The Honorable David L. Aaron
Under Secretary for International Trade
International Trade Administration
U.S. Department of Commerce - Room 3850
14th Street and Constitution Ave., NW
Washington, DC 20230
Re: International Safe Harbor Privacy Principles and Related Documents
Dear Ambassador Aaron:
The Consumer Bankers Association (CBA), American Bankers Association (ABA) and Financial Services Roundtable (FSR) appreciate the opportunity to comment on the proposed International Safe Harbor Privacy Principles ("Safe Harbor Principles") and related documents, including the Safe Harbor Letter from Ambassador Aaron dated April 19, 1999 (the "Ambassador Aaron's Letter"), the Frequently Asked Questions (the "FAQs") and the Draft Paper on EU Procedures (the "Procedures Paper") (we refer to these documents collectively as the "Safe Harbor"). We are encouraged by the progress made by the Department of Commerce and are grateful that it has considered the concerns of the financial services industry in its negotiations with the European Commission.
Through the ongoing technological revolution, the U.S. has excelled in its ability to use and process information efficiently and effectively. As a result, we are world economic leaders in the new and evolving information economy. We remain concerned that the European Union's Directive on the Protection of Personal Data (the "Directive") and the proposed Safe Harbor may inadvertently result in undue restrictions on the use of information by U.S. companies. Any such restrictions could have a negative impact on the efficiency with which U.S. companies operate in the U.S.
The U.S. and European Union (E.U.), for cultural and other reasons, not only treat and use information differently, but also conduct business differently. Despite the fact that the Safe Harbor Principles are intended to apply only to information originating in European member states, there is reluctance in this country to adopt a safe harbor when the ultimate effect could be to dictate domestic policy and corporate practices for U.S. companies.
The U.S. banking industry is a heavily regulated industry with significant legal and regulatory controls that adequately protect personal data already in place. The European Commission repeatedly fails to acknowledge this fact and we hope to continue working with you to convey this message. No U.S. industry is as highly regulated as the financial services sector with such a high level of statutory privacy protections, regulatory oversight and case law. (1) In addition, our industry-wide self-regulatory efforts provide added protection and demonstrate the due care taken by the banking industry with respect to personal data. We strongly believe that our current framework, though somewhat different, protects consumers as effectively as the European regime. Further, because of their relationships with the organizations they supervise, U.S. regulators are often in a position to better deal with concerns than their European counterparts. As a result, we ask that you continue to advocate the automatic inclusion of the financial services industry in the Safe Harbor.
Moreover, Congress, the states and federal regulators continue to address privacy issues as they arise. For instance, last year Congress enacted legislation that makes it easier to prosecute identity theft and gives recourse to consumers victimized by that privacy crime. New issues may arise as the use of information evolves and U.S. lawmakers will continue to formulate appropriate responses when necessary. Thus, the Safe Harbor should provide opportunity for review and revision on a regular basis to conform to new developments.
The Safe Harbor Principles have improved in many respects and the FAQs are very helpful in many instances. In fact, we would urge that the FAQs be integrated into the Safe Harbor in a manner that permits organizations to rely on them with certainty. Anything less would greatly reduce the usefulness of the FAQs and the Safe Harbor itself.
Also, the banking industry supports the concept of self-certification as set forth in Ambassador Aaron's Letter. Any mechanism that might require an approval process would be overly burdensome and would give rise to numerous questions regarding the standards for admission into the Safe Harbor. Any such questions are appropriately left to the process set forth in the Procedures Paper.
Despite all of the improvements, our members are unsure about a number of provisions in the Safe Harbor. Financial institutions must still decide on an individual basis whether the Safe Harbor is their best alternative and the CBA, ABA and FSR do not, by submitting these comments, endorse the Safe Harbor at this time.
The transition period will be an important factor in the ability of financial institutions to comply with the Safe Harbor Principles. Drafting notices, altering business practices and implementing necessary systems changes cannot likely be accomplished within the proposed timeframe. We strongly urge you to seek a transition period of at least three years. The EU member states and European companies have had at least that long to comply.
Safe Harbor Principles
Introduction
The definition of personal data is extremely broad and extends to all data recorded about an individual that is identified or identifiable to that individual. In the Safe Harbor, the definition should be limited to exclude proprietary data such as internally generated data that is identifiable to an individual, as well as publicly available information and public record information. Also, purchased data should be exempt because the responsibility to protect that information will already lie with the party collecting the information.
