done as part of the choice provision.  Companies that intend to do business with other entities should disclose this fact in a succinct and readily understandable privacy policy, and consumers may or may not choose to do business with this particular company in light of these policies.  Although companies can seek out business partners who appear to uphold the same privacy principles, they should not be responsible for policing these entities and should not be held accountable for abuses beyond their control.  Therefore, we would suggest that this provision be deleted and the important concepts be incorporated in the notice and choice provisions.

Security/Data Integrity: Information security is a key feature of responsible collection, use and dissemination of individually identifiable information.  Our Fair Information Practices Principles mandate that companies take reasonable and appropriate measures to secure information they collect and use.  Therefore, we have no substantive revisions to the security provision as written in the current draft.  With respect to the data integrity provision, we would suggest the insertion of “reasonably” preceding “accurate, current, and complete” because companies often are not the originators of such information and therefore do not always have control over these factors.  A reasonableness requirement would preclude a scenario where a company would be investing a disproportionate amount of energy in pursuing and updating this information to meet an arbitrary standard of “current” or “complete.”

Access:  Again, we would like to commend the Department for recognizing the importance of incorporating a flexible reasonableness standard and a public records exception in the access provision.  We would also agree that reasonableness of access depends upon the sensitivity of the information collected and its intended uses.  We would, however, broaden reasonableness to include a notion of feasibility.  A great many IIA members have expressed difficulty in providing access and correction to consumers given the structure of their internal databases and the inability of the technology to perform the necessary function for providing the access that the Europeans envision.  Many companies have embedded technology and an assortment of separate and distinct databases that are not currently integrated to perform such a comprehensive search.  Revamping such a system all at once could, in some cases, result in closing business operations altogether and bringing commerce to a halt.  This scenario is surely not what the Europeans envisioned, and we would urge the Department to communicate the differences between Europe’s business functionality and our own, as well as the difficulty inherent in changing our business models to accommodate comprehensive access.

Furthermore, the current draft could be construed to condition “reasonableness” on a unilateral consumer-driven decision.  Each time an individual determines that the information a company holds in its possession could potentially be used for a “substantive decision-making purpose that affects that individual,” he or she may demand a right of access and correction.  Even if it is left to the company to determine what information is utilized in a “substantive decision-making process,” predictability is still not accomplished.  Although information that is the basis for affording credit may be clearly more “substantive” than information that determines whether or not an individual is included in a marketing list, creating a “bright-line” test for defining substantive remains problematic.  Therefore, in keeping with the intended flexibility of the document and its intent to preserve the American sectoral model, we would suggest omitting the sentence that offers the example of what constitutes reasonable access and instead letting the nature and sensitivity of the information collected serve to steer the access debate towards a sector-by-sector or case-by-case approach.  We would also suggest that access be limited to information collected from the consumer, rather than about the consumer.

Enforcement:  As stated earlier, we believe that notice coupled with effective enforcement or accountability is at the heart of any self-regulatory regime.  We agree that mechanisms for recourse for consumers, verification of business practices, and the imposition of consequences for noncompliance are essential components of this accountability.  Furthermore, we would agree with Ambassador Aaron’s opening remarks regarding the compatibility of self-regulation with existing remedies at law.  For example, companies continue to be held accountable for representations made pursuant to Section 5 of the Federal Trade Commission Act despite participation in a self-regulatory program.  Certain highly-regulated sectors of industry continue to be regulated notwithstanding their participation in self-regulation.  Self-regulation or safe harbor status complements the existing legal framework; it does not diminish the potency of these laws already providing recourse, verification, and accountability.

The draft enumerates what constitutes, at a minimum, effective enforcement of self-regulation, highlighting the importance of verification, recourse, and remedy or consequence.  These are concepts that IIA has incorporated into its own Fair Information Practices Principles, encouraging companies to develop their own customized approach to enforcement derived from these tenets that adequately addresses the nature of their business, given the nature of the data the companies collect and use.  As the Department has recognized in its earlier “Elements of Effective Self-Regulation” draft, the preservation of flexibility in this area is crucial.  Enforcement mechanisms need to be carefully tailored to the nature of each particular business and the level of the sensitivity of the information collected.  An effective enforcement scheme for a multinational credit agency would have very little resemblance to that of a tiny web-page operator who does not collect information other than who visits its site.  While these general precepts are not troublesome, what is in need of further clarification is what is meant by an “independent” recourse mechanism.  For example, if Company A employs specially trained Privacy Officers who review privacy complaints from within the organization and resolve disputes with customers, would that be deemed sufficiently independent?  We would suggest striking the word “independent” so as not to exclude good actors who have elected to self-certify in light of the nature of their business rather than employing an outside auditor rendering an external review.

Lastly, we seek clarification with respect to the Note to the Enforcement Provision that “compliance with private sector developed privacy programs that include effective enforcement mechanisms” be applied as broadly as possible so as not to exclude internal self-certification program participants.  Additionally, it is not clear what is meant by “compliance with legal or regulatory supervisory authorities.”  If a company is in compliance with existing legal and regulatory requirements, does this fact automatically constitute an effective enforcement mechanism rendering eligibility for safe harbor status?  We would suggest that the posting of a policy and the adherence to that policy constitutes the requisite self-regulatory program for safe harbor status.  The fact that a company which flagrantly violates its stated policy can be pursued for deceptive trade practices under existing law should be enough to satisfy the Enforcement Principle.

Conclusion
The development of a safe harbor model is a positive step towards building consensus with the European Community and preserving an uninterrupted transborder dataflow that courses through the conduits of international commerce.  IIA supports the ongoing negotiations between the United States and Europe, and is hopeful that a safe harbor model will ultimately be adopted.  We understand that this document represents a work-in-progress, and look forward to further clarification as both the principles and the Q & A commentary develop.  It is clear that the Department understands the importance of preserving flexibility and First Amendment values within the context of a safe harbor approach.  As content-producers, IIA members are especially sensitive to these issues, and enthusiastically support a dialogue that ultimately will achieve privacy protection worldwide without sacrificing freedom of expression.  We look forward to further contributing to this debate in an effort to reach a speedy and satisfactory solution for both industry and consumers worldwide.
 

