November 9, 1998
Delivered to Mr. Eric Fredell By Hand
Ambassador David Aaron
Under Secretary for International Trade
International Trade Administration
U.S. Department of Commerce
Washington, DC
RE: Request for Comments on International Safe Harbor for Data Privacy
Dear Ambassador Aaron:
America Online, Inc. ("AOL") would like to commend your work and the work of your staff in trying to forge a workable solution to the challenges presented to American companies by the European Union’s Data Protection Directive (the "Directive"). We appreciate the difficulties in reaching an accommodation with European officials in the context of the two very different historical perspectives on the protection of personal privacy held by this country and by European nations. With that in mind, AOL offers the following comments on the proposed safe harbor approach and the guidelines that accompany it.
Fundamentally, we believe that establishing a mechanism through which
American companies can be encouraged to engage in meaningful self-regulation
in the privacy arena is important. As we have stated publicly in
many fora, the responsible use of personal information is, for AOL, a critical
business issue as much as a policy issue. Indeed, we believe that the full
potential of a personalized online experience for consumers will never
be reached if consumers remain concerned about the privacy and security
of online transactions and communications. In that vein, we believe
that it is in the interests of all businesses to engage in responsible
self-governance that will meet the needs of both businesses and consumers
in the face of fast-paced technological development. We recognize
that your approach to the safe-harbor concept is clearly intended to support
the private sector in these endeavors.
General Strategic Comments
We believe that as you consider and negotiate the safe harbor mechanism you should take into account that the Directive was put in place prior to the advent of the Internet as we now know it. As a result, the literal application of the Directive to businesses in 1998 and beyond is becoming increasingly difficult. In particular, there are many definitions in the Directive that are quite broad -- e.g., the terms "processing" and "personal data" -- making it difficult, if not impossible, to determine how they would apply online. We believe that a safe harbor should be constructed only with a recognition that significant enforcement discretion exists, making it difficult for companies to know how safe harbors will be applied.
We do have some serious reservations about the potential effects of the safe harbor as it is currently being viewed. First, we recognize your intention to craft a safe harbor that applies only to U.S. companies receiving or processing data concerning European citizens from the European Union and that it is not intended to govern or affect U.S. privacy regimes. Nevertheless, we fear the effect of the safe harbor principles now being negotiated may affect U.S. regimes. That is because the safe harbor appears not to apply specifically to the collection and processing of data inside the EU, where EU national law would continue to apply, but appears only to apply to the data collection and processing practices of companies in the U.S. Thus, we believe that the safe harbor, as currently conceived, may very well have more impact on U.S. privacy than European privacy.
Indeed, we believe that the principles being set here are likely to become the global standard for privacy protection, except perhaps in the European Union itself. In effect, the EU is exporting its approach to privacy. We believe that this is particularly evident in the context of the enforcement principle. The safe harbor enforcement principle clearly anticipates that companies will participate in third-party enforcement mechanisms like the programs being created by BBB Online and TRUSTe. We believe that these enforcement systems will undoubtedly adopt the safe harbor principles as the basis of their seal programs. This will have the effect of establishing a new standard for U.S. companies dealing with U.S. collected data.
We do not oppose per se the harmonization of global data privacy principles. Viewed in that light, however, we would urge respectfully two significant shifts in your negotiating strategy: first, the safe harbor data privacy principles should reflect a better balance between U.S. and EU approaches (particularly in the access principle discussed below); and second, the EU should be urged to incorporate the safe harbor principles into their own national laws. We believe that without some recognition now by the Europeans that their approach to privacy does not reflect the approach of other governments around the world, it will be increasingly difficult for the U.S. government to draw upon the American tradition as you negotiate around the world.
Second, it appears the U.S. government’s intention in creating a safe harbor is to establish a system under which companies could self-certify to the European Commission their compliance with the safe harbor principles, and through which the interruption of data flows between the U.S. and European countries would be minimized. While we support these goals, we question whether the “political” commitments being made by the Europeans will prevent the most aggressive data privacy commissioners from pursuing the most burdensome remedies against companies they believe to have violated the Directive. We recommend therefore that you pursue ways to do more than simply extract political commitments from these governments to support the safe harbor approach. As part of this recommendation, we also urge you to obtain commitments from all of the European member states that require prior approval for data transfers either to waive those requirements or to consider prior approval “automatic” once the organization certifies compliance with the safe harbor.
We also urge the adoption of a “rational treatment” obligation to assure that national governments consistently apply the same standards, including enforcement practices, with respect to EU-based and non-EU-based data practices. In this regard, transparency of enforcement intentions and practices is critical.
Finally, we are concerned that the safe harbor does not take into account
the specific self-regulatory efforts and the privacy principles voluntarily
adopted by many important members of the private sector, particularly through
the Online Privacy Alliance. The Alliance, with which we know you are familiar,
recently developed comprehensive guidelines for privacy in the online environment.
We believe that those guidelines, which reflect broad industry consensus,
should be the starting point for principles for the safe harbor.
As compared to the draft principles before us, the Alliance’s principles
balance the needs of consumers for privacy protection with the interests
of companies in using information in a responsible and secure manner.
We urge you to reframe your discussions with the European Commission and
urge the adoption of the guidelines promulgated by the Alliance as
the baseline for the safe harbor. We also believe that the
safe harbor scheme should contain a specific provision for companies who
comply with industry-based codes. We recommend that the safe harbor
procedures incorporate the ability for companies to bring themselves within
the safe harbor by referring to compliance with industry based codes like
that developed by the Alliance.
Comments on Proposed Safe Harbor Principles
In addition to concerns about the application of a safe harbor generally, we also have particular comments on the proposed principles. The Directive applies to a multiplicity of sectors and it is quite difficult to craft principles that will be meaningful while simultaneously ensuring that one sector or another’s business is not undermined. With this in mind, we have the following specific comments on the principles as they relate to the online world.
In regard to the notice principle, we believe that you have generally been comprehensive in establishing this principle, which is largely consistent with the Notice principle adopted by the Alliance. The one caveat is the requirement in the last sentence that notice be given "when an individual is first asked" for personal information. It is not clear what this means in the online world, in particular because information is often collected passively. We recommend that you replace this language with "at the time of or before information is first collected."
We believe that the second principle in the proposed safe harbor relating to choice is a positive move forward as it fundamentally recognizes the benefits of relying on an opt-out mechanism in the interpretation of unambiguous consent in the vast majority of circumstances. We do have a couple of concerns with the specific language, which we encourage you to address in explanatory notes. We believe that the concept of offering choice where the intended use is “unrelated to the uses for which they [individuals] originally disclosed it” needs further explanation. The term “unrelated” should be based upon the scope of notice given to consumers by the organization in its privacy policy. In addition, this section should not require a company’s choice obligations to be based upon the subjective understanding of consumers when they disclose information. Instead, the principle should read “unrelated to the uses disclosed to the individual at the time of collection and for which it was originally collected,” thus binding the company to the representations made in its privacy policy.
We also urge that you reconsider the principle entitled “onward transfer”
which appears in these principles despite the fact it has never been an
element of generally accepted fair information principles endorsed either
by the U.S. government or the OECD. Instead, we believe that the
issues identified in this principle are more properly dealt with in the
context of the notice and choice principles. As drafted, this principle
creates duties on the part of companies to be responsible for and perhaps
even police the practices of third parties with which they share information.
While we agree that individuals should be offered the choice not to have
the entity with whom they shared information disclose that information
to third parties for unrelated purposes (except where required to do so
to comply with law or legal process), we do not believe that companies
can exercise control directly over the activities of unrelated organizations.
In addition, we believe that the principle raises serious issues regarding
secondary liability. Finally, as currently drafted this principle
relies on the expectations and "privacy protection" of the consumer and
not, as it should, on the consumers’ collection and processing preferences.
If you determine that your European counterparts will not accept a safe
harbor without a principle entitled onward transfer, we would urge that
you ensure that the language require only that an organization take commercially
reasonable steps to inform third parties of the choices made regarding
use and processing of personal data by the data subject and request a representation
from the third party that they will satisfy the agreed upon safe harbor
principles.
Third, as you know, AOL and much of U.S. industry remain very uncomfortable
with the access principle as it is currently drafted. Perhaps most
important is the difference in approach between U.S. industry and the
European Union. AOL and our colleagues within the Online Privacy
Alliance believe that there may be a legitimate need for access by individuals
to certain data held about them for the purpose of ensuring the ongoing
accuracy of the data, especially where the data processor uses the data
to make decisions which affect important rights of the data subject (e.g.
credit data). The European model clearly anticipates, however, that
access will be available for access’ sake. We do not believe that
the safe harbor should reflect this European view on access, but rather
should tie any access requirement to the maintenance of the quality of
the data.
Indeed, in the online environment application of such a principle may have far-reaching implications beyond those even we can anticipate. In particular, as the online industry moves to increasing personalization of the online experience due to consumer demand, the breadth and depth of data potentially subject to an access requirement could be vast. It could include information collected passively like navigational information (even where collected with notice and consent) that is maintained in a manner that would be meaningless to a consumer unless converted into text format. In addition, a broad access requirement may require companies to put the security of their data at risk, particularly in the online environment where social hacking problems are likely to remain problematic. At the very least, security concerns would likely force companies to collect considerably more information about an individual for verification purposes to put the access requirement into effect.
We do applaud your efforts to include within the access principle the notion of “reasonableness” and encourage you to give this term even more meaning by making two important modifications: We believe that organizations should offer access where it is “commercially reasonable and technically feasible taking into account, among other factors, the security of the data.” We believe that this will clarify that the access requirement does not require companies to build dossiers of people they otherwise would never think of building nor offer access in a manner that causes such companies to put the security of the data at risk. We also believe that it will ensure that companies make only reasonable expenditures to comply with requests for data access.
We believe that the access requirement should also be limited to information maintained or processed in an individually identifiable form “in the ordinary course of business.” In other words, an access request should not require a data processor to translate the data into a form that would be meaningful to a consumer in circumstances where the data is maintained only, for example, in a coded format that would otherwise be meaningless to a reasonable consumer. This modification, along with the modification suggested above, will enable many more companies to support the access principle, while not undermining the privacy interests you wish to serve.
We thank you for the opportunity to comment on this important
process and urge you to continue exploring the possibility of a safe harbor
for U.S. companies who wish to engage in cross-border commerce and information
flow with data about European subjects. We would be more than happy
to explain any or all of our comments in more detail and look forward to
a productive working relationship between the US government and industry.
Respectfully Submitted,
George Vradenburg III
Senior Vice President
William Burrington
Vice President,
Law and Global Public Policy
Jill Lesser
Director, Law and Public Policy
Sidney Taurel
President and Chief Executive Officer
Eli Lilly and Company
Lilly Corporate Center
Indianapolis, Indiana 46285
November 18, 1998
The Honorable David L. Aaron
Under Secretary for International Trade Affairs
International Trade Administration
Department of Commerce
14th and Constitution Avenue, N.W.