The introduction discusses ways in which an organization may qualify for the Safe Harbor. In one instance, an organization can qualify for the Safe Harbor if it is subject to U.S. statutory or regulatory law "that also effectively protects personal data privacy." As a highly regulated industry, we believe the banking industry fits within the stated criteria. Banks are subject to an extensive body of law and regulation that, with examination and oversight mechanisms, "also effectively protects personal privacy." Though we understand the European Commission has not agreed to this, we appreciate the continuing efforts of the Department of Commerce in advocating our position.
If the Department of Commerce cannot guarantee that the banking industry automatically qualifies for the Safe Harbor as a highly regulated industry, retaining the word "effectively" would give rise to additional questions. Who will decide if a regulatory or other regime effectively protects personal data, and by what standard will that determination be made? Including the word "effectively" eliminates the certainty the Safe Harbor seeks to offer and we recommend that it be deleted or at least be changed to "specifically."
We believe companies should also qualify for the Safe Harbor by incorporating the relevant principles into contracts between the parties transferring personal data from the E.U. The footnote indicates that the Commission has not agreed to this sentence and will raise the issue with the Member States. The Directive already permits companies to enter agreements that ensure adequate protection of personal data and thus compliance with the Directive. We see no reason why an agreement among parties with respect to the Safe Harbor should not be deemed satisfactory.
The introduction states that organizations may participate in the Safe Harbor even if the principles are not adhered to with respect to manually processed data. Although the European Commission has not agreed to this, we urge that manually processed data remain exempt. It does not make sense to require information collected manually in the past and not used for anything, except that it is archived (often as required by law), to be subject to the Safe Harbor Principles.
International Safe Harbor Principles
1. Notice
The Notice section provides that an organization must give notice to individuals about the purposes for which it collects information about them. This language could be interpreted to require that notice be provided to individuals from whom an organization has not directly collected information. Thus, we recommend revising the first sentence to state, "An organization must inform individuals from whom it collects information directly about the purposes for which it collects information about them…."
Furthermore, we believe that personal data forwarded to third parties, such as agents, servicers or processors, is generally not incompatible with the purposes for which the information was collected. Nonetheless, it would be helpful to include an affirmative statement in the Safe Harbor that transfers to servicers, processors and agents in the course of normal operations are deemed compatible with the purposes for which the information was collected. This would help limit the need for additional disclosures when personal information is being used for routine operations that are outsourced.
2. Choice
This section requires that choice (the ability to opt-out) be offered to individuals before information can be shared with third parties when the sharing would extend beyond the purpose for which the data was originally collected or beyond any disclosed purpose. "Third party" is not defined and could restrict sharing with affiliates. More importantly, there is no distinction made between transaction and experience information versus other types of information. As a result, this section would completely overturn the balanced approach to this issue adopted by Congress in the Fair Credit Reporting Act (FCRA). We recognize the White House recently announced its intent to permit choice with respect to the sharing of transaction and experience information. At this point, however, that is merely a policy position and is not law. Thus, the Safe Harbor would essentially sanction the applicability of European laws to U.S. companies when U.S. law should prevail.
The ability to share transaction and experience information among affiliates is vital to numerous banking operations, including risk management and fraud control. In addition, transaction and experience information is used for relationship pricing, in which good customers receive preferential pricing, and to develop products and services that customers desire. Rather than permit sharing among affiliates for specific types of use, as the FAQs do for fraud and other purposes, it would be best to permit sharing of all transaction and experience information among affiliates.
We are concerned that opt-in choice will be required for customers that provide information regarding citizenship as "sensitive data." The U.S. Government contracts with financial institutions to provide financial services to U.S. military and government personnel and their families stationed in Europe. By contract, institutions may be required to provide such information. We want to ensure that the choice principle does not interfere with these relationships.
FAQs on Financial and Insurance Risk Management
The FAQs on Financial and Insurance Risk Management are particularly helpful. We fully support the view that sharing of information among affiliates should be permitted for a number of purposes. These purposes include all risk management purposes, including fraud, and extend to uses that permit responses to customer desires and better pricing. Furthermore, the FAQs accurately reflect that providing customers with complete control of information, specifically high-risk customers, could undermine profitability and the financial integrity of an organization, as well as the smooth functioning of credit markets.