Appendix A

 
INFORMATION INDUSTRY ASSOCIATION
MEMBER LIST
 
 

Abels, Dr. Eileen G. (University of Maryland)
Access Innovations, Inc.
Advanta Partners LP
AG Communications Systems
AGENCIA ESTADO LTDA
Allen & Company Incorporated
Allied Marketing Group, Inc.
Alpine Meridian, Inc.
AMA CPT Intellectual Property Services
America Online, Inc.
American Banker/Bond Buyer
American Health Consultants
American Stock Exchange
Amsterdam Exchanges N.V.
Andersen Consulting Media & Entertainment Group
Anthony Rudkin Associates
Arabian Advanced Systems
Architects First Source
Atlantic Accord
Autodesk Press
Australian Stock Exchange
Autex Systems Inc.
Aviation Week Group
Aviation/Aerospace Newsletter
Bancroft & Whitney
Bankers Trust Company
Bankstat
Barbados Investment & Development Corporation
Barclays Law Publishers
BC Telecom
Belden Associates
Berkery, Noyes & Co.
BETA SYSTEMS Inc.
BioInformatics Publishing
Bloomberg L.P.
Bloomberg Business News
Bloomberg Financial Markets
BNA Communications Inc.
BNA International, Inc.
Board of Trade of City of New York
BOVESPA
BPI Electronic Media
Breakwater Holdings, LLC
Brewer Consulting Group, Inc.
Bridge Information Systems
BRIDGE News
Bridge Telerate
Broadview Associates LLC
Brooks/Cole Publishing Company
Brussels Stock Exchange
Buckman Communications
Budapest Stock Exchange
The Bureau of National Affairs
Burlington Consultants
Burrelle's/VMS NewsAlert
Business Week Group
Butterworth-Heinemann
Butterworth Asia
Byggfakta Scandinavia AB
BYTE
Cable One
Cahners Business Information
Cahners Electronic Media - Industrial Group
Cahners Travel Group
Cambridge Information Group
Cambridge Scientific Abstracts
Cape Cod Times
Carbo, Toni (University of Pittsburgh)
CARCO GROUP INC.
CareerBuilder Inc.
Carfax, Inc.
Cargill, Inc. Trading Technology
The Carswell Company Limited
CBOE Trading Operations
CCH Incorporated
CCH Legal Information Services
CCH Trademark Research Corp.
CCH Washington Service Bureau
CDA Investment Technologies
CDB Infotek
CD-ROM Information
CED BORSA S.C.p.A.
Chapman and Hall
Charles E. Simon & Company
Charles Schwab Electronic Services
Chescot Publishing, Inc.
Chester Chronicle & Associated
Chicago Board of Trade Market Data Services
Chicago Mercantile Exchange/Market Data Services
Chin Shan
CIDEX International, Inc.
Claritas, Inc.
CLARITECH Corporation
Clark Boardman Callaghan
Clearnet/The Morris Group
CMD Group
Commercial Information Systems
Communication Products Ltd.
Communications Development Inc.
Compania Anonima Nacional Telefonos de Venezuela
Compania Dominicana de Telefonos
Compania de Telefonos del Interior
COMPASS Media, Inc.
Competitive Media Reporting
Compu-Mark (UK) Ltd.
Compu-Mark NV
COMTEX
Congressional Information Service
Continental Cablevision
Copyright Research Group
Corporate Technology Information Services
Course Technologies
Creative Communications
Crossaig Limited
CS First Boston Corporation
CSK Software Trading Systems
CT Corporation
The Cyber Solutions Group
Daily Star
Data Communications
Data Control Corporation
Data Conversion Specialists
Data Downlink Corporation
Database Technologies, Inc.
DATAFUSION
Datasource Reports
Delmar Publishers
Derwent Information LTD
Derwent North America
Deutsche Boerse AG
The Dialog Corporation
Direct Marketing Technology
Disclosure Incorporated
DonTech
Dow Jones & Company, Inc.
Dow Jones Financial News Services
Dow Jones Interactive Publishing
Dow Jones Newswires
DTN Financial Services
Dun & Bradstreet
DW Thorpe
EarthWeb
EASDAQ Limited
Editora McGraw-Hill do Brasil
Edutech Middle East
Edward Kaminski Associates
Electronic Information Group
Electronic Settlements Group
Elsevier Science
Engineering Information Inc.
ESI International, Publishing Division
Eugene Simonoff & Associates
Excalibur Technologies Corp.
Excerpta Medica, Inc.
Experian
Explore Information Service
Extel Financial Limited
F.W. Dodge
The Farragut Group
Faulkner & Gray
Faulkner Information Services
Faxon Informatics
Federal Document Clearing House
Federal Filings Inc.
Federal Information & News Dispatch (FIND)
Federal Publications, Inc.
Fidelity Investments
FIDES Information Services
Financial Information, Inc.
Financial InterGroup Holdings
FININFO SA
First Call Corporation
Fitzsimmons, Beth
Focus Enterprises
Folio Corporation
Frames Data, Inc.
FTSE International
The Gale Group
Gardner, Carton & Douglas
GARI Software Associates
Garvey, Schubert & Barer
Garvin Information Systems
Genesys Partners, Inc.
Ginn & Company
Glass's Dealer's Guide
Global Finance Information
GlobalSource
Globe Information Services
Goldberg, Morton David (Cowen, Liebowitz & Latman, PC)
Government Counseling Ltd.
GrayFire Information Services
Greenhouse Associates
Greenwood Publishing Group
GTE Airfone
GTE Business Development and Integration
GTE Card Services
GTE Communications Corporation
GTE Corporation
GTE Customer Networks
GTE Data Services, Inc.
GTE Directories Corporation
GTE Government Systems
GTE Information Services
GTE International Operations
GTE International Telecom Services
GTE Internetworking Services
GTE Laboratories, Inc.
GTE Long Distance
GTE Network Services
GTE New Media Services
GTE Paging
GTE Supply
GTE Technology and Systems
GTE Telecommunication Services
GTE Video Services
GTE Wireless
H. Donald Wilson LLC
The H.W. Wilson Company
Hallmark Capital Corporation
Hambrecht & Quist LLC
Heinemann Publishers (pty)
Heinemann Reference
Heinle & Heinle
Hinkley Enterprises
Horizon Media
Horton, Forest W.
HuebCore Communications Inc.
I.R.S.C., Inc.
IDD Information Services, Inc.
IFR Publishing
IHS Engineering Products Division
IHS Environmental Information
IHS Group, Inc.
ILX Systems Inc.
Industry Information Group
Infonautics, Inc.
Information Access Company
Information America
Information Access & Distribution Pte Ltd.
Information Connectivity Group
Information Handling Services
Information Please, LLC
Information Resources Group
Information Today, Inc.
Infosis Corporation
InfoTech, Inc.
ING Barings Furman Selz LLC
INSTINET CORPORATION
Institute for Scientific Information
Intelpro
Interactive Connection
Interactive Data
Interactive Market Systems
Interactive Video Enterprises
Intermedia Advertising Solutions
International Database Group
International Information Services
International Thomson Business Press
International Thomson Distribution
International Thomson Organisation Ltd
International Thomson Publishing Japan
International Thomson Publishing Services, Ltd.
International Thomson Transportation
Internet Financial Network
Internet Industry Relations
The Investext Group
IPC Magazines Ltd.
ITP Education Group
ITP School Publishing
J.J. Kenny Company Inc.
J.P. Morgan Investment Management Inc.
Jane's Information Group
The Jordan, Edmiston Group
Journal of Commerce Limited
K G Saur Verlag
Kaplan Educational Center Ltd.
Keystone Venture Capital Management
Kinokuniya Company Ltd.
KnowledgeLink infoMarket
KnowledgeLink Interactive, Inc.
KnowledgeLink NewsStand
KnowledgeMax, Inc.
KRT Business News
LAN Times
LBC Information Services
Law Offices of J.L. Ebersole
LEGI-SLATE, Inc.
Lehman Brothers Inc.
LEXIS Document Services
LEXIS Law Publishing
Lexis-Nexis
Liberty Brokerage, Inc.
LIFFE
Loan Pricing Corporation
Logos Corporation
Lokalbogsforlaget A/S
London Stock Exchange
LSW, Inc.
Luntz, Suleiman & Associates
Luxembourg Stock Exchange
MacRae's
The Mail Tribune
Management Decisions
Mandarin Offset