Washington, DC 20230
Dear David:
I enjoyed meeting with you at the recent TransAtlantic Business Dialogue meeting in Charlotte. One of the issues that we discussed was the EU Data Directive and its unfortunate implications for the research-based pharmaceutical industry and public health more generally. As a follow-up to our conversation, I am writing to you to comment on the Draft International Safe Harbor Privacy Principles that have been proposed by the Department of Commerce.
Patient privacy is something that we take very seriously as it is not only the right thing to do, but also vital to the viability of medical research. We are, however, very concerned about the implications of the EU Data Directive for the manner in which pharmaceuticals are developed and monitored on a global basis. Lilly conducts clinical trials in many countries across the globe and bases its submissions for regulatory approval to the FDA and similar competent authorities in other countries upon the data that are gathered in those trials. Any ambiguity concerning Lilly’s ability to transfer data from the member states of the European Union to the United States is a matter that we, our clinician investigators, and our shareholders must take very seriously.
We urge you to secure an exception to the EU Data Directive for biomedical research data that are used for basic research into the causes of disease, clinical trials research to prove the safety and efficacy of new drugs, epidemiological health outcomes and other studies that improve our understanding of how drugs work, and pharmacovigilance purposes. We believe that it is essential that such an exception be secured to ensure that the critical flow of biomedical information across the Atlantic is not interrupted. Such information is vital to the public health in that new medicines often represent the only hope for American citizens suffering from incurable or poorly treatable diseases. Moreover, the public health is enhanced by the ability of pharmaceutical companies, physicians, and regulatory authorities to share experience data on drugs once they have reached the market. Indeed, the FDA mandates that we do so.
Our trade organization, the Pharmaceutical Research and Manufacturers of America (PhRMA), will be sharing with you its concerns with the specific principles surrounding the safe harbors that you have proposed. Lilly shares the concerns that PhRMA raises in its letter to you.
Thank you for the opportunity to comment on the draft principles and for all your work on behalf of American companies on this important issue. I look forward to working with you on this and other issues in the future. If there is anything that we at Lilly can do to be of assistance to you, please do not hesitate to contact me.
Sincerely,
Sidney Taurel
cc: Mr. Eric Fredell
November 19, 1998
via Facsimile (202/501-2548) and UPS Overnight Delivery
Ambassador David L. Aaron
International Trade Administration
14th and Constitution Avenue, NW
Washington, DC 20230
Attention: Mr. Eric Fredell, Task Force on Electronic Commerce
Re: Draft International Safe Harbor Privacy Principles
Dear Ambassador Aaron:
LEXIS-NEXIS is pleased to submit these comments in response to the
November 4, 1998 letter from Ambassador David Aaron to industry representatives
outlining the Department of Commerce’s safe harbor proposal, which excludes
public record information from the scope of some of its draft privacy principles.
LEXIS-NEXIS is a signatory of the principles of the Individual Reference
Services Group (IRSG), which has filed comments in this proceeding.
We write separately to emphasize the importance of excluding public record
information from the scope of the safe harbor privacy principles.
LEXIS-NEXIS
LEXIS-NEXIS, a division of Reed Elsevier, Inc., is headquartered in Dayton, Ohio, employs more than 7,700 individuals, and is the world’s leading provider of enhanced information services and management tools in online, Internet, CD-ROM, and hard copy formats for legal, news, and business professionals. Serving customers in more than 60 countries, sales representatives are located in 50 U.S. cities and around the world, including London, Frankfurt, Hong Kong and Toronto.
LEXIS-NEXIS leads the information industry with the largest one-stop, dial-up information service, the LEXIS-NEXIS service for legal, business, and government professionals. The LEXIS-NEXIS service contains more than one trillion characters and approximately one billion documents in more than 7,300 databases. It adds 9.5 million documents each week.
Today, 1.3 million professionals worldwide—lawyers, accountants, financial analysts, journalists, law enforcement officials, and information specialists—subscribe to the LEXIS-NEXIS services. They perform more than 300,000 searches per day. The combined services contain more than 18,600 sources: 13,800 news and business sources and 4,800 legal sources.
The NEXIS service is the largest news and business online information service, with not only news, but company, country, financial, and demographic information, as well as market research and industry reports. The NEXIS service is unmatched in depth and breadth of information, offering more than 13,800 sources of news and business information. In fact, 120,000 new articles are added each day from worldwide newspapers, magazines, news wires and trade journals.
LEXIS-NEXIS is a founding member of the IRSG. Although LEXIS-NEXIS does not at this time use personal information from the European Union for its individual reference services, we do distribute personal data as that term is defined under Article 2 of the Directive. We also have an interest in the content of privacy principles that govern practices in the United States.
Public Records Exception
The Department of Commerce’s proposal for a safe harbor excludes public record information from its draft access principle. LEXIS-NEXIS believes that the public records exception reflects a cherished American tradition that should continue to govern privacy practices in the United States.
Most public record information in the United States, including land records, voter registration records, birth certificates, marriage certificates, death records, licensing records, and court records, has traditionally been available for public inspection. The concept of the public’s right of access to information collected and maintained at taxpayer expense is American in origin. It was American courts and legislatures that bestowed on the public an unqualified right of access to information collected and held at taxpayer expense. As the Michigan Supreme Court stated at the beginning of the 20th century: “If there be any rule of the English common law that denies the public the right of access to public records, it is repugnant to the spirit of our democratic institutions.”
The guarantees of freedom of communication in the Bill of Rights further confirm the public’s right of access to information held by the government. The U.S. Supreme Court has recognized the right of public access to trials, and has extended this right of access to jury selection proceedings and preliminary hearings, noting that the test is “whether the place and process has historically been open to the press and general public.”
Applying a tradition-of-openness analysis, other courts have extended
this constitutional right of access to legislative proceedings and to records
held by the executive branch.
Because, in part, the historical purpose of these public access laws
has been to ensure the dissemination of information by the government,
protection for the accurate reporting of information contained in public
records has co-existed with even the earliest notion of privacy rights.
For example, in their landmark, century-old article proposing the tort
of invasion of privacy, Samuel Warren and (later U.S. Supreme Court Justice)
Louis Brandeis recommended that the tort not penalize the reporting of
statements made in court, legislative, or other public proceedings.
Warren & Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193, 216-217
(1890).
The First Amendment reinforces the common law’s protection for the accurate
reporting of data contained in public records. Concluding that “the
interests in privacy fade when the information involved already appears
on the public records,” the U.S. Supreme Court has repeatedly held that
a person is free to accurately report personal facts obtained from public
records. Indeed, the First Amendment prohibits the government from
imposing restrictions on the dissemination of information contained in
public records.
The following are illustrations of these principles:
- The law does not prevent someone from publicizing information from
a public registry of marriage certificates or land titles. Burton
v. Tuite, 44 N.W. 282 (Mich. 1889).
- The government may not prohibit someone from reporting the facts
surrounding a sexual assault, which are obtained from official court records
open for public inspection. Cox Broadcasting Corp. v. Cohn, 420 U.S.
469 (1975).
- Nor may the government restrict physicians or others from using official
government reports that are open for public inspection to contact persons
recently involved in traffic accidents. Speer v. Miller, 15 F.3d
1007 (11th Cir. 1993); Amelkin v. Commissioner, 936 F. Supp. 428 (W.D.Ky.
1996).
- It also is unconstitutional to prohibit companies from using in their
consumer credit reports certain information obtained from court records.
U.D. Registry, Inc. v. State, 34 Cal. App. 4th 107, 40 Cal. Rptr. 2d 228
(Cal. Ct. App. 1995); Equifax Services, Inc. v. Cohen, 420 A.2d 189 (Me.
1980).
With these tradition-of-openness principles in mind, we believe that,
in addition to being excluded from the access principle, public record
information should be excluded from the scope of the Department’s other
privacy principles, too. For example, like the access principle,
the onward transfer principle would appear to require a governmental entity
to impose restrictions upon the use of public record information.
To restrict the manner in which companies use information that is available
for public inspection from governmental agencies runs afoul of the spirit,
if not the letter, of the Bill of Rights.
Publicly Available Information
The Department of Commerce should also exclude publicly available information, such as information contained in printed news stories or professional directories, from the scope of the Department’s safe harbor privacy principles. Restricting the manner in which companies use information that is available for perusal in newspapers and magazines can run afoul of the protections of the Bill of Rights. In addition, practical reasons also militate against applying the safe harbor privacy principles to publicly available information. For example, in the context of the access principle, expunging an alleged inaccuracy from publicly available information contained in an organization's file does little to prevent the same inaccurate information from being circulated to other organizations. An error in a printed story about a person needs to be corrected at the source—the publisher—so that corrections can be made in the version that is distributed.
Conclusion
As a founding member of the IRSG, LEXIS-NEXIS fully appreciates the
important role that a practical and effective safe harbor approach can
play in protecting privacy and, therefore, concurs with the comments filed
by the IRSG in these proceedings. We write separately to emphasize
the importance of excluding public record information from the scope of
the draft safe harbor privacy principles proposed by the Department of
Commerce. We also submit that publicly available information should
be excluded from the scope of the draft safe harbor privacy principles,
too.
Sincerely,
Gail H. Littlejohn
Sr. Vice President, Corporate & Government Affairs
November 19, 1998
Mr. Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th and Constitution Avenue, N.W.
Washington, D.C. 20230
Re: Department of Commerce Proposal for Development of Safe Harbor
Privacy Principles For Processing of Personal Data
Dear Mr. Fredell:
Computer Sciences Corporation (“CSC”), one of the nation’s largest consulting companies specializing in information and technology issues, welcomes the Department’s efforts to develop the concept that private sector codes of conduct can constitute the provision of adequate privacy protection for processing in the U.S. of personal data on EC nationals.
CSC had $6.9 billion of revenues for the 12 months ended July 3, 1998. It has 45,000 employees in 700 offices worldwide and provides clients with a wide range of services including management consulting, information systems consulting and integration, and operations support. More specifically we provide technical assistance to a large number of U.S. and European firms, including a number in the credit, health, banking and communications industries. Among our clients as well are a number of U.S. Government agencies, including the Department of Commerce. We have been following with interest the implementation of the EC’s Data Protection Directive and particularly the difficulties posed by Articles 25 and 26 of that Directive concerning the conditions under which personal data on EC nationals can be exported for processing in third countries such as the U.S. In our own internal operations, and in conjunction with the work we do to support our clients, we are inevitably involved in the transfer of personal data between the U.S. and the EC. It is therefore crucial for us and for our clients that the flow of such data not be interrupted nor even subjected to rules and regulations which would unduly impair the fulfillment of our commitments.
As you are well aware there is a substantial amount of privacy law in the U.S., including a variety of federal statutes and numerous state laws. CSC adheres to all relevant law in its U.S. operations and is not aware of any significant problems in this country in terms of adequacy or sufficiency of existing law. Nevertheless, as a multinational corporation with substantial investment and operations in various EC countries, it is our corporate obligation to respect the law in each country in which we do business, and we strive to fulfill that obligation fully. When the legal regimes of the countries in which we operate are significantly different, we are faced
with the need to adhere to a variety of rules and regulations. These differences are troubling enough but when the differences become mutually incompatible serious problems arise.