3. Onward Transfer
This section could severely impact business operations and reaches far beyond regulating information practices. We strongly urge you to consider exempting from this section all of the following activities that may involve the use or transfer of personal data. These include, but are not limited to: (1) transfers of information to law enforcement authorities in the case of fraud or other violations of law; (2) transfers pursuant to legal process; (3) transfers of information to agents pursuant to confidentiality agreements, such as attorneys and accountants; (4) transfers of information to servicers, processors and vendors performing services for the financial institution in servicing or providing products to the customer or collecting accounts; (5) transfers of information in connection with business transactions or potential business transactions, subject to confidentiality agreements, such as account transfers; (6) transfers of information to governmental, regulatory or self-regulatory authorities having jurisdiction over the member for examination, compliance, investigation or other authorized purposes; (7) transfers of information to consumer reporting agencies; (8) transfers of credit information in the regular course of business between a financial institution and other financial institutions or commercial enterprises; and (9) transfers of customer information for analysis purposes.
Also, this section would only permit disclosure of "personal information to third parties consistent with the principles of notice and choice." It appears inconsistent with the Choice section, which limits the required opt-out to situations where disclosure of personal information to third parties is "incompatible with the purposes for which [the information] was originally collected or with any other purpose disclosed to the individual in a notice." To avoid confusion, we recommend inserting the "incompatible with" language from the Choice section into the Onward Transfer section.
Finally, this principle permits onward transfer when a use of information is compatible with the purpose for which it was collected if the organization ascertains that the third party subscribes to the safe harbor principles or enters an agreement with the third party requiring that they provide "at least the same level of privacy protection as is required by the relevant safe harbor principles." We support requiring that only the "relevant" principles be addressed in agreements with third parties. However, we would suggest substituting "comparable" or "similar" for "same level" of protection. This would continue to protect information transferred to third parties while allowing some variations and not requiring a strict determination that certain practices are the "same."
4. Security
The first sentence in this section states that organizations must take reasonable measures to ensure that personal information is reliable for its intended use. This requirement goes beyond what is generally characterized as "security" and sounds more like a data integrity requirement. Thus, we recommend deleting "reasonable measures to assure its reliability for its intended use and" from this section.
5. Data Integrity
This section only permits organizations to process personal information relevant to the purposes for which it has been gathered. This requirement appears beyond the scope of "data integrity." We recognize the Directive references data quality and relevancy as components of data integrity. However, we believe this principle should follow the notion of data integrity as it is understood in the U.S. and therefore recommend that it be deleted.
If the provision must remain, we would recommend that it be revised to read "…may only process personal information relevant to the disclosed purposes…." For conformity, the second sentence should be revised (substituting "When" for "To the extent") to read, "When necessary for those purposes, an organization should take reasonable steps to ensure that data is accurate, complete and current when used to make decisions specific to that individual."
6. Access
This section requires that individuals have "reasonable access to personal information about them that an organization holds" and that individuals "be able to correct or amend that information where it is inaccurate." The word "reasonable" is bracketed and we strongly urge that it be retained in the final text. The word "reasonable" has a clearly understood meaning within U.S. jurisprudence. If another European term is substituted, we recommend that the FAQs make it clear that it is intended to have the same meaning. Furthermore, the scope of permissible access is far too broad. Access should be limited to "identifiable personal information" that relates directly to that individual's transaction or is being used for decisions regarding applications for products or services. U.S. law provides customers with access to information in almost all necessary circumstances. To avoid overreaching current U.S. law, customers should be permitted access only to personal information collected directly from them by an organization, and not to proprietary information such as credit scores.
FAQs on Access
The FAQs on Access are for the most part very helpful. We support the ability to charge fees for access, as well as the ability to set limits on the frequency of permissible requests within a given timeframe. We agree that both mechanisms will help control repetitive, vexatious and excessive requests. In addition, we support preserving the language in the response to Question 1 that indicates that an organization's access obligation is not absolute. However, while we agree that the right of access may be important to privacy protection, we would argue that it is not "fundamental" to privacy protection and should not be expressed as such.