Manning & Napier Information Services
Markborough Development
Market Data Corporation
Market Data Retrieval
Market News Service, Inc.
Marketing Resources Plus
Martell, Terrence F. (Baruch College)
Maruzen Co. Ltd.
The Marx Group
Matthew Bender
McClure, Charles R. (Syracuse University)
MCG Credit Corporation
The McGraw Hill Companies, Inc.
McGraw-Hill Asia/Pacific Group
The McGraw-Hill Bookstore
McGraw-Hill Broadcasting
McGraw-Hill Construction Information Group
McGraw-Hill Continuing Education
McGraw-Hill Financial
McGraw-Hill Health Care Publications
McGraw-Hill Higher Education Group
McGraw-Hill Ibero-American
McGraw-Hill Information Services
McGraw-Hill Information System
McGraw-Hill Libri Italia, Srl
McGraw-Hill Lifetime Learning
McGraw-Hill Medical Publishing
McGraw-Hill Professional Publishing Group
McGraw-Hill Publication Services
McGraw-Hill Ryerson
McKnight Medical Communication
MDL Information Systems
MEDEC Dental Communications
Medical Economics
Medscape, Inc.
The MEDSTAT Group
Meridian Venture Partners
Merrill Lynch Asset Management
Merrill Lynch Capital Markets
Merrill Lynch Pierce Fenner & Smith, Inc.
Merrill Lynch Securities Pricing Service
Micromedex, Inc.
Micronesian Telephone Company
Mitchell International
Money Market Directories, Inc.
Morgan Grenfell Asset Management
Morgan Stanley & Co. Incorporated
The Moschovitis Group, Inc.
Mostrups Forlag A/S
Muller Data Corporation
Municipal Market Data, Inc.
N2K, Inc.
N2K Encoded Music
The Nasdaq Stock Market Trade Dissemination Services
National Auto Glass Specifications Inc.
National Quotation Bureau, Inc.
National Software Testing Laboratories, Inc.
NCCI Information Services
Nelson Canada
Nelson English Language Teaching
Nelson Price Milburn Limited
NERAC, Inc.
NET3 Technologies, Inc.
New Media Associates
New York InfoTech Capital Forum
New York Mercantile Exchange
New York Stock Exchange, Market Data Division
Newcastle Chronicle & Journal
NewsBank, Inc.
NewsEdge Corporation
Newsweek, Inc.
NFER-Nelson
NIKKEI AMERICA/Electronic Media Dept.
Noble, J. Kendrick (NOBLE Consultants)
North American Marketing Intelligence Systems, Inc. (NAMIS)
North Eastern Evening Gazette
Northern Light Technology LLC
Oakley, Robert L. (Georgetown University Law Center)
Official Airline Guides, Inc.
OKI Business Digital
OPEN - Online Professional Electronic Network
Osborne/McGraw-Hill
Ottaway Newspapers, Inc.
Outsell, Inc.
Oy Rakennusalan Projektitiedos
PaineWebber Inc.
Parnassus Associates International
Parrys
The Parthenon Group
PC QUOTE, INC.
PennWell Information Technology
Perot Systems Corporation
PERQ Research Corporation
Peterson's
Physicians' Online, Inc.
Pike & Fischer, Inc.
Pinkerton Services Group
PLATT's/The Commodities Division
Pocono Record
The Police Review Publishing
The Polk Company
Post-Newsweek Business Information, Inc.
Practitioners Publishing Co.
Prentice, Anne E. (University of Maryland)
Price Waterhouse LLP - PW - Assist Group
PricewaterhouseCoopers LLP
Primark-Datastream/ICV
Primary Source Media
Primis Custom Publishing
PRN Associates
Prospex, Inc.
PsycINFO
Public Record Research Library
The Publishers' Consortium
Pubnet, LLC
PWS Publishing Company
QUAESTUS Management Corp.
Quebec Telephone Company
Qpass Inc.
Quotron Systems, Inc.
R. Shriver Associates
R.R. Bowker
R.S. Means Company, Inc.
Rapid Communications of Oxford
Rapid Patent Service
RCT Systems, Inc.
Reality Online, Inc.
Reed Academic Publishing Asia
Reed Business Information
Reed Elsevier
Reed Elsevier New Providence
Reed Elsevier Technology Group
Reed Telepublishing
Reed Travel Group
Regulatory Resource Center LLC
Research Information Systems
Research Institute of America
Retrieval Technologies, Inc.
Reuben H. Donnelley
Reuters America, Inc.
REUTERS Canada Ltd.
Reuters Limited
Reuters New Media Inc.
Reuters Singapore Ptd. Ltd.
Reuters:file Ltd.
Robbin, Alice (Florida State University)
Rockingham County Newspapers
Rotunda, Inc.
Routledge, Inc.
Russell Distributing Company
S&P’s CUSIP Service Bureau
S&P MarketScope
S&P Ratings Group
Salomon Smith Barney
Santa Cruz Sentinel
SaveSmart, Inc.
Sawabih Information Services
SBF - French Stock Exchange
Scarborough Research Corp.
Schaum
The Scotsman Publications Ltd.
Securities Data Company
Securities Data Publishing
Securities Industry News
Securities Information Corp.
Securities Valuation Company
Shepard's
Sheshunoff Information Service
Shinwon Datanet Inc.
SilverPlatter Information, Inc
Simba Information
SkyTeller L.L.C.
Sociedad de Bolsa, S.A.
Solbright, LLC
Soliton Associates
The Source Maythenyi, Inc.
Spectra-Market Metrics
Springhouse Corporation
SRA International, Inc.
Standard & Poor's Compustat
Standard & Poor's ComStock
Standard & Poor's Corporation
Standard & Poor’s/DRI
Standard & Poor's Information
Star Data Systems Inc.
Stockalert, Inc.
The Stockholm Stock Exchange
StockObjects
Strategic Advantage, LLC
Strategic Weather Services
TheStreet.com
Sun City, News-Sun
Sweet & Maxwell Ltd.
Sweets Group
Swiss Exchange
Sydney Futures Exchange Ltd.
Taiwan Stock Exchange Corp.
Tax Management Inc.
TBG Information Investors, LLC
TCI Software Research
Technical Data
Technimetrics, Inc.
tele.com
Telecommunications Reports
Telekurs Finance Information Ltd.
Telekurs USA Inc.
TFS Ventures
Thomas Nelson & Sons Ltd.
Thomas Register Online
Thomson & Thomson
Thomson BankWatch
Thomson Business Information Group
Thomson Business Publishing
Thomson Canada Limited
Thomson Consulting
Thomson Corporate Publishing International
The Thomson Corporation
Thomson Directories, Ltd.
Thomson ESG
Thomson Financial & Professional Publishing Group
Thomson Financial Database Group
Thomson Financial Information
Thomson Financial Services
Thomson Free Newspapers
Thomson Healthcare Communications
Thomson Information Resources
Thomson Information/Publishing Group
Thomson Institutional Services
Thomson Investment Software
Thomson Legal & Professional Publishing
Thomson Municipal Services
Thomson Newspapers Corporation
Thomson Newspapers Inc.
Thomson Publications Australia
Thomson Research Corporation
Thomson Science and Technology
Thomson Securities Information
Thomson Trading Services
Times Herald-Record
Toronto Stock Exchange
Tower Group International
Trade Data Reports, Inc.
Trade Dimensions
Transactions Marketing Inc.
Transmision Boos & Microforms
Transport Technology Publishing
The Trepp Group
Trident Capital, Inc.
U S WEST Advanced Technologies
U S WEST Communications, Inc.
U S WEST Dex
U S WEST Enterprises
U S WEST InterAct!
U S WEST International
U S WEST, Inc.
UMI
UMI/Data Courier
UMI/DataTimes Company
University Publications of America
Utility Data Institute
Valorinform
Ventresca, Marc J. (Northwestern University)
Veronis, Suhler & Associates, Inc.
VerticalNet, Inc.
Veterinary Medicine Publishing
VISTA Information Solutions
VNU Marketing Information Services
Volt Directory Marketing
VS&A Communication Partners
vwd Vereinigte Wirschaftsdiens
Wadsworth Publishing Company
Wadsworth, Inc.
Wall Street Computer Review
The Wall Street Journal
Warren, Gorham & Lamont, Inc.
Warsaw Stock Exchange
The Washington Post Company
Washington Post Newsweek Interactive
Waters Information Services
Wave Systems Corp.
WavePhore, Inc., Newscast Division
Wellington Management Co., LLP
West Group
Western Mail & Echo Ltd.
Wigand, Rolf T. (Syracuse University)
Winstar Telebase Inc.
World Aviation Directory
Xcitek, Inc.
 