The threatened cut off on October 25, 1998 of the flow of personal data between the U.S. and the EC would have been extremely serious for CSC and would have raised the specter not only of a decline in the quality of our service but even in compliance with contractual obligations. In the macroscopic dimension the issues are even more important to the continuing integration of U.S. and other advanced economies and to the development of high technology information services for economic productivity, protection of public health, and other very important public policies. It is therefore crucial that no such cut off occurs. The provisions of Article 25 of the Data Directive, which contemplate such a cut off, are fortunately moderated by the exceptions in Article 26. These exceptions are important to CSC and we are concerned about certain recent interpretations of the meaning of these exceptions emanating from the EC which purport to narrow their scope or applicability.
We therefore welcome the Department’s suggestion that adherence to a non-statutory code of conduct would be deemed by European data protection authorities to constitute the provision of “adequate” privacy protection for EC data. We are prepared to work with the Department to assure that the concept set forth in Under Secretary Aaron’s letter is developed to the point where it is feasible for U.S. industry and acceptable to the concerned authorities at the EC and in EC member governments. Broadly speaking, the Guideline principles do not pose major difficulties for us since, for the most part, we already accept these principles in our daily activities. We accept the concept that our clients or others whose personal data are processed by us or under our direction and control are entitled to adequate notice of our policies and may hold us accountable if we fail to keep our commitments, albeit such rights cannot be absolute and must be established and administered in commercially reasonable ways. Nor is the prospect of embodying these principles in contracts using clear and simple language unacceptable. If industry-wide contracts are to be developed in this area, CSC would be happy to work with the Department or others in industry to develop consensus on such contracts.
However, we respectfully suggest that certain aspects of the Department’s proposal must be further refined before we would be in a position to formally adopt the proposed Guideline principles set forth in the Department’s notice. Among our concerns is the important issue of enforcement. We agree that a legal regime without penalties for nonperformance is of little value. Nevertheless, certain of the suggestions we have heard from the EC are troublesome to us. When operating in the EC we are of course subject to EC law and to the enforcement mechanisms which are part of that law. In this country, however, we would expect that our behavior would be subject only to U.S. law and enforced only by the mechanisms that exist in this country. CSC would favorably consider the adoption of an enforcement mechanism for breaches of the Guidelines or of contracts implementing such Guidelines if such mechanism were administered in this country. This could include binding arbitration or even access to the U.S. courts for alleged breach of contract if CSC does not adhere to the principles it agrees to adopt.
We are also concerned about the status which any such principles will have. If the EC and EC member government regulators are not willing to bestow the presumption of adequacy on the Guideline principles the time and expense devoted to their consideration may not be justifiable. This presumption should encompass virtually automatic approval of U.S. processing of EC personal data and freedom from exposure to administrative or judicial proceedings in the EC based on alleged failure of such processing to adhere to EC or member government law. Put differently, we would anticipate that the Department will raise with the EC and member government regulators the form of commitment which will be made by those authorities -- a form of commitment which must have the same level of formality as the Europeans are asking of U.S. industry. Simply put, commitments must be bilateral.
In addition, we would expect that a period of time, perhaps a year or more, would be required for the adoption of the Guideline principles, including the development of an associated enforcement mechanism or agreement on judicial remedies based on contract law. During this period we would expect that the present arrangements, in which personal data flow unhindered to the U.S., would not be disturbed.
This letter conveys only a very broad response to the Department’s proposal. We recognize that the issues are complex and that European concerns as expressed in the Data Directive are legitimate and important. As you proceed with this project we will be prepared to work with you and other members of industry to find a set of principles which are acceptable on both sides of the Atlantic. As your work proceeds feel free to call upon us for more detailed participation in your work.
Very truly yours,
Daryl D. Savage
DDS:jev
From: Allstate Insurance Company
ALLSTATE INSURANCE COMPANY
LAW AND REGULATION
2775 Sanders Road
Suite A8
Northbrook, Illinois 60062-6127
STEPHEN L. IHM, Counsel
Writer’s Direct Line: (847) 402-3184
Facsimile: (847) 402-0158
November 19, 1998
Under Secretary David L. Aaron
c/o Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th & Constitution Avenue, N.W.
Washington, D.C. 20230
Re: Draft International Safe Harbor Privacy Principles
Dear Ambassador Aaron:
I am writing on behalf of Allstate Insurance Company to thank you for your efforts to assist U.S. organizations regarding implementation of the European Union Directive on Data Protection, and to comment on the draft International Safe Harbor Privacy Principles developed by your office.
Allstate is the largest publicly held personal lines insurance company in the U.S. with over 20 million customers. Our interest in this issue stems from our European property and casualty insurance operations and our interest in entering the European life insurance industry. We appreciate your consideration of the following comments.
1) There must be clear and certain certification by the European Commission that the U.S. insurance sector qualifies for the safe harbor and meets Principle 7 based on the regulatory and administrative body of law that applies to insurers.
In general, we believe that highly regulated industries should fall within the safe harbor. We also believe that this has been demonstrated for the insurance industry in the paper submitted by several insurance trade associations entitled "United States Insurance Information Practices and Available Legal Protections." As demonstrated there, insurers are subject to a myriad of laws and regulations that protect privacy.
Such an interpretation would be consistent with Article 25(2) of the Directive where it makes clear that sectoral laws should be considered in determining whether an adequate level of protection is afforded.
It is also important that the European Commission specifically recognize that the insurance sector meets Principle 7 by virtue of existing laws and regulations. We are not aware of any private sector privacy programs that would encompass the special needs of insurers, which will make it difficult to use that alternative means of complying with Principle 7. Also, complying with Principle 7 by committing to cooperate with data protection authorities in the European Community strikes us as similar to the contractual commitment which is already an available means to permit the transmission of data under Article 26(2) of the Directive.
2) Once the European Commission agrees that the safe harbor applies to a sector, the scope of any legal action by European citizens contesting data transfers under the Directive should be narrowed to alleging noncompliance with the stated principles as applied to European data flowing into the U.S.
We understand that companies within the safe harbor would enjoy a presumption of adequacy and data transfers from the European Union to them would continue. However, this presumption will be largely illusory if European citizens retain the ability to challenge the premise underlying the presumption: whether a U.S. company or sector qualifies for the safe harbor.
Unlike the Directive which is implemented through more detailed national laws, regulations and authoritative interpretations, and which are subject to the related legislative and regulatory processes, the Principles will likely remain relatively broad statements. Given this breadth, we believe that there would always be room for disagreement about whether a company qualifies for the safe harbor through compliance with the Principles concerning U.S. data.
For example, the first requirement regarding notice states that the "notice must be in clear and conspicuous language that is readily understood and made available when individuals are first asked to provide personal information to the organization." Reasonable minds will differ when interpreting these highlighted terms especially as they apply to an insurer's various interactions with customers and claimants. The broad language used in other Principles would lead to similar disagreements.
Therefore, the scope of any legal action should be limited to compliance with the Principles as applied to European data being transferred to the U.S. Otherwise, a European citizen would need only allege that a U.S. company is not meeting the Principles in processing U.S. data to effectively put the company back into "adequacy" type controversy.
Stated more provincially, we would prefer not to give European citizens the ability to continually second-guess the details of internal company policy decisions about our handling of wholly U.S. data. However, we believe this would be the result if European citizens are allowed to pursue inquiries with regard to whether insurers are entitled to the safe harbor protections even after the European Commission certifies that the safe harbor applies.
3) For "self-certification" to be useful it must be limited to certification that the U.S. company will treat all European Union data in compliance with the Principles.
For many of the same reasons mentioned above, a company that self-certifies should certify that any information it transfers from the European Union will be treated in accordance with the Principles. Otherwise, a European citizen could challenge the self-certification based on the U.S. company's treatment of wholly U.S. data.
4) Principle 3 regarding "Onward Transfers" should not apply to transfers to an affiliate within a group of affiliated, commonly-owned companies.
We believe that this clarification would be consistent with consumer expectations.
5) The "opt-in" concerning medical data in Principles 2 and 3 should be eliminated or clarified as it applies to insurers.
For example, an individual asserting a liability claim against an automobile driver should not control the disclosure of the medical information necessary to evaluate the claim.
______________________________________
In conclusion, unless insurers qualify for the safe harbor in the manner described in the first three comments above, we believe it will be largely ineffective from Allstate's perspective. We would be glad to work with you in clarifying these matters further.
Again, we appreciate your consideration of our concerns and your efforts on behalf of U.S. industry in this matter.
Very truly yours,
ALLSTATE INSURANCE COMPANY
Stephen L. Ihm
Locker Greenber & Banin, P.C.
Attorneys at Law
420 Fifth Avenue, New York, NY 10018
212-391-5200
November 17, 1998
Via Fax & Mail
Mr. Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th and Constitution Avenue, N.W.
Washington, D.C. 20230
Re: CIC 989-160 - Commerce Department Proposes
International Safe Harbor Privacy Principles
Dear Mr. Fredell:
We represent Toy Manufacturers of America, Inc. We agree with the proposed set of International Safe Harbor Privacy Principles being proposed by the Department of Commerce.
If we may be of further assistance, please feel free to communicate with the undersigned.
Very truly yours,
Aaron Locker
1516 Second Avenue, Seattle, WA 98101 USA
19 November 1998
Mr. Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th and Constitution Avenue, NW
Washington, D.C. 20230
Dear Mr. Fredell:
This letter is written in response to the Request for Comments to the proposed European Union Safe Harbor principles articulated in the public letter dated 4 November 1998. Amazon.com appreciates the time and effort put forth by the Department of Commerce and the International Trade Association to develop these Safe Harbor principles. Further, we appreciate the opportunity to respond and provide comments.
Before providing those comments directly, I would like to highlight a few relevant points. Amazon.com is the leading e-commerce destination site on the Internet. Our store offers a catalogue of over three million books, CDs, videos, and gifts to its 4.5 million customers worldwide. Electronic commerce on the Internet provides customers with exciting and unique benefits unavailable through a traditional 'brick-and-mortar' retail experience.
Amazon.com takes advantage of this technology by offering its customers exceptional ease-of-use and simplicity in shopping. This convenience and speed saves customers valuable time. Our selection of products is unfettered by physical shelf space, and our technology enables us to personalize the customer's shopping experience in ways not possible 'off-line'. And customers have clearly responded. Their acceptance and demand for these unique benefits has fueled the growth of Amazon.com and other Internet retailers.
According to some recent estimates, e-commerce revenue on the Internet will top $13 billion dollars in 1998 alone. Department of Commerce estimates suggest that e-commerce revenues will exceed $300 billion worldwide by 2002.
Amazon.com constantly strives to meet and exceed the expectations of our customers, and a large part of that involves earning and maintaining their trust in our business and its processes. Therefore, decisions made at Amazon.com that concern the privacy of our customers or the security of their information that we collect and maintain are made only after careful consideration. We urge policymakers to take great care to avoid any actions that have the effect of
seek specific permission for each potential use, they present an undue financial, legal, and technical burden. By enabling customers to 'opt out' of any use, customers are given an effective and adequate means of protecting their personal information.