In the response to Question 1, it would be helpful to state that access is not required when, for instance, a business decision resulted in the mere offering of a product or service. We believe individuals receive adequate protection during the application process itself. If credit is denied, for instance, U.S. law provides those individuals with access so they may verify that the credit decision was made using accurate information. Not requiring access when products and services are offered would reduce the cost and burden of compliance with this principle.
Financial institutions take extraordinary measures to ensure financial information is secure and to prevent fraud. Providing access to certain information is inconsistent with security and fraud prevention policies and procedures. Thus, in the response to Question 5, we would recommend inserting "fraud" after "public security."
Businesses expend substantial resources generating proprietary information. Accordingly, we support the exception from the access requirement for "confidential commercial information." The exception is consistent with other protections afforded commercial information under U.S. laws, such as the federal rules of discovery. Thus, we would object to the Commission's proposal to narrow the exemption to "trade secrets" rather than "confidential commercial information."
Questions 7 and 8 provide exceptions from the access requirement for (1) public records and (2) publicly available information, respectively. However, for the exception to apply the information must be "kept separately from other information." It would present an undue burden on financial institutions and others to require that information be stored separately. Furthermore, where and how public record or publicly available information is stored should not be a factor in whether it is accessible. Therefore, we recommend deleting "kept separately from other information" in the responses to Questions 7 and 8. Also, the public records exception should apply to all public records and not just U.S. public records as suggested by the Commission in endnote 7.
7. Enforcement
The banking industry believes it meets the requirements of the enforcement principle by virtue of item two in the Note to this section. It states that an acceptable mechanism for complying with the requirements of the enforcement principle is "through compliance with legal or regulatory supervisory authorities." Financial institutions are closely examined on a regular basis by regulatory authorities and clearly fall into the above category. Thus, the statement is extremely helpful and should be preserved.
Furthermore, subsection (a) requires "independent" recourse mechanisms. The requirement that an independent mechanism be available forgoes the use of internal mechanisms that might be equally effective, such as internal corrective action. Thus, we recommend that "independent" be deleted.
We agree with the Commission's preference, as stated in endnote 7, to include the text in the Note as a continuation of the enforcement principle.
Draft Paper on EU Procedures
Ambassador Aaron's Letter states that Europeans will be expected to exhaust their options for recourse with the U.S. organization prior to bringing a claim under the Procedures Paper. However, no language to this effect appears in the Procedures Paper. It is essential that the requirement for European customers to exhaust their options for recourse with U.S. organizations first be clearly and explicitly stated as part of the Procedures Paper. The absence of explicit language would severely weaken the benefits for U.S. organizations of being in the Safe Harbor.
FAQs on Self-Certification
As mentioned above, the banking industry supports the concept of self-certification as set forth in Ambassador Aaron's Letter. The banking industry has not had sufficient time to respond fully to this FAQ, as well as the other FAQs issued on April 30, 1999. Our initial reaction is that we would recommend a simple self-certification process that could be satisfied through publication of notice, for example, on the institution's web site. If notification to the Department of Commerce is required, it should be only a simple statement that provides notice of the organization's election to use the Safe Harbor. The FAQ on Certification is too extensive and should reflect that the Department of Commerce is merely a registry for organizations that elect to opt-in to the Safe Harbor. The opt-in election should be purely procedural, with no requirement for the Department of Commerce to determine or monitor whether an organization is in compliance.
The response to the FAQ would require that organizations disclose certain information, including the identity of a third party that will investigate unresolved complaints. Financial institutions often resolve complaints internally, and it would be helpful to recognize this in the response to the FAQ.
If you have any questions, please contact Marcia Sullivan (703) 276-3873, John Byrne (202) 663-5029 or Jim Febeo (703) 276-3883.
Thank you again for the opportunity to provide comments.
Sincerely,
CONSUMER BANKERS ASSOCIATION
AMERICAN BANKERS ASSOCIATION
THE FINANCIAL SERVICES ROUNDTABLE
cc: Barbara Wellbery
Eric Fredell
1. See, e.g., Fair Credit Reporting Act of 1970, 15 U.S.C. § 1681; Right to Financial Privacy Act of 1978, 12 U.S.C. § 3401; Electronic Communications Privacy Act of 1986, 18 U.S.C. § 2510; Fair Credit Billing Act, 15 U.S.C. § 1666. In addition, bank examiners frequently review banking practices for compliance and safety and soundness, which include privacy and security of customer information.