FROM: Netscape
November 19

From:  Tess Koleczek
Website Data Protection Manager
Netscape Communications Corporation
Re:  safe harbor comments

Attached are comments from Netscape. Hard copy to follow via Fedex, copy
faxed this morning.

November 17, 1998

Mr. Eric Fredell
Task Force on Electronic Commerce
14th and Constitution Avenue, N.W.
Washington, D.C. 20230

Dear Mr. Fredell:

On behalf of Netscape Communications Corporation, I would like to submit the following comments on the November 03 draft International Safe Harbor Privacy Principles.

Netscape takes a special interest in the draft principles because of our commitment to the privacy and security of personally identifiable information submitted by users to our site. Aside from our browser and server components, we have developed a rapidly growing portal site, Netcenter, which provides users a gateway to the world wide web. A feature of this site is the opportunity to become a member of Netcenter, which provides valuable services such as free email accounts and page personalization. Netcenter has always taken the issue of privacy seriously. We have had a privacy policy for users to review since the inception of Netcenter in August of 1997, and we update it as needed to conform to our practices as the content and services offered on Netcenter evolve. We are members of TRUSTe, carrying their seal on both our main site and our KidZone pages, and are active members of the Online Privacy Alliance and the board of directors for BBB Online.

Our greatest concern is with the safe harbor principle of Onward Transfer. We provide members of Netcenter with the choice of sharing their personal information with third parties. If the member makes this selection, the principle as written would require us to police the privacy practices of any third party with whom we share that data at the customer’s request. This would burden Netscape with an unreasonable level of liability, and lead to the question of who is responsible for any misuse of that user’s data by a third party.

A broad interpretation of what constitutes a “third party” could have a crippling effect on the business models of innumerable online companies. Any partnerships or affiliations would automatically be questioned when data transfer is involved and possibly subject to additional and cumbersome layers of consumer notification and acceptance.

The principle of access also needs a clearer definition. Much of the information collected online can be maintained for accuracy by allowing the customer access to correct and update certain personally identifiable data. This maintenance is clearly in the best interests of both the customer and the organization collecting the data. But the definition as stated in the principle would cover any information that an organization holds about that individual, including IP logs and transactional data which is held in separate databases and may not be considered “sensitive” information. Some data is not relevant to the sensitive or personal identity concerns inherent in the principle, and provision of such upon request would be not only burdensome to the organization, but unnecessary for the purpose of correction and accuracy of data stored.

We suggest that the definition of access be limited to relevant, individually identifiable information which should be maintained for quality and accuracy. And as suggested by many of our colleagues, “sensitive” data should be clearly defined as medical information, financial information, and the personally identifiable information of children.

We thank you for your efforts, as well as your inclusion of the business sector in drafting these safe harbor principles. We hope that our comments are of assistance to you in developing an effective and acceptable safe harbor approach to the EU Directive.
 

Sincerely,
 
 

Tess Koleczek
Website Data Protection Manager
Netscape Communications Corporation


FROM: National Fraud Center
November

From:  Norman Willox
President and CEO
National Fraud Center
Re: International Safe Harbor Principles

Eric,

Attached please find the comments of The National Fraud Center, in two
different formats.  Please use whichever format works best for you.

I have also sent you an original copy in the mail with Norman Willox's
signature.

Best regards,

Patt Cumberbatch
Assistant to N. Willox

(See attached file: Safe Harbor Provisions II.doc)
(See attached file: Safe Harbor Provisions III.wpd)

Before the
United States Department of Commerce
Washington, D.C.

COMMENTS
OF
THE NATIONAL FRAUD CENTER
ON DRAFT
INTERNATIONAL
SAFE HARBOR PRINCIPLES

Norman Willox
President and CEO
National Fraud Center
300 Welsh Road
Suite 200
Horsham, PA 19044
Phone: (215) 657-0800
Fax: (215) 657-7991
 
 

Date: November 19, 1998

The Honorable David L. Aaron
Undersecretary of Commerce
U.S. Department of Commerce
Washington, DC

Dear Secretary Aaron:

The National Fraud Center (“NFC”) is the internationally recognized private sector leader in risk management and fraud prevention solutions.  NFC’s experienced personnel cumulatively have over two hundred years of experience in law enforcement and fighting fraud.  This vast experience gives NFC an in-depth understanding of economic crime and how businesses, consumers and governmental agencies can minimize their exposure to fraud and risks.   In short, NFC helps catch the bad guys that prey on innocent people.  As economic crime continues to grow both nationally and internationally, NFC will continue to develop and market products and services that will help businesses save hundreds of millions of dollars per year which would be otherwise lost to fraud.  This in turn saves American consumers from having to pay what is in essence a hidden “fraud tax” as businesses and governmental agencies pass along losses caused by economic criminals.