Data Integrity
ISSUE: Definition of 'personal data'. What is the scope of this definition? Is this definition co-extensive with 'personal information'?
ISSUE: 'Relevant' information. The purpose of this particular principle is unclear and the wording leads to several possible conclusions; clarification is needed. Our reading suggests two possibilities: it may be read to limit the ability of website operators to develop and maintain customer information beyond that collected to complete a particular transaction; or it may simply be read to ensure that the quality of data stored by website operators is secure and accurate. With regard to the former, Amazon.com does not support regulations that would limit our ability to develop customer profile information. In order to serve its customers and provide them with compelling products and services, the personal information developed and maintained by online businesses may need to extend beyond that supplied by the customer. Amazon.com believes, however, that such additional information should be protected as any other personal information. With regard to the need to maintain data securely and accurately, Amazon.com agrees that such requirements are reasonable and necessary.
Access
ISSUE: Definition of 'non public record'. What is the scope of this definition? Is this definition co-extensive with 'personal information'?
ISSUE: Customer access to non public records. Amazon.com recognizes the need for regulations to require website operators to provide access to that information provided to them directly from customers, such as physical and e-mail addresses and credit card information. Amazon.com does not support regulations that would require access to non-identifiable customer information maintained by websites. Further, we urge caution in formulating regulations governing 'sensitive' information where that subjective term is not clearly defined. If certain sensitive information is to require heightened access, clear bounds for its definition will help to avoid additional technical complexities and legal uncertainties.
ISSUE: Notice Mechanisms. Amazon.com does not support regulations that would require interactive, online access to customer information. Such regulations represent a significant technical challenge that would divert valuable financial and human resources away from our priorities of serving our customers and continuing to develop our store. Amazon.com believes that the use of e-mail to automate the 'opt-out' process is the preferable mechanism to provide customers with access and choice regarding the unrelated use of information collected. E-mail is quick and easy for the consumer to use and provides website operators with a verifiable means of controlling access to customer information.
Enforcement
ISSUE: Compliance mechanisms. The final Safe Harbor principle speaks of 'mechanisms' to assure compliance, recourse for complaints, and consequences when the principles are not followed. Our comment here is simply that further definition and detail is needed; without such detail, it is difficult to evaluate how the 'safe harbor' principles actually will operate. For example, guidelines for governing disputes, including legal standards for issues such as jurisdiction, choice of law, and the rules of evidence, must be made explicit and fair. In addition, at least one practical term mentioned in the Enforcement section needs further definition. "Affordable recourse" is a subjective term that invites argument and disagreement without further specification.
ISSUE: Administration. The participation of private-sector organizations, clearly authorized by appropriate governmental agencies, to administer the 'safe harbor' guidelines is acceptable provided that the administration is consistent as between the organizations and that a complete conflict resolution system is present. Such a system should include some appellate procedure consistent with reasonable due process standards and should provide the enforcement organizations with fair and reasonable guidelines for weighing and evaluating individual complaints. Also, additional information on the differences between private versus public enforcement is sought. When these details become available, Amazon.com would welcome the opportunity to provide comment and industry perspective at that time.
Again, thank you for the opportunity to comment on the Safe Harbor principles. Please feel free to contact me directly with any questions regarding Amazon.com's position on these or related government and policy matters.
Yours Truly,
David Gabrieli
Government Affairs Counsel
Amazon.com, Inc.
cc: Alan Caplan, VP and General Counsel, Amazon.com
From: Citicorp Washington, Inc.
1701 Pennsylvania Ave. NW, Suite 1000, Washington, D.C. 20004
Tel 202/879-6655
Fax 202/783-4460
November 19, 1998
Mr. Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th and Constitution Avenue
Washington D.C. 20230
Re: International Safe Harbor Privacy Principles
Dear Mr. Fredell:
Citigroup commends the Department of Commerce in developing the "Principles" to help multinational companies cope with the European Union's Data Protection Directive and to avoid blockages of data flows from Europe to the U.S. We offer the following comments to assist the Department in its negotiations with the European Commission.
Preamble
U.S. based financial institutions -- banks, bank holding companies, insurance and securities firms -- are heavily regulated and must comply with both federal and state laws and regulations and, in applicable cases when doing business in Europe, by European financial institution, insurance and securities regulation, that require effective privacy, confidentiality and security protection of personal information. Furthermore, in Europe and elsewhere, financial institutions are bound by strict bank secrecy law regarding customer account data that is stricter, in most cases, than data protection law when it comes to confidentiality of customer information. Therefore, it should be made clear in the questions and answers that accompany the "Principles" that such financial institutions qualify for the safe harbor, notwithstanding the specific "Principles" themselves. It should also be made clear that the "Principles" only apply to personal information that individuals directly provide to an organization or certain information about individuals obtained from third parties. The "Principles" should not apply to publicly available information, such as government records or information acquired as part of or in preparation for litigation.
There are several additional overarching points that should be made. First, the "Principles" should apply equally to all companies (U.S., European and other) that export data from the EU. Second, the Principles should be revised to reflect that they apply to companies
person's health or sexual habits. We also suggest that the term "informed consent" be substituted for the term "opt in" as applied to sensitive information.
The customer's choice under this principle should be more succinctly expressed as a choice about "whether personal information they provide can be used for purposes not related to the uses for which they originally disclosed it." Consideration, moreover, should be given to defining when use of information is "unrelated," or "not related," to the use for which the customer originally disclosed it. If a credit card issuer collects data in order to evaluate the credit worthiness of a given customer, is use of this data for customer service purposes "unrelated?" The answer is negative, but an unrealistic definition of "related use" might become too restrictive. Is use of this data by the credit card issuer to inform the customer of enhancements to the credit card for which the customer originally applied "unrelated?" Is use of this data for cross selling other financial services provided by affiliates of the credit card issuer "unrelated?" Careful consideration should be given to realistic definition of "relatedness" so that customer service and efficiencies are possible without repeated and perhaps annoying notices to customers of new and incremental uses of customer information.
3. Onward Transfer
It should be made clear that European individuals be given the opportunity to opt out of having personal information transferred to unaffiliated third parties. U.S. laws (e.g., the FCRA) and regulations permit subsidiaries and affiliates of a holding company to readily exchange personnel-related, transaction and experience information in order to better serve their customers' and legitimate internal needs. Therefore, affiliated third parties should not be subject to the same opt out requirements as unaffiliated ones. Similarly, agents of the entity which have collected the personal information should not be subject to opt out requirements where such agents are performing the activities that would have been undertaken by the data-holding entity in the first place in serving customers (e.g., a data processor for a credit card issuer, a telephone company transmitting data on behalf of the credit card issuer, an ATM, credit card or other third party network executing the transaction on behalf of a credit card issuer). In addition, the term "sensitive information" should be defined as indicated under the above principle of Choice.
4. Security
This principle attempts to deal with both the reliability and protection of information; however, the concept of reliability is more closely related to the principle of Data Integrity, so we suggest deletion of the phrase "to assure its reliability for its intended use" from the sentence. Furthermore, the requirement to take "reasonable measures" should be modified to mean "commercially reasonable" measures. Otherwise, the Principles will expose data handlers to endless debates about whether 40-bit or 128-bit encryption is "reasonable" or whether use of key recovery schemes such as advocated by the Administration is "reasonable."
5. Data Integrity
This principle restricts the storage of personal data by companies; however, there may be legitimate business reasons and regulatory requirements to maintain such information (e.g., tax authority requirements, audit requirements, record retention requirements imposed by law and regulation). Therefore, the word "only" should be deleted from the first sentence to provide more flexibility and to permit compliance with legal and regulatory requirements.
6. Access
The concept expressed in this principle is too broad. Access should be provided to sensitive information (as defined under the principles of Choice and Onward Transfer) and to personal information collected from an individual that is used for material decisions having significant consequences for the individual (e.g., denial of credit or employment). Unlimited access to information is costly and impractical; therefore, it should be stated in this principle that the costs of access may be passed on to individuals. In addition, the access principle should not apply to certain proprietary or confidential information owned by an organization or to information supplied to the organization under obligations of confidentiality or trust, nor should it apply to information that must be collected pursuant to legitimate law enforcement authority such as anti-money laundering and know-your-customer regulations or information acquired as part of or in preparation for litigation.
7. Enforcement
This principle should spell out some of the alternative means for enforcement of a company's privacy policies, including one or more of the following: procedures established by companies for individuals to register and seek resolution of complaints; a process for individuals to file complaints with regulatory agencies that have enforcement powers; access to the U.S. courts for breach of contract; third party dispute resolution procedures; etc.
Citigroup appreciates the opportunity to provide these comments. Please let us know if we can be of further assistance.
Sincerely yours,
November 12, 1998
Mr. Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th and Constitution Avenue, N.W.
Washington, DC 20230
Dear Mr. Fredell:
On behalf of the Pharmaceutical Research and Manufacturers of America (PhRMA), I am writing with our views concerning the draft International Safe Harbor Privacy Principles. First of all, I would like to express our appreciation for the efforts the Department of Commerce has made to address the potential problems that would confront U.S. companies needing to transfer data from the European Union to the United States. Exchange of data between Europe and the U.S. is a critical aspect of normal business practices for companies operating in a global environment, and we are pleased that the U.S. government recognizes the stakes in this discussion.
While we appreciate your efforts, we do not believe that the proposed principles will create a safe harbor for the research-based pharmaceutical industry. We are particularly concerned that the broad scope of these principles may simply extend the reach of the European Union Privacy Directive 95/46/EC (the EU Privacy Directive) to the United States. If this were to occur, biomedical research and thus public health in both the United States and Europe could be adversely affected.
We understand that the Department of Commerce is negotiating with EU officials to secure an exception to the Directive that would apply to biomedical research and regulatory activities of the industry. PhRMA continues to believe that such an exception is required, not only to prevent disruptions to the global business environment, but, more importantly, to promote public health by enabling our member companies to continue to lead the way in developing innovative medicines. Because the proposed principles do not accommodate the research-based pharmaceutical industry's special needs, we would appreciate your continued efforts to secure an exception for our research and regulatory activities.
This letter discusses our overall concern with the proposed principles. The attachment provides our comments on specific language and provisions of the principles. Our primary concern is that the principles do not adequately address the operations of the research-based pharmaceutical industry, thus threatening both biomedical researchers' and regulators' access to critical medical information.
Pharmaceutical Research and Manufacturers of America
1100 Fifteenth Street, NW, Washington, DC 20005 * Tel: 202-835-3420 * FAX: 202-835-3429
The principles pose threats to researchers' access to critical medical information, and may thus impede the discovery and development of lifesaving medicines. Several of the terms used in the principles are based directly on the language used in the EU Privacy Directive. These terms have very specific meaning and, if incorrectly applied, could impede critical and appropriate access to medical information. While this is addressed in more detail in the attachment to this letter, our concern involves, for example, an excessively broad definition of "data" that does not clearly distinguish between that which directly identifies individuals and that which is encrypted or coded and therefore does not directly identify an individual. In addition, in our view, the requirements for notice, choice, and access create unnecessary or inappropriate burdens on biomedical research activities.