Efforts to fight economic crimes depend in large part upon the ability to access, accumulate and process data from a variety of sources.  Personal information is required in order to identify individuals and validate data they provide in both electronic and non-electronic transactions.  Without access to a wide variety of accurate data and the ability to use those data to fight fraud and other economic crimes, business and consumer losses will continue to increase.  In recent years, the increase in fraud has been astronomical.  Analysts and law enforcement agencies estimate yearly losses due to such fraud to be over $800 billion.  American consumers, taxpayers and businesses will pay for these huge losses.

National Fraud Center is a founding member of the Individual Reference Services Group (“IRSG”) which has adopted a set of self-regulation guidelines in cooperation with the Federal Trade Commission.  NFC is strongly committed to the principles of industry self-regulation that the Administration wisely continues to pursue.  Self-regulation is the most practicable way to protect legitimate privacy concerns because it recognizes that in the real world, there can be no one single solution to govern every situation in which personal data are collected and analyzed.  This is particularly true as new technology develops new products and new services rapidly enter the marketplace.  The rapidly developing technology of the information age requires flexible and easy to administer procedures with minimal delays imposed by unnecessary government intervention.

The IRSG Principles recognize that the use of personally identifiable information to detect and prevent fraud is an appropriate use for that information.  Use of such data for fraud prevention has also been recognized in state and federal legislation which often exempt fraud prevention from limitations that would otherwise be imposed upon the use of personal data.  Neither the Safe Harbor Principles nor the European Union Data Protection Directive makes any specific mention of the provisions for using data for fighting fraud and economic crimes.  The DOC should, after consulting with the Department of Justice and private industry, ensure that the Safe Harbor Principles specifically exempt use of data for fraud prevention and interdiction.  Without such exemptions, literal application of the Safe Harbor Principles or the European Directive would render ineffective industry efforts to fight fraud.

Article 26(1)(d) of the European Union Data Directive allows the transfer of personal data to a third country which does not ensure a level of protection deemed “adequate” by the European Union if the “transfer is necessary or legally required on important public interest grounds or for the establishment, exercise or defense of legal claims.”  We understand that the EU tradition would apply this exemption only to public bodies.  In the United States, however, activities to defend the public interest are the province of both private and public agencies.  The DOC should ensure that the Safe Harbor Principles and the European Union specifically recognize that the transfer of data to the United States for purposes of fighting fraud and economic crimes, and for enforcing legal claims, is permitted by both public and private organizations under Article 26 or pursuant to agreement.  Without such access to European data, American corporations and financial institutions will become the targets of increased efforts to commit fraud or other crimes.

A simple example makes this clear.  Consider pre-employment background checks for individuals who work with children’s organizations such as day care centers.  In the United States, the Fair Credit Reporting Act was recently amended to allow the use of information relating to civil suits, civil judgments and records of arrest for seven years from the date of entry or until the governing statute of limitations expires, whichever is longer.  The FCRA was also amended to permit convictions of crimes to be used and reported no matter how old the conviction.  The reason for this amendment was to ensure that such information could be used when deciding whether to offer employment since such information is clearly relevant and important to know.

The European Union Data Directive, however, does not permit the use and reporting of such information.  The Data Directive mandates that an organization must give an individual notice of the types of information it has on an individual, how it collects the information, the purposes for which it collects the information and the types of organizations to which it discloses the information.  If the organization does not provide this information, then its procedures are not “adequate” under the European Union approach.  The EU Directive also provides that governmental authorities subject to “specific safeguards” may only process criminal conviction information, which must be notified to the European Commission.  In the example of the pre-employment verification for the day care position, the European Union’s Directive would not permit the use of information relating to sexual abuse of a child.

In the world of economic crime or due diligence relating to financial and banking regulations, the European Union’s Directive again makes no specific exception for use of data for fraud prevention.  Given the requirement to provide notice of the information gathered on an individual, it is not difficult to understand that criminals will be forewarned about the information a financial institution has and, therefore, better equipped to circumvent fraud prevention efforts.  Similarly, since the European Union’s Directive would not allow the use of historical data, it will not be possible to gather and use information over a period of time in order to help consumers and corporations fight fraud.

The implications for increased fraud, however, are not limited to American corporations.  In the United States, both state and federal agencies often partner with private entities and investigative organizations in order to share information necessary to fight economic crimes.  Limitations on the availability of data from the European Union have significant implications for the United States and our ability to enforce laws and regulations such as the “Know Your Customer” rules which require businesses to gather information relating to financial transactions.  Neither the Safe Harbor Principles nor the European Union Directive make any exceptions to ensure the uninterrupted flow of information to the United States although gathering such information may well be “legally required on important public interest grounds” in the U.S.  Interestingly, pursuant to Article 7 of the Directive, such information can be processed in Europe if the information is “necessary for the performance of a task carried out in the public interest or in the exercise of official authority.”  Processing of such information in the United States or other third countries, however, is permitted only by the incompletely-defined “important public interest grounds.”

Financial and investment statutes that require strong auditing and compliance procedures provide additional examples of important public policy grounds for permitting access to personally identifiable data for fraud detection and prevention.  The European Union Directive does not specifically permit transfers of financial information that may contain personal information.  The vague terms of Article 26(1)(d), without negotiated understandings that clarify the public and private pursuit of the public interest, may not help.  The DOC must ensure that the European Union recognizes the importance and need for free flow of information necessary to allow auditing procedures.  A ban on transfers of information obtained from internal or external auditors could undermine the ability of U.S. management to oversee European operations.  This would not only tend to deter American investment in Europe by making it potentially riskier, it would also tend to increase the opportunities for fraud against such companies.  This could also increase the risk of hiding losses overseas, much like the example of the Bank of Credit and Commerce International where billions of dollars in losses were hidden when auditing operations were confined to specific countries.

National Fraud Center believes that the Safe Harbor Principles must recognize the importance of data availability for fraud prevention by emphasizing that “opt out” provisions must still allow legitimate and properly regulated companies and industries – including self-regulated industries such as the founding members of the IRSG – to use personal data to detect and prevent illegal activities.  The IRSG principles emphasize that the information member companies such as NFC make available will be protected by ensuring that the recipients of that information have legitimate and verifiable uses for such information.  The IRSG also ensures compliance with the integrity of personal data and adherence to privacy interests of the individuals whose data is involved.

NFC believes that it is important to focus privacy protection on how information is used rather than simply on how it is collected.  Such an approach allows legitimate security interests to be adequately balanced with the desire of individuals that personal information not be used inappropriately.  We believe that this can be accomplished by negotiating specific understandings of the meaning of “public interest” in Article 26, and by adding fraud detection, interdiction and prevention to the list of obligations, authorizations and exceptions in the preamble to the Safe Harbor Principles.

The DOC must also recognize the importance of publicly reported information in the fight against crime.  Newspaper stories, magazine articles, wire reports and other media reports provide vital sources of information in the fight against crime.  By piecing together information from stories around the world, skilled investigators and law enforcement personnel can put together pieces of a puzzle on criminal organizations and their operations.  The DOC must ensure that the Safe Harbor Principles protect American news organizations and their ability to gather personal information on residents of the European Union for their publications.  Currently, Article 9 of the Directive provides only that “Member States shall provide for the exemptions . . . for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression.”  This is scant protection when compared with the prohibitions enshrined in the First Amendment of the U.S. Constitution.  The DOC must ensure that the Safe Harbor Principles and the European Union spell out specific rights of American news organizations to process personal data without the unworkable constraints the Directive would impose.