The principles do not adequately address regulatory activities related to pharmaceuticals, and thus may have unintended consequences for current and future patients. While we recognize that the principles have been drafted so as to encompass a wide range of industries and organizations, as currently written, they do not appear to consider the special needs of the pharmaceutical industry nor its obligations to provide information to regulatory authorities such as the Food and Drug Administration (FDA). For example, the Directive and these principles could impede the transfer of critical information about adverse drug events that occur in Europe. If such information is not relayed to the FDA in a timely manner with adequate detail (e.g., gender, race, age, prior or other health conditions), there are risks to the health and welfare of American and European patients. Indeed, if such information is relayed to the FDA without identification of the individuals involved, there is a risk that duplicate reporting would occur, potentially resulting in wrong conclusions.
In sum, the proposed principles merely transplant the most objectionable elements of the EU Privacy Directive to the United States, are likely to disrupt ongoing pharmaceutical research, and delay or make infeasible other potential research that holds promise for helping patients. The proposed principles also threaten our system of tracking adverse drug reactions, further placing patients at risk. As a result, PhRMA and the companies it represents cannot support such principles as drafted.
PhRMA would welcome an opportunity to discuss these concerns and an exception to the EU Privacy Directive for biomedical research and regulatory activities.
Sincerely,
Alan Holmer
Attachment
cc: Under Secretary David Aaron
Attachment
PhRMA Comments on Specific Safe Harbor Principles
1. "Personally-identifiable data" and "Personal information" are not defined. As a result, these terms might include information that directly identifies individuals as well as information that may be encoded or encrypted, which only identifies individuals indirectly. Complying with the principles may thus require stripping databases of valuable information (e.g., patients' gender or race), rendering data virtually useless for important research purposes.
2. The principles single out medical information as a type of sensitive information, which should be held to a higher standard (e.g., affirmative or explicit opt-in choice). PhRMA recognizes the overarching importance of adequately protecting confidential medical information that identifies patients, and PhRMA member companies go to great lengths to safeguard the interests of individual patients in all day-to-day operations. While the industry strongly supports the protection of medical information that identifies patients, we also strongly believe that biomedical researchers should have unrestricted access to medical information that does not directly identify patients. As mentioned above, the principles fail to make this important distinction, thus creating barriers to the use of critical information in which both biomedical researchers and regulatory officials have legitimate interests.
3. "Notice" and "choice" would require researchers to inform individuals about all potential uses of their medical information. This would mean that subsequent analyses of the data could not be done without obtaining informed consent from the individual again, which might prove difficult or impossible, precluding important research questions from being answered.
4. "Data integrity" would similarly be affected by the requirement that individuals be informed and given a choice regarding all possible uses of the information, as an organization would be permitted to keep data relevant only for those purposes originally intended. This suggests that existing databases might have to be destroyed and that long-term retrospective research (involving re-analyses of data originally collected for another purpose) might be prohibited.
5. "Access" of patients to medical information about them could jeopardize the validity of research results from clinical trials. Clinical trials are often double-blinded such that neither providers nor patients know which patients are receiving a particular therapy and which are in the "control" group. Providing participants with access to medical information would violate this aspect of the research and thus invalidate the results.
6. The principles seem to be based in large part on the Department's earlier "Elements of Effective Self-Regulation for Protection of Privacy" and appear to be directed largely toward protecting consumer privacy in on-line activities. Thus, they need to be substantially amended to be appropriate for research activities involving medical information.
7. Aside from the content of the principles themselves, it is not clear when an organization qualifies for the safe harbor. The draft document states that organizations subject to statutory, regulatory, administrative or other body of law that effectively protects personal information privacy would qualify. However, there is no mention or definition of what constitutes "effective" protection and who would ultimately make such a judgment.
Securities Industry Association
1401 Eye Street, NW, Washington, DC 20005-2225, (202) 296-9410, Fax (202) 296-9775 info@sia.com, http://www.sia.com
November 19, 1998
Mr. Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
U.S. Department of Commerce
14th and Constitution Avenue, NW
Washington, DC 20230
Re: Comments on Draft International Safe Harbor Privacy Principles
Dear Mr. Fredell:
Thank you for Ambassador Aaron's letter dated November 4, 1998 explaining and requesting comment on the Department of Commerce's Safe Harbor Principles ("Principles"). The securities industry's position on the privacy issue is well known: The Securities Industry Association ("SIA") 1/ opposes the imposition of new privacy standards on the securities industry. The existing comprehensive regulatory structure of the securities industry and the self-interest of industry members in protecting their clients' privacy have protected - and will continue to protect - the privacy of the industry's customers. New privacy standards would raise the costs of doing business with no corresponding benefits to the customer. 2/

In this regard, SIA appreciates and supports the Department's continued efforts to address the business concerns raised by the European Union's Directive on Data Protection in a manner which appropriately reconciles those concerns with reasonable privacy considerations. The Safe Harbor Principles represent a significant step forward in clarifying the obligations under the Directive and in keeping those obligations within reasonable bounds. Nonetheless, SIA has a number of suggestions that would make the Principles even more effective.

1/ The Securities Industry Association brings together the shared interests of more than 770 securities firms throughout North America to accomplish common goals. SIA members - including investment banks, broker-dealer and mutual fund companies - are active in all markets and in all phases of corporate and public finance. In the U.S., SIA members collectively account for approximately 90 percent, or $100 billion, of securities firms' revenues and employ about 350,000 individuals. They manage the accounts of more than 50 million investors directly and tens of millions of investors indirectly through corporate, thrift and pension plans. More information about SIA is available at our Internet web-site, http://www.sia.com.

2/ See Securities Industry Association, "Privacy Protection in the United States Securities Industry," June 23, 1998 (copy attached).
First, SIA supports the comments submitted by the Coalition of Service Industries ("CSI") regarding the Principles. SIA is a member of CSI and strongly recommends that the Department incorporate CSI's proposed edits both in the Principles themselves and in the Frequently Asked Question ("FAQ") section of the Principles document.

In particular, SIA supports CSI's proposed elaboration of the distinction between factual and proprietary information. In the securities industry, there are critical situations where it could be damaging both to securities firms and to financial markets generally for a firm to disclose its proprietary information about an individual. A securities firm typically would welcome disclosure of a customer's factual information to ensure that the firm's records are accurate. But disclosing to a customer the criteria and results of a firm's proprietary internal decision-making processes could be quite harmful. Indeed, SIA thinks that such a requirement could chill the prudent evaluations of creditworthiness and the suitability of investments that members of the securities industry must undertake. 3/ In short, individuals may need access to their personal information in order to ensure that an organization's data is accurate. They should not, however, be permitted to second-guess how an organization makes business decisions using that information. Thus, SIA supports CSI's refinement of the "reasonable access" requirement with respect to proprietary information.

SIA also supports CSI's suggestions regarding the enforcement provisions of the Principles. Those provisions currently leave wide room for interpretation. CSI's proposed edits would improve the efficacy of the principles by setting forth in more detail what businesses must do to be in compliance. The securities industry, for example, already has extensive complaint and arbitration procedures in place, under the auspices of both the Securities and Exchange Commission ("SEC") and self-regulatory organizations such as the National Association of Securities Dealers-Regulation ("NASD-R"). The Principles should state clearly that such a respected and proven arbitration system will be a sufficient enforcement regime under the safe harbor. CSI's proposed additions substantially further that goal by noting that "complaint[s] to a government agency with enforcement powers" and "dispute resolution procedures established by self-regulatory bodies" should allow an organization to satisfy the Principles' enforcement provisions.

3/ To the extent that securities firms are required by law to gather and analyze information about individuals, the Principles' exception for "regulatory compliance and supervision, and law enforcement requirements" would presumably override any access requirement under the Principles. For example, if a firm were expressly forbidden from informing a customer that the firm had filed a report of suspected money laundering regarding the customer, the Principles would presumably not obligate the firm to inform the customer of the report. If such a firm would not be protected against the Principles' access requirements, the Department should modify the Principles to so provide.
In addition, SIA supports CSI's recommendation to clarify that an opt-out choice is not required when an organization uses or transfers a customer's information in order to provide the customer with the service that the customer originally sought from the organization. Indeed, SIA urges the Department to clarify further that an opt-out choice is not required for transfers among affiliated organizations that provide the same general line of services as the service initially requested by the customer. When affiliated organizations transfer information among themselves, it is often difficult to draw sensible lines between (1) those uses that are related to the uses for which a customer initially provided the information, and (2) those uses that are unrelated to the initial uses. Indeed, financial services companies often employ multiple affiliated entities to provide interrelated services that cannot be easily separated from the initial service sought by the customer. 4/ The Department therefore would greatly simplify the task of defining these companies' obligations if it broadened the scope of the opt-out exception to permit organizations to transfer information among affiliates in order to provide services that are in the same general line of business as the service initially sought by the customer.
Furthermore, SIA supports CSI's suggestions regarding (1) the inapplicability of the Principles to public information, and (2) when notice must first be provided to consumers. Both of these recommendations are practical refinements of the Principles.
Second, SIA supports the comments submitted by the American Council of Life Insurance ("ACLI"). SIA particularly highlights ACLI's concern that organizations not be required under the data integrity principle to keep updating information even if the organizations have no business purpose to do so. A firm, for example, will typically retain account information for some period of time after the account is closed, for a variety of legal, insurance, and commercial reasons. But unless the account is reopened, the firm has no need to update information about the customer's address, employment, or investment objectives.
4/ For example, we believe that if a customer requests financial planning services from an organization, that organization should be allowed to share information with its affiliates to provide related banking, insurance, or securities services to the customer without being constrained by the precise scope of the customer's initial request. We believe that the safe harbor should be flexible enough to allow for this type of situation, where requiring an additional opt-out both could be a nuisance to the customer and cause the customer financial harm by preventing a financial services organization from acting quickly in the customer's financial interest.
Third, SIA requests that the Department clarify precisely how organizations can qualify for the safe harbor. More specifically, the Department should clarify when the existence of an overarching regulatory framework will be sufficient to place organizations within the safe harbor. The preamble to the Principles states that "an organization qualifies for the safe harbor if it is subject to a statutory, regulatory, administrative, or other body of law that effectively protects personal information privacy." SIA wholeheartedly endorses this provision of the Principles, but the language should be strengthened and expanded (in either the Principles themselves or in the FAQ section) to make clear that comprehensively-regulated industries such as the securities industry qualify for the safe harbor so long as privacy-related concerns and complaints can be addressed within the regulatory framework. In that regard, we also would like to associate ourselves with the comments regarding the safe harbor submitted by the Investment Company Institute.
As SIA explained in its paper submitted to the privacy summit earlier this year, the securities industry already protects the privacy interests of investors. Between the regulations of the SEC, the requirements of self-regulatory organizations such as NASD-R, and the agency duties imposed on securities brokers by common law, securities firms are under intense business and regulatory pressure to serve customers honestly and with the highest ethical standards. Although this regulatory framework does not dictate specific rules concerning privacy, abuses of private information would be captured by many of the existing principles, statutes, and rules. Moreover, the securities industry clearly has a structure in place to respond to privacy issues as they develop. Indeed, SIA understands that NASD-R is currently considering new rules specifically designed to address privacy concerns.
In light of this regulatory framework, the Principles should be amended to clarify that securities firms (and other organizations operating under similar regulatory regimes) are protected under the safe harbor. When an organization is operating under intense regulatory scrutiny, the potential risk to individual privacy is substantially reduced. Indeed, regulated organizations such as securities firms are under constant supervision and subject to prompt, efficient enforcement mechanisms. As noted above, the preamble to the Principles already recognizes this basic fact by stating that regulated organizations are protected by the safe harbor. If any business sector should qualify under this provision, it is the securities industry. The Department, therefore, should expand the Principles to clarify that the regulatory framework governing the securities industry is precisely the type of regulatory structure that would bring an organization within the safe harbor. 5/
5/ In suggesting that the securities industry should so qualify, we do not mean to suggest that others should not so qualify.
Again, SIA commends the Department on its good work in this area, and we hope to continue working with you in this process going forward. If you have any questions, or wish to discuss these issues further, please do not hesitate to contact me, or Kristin Roesser on my staff.
Sincerely,
Marc E. Lackritz
President
PRIVACY PROTECTION IN THE UNITED STATES SECURITIES INDUSTRY
SECURITIES INDUSTRY ASSOCIATION
1401 Eye Street, N.W.
Washington, D.C. 20005
(202) 296-9410
Executive Summary
The securities industry successfully balances its need for sensitive information to serve its customers with privacy concerns. A wide array of common law principles and regulations imposes on the industry duties not to abuse private information with which it is entrusted and provides adequate means to redress any violations of those duties. Just as important, however, no industry member could thrive for long should it gain a reputation for abusing confidential information.
Given the breadth of its current regulatory regime and its history of, and self-interest in, protecting the privacy of investors, the industry believes proposals to impose uniform privacy standards throughout the private sector are premature. Such a "one-size-fits-all" monolithic approach would stifle the flow of information, which benefits consumers and which the securities industry needs to function, and impede creative business innovations intended to benefit its customers.
The securities industry is governed by a broad framework of common law principles, state and federal statutes, Securities and Exchange Commission ("SEC") rules, and self-regulatory organization ("SRO") rules that prohibit the improper use of private information. Although this framework generally does not dictate specific rules concerning privacy, abuses of private information would be captured by many existing principles, statutes, and rules, and these provisions are reflected in members' practices. Violations of the provisions, moreover, could give rise to private civil liability, government enforcement action, or even criminal liability. In this connection, it is important to note that, unlike some other industries, securities SROs maintain examination and oversight staffs and are fully capable of sanctioning, and have sanctioned, firms for non-compliance with rules concerning the misuse of confidential information.
Furthermore, the intense competition in the securities industry ensures that firms will not misuse private information. Privacy protection is an important dimension on which securities firms compete. A firm that fails to protect its customers' privacy and gains a reputation for doing so will soon find its business has been damaged. In addition, because the identity of, and information about, its customers is a critical asset of any securities firm, it is very unlikely that an industry member would disclose private information that could be used by a competitor.
Finally, the SIA supports efforts by its members to increase awareness among customers about privacy issues and is currently exploring ways in which it could promote customer awareness on an industry-wide basis. Increased customer awareness would further competition among industry members to adopt privacy policies that accord with customers' wishes and prominently disclose those policies.
The Securities Industry's Regulatory and Business Structure Protects Privacy.
A. Regulatory Framework
The U.S. securities industry is comprehensively regulated with a view toward complete disclosure of material information, the protection of investors, and the maintenance of fair and orderly markets. A framework of constitutional and common law principles, state and federal statutes, Securities and Exchange Commission rules, and self-regulatory organization ("SRO") rules prohibits the improper use of private information. Although this framework generally does not dictate specific rules concerning privacy, abuses of private information would be captured by many of the existing principles, statutes, and rules. These provisions are also reflected in the firms' own practices. Violations of the provisions, moreover, could give rise to private civil liability, government enforcement action, or even criminal liability.
Privacy protection is a fundamental and longstanding value in this country. Indeed, when specific concerns or regulatory gaps have been identified, Congress has enacted legislation. The Privacy Act of 1974 3/ and the Fair Credit Reporting Act 4/ are two examples. Similarly, the courts long have recognized tort actions for invasion of privacy. 5/ This is not the proper forum, however, to expound on general notions of privacy. Rather, we examine those principles, statutes, and SRO rules that would most directly reach misuse of private information in the securities industry.
1. Common Law Agency Duties
The agency duties owed by members of the securities industry to their customers provide very significant proscriptions against the misuse of confidential information. A securities firm owes its customers duties of loyalty and care. 6/ Violations of those duties with respect to customer privacy could subject firms to civil liability, including customer class actions.
The duty of loyalty requires a securities firm to abstain from conflicts of interests and, most importantly, put the interests of the investor ahead of its own. 7/ Thus, a firm that intentionally discloses, or otherwise makes use of, a customer's confidential information to benefit itself at the expense of the customer may violate its agency duties to the client and face liability for any resulting damages. 8/

3/ 5 U.S.C. § 552a.
4/ 15 U.S.C. § 1681.
5/ See, e.g., Pearson v. Dodd, 410 F.2d 701, 703 (D.C. Cir. 1969).
6/ See, e.g., Merrill Lynch, Pierce, Fenner & Smith, Inc. v. Cheng, 901 F.2d 1124, 1128 (D.C. Cir. 1990); Leib v. Merrill Lynch, Pierce, Fenner & Smith, Inc., 461 F.Supp. 951, 953 (E.D. Mich. 1978).
The duty of care requires a securities firm to act with reasonable care when serving investors. 9/ Thus, a securities firm that negligently discloses confidential information about an investor might be liable to that investor for any resulting damages.
2. Federal and State Securities Laws and Regulations
Certain abuses of confidential information entrusted to a securities firm by a client could give rise to violations of the securities laws and SEC regulations. For example, a firm, or affiliated person, that uses material, non-public information taken from a customer (without consent) to trade securities on its own behalf would be subject to civil liability, SEC enforcement action, and/or criminal liability. Liability would be grounded in, among other provisions, Section 10(b) of the Securities Exchange Act of 1934 and Rule 10b-5 thereunder (which prohibit fraud and misrepresentation). 10/ Furthermore, so-called state "blue sky" laws parallel these and other provisions of the federal securities laws that could apply to abuse of confidential information.
3. SRO Rules
The rules of the National Association of Securities Dealers-Regulation ("NASD-R") and other SROs include many provisions that would reach misuse of confidential information by their members or affiliated persons. Most generally, NASD-R Conduct Rule 2110 provides, "[a] member, in the conduct of his business shall observe high standards of commercial honor and just and equitable principles of trade." This general provision would reach unauthorized disclosure, or other misuses, of confidential information benefiting a securities firm at the expense of an investor. 11/ Other SROs maintain similar rules that would reach abuses of confidential information by their members. 12/

7/ See Cheng, 901 F.2d at 1128 (agent has a duty to act in the principal's best interest); see also Thomson McKinnon Securities, Inc. v. Moore's Farm Supply, Inc., 557 F.Supp. 1004, 1011 (W.D. Tenn. 1983) ("An essential element in the relationship of principal and agent is that the object of the contract between the parties is to benefit the principal.").
8/ See, e.g., Barnsdall Oil Co. v. Willis, 152 F.2d 824, 828 (5th Cir. 1946) ("[I]f any broker or agent [] acquires confidential information from his principal which he would not have acquired had he not been such agent, he cannot use the information so acquired to the injury of his principal."); see also Restatement of Agency (Second) § 395 (agent is prohibited from misusing information obtained from the principal in connection with his or her agency).
9/ Roe v. Sewell, 128 F.3d 1098, 1104 (7th Cir. 1996) (agent owes principal a duty of reasonable skill, care, and diligence).
10/ 15 U.S.C. § 78j; 17 C.F.R. § 240.10b-5.
Other more specific rules would reach certain types of misuse of confidential information. For example, NASD-R Conduct Rule 2110-3 prohibits members from misusing confidential information concerning investor orders to "frontrun" buy or sell orders on behalf of investors. Similarly, NASD-R Conduct Rule 3210 prohibits members acting in the capacity of paying agent, transfer agent, trustee, or in any similar capacity that receive information about the ownership of securities from using such information to solicit purchases, sales, or exchanges except at the issuer's request.
The SROs, unlike many industry associations, have authority and maintain staff to investigate and sanction violations of their rules. SRO rule violations therefore may lead to substantial penalties.
4. Fair Credit Reporting Act
The Fair Credit Reporting Act ("FCRA") 13/ restricts the use and transfer of confidential financial information (e.g., data pertaining to an individual's credit capacity or credit worthiness, including customer lists that reflect on a consumer's credit capacity). Although it focuses on the activities of credit reporting agencies, the FCRA covers any individual or entity that collects or communicates information covered by the Act, and therefore reaches the use of such information by members of the securities industry. Violations of the FCRA are enforced by federal and state agencies and through civil litigation. Recent amendments to the FCRA address the transfer of covered information among affiliated companies. The FCRA requires that "it is clearly and conspicuously disclosed to the consumer that the information may be communicated among such [affiliates] and the consumer is given the opportunity, before the time that the information is initially communicated, to direct that the information not be communicated among such persons." 14/

11/ See Report Pursuant to Section 21(a) of The Securities Exchange Act of 1934 Regarding The NASD and the NASDAQ Market, Securities Exchange Act Rel. No. 37542 (Aug. 8, 1996) (observing that market makers' undisclosed sharing of information about their customers' orders, including the size of the order and the identity of the customer, along with other actions "can be inconsistent with the fair dealing obligations owed by dealers to customers.").
12/ See, e.g., New York Stock Exchange ("NYSE") Rule 401 (requiring exchange members "at all times [to] adhere to the principles of good business practices in the conduct of [their] business affairs").
13/ 15 U.S.C. § 1681.
B. Competitive Business Structure
Wholly apart from the regulatory sanctions that misuse of private information may bring, it is in the self-interest of industry members to avoid such abuses. Members face fierce competition in all sectors of the securities industry. That has two very important implications for privacy protection.
First, privacy protection is an important dimension on which securities firms compete. A firm that fails to protect its customers' privacy and gains a reputation for doing so will soon find that its business has been damaged. Therefore, securities firms seek to ensure that they do not disclose private client information in ways that would injure, or even annoy, their clients. Their customer relationships are simply too valuable to risk through confidentiality breaches. Thus, in the context of privacy, the market punishes such breaches.