National Fraud Center intends to lead the information industry by protecting individual privacy while enabling responsible and appropriate use of that information.  We recognize that the threat of fraud and loss of personal assets is as real as the threats of the inappropriate disclosure of private information.  We encourage the Department of Commerce to work not only with the Department of Justice, but others in the law enforcement and investigative communities to ensure that the Safe Harbor Principles adequately recognize and balance these threats.  Failure to do so will most certainly increase the risks and losses of American consumers and businesses.  We also encourage the DOC to continue to recognize the importance of self-regulation in this complex area and commend it and the Administration for their efforts to allow industry the opportunity to develop and implement such self-regulatory programs.

Thank you for the opportunity to comment.

Sincerely,
 

Norman A. Willox
President and CEO


FROM: Better Business Bureaus
November 19

From:  Steven J. Cole, Council of Better Business Bureaus and
BBBOnLine
Re:  Safe Harbor Comments

Attached are the comments from the Council of Better Business Bureaus and
BBBOnLine on the November 3, 1998 safe harbor draft.

COUNCIL OF BETTER BUSINESS BUREAUS, INC.  4200 Wilson Blvd.
Arlington, VA. 22203   703.247.9346
 
November 19, 1998

Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th and Constitution Avenue, NW
Washington, D.C. 20230

email to ecommerce@ita.doc.gov and
fax to 202.501.2548

Dear Mr. Fredell:

Thank you for the opportunity to comment on the November 3, 1998 “Draft International Safe Harbor Privacy Principles” circulated by Assistant Secretary David Aaron on November 4th. BBBOnLine, the online activity of the Council of Better Business Bureaus and the 135 Better Business Bureaus throughout the nation, is now in the process of establishing a self-regulatory mechanism for assuring compliance with required privacy principles, providing recourse to individuals and significant consequences for non-compliance or non-cooperation with the self-regulation program.

We applaud Secretary Daley’s and Under Secretary Aaron’s dialogue with the European Commission,  and their efforts to negotiate an acceptable online privacy protection approach that rewards business participation in meaningful self-regulation mechanisms.  We believe that the framework for a “safe harbor” included in the November 3d draft is a good start, but that additional provisions are needed to assure that self-regulation is not an empty promise.

We do not feel it necessary for BBBOnLine to comment extensively on the aspects of the draft pertaining to the contents of acceptable privacy notices, choice, transfer, security and data integrity, and access insofar as they affect information collected from individuals online.  BBBOnLine is prepared to administer an enforcement program that will be flexible enough to incorporate whatever reasonable standards are required by appropriate governmental organizations, the business community, and the needs of the public for online privacy protection.  We expect that our program standards, when finalized in the coming weeks, will be fully consistent with the minimum protections set forth in the November 3d draft, earlier Department of Commerce “elements” papers, and the principles enunciated by the Online Privacy Alliance.  Indeed, our program standards are expected to clarify areas in these standards needing more specificity, and may, in certain cases, go beyond these general guidelines to provide additional protection to the public.

However, we note that the November 3d draft does not explicitly confine its reach to online information practices, but appears to extend its scope to the full reach of the European Union’s Directive on Data Protection.  To the extent that the premise of the safe harbor negotiations is reliance, in part, on private sector self-regulation activities, it is crucial to recognize that the U.S. business community has not chosen to request that BBBOnLine (or any other third party mechanism for that matter) administer a program reaching information collected in channels other than online, and that it should not be expected by the Administration that such programs will develop in the near term on a voluntary basis.

EU representatives appear to recognize that in the short term it is desirable to put important and reliable online privacy protections in place, and the U.S. business community similarly appears to recognize that in the longer term it is possible that some or all of the online protections might extend as a practical matter and natural progression to information collected in other ways. In short, we recommend that a safe harbor be available to companies that participate in third party programs offering adequate protection of online privacy, and also available on a voluntary basis to companies that offer broader protections through whatever enforcement techniques are available to them.

BBBOnLine does believe, however, that additional and more specific measures are required to assure the adequacy of enforcement mechanisms, and that a procedure is needed to certify mechanisms that purport to meet the requirements.  Initially, while Ambassador Aaron’s November 4th letter indicates that the safe harbor proposals are not intended to “govern or affect U.S. privacy regimes,” our view is that it is realistic to expect that protocols endorsed by the Department of Commerce and the EU will enjoy wide currency and acceptance in the business community, Congress and the Federal Trade Commission, each of which will have an opportunity to measure the acceptability of self-regulation mechanisms over the coming months.  It is important, therefore, that the safe harbor requirements for enforcement be of the highest quality.

Our experience in operating a “seal” program online in connection with helping consumers find reliable companies (http://www.bbbonline.org) is that many new companies, inexperienced in the consumer protection field, have seen the Internet as an attractive entrepreneurial opportunity, but too many do not deliver or even attempt to deliver a high integrity service.  There have even been occasional “seal givers” that appear to be “shills” for their participating companies.  The result in these situations, of course, is improper and dangerous reliance on these “seals” by unwary consumers, and a risk of lessening respect for online consumer protection efforts in general. It can be expected that online privacy seal and other private sector enforcement efforts will encounter similar problems, and these may even be greater because of the likely widespread public education efforts underway or planned by the private sector and government aimed at recommending to consumers that they look for a “seal” or other indicator of an online privacy enforcement mechanism.  Moreover, without rigorous and somewhat more detailed standards defining acceptable enforcement programs, a principle of “adverse selection” may drive businesses to the weakest or less demanding of the programs, thereby depriving the public of needed minimum protections and risking the eventual collapse of the safe harbor concept.

It is our opinion that the following minimum standards in addition to those outlined in the November 3d draft ought to be required for a private mechanism to qualify as a safe harbor:
 

The fees charged for participation (either for membership or right to display a “seal”) should be reasonable, and should be at levels that encourage wide participation by newly emerging and smaller online businesses.  BBBOnLine will use a sliding scale fee schedule based on company income, and will structure the schedule so that only the largest businesses will pay more than a few hundred dollars per year for participation.

Finally, “self-certification” by companies that they come within the safe harbor privacy principles, as suggested in Ambassador Aaron’s November 3d letter, could well undercut the entire concept of third party verification and enforcement mechanisms. There must, at a minimum, be requirements for affirmative determinations by the mechanism that particular entities do or do not comply before they may qualify for the safe harbor.  The award of a seal by an independent mechanism is one convenient demonstration of compliance.  Prior determinations by an organization of compliance by members with organization membership standards that incorporate the safe harbor privacy protections might be another.

Moreover, unless there is reasonable prior review and approval of the mechanism itself by some entity, the business community will be at great risk if businesses join programs only later to discover that the enforcement standards were determined not to be sufficient.  At the same time, less-than-responsible programs will unfairly compete for business, and while the long term effect of the marketplace should help weed out these inadequate programs, the short term impact of low integrity programs could be disastrous for the public and the responsible business community, and could well eliminate respect for, and support of, self-regulation as a concept.  A “certification” procedure, perhaps administered by the FTC or other agency, would go a long way to assure integrity and fair competition in the online privacy protection business.