The importance of maintaining a reputation for protecting privacy is especially great in light of the recent media attention devoted to privacy concerns. Any serious lapse in privacy protection is likely to result in substantial negative publicity. At the same time, increased consciousness about privacy concerns among customers will lead many to scrutinize carefully the privacy policies of securities firms before choosing one with which to do business. This scrutiny, in turn, has caused (and will continue to cause) firms to examine their privacy policies to determine if modifications are appropriate.
Second, given the intensely competitive nature of the securities industry, it is very unlikely that an industry member would disclose private information that could be used by a competitor. The identity of, and information about, its customers is a critical asset of any securities firm. Thus, a firm has a strong incentive to ensure that its competitors do not obtain an advantage by gaining access to information about the firm's customers.
The Securities Regulatory Structure is Responsive to Changing Customer Expectations.
The core privacy protections in the U.S. securities industry are embodied in the industry's overall regulatory framework. Nevertheless, the SEC and the securities industry have demonstrated the flexibility and will to respond to specific privacy issues and concerns as they arise. The SEC and SROs have addressed these issues on several occasions when promulgating regulations that might bear on privacy issues. Furthermore, SROs take seriously the supervision of privacy issues and review their rules to enhance privacy assurance. This is demonstrated by the NASD-R's recently proposed general confidentiality rule that would apply to all its members. 15/ In addition, individual firms regularly adopt internal policies designed to offer their customers protections that are above and beyond any regulatory requirements, simply as a matter of good customer relations.

14/ 15 U.S.C. § 1681a(d)(2)(A)(iii).
The regulation of the use of electronic media to deliver information required under the securities laws and the regulation of "cold calling" to market securities are examples of specific areas in which the SEC and SROs have addressed privacy concerns involving customers and potential customers. In its interpretive release on the use of electronic media, the SEC noted that the securities laws often require broker-dealers, transfer agents, and investment advisers to deliver information about personal financial matters. 16/ In that connection, the SEC made clear that securities firms "should take reasonable precautions to ensure the integrity, confidentiality, and security of that information, regardless of whether it is delivered through electronic means or in paper form." 17/ Protections for personal financial information sent by electronic media must be tailored to that medium. 18/ Accordingly, securities firms have adopted policies to ensure that privacy is protected, whether the firm receives or sends information electronically or through a more traditional medium.
Indeed, the SEC noted the importance of privacy concerns under the federal securities laws in evaluating SRO rules regarding the use of electronic media to satisfy members' delivery obligations. Specifically, in approving New York Stock Exchange rules concerning these matters, the SEC expressly stated that: "[T]he proposed rule change benefits the public, because it not only allows customers easy and efficient access to account documentation, but also requires an evaluation of systems and procedures to ensure that the privacy of personal information is maintained." 19/
The SEC also has responded to privacy concerns raised by the practice of brokers and dealers cold-calling to market securities. Under the Telemarketing and Consumer Fraud Abuse Prevention Act of 1994, 20/ the Federal Trade Commission adopted detailed regulations ("FTC Rules") to prohibit deceptive and abusive telemarketing acts and practices. The FTC Rules, among other things, (1) require the maintenance of "do-not-call" lists and procedures; (2) prohibit abusive, annoying, or harassing calls; (3) place restrictions on the timing of calls; and (4) require the telemarketer to identify himself or herself, the company he or she works for, and the purpose of the call. The FTC required the SEC either to promulgate rules itself or require the SROs to promulgate rules substantially similar to the FTC rules, unless the SEC determined either that the rules were not necessary or that existing rules already provided the same protections. The SEC delegated the promulgation of new rules to the SROs. 21/ Every major SRO has created rules, or offered interpretations of existing rules, that bring their regulations into substantial conformance with the FTC Rules. 22/

15/ See NASD-R Notice to Members 97-12 (Mar. 1997).
16/ Securities Act Rel. No. 7288 (May 9, 1996).
17/ Id.
18/ Id.
19/ Securities Exchange Act Rel. No. 38731 (June 17, 1997).
20/ 15 U.S.C. § 6101 (1994).
The securities industry is continually evaluating whether there is a need for new rules concerning privacy and will not hesitate to act if it determines that new rules are needed in addition to existing privacy protections. That is well illustrated by the consideration that the NASD-R is giving to adopting a rule governing the use and release of customer financial information. 23/ With a few exceptions, proposed NASD-R Rule 3121 would apply to all NASD-R members that use or release confidential financial information regarding customers who are natural persons.
The proposed rule addresses three different scenarios: (1) the release of information to a person other than a business affiliate; (2) the release of information to a business affiliate; and (3) the use of information received from an affiliate. The rule would require members to disclose to customers certain information about the member's use of customer data and, depending on the entities with which information would be shared, obtain consent from the customer or provide the customer a meaningful opportunity to object to disclosure. Furthermore, members would be prohibited from using information obtained from a business affiliate unless the member determines that the affiliate has complied with the rule's requirements or the member, itself, complies with those requirements.
The proposed rule, which arose from a review of banks' securities activities rather than from any reports of privacy abuses by NASD members, remains under review by the NASD-R. Whether or not the NASD-R will adopt the rule depends on the comment letters received from members, a subsequent assessment of the necessity and utility of the rule, and approval by the SEC. Whether the NASD-R ultimately adopts this particular proposed rule or not, the industry will continue to explore whether there is a need to supplement existing privacy protections with new rules.

21/ See, e.g., Securities Exchange Act Rel. No. 38009 (Dec. 2, 1996) (approving NASD rule changes and discussing legislative history).
22/ See Securities Exchange Act Rel. No. 8480 (April 7, 1997) (determining that no additional rulemaking by SEC was needed based on existence of SRO rules). For the various changes the SROs made to their rules to bring them into conformance with the FTC Rules, see Securities Exchange Act Rel. Nos. 38009 (Dec. 2, 1996) (NASD); 38053 (Dec. 16, 1996) (Municipal Securities Rulemaking Board); 38638 (May 14, 1997) (NYSE); 38724 (June 6, 1997) (American Stock Exchange); 34-38875 (Philadelphia Stock Exchange); SEC Rel. 39010 (Sept. 3, 1997) (Chicago Board Options Exchange); 39303 (Nov. 5, 1997) (Pacific Exchange).
23/ NASD-R Notice to Members 97-12 (March 1997).
Individual firms, moreover, have begun to create policies that address the privacy concerns of their customers. On its Online Application Instructions, for example, Charles Schwab states that the information on the application "will be used solely by Charles Schwab and will not be given to any outside marketing firms." 24/ In addition, Charles Schwab educates investors about its privacy policies through a privacy practices statement, which is accessible by hyperlink from its homepage on the World Wide Web.
Customers expect a high degree of trust from securities firms, and firms govern themselves accordingly. Firms must maintain customer privacy to ensure that other firms do not obtain a competitive advantage by providing better service in this area. Put simply, individual firms have an incentive to maintain customer privacy that may exceed any possible industry regulations. That incentive has become even stronger with the advent of widespread electronic commerce. To compete effectively for business in the new, electronic medium, firms must give customers (who may initially be reluctant to share information electronically) confidence that their private information will be used only for proper purposes.
The SIA supports efforts by its members to increase awareness among customers about privacy issues and is currently exploring ways in which it could promote customer awareness on an industrywide basis. Increased customer awareness would further competition among industry members to adopt privacy policies that accord with customers' wishes and prominently disclose those policies.
In brief, securities firms currently are subject to a regulatory structure, both governmental and self-regulatory, that is capable of ensuring that investors are aware of privacy considerations, data is secure and data integrity is maintained in a manner that provides customers with access to the information and the ability to hold firms accountable for data usage. Furthermore, the oversight framework ensures that existing privacy protections are both effective and enforceable. In this regard, it is important to note that, unlike some other industries, securities SROs maintain examination and oversight staffs and are fully capable of sanctioning, and have sanctioned, firms for non-compliance with these requirements.
24/ See Schwab Account and Schwab One Application Instructions at http://www.schwab.com/SchwabNOW/SN ... /apps/SN047SchwabOneFormIntro.html (accessed on June 10, 1998).
Securities Firms Use Confidential Information for Legitimate Purposes that Benefit Investors.
The securities industry has long gathered information about its customers to use in serving them. For example, securities firms must gather financial information concerning their clients to satisfy SRO "suitability" rules. Those rules require that firms recommending securities transactions to retail customers have a reasonable basis for recommending the transaction based on information disclosed by the customer. 25/ Thus, firms routinely gather financial information about their customers to satisfy that obligation, including information about the customer's financial and tax status, investment holdings, and investment objectives. Because they regularly gather private information about their customers for this and other purposes, firms maintain internal policies to ensure that information with which they are entrusted is not misused. That there is no significant history of privacy abuses in the securities industry speaks to the effectiveness of those internal policies and the regulatory and competitive framework discussed above. Furthermore, the success of the current system --- along with the advantages of privacy policies tailored to individual firms' needs --- explains why the securities industry has thus far not adopted an industry-wide privacy code.
Given the rapid consolidation within the securities industry, many companies participate in several lines of financial business. These companies routinely share information concerning a particular customer among affiliated entities that also serve or may begin to serve that customer. The purpose of such information sharing is to provide better service and offer opportunities to the customer. Customers who come to a diversified financial firm generally expect to receive and/or be offered services from affiliates of the firm. Indeed, many investors come to diversified firms precisely because such firms provide the investor with opportunities to benefit from the synergies and efficiencies of an integrated firm. 26/
25/ See NASD-R Rule 2310; NYSE Rule 405.
26/
Some proposed privacy standards would require members of the securities industry to disclose to investors that information they provide may be shared with affiliated entities. The SIA believes this requirement is unnecessary (there is no history of significant abuse) and would ultimately inure to the detriment of investors. Such a requirement would impose significant and unnecessary administrative costs, which would be borne by investors. Because securities firms would use the confidential information only for legitimate business purposes that benefit investors, there would be no reason for an investor to opt out, and the opportunity to do so would provide only a theoretical, not an actual, privacy benefit. Thus, the costs absorbed by investors would not be justified by any offsetting benefit. Information sharing among affiliates raises no concerns about abusive conduct. Even assuming there could be such concerns, however, the existing regulatory framework of the securities industry proscribes, and provides means to redress, such conduct.
Sharing of information among affiliated entities is not improper because it does not raise the specter that information would be used to benefit the securities firm at the expense of the investor. The following examples will illustrate the benefits obtainable through information sharing.
- An asset management firm may introduce customers to an affiliated broker-dealer for the execution of a securities trade. The broker-dealer would then need to obtain information about the customer from the asset management firm. By obtaining the information directly from its affiliated asset management firm, the broker-dealer is able to avoid the administrative costs and needless delays associated with contacting the client directly. The savings may be passed on to investors in the form of lower fees and commissions.
- Conversely, a broker-dealer firm may provide financial information about a potential client to an affiliated asset management firm. Such an information exchange would promote efficiency by eliminating the need for the asset management firm to obtain the information directly from the customer.
Moreover, precluding such information sharing among affiliates could cause securities firms difficulty in meeting regulatory requirements. For example, Congress has recognized the potential risks that a broker-dealer may face from the activities of affiliated companies. In the Market Reform Act of 1990, Congress granted the SEC authority to obtain from a broker-dealer information about affiliated companies. 27/ The temporary risk assessment rules that the SEC adopted under this authority contemplate that broker-dealers will use information from all available sources to assess their financial exposure.