Again, thank you for the chance to comment, and please be assured of the BBB’s cooperation in future activities to protect the public’s online privacy.

Sincerely,
 
 

Steven J. Cole
Senior Vice President and General Counsel

ATTACHMENT A

(The comments in this letter are those of the Council of Better Business Bureaus and its
BBBOnLine subsidiary, and are not intended to represent the views of BBBOnLine sponsors.)

BBBOnLine Founding and Corporate Sponsors and Board Companies:

Ameritech Corporation
AT&T Corp.
Dun & Bradstreet, Inc.
Eastman Kodak Company
GTE Internetworking
Hewlett-Packard Company
IBM Corporation
Microsoft Corporation
NationsBank Corporation
Netscape Communications Corporation
The Procter & Gamble Company
Reed Elsevier Inc.
Road Runner Group
Sony Electronics, Inc.
US West
Visa, U.S.A.
Xerox Corporation
 

BBBOnLine Privacy Program Sponsors and Steering Committee Companies:

America Online, Inc.
American Express Company
AMR Corporation
AT&T Corp.
Dell Computer Corporation
Dun & Bradstreet
Eastman Kodak Company
Equifax Inc.
Experian Information Solutions
Ford Motor Co.
Hewlett-Packard Company
IBM Corporation
Intel Corporation
J.C. Penney Company, Inc.
MCI WorldCom, Inc.
Microsoft Corporation
NationsBank Corporation
New York Times Electronic Media
The Procter & Gamble Company
Reed Elsevier Inc.
Sony Electronics, Inc.
U S WEST
Viacom Inc.
Visa U.S.A.
Wells Fargo & Co.
Xerox Corporation


FROM: Stone Investments
November 19

From: Stone Investments
Re: Comments on Safe Harbor Principles.

Mr. Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th and Constitution, N.W.
Washington, D.C. 20230

Attached is a copy of the comments by Stone Investments, Inc. to the Draft
Safe Harbor Principles.  I have attached a copy of the response in both
Word97 and Word Perfect 8.  An additional copy of the comments is being sent
via fax and overnight delivery.
Please let me know if you have any questions or if you need any additional
information.

Gary E. Clayton

 Before the
 United States Department of Commerce
 Washington, D.C.

 COMMENTS
 OF

 STONE INVESTMENTS, INC.
 

 ON THE DRAFT
 INTERNATIONAL
 SAFE HARBOR PRINCIPLES

Gary E. Clayton
Vice President, General Counsel and Senior Privacy Analyst
Stone Investments, Inc.
8150 N. Central Expressway
Suite 1901
Dallas, Texas 75206
Phone:  (214) 365-1977
Fax: (214) 365-6977

 November 19, 1998
 

The Honorable David L. Aaron
Undersecretary of Commerce
U.S. Department of Commerce
Washington, D.C.

Dear Secretary Aaron:
Stone Investments, Inc. ("Stone") is a private investment firm located in Dallas, Texas.  Stone advises and invests in a wide variety of technology companies including some that responsibly use personal data for fraud and risk detection, interdiction and prevention.  Stone also advises and invests in companies that provide services over the Internet.  Stone welcomes this opportunity to respond to the request of the Department of Commerce ("DOC") for public comment on the "Draft International Safe Harbor Privacy Principles" (Draft Principles).  Stone appreciates the serious effort that DOC is making to address the concerns of American business regarding the European Union Data Directive.
Introduction:
 The European Data Directive seems poorly matched to the reality of today's information flows.  The Directive's approach is designed for the regulation of mainframe computers.  The world has changed dramatically since the Directive was written.  Today, the Internet and the client/server distributed networks present a world that the Directive did not contemplate.  New technologies have made the definitions of processing, data system, controller, processor, recipient and even transfer too narrow and limiting.  Therein lies the problem for the European Union, the DOC and businesses generally.  How do you draft provisions to address concerns of the moment yet provide enough flexibility to allow the inevitable changes brought by technology?  One step is to realize that there cannot be one single approach to these complex data and privacy issues.  Second, there must be a recognition that industry and its consumers are best able to address these concerns in the specific contexts in which they occur as part of commercial and other transactions.  And the third is to promote and enforce self-regulatory programs by individual sectors of the economy.
Self-Regulation:
 Article 27 of the European Union's Data Directive instructs the European "Member States and the Commission" to encourage the development of codes of conduct regarding privacy.  Stone encourages the DOC to promote such codes of conduct such as that adopted by the Individual Reference Services Group ("IRSG").  The IRSG Principles were developed in coordination with the Federal Trade Commission.  The advantage of codes of conduct such as the IRSG Principles is that they are specifically tailored to address the needs and concerns of businesses, consumers and government in a single industry sector rather than the one-size-fits-all or cross-sectoral approach proposed in the Draft Principles.  Stone believes that the cross-sectoral approach is not the most effective way to protect privacy in the rapidly changing technology age.  The reality is that different sectors of the economy use information differently.  And, as the DOC is aware, the issues involving the use of information are incredibly complex and evolving.  Stone believes that markets and self-regulatory regimes will allow industries that have a firsthand understanding of the desires of their customers and the operational requirements of their practices to most effectively regulate their own particular industries.  Such an approach will avoid the temptation to freeze the information age and the Internet into a fixed position based only upon today's limited understanding of the future development of electronic commerce.  And it will allow different approaches depending upon the needs of each industry.  Industries that handle more sensitive information should have more stringent requirements than industries that handle less sensitive information.  And most importantly, it recognizes that in the end, the market will reward industries and companies that address the needs and desires of consumers to balance their privacy concerns with the reduction of economic and other risks involved in commercial transactions.

Any agreement ultimately reached with the European Community should allow for data flow to continue uninterrupted for companies that comply with the existing self-regulatory codes such as the IRSG's.  The DOC should ensure that there is a pre-approval process to determine which self-regulatory programs comply with the safe harbor principles.  The DOC should also ensure that the safe harbor principles' pre-approval process is easy to administer and eliminates unneeded governmental involvement.

The DOC must also recognize that there are legitimate uses of personal information in the process of fraud detection, interdiction and prevention.  In the United States, state, local and federal governments as well as private industry use information in order to prevent fraud and to avoid risks.  For example, personally-identifiable information is used to prevent credit card fraud and cellular phone fraud.  It is also used to ensure that fraudsters are not abusing governmental programs.   And in today's world, with increased travel and transnational flows of information and funds, it is a reality that data from nations around the world is needed to help prevent criminal fraud.   Because of the unique operational requirements for fighting fraud and other economic crimes, the DOC should ensure that any safe harbor agreement with the European Union takes into account the unique situation of those entities using data to help fight fraud and to prevent risks.