It makes sense to permit the industry's existing regulatory infrastructure to address any abuses that might arise from sharing of private information, rather than to impose rigid privacy standards. Should there arise a need for regulation to address a particular practice, as explained earlier, the existing infrastructure provides the means to enact new rules through statute, SEC rulemaking, or industry self-regulation.
The U.S. Government Should Oppose Attempts By the European Union to Export its Privacy Directive.
Because the privacy of investors in the United States is protected through a broad regulatory scheme rather than highly specific rules, there is a possibility that the European Union ("E.U."), or its member countries, might construe its Data Protection Directive ("Directive") 28/ to prohibit transfer of "personal data" from member countries to the United States. Because, as explained above, the industry's mechanisms for protecting consumer privacy are more than adequate, such a construction is wholly unnecessary to protect the privacy interests of citizens of E.U. member countries. Accordingly, the U.S. Government should oppose vigorously any attempt by the E.U. or its member countries to deny U.S. securities firms access to personal data.
27/ 12 U.S.C. § 18311.
Under Article 25(1) of the Directive, member countries are responsible to ensure that personal data are not transferred to a third (i.e. non-E.U.) country unless "the third country in question ensures an adequate level of protection." Although Article 25(2) provides some general guidance concerning the determination whether a third country "ensures an adequate level of protection," it remains unclear exactly how the E.U. or its member countries will make that determination. Nonetheless, a paper prepared by the Directive's Article 29 "Working Party," which coordinates implementation of the Directive and advises the Commission (which can adopt binding measures as needed), suggests that the Commission may apply a high standard for adequate protection abroad, especially when the third country has not enacted an omnibus law similar to the Directive. 29/
Although the industry is not subject to an E.U.-style code setting forth specific privacy procedures, the regulatory framework governing the industry and the competitive pressures on its members ensure the protection of confidential information. Thus, there are no grounds for the E.U. or its member countries to deny the U.S. securities industry access to personal data, and the U.S. Government should oppose any efforts by the E.U. or its member countries to do so.
28/ Directive 95/46/EC on the Protection of Individuals With Regard to the Processing of Personal Data and on the Free Movement of Such Data, O.J. L 281/31 (23 Nov. 1995).
29/ See First Orientations on Transfers of Personal Data to Third Countries - Possible Ways Forward Assessing Adequacy, WP4, XV D/5020/97-EN final (Art. 29 Working Party, 26 June 1997). Article 26(1) of the Directive provides certain exceptions under which data transfer to a third country would be permitted without a determination of adequacy, but the E.U. or its member countries may construe the exceptions narrowly, and it is unclear whether they would permit transfer of personal data to U.S. securities firms.
Conclusion
The comprehensive regulatory structure of the securities industry and the broad common law agency duties to which industry members are subject mean that there is no need to impose one-size-fits-all privacy standards on the industry. The existing regulation of the securities industry, with its broad prohibitions and regulatory flexibility, and the self-interest of its members have protected (and will continue to protect) customers' privacy. Furthermore, the regulatory structure provides a mechanism for enacting new privacy rules if necessary. Not only are uniform privacy standards unnecessary, they would raise the costs to securities firms associated with proper and efficient business practices that benefit both them and their customers, thereby raising customer costs with no compensating benefit. All this being so, the SIA opposes the imposition of uniform privacy standards on the securities industry. Furthermore, the U.S. Government should vigorously oppose any effort by the European Union to deny the U.S. securities industry access to data emanating from member countries because the industry does not have in place uniform privacy standards similar to the Directive.
November 19, 1998
VIA MESSENGER
Mr. Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th and Constitution Avenue, N.W.
Washington, DC 20230
Re: Comments on Draft Safe Harbor Principles
Dear Mr. Fredell:
Visa U.S.A. (“Visa”) is pleased to submit this comment letter to the Department of Commerce in response to its request for comment on the Draft Safe Harbor Principles attached to the November 4, 1998 letter from Ambassador Aaron.
The Visa payments system is the largest consumer payments system in the world. Visa is a joint venture comprised of more than 21,000 financial institution members from around the world that have issued over 640 million Visa payment cards, which are accepted at more than 14 million merchant locations and at over 400,000 automated teller machines worldwide. Visa - which provides transaction authorization, clearing and settlement, and risk management services to financial institution members - supports more than $1 trillion in Visa-related payment transactions annually throughout the world. At peak volume, Visa systems process over 2,400 card related transactions per second.
Visa supports the Department of Commerce’s efforts to negotiate with the European Commission appropriate safe harbor principles as a means of complying with the European Union’s Directive on Data Protection (the “Privacy Directive”). In particular, Visa strongly supports the statement in the Draft Safe Harbor Principles that an organization qualifies for the safe harbor if it is “subject to a statutory, regulatory, administrative, or other body of law that effectively protects personal information privacy.” It is critical that any agreed to safe harbor recognize that certain institutions, such as financial institutions, qualify for the safe harbor by virtue of their being subject to comprehensive federal and/or state statutory and regulatory requirements, supervision and examination, including with respect to their use of customer data.
Visa recommends that the Draft Safe Harbor Principles, or alternatively the Frequently Asked Questions document which we understand will supplement the Draft Safe Harbor Principles, clarify that “an organization subject to regulation and examination by a federal or state bank regulatory authority” is an example of an organization that is subject to a statutory, regulatory, administrative or other body of law that effectively protects personal information privacy. Indeed, we are aware of no other industry in the United States that is subject to a more comprehensive statutory and regulatory framework than the banking industry. We understand that the Department of Commerce has previously been provided an extensive analysis detailing this statutory and regulatory framework. Also, the language provided above (“an organization subject to regulation and examination by a federal or state bank regulatory authority”) is the appropriate way to describe the banking industry for these purposes. This language reflects the scope of certain of the relevant statutes governing the banking industry (see e.g., the federal Bank Service Corporation Act, 12 U.S.C. 1861 et seq.), and would cover Visa and its U.S. member financial institutions.
Visa appreciates this opportunity to comment on the Draft Safe
Harbor Principles. If you have any questions regarding this letter,
or if I can provide you with any other information to assist the Department
of Commerce in negotiations with the European Commission, please do not
hesitate to contact me, at (650) 432-3111.
Sincerely yours,
Russell Schrader
Senior Vice President
Visa U.S.A.
From: American Insurance Association (AIA)
November 19, 1998
Mr. Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th and Constitution Avenue, N.W.
Washington, DC 20230
Re: International “Safe Harbor” Privacy Principles
Dear Mr. Fredell:
These comments are submitted by the American Insurance Association (“AIA”) on behalf of its member companies1 as well as other constituent elements of the property/casualty insurance, life insurance, and property/casualty reinsurance sectors, including the American Council of Life Insurance, Reinsurance Association of America, Insurance Services Office, Inc., Alliance of American Insurers, The Council of Insurance Agents & Brokers, Independent Insurance Agents of America, International Insurance Council, National Association of Independent Insurers, National Association of Mutual Insurance Companies, and Professional Insurance Agents. These comments respond to the Department of Commerce’s November 4th memorandum and accompanying attachment discussing “safe harbor” privacy principles and the European Union Data Privacy Directive (“EU Directive”), and focus on the following points of clarification with respect to these principles:
First, it is our understanding that the safe harbor principles are not intended to elevate the privacy rights of those in European Union nations above the rights of those in the United States, and that the principles apply only to European Union data on European Union citizens flowing from the European Union into the United States. However, these points are not clearly stated either in the November 4th memorandum or in the safe harbor principles themselves. We would ask that the Department clarify that European Union citizens do not have heightened privacy rights as a result of the safe harbor principles, which apply only to the data described above.
Second, the preamble to the safe harbor principles notes that “an organization qualifies for the safe harbor if it is subject to a statutory, regulatory, administrative, or other body of law that effectively protects personal information privacy.” We are interpreting the preamble statement to provide a safe harbor for industries that are subject to privacy oversight created by statutory, regulatory, administrative, industry, or other standards in the United States.
Undoubtedly, the insurance sectors represented by these comments fall well within the confines of this safe harbor. These sectors are subject to a full panoply of common, state, and federal laws, as well as government-enforced industry practices that ensure that personal information is adequately protected from misuse by those within these sectors, and that individuals – whether they are citizens of the United States or any other nation – have the right to seek relief when misuse occurs. The multiple layers of insurance information privacy protection include: (a) National Association of Insurance Commissioners (“NAIC”) model insurance information and health information privacy model laws, (b) state insurance information privacy laws, (c) state laws governing the use of personal information in such areas as medical privacy, fair credit reporting, and motor vehicle records, (d) data integrity and information handling protocols outlined in individual state insurance codes, (e) the federal Fair Credit Reporting Act (“FCRA”), and (f) rights and remedies available under state common law. These standards governing the insurance industry’s handling of personal information have been detailed in prior submissions to the Department, and need not be repeated here. Indeed, we have attached a submission, previously sent to the Department and the European Commission staff, which outlines how privacy standards currently in place for the insurance industry track the elements of effective privacy self-regulation previously developed by the Department.
Our two major concerns are that the Department’s statement in the preamble (a) does not explicitly provide that industry practice recognized by state officials rises to the level of a privacy “body of law” and (b) that it is difficult to determine what is “effective” privacy protection. The first concern is primarily raised by intermediaries (agents and brokers) and property/casualty insurers who place and write workers’ compensation insurance pursuant to a mandatory state system. Some of the information handling practices used within the workers’ compensation insurance industry may not be explicitly set forth by statute, but are nonetheless recognized by state insurance regulators as a matter of industry or administrative practice. The Department’s discussion of safe harbor principles should recognize instances, like those in the workers’ compensation insurance industry, where industry or administrative practice rises to the level of effective privacy protection.
With regard to the second concern, we are unsure what is meant by a body of law “that effectively protects personal information privacy.” Because the safe harbor principles “are not intended to govern or affect U.S. privacy regimes,” we assume that the multiple layers of privacy protection applicable to the insurance industry qualify as effective privacy protection. However, it would be helpful for the Department to include either in the preamble or as part of the clarifying questions and answers concrete examples of industries that meet the effective protection standard.
Third, turning to the seven enumerated safe harbor principles, we are not sure what type of notice of insurance information practices rises to the level of “clear and conspicuous language that is readily understood and made available when individuals are first asked to provide personal information to the organization.” The insurance industry must follow notice requirements prescribed by FCRA, state fair credit reporting acts, and those jurisdictions that have codified a version of the NAIC insurance information privacy model. Because the safe harbor principles were not meant to supplant or alter applicable U.S. privacy requirements, we are concluding that adherence to existing legal requirements meets the terms of the “notice” principle. We are asking that the Department confirm that our conclusion is correct.
Fourth, we believe that the concept of consumer choice embodied in the “choice” and “onward transfer” principles1 should be qualified to note that “opt-in” or “opt-out” choice or authorization for access, use, and disclosure of