 The Draft Principles propose that organizations allow individuals an opportunity to "opt out" of data collection or use.  Without an exception for legitimate public interest activities to prevent fraud, such a requirement poses significant problems for fraud prevention since presumably those most likely to commit fraud will also be those most likely to "opt out" of any databases which are intended to fight fraud and prevent risks.  The current Draft Principles require an opt out whenever the uses of information are unrelated to the uses for which the individual originally disclosed the personal data.  Again, this poses significant problems in the effort to fight fraud since those most likely to commit fraud are also most likely to be those who are unlikely to provide personal information that could be used for fraud prevention.

Stone recommends a change in the term "unrelated" as used in the current Draft Principles.  Currently, the Draft Principles provide an opt out whenever information is used in a manner which is unrelated to the uses for which the individual originally disclosed the personal data.  This is a difficult standard for any business to follow since it is tied to the subjective intent of the individual.  This creates an ambiguity regarding when an opt out is required.  The DOC should instead tie the ability to opt out to whether the use was revealed in the original privacy notice.  This will provide an objective standard for both the individual and the business organization using the information.  An additional change is that the DOC use the term "purpose" rather than "use."  This would be more consistent with the Directive, which uses the term "purpose."
 
The scope of the access principles needs to be more restricted.  Generally, access should be provided to individuals when an organization collects information from the individual directly rather than when it collects information about the individual.  Requiring that organizations provide individuals with access to any information about them would not only be unreasonably burdensome, but also could thwart the ability of organizations that collect information (for example, from public records) intended to fight fraud.

The DOC should more clearly define the term "current" when dealing with data integrity.  In the United States, data up to seven years old may be considered "current" to be used to make substantial decisions about individuals.  The recent amendments to the Fair Credit Reporting Act provide that certain information may be reported for seven years from date of entry or until the governing statute of limitations expires, whichever is longer.  Convictions of crimes may be reported no matter how far back they were entered.  These amendments reflect a recognition that in certain circumstances, there is value in retaining historical data in addition to more recent information.  This is particularly true in the area of fighting fraud and preventing crimes.  Consequently, the DOC should recognize that complete data may include both historical and current data.
Stone supports the concept of applying the safe harbor principles, particularly the access principle, only to non-public records.  In order to avoid confusion, however, the DOC should consider defining what constitutes a public record.  Further, the DOC should ensure that the safe harbor principles do not require businesses to delete or correct information about an individual which was gathered from public records or such publicly available sources as telephone or professional directories, newspapers and magazines, or other similar sources.

Internet Issues:
Neither the Data Directive nor the Draft Principles address many of the issues raised by the Internet, extranets, intranets, e-mail and the Web.   The DOC should work with the European Union to more adequately address information sent via these media.  The decentralized processing of information on the Internet, for example, does not seem to fit within the Data Directive's model nor does it appear to be adequately covered by the Draft Principles.  Stone would encourage the DOC to work closely with major Internet companies, Internet service providers and suppliers of technology and equipment for the Internet and networks.  The DOC should expand the coverage of the safe harbor provisions to ensure that small and start-up companies using the Internet can be deemed compliant if they operate within jointly-developed safe harbor principles.
The DOC should also ensure that the Draft Principles exempt individuals who send or receive an e-mail outside of Europe and who fail to follow the European data protection directive.  The Directive was clearly drafted before e-mail became such a common means of communication.  The DOC should work with the European Union to spell out which rules if any apply to individuals who send and/or receive e-mails containing the types of personal information governed by the Directive.

The DOC should include provisions in the Safe Harbor Principles to confirm that the European Union Directive does not apply to non-European Web sites.  At least one senior official of the European Union has commented that the Europeans would attempt to shut down non-European Web sites that are viewed by Europeans if the sites do not comply with the requirements of the EU Directive.  Setting aside the issue of whether or not the European Union or its Member States would have jurisdiction to enforce its Directive in such circumstances, the European official stated that the EU would attempt to block the Internet sites of those American companies and individuals failing to meet the requirements of the Directive.

The DOC should also include provisions in the Draft Principles to confirm that Americans who travel to Europe with laptop or palm computers are not subject to the European Directive.  The typical American business traveler going to Europe is almost certain to have information which would be deemed personal data.  This means that the business traveler who carries that information from Europe to countries like the United States that do not have "adequate" protection would presumably violate the terms of the Directive.  The derogations contained in Article 26 do not seem to provide adequate protection to American business travelers.  Americans, therefore, will have to rely upon the discretion of enforcement officials in each of the 15 Member States in Europe.  Stone Investments proposes that the Draft Principles expressly permit individual business travelers and tourists to be exempt from the European Union Data Directive.    In response to any concerns raised by the Europeans, perhaps the Data Directive could be held to apply if tourists and business travelers were attempting to circumvent the EU Data Directive by transferring personal data to floppy disks, personal organizers, laptops or similar devices.  The issue must be addressed since laptops and personal organizers will become more prevalent and more powerful over time.  It is important for the DOC to work to guarantee that the rules relating to such devices are more transparent in order to ensure that Americans visiting Europe are not subject to the unilateral discretion of enforcement officials in each of the European Member States.
 
Stone encourages the DOC to incorporate some threshold before the Safe Harbor Principles apply.  The European Union Directive currently applies the same rules to large American multinational corporations as it does to small companies of only a few employees.  While data protection officials can undoubtedly suggest concerns over such a threshold, the DOC should be wary of promoting rules that would place expensive or undue burdens on small American businesses competing in Europe.  Stone Investments encourages the DOC to work with representatives of small enterprises to develop a workable approach to this issue.

Conclusion:
Stone Investments applauds the progress that the Department of Commerce has made in addressing these issues, and is encouraged that the DOC is continuing to consult with industry as it proceeds to negotiate with the European Union.  The DOC should insist upon a solution that recognizes a sectoral approach to privacy as well as recognizing the essential role of self-regulation.  The DOC should also insist that the European Union recognize the special issues related to the use of personal information for fraud and risk prevention.  These issues are not addressed in the current draft of the safe harbor principles nor in the European Directive.

On behalf of Stone Investments, Inc., the primary concern over the European Directive and the Safe Harbor Principles is that they will fail to adequately foster continued dynamic economic growth of the Internet and electronic commerce.  This is particularly of concern for American companies, which are leading the world in the deployment of these newly emerging technologies.  In the long run, this will hurt not only American businesses, but American consumers.
Sincerely,

Gary E. Clayton
Vice President, General Counsel and
Senior Privacy Analyst

 


FROM: Information Technology Industry Council
November 19
 

From:  Information Technology Industry Council
Re: Comments on Safe Harbor
 
 
 ITI's comments in response to the 11/4/98 letter on International Safe
Harbor Privacy Principles are attached in Word format and also pasted below.

Fiona Branton, ITI

 <<Safe HarbComm.doc>>
 

November 19, 1998

Via email to:  ecommerce@ita.doc.gov

Mr. Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th Street & Constitution Avenue
Washington, D.C.  20230

Re: ITI's Comments on November 4, 1998 Letter on International Safe
Harbor Principles

Dear Mr. Fredell:

The Information Technology Industry Council (ITI) is pleased to offer these
comments on the Department of Commerce's d