December 3, 1999 (received December 7, 1999)
 

Ambassador David L. Aaron
Undersecretary for International Trade
United States Department of Commerce
14th Street & Constitution Avenue, Northwest, Room 350
Washington D.C. 20230

Re: Proposed US-EU Data Privacy "Safe Harbor"

Dear Ambassador Aaron:

This letter responds to your request for comments on the November 15, 1999 draft "International Safe Harbor Privacy Principles" and associated FAQs. We appreciate the opportunity to respond to your request.

Given the work that has gone before and the short time remaining before the next US-EU summit in December, we are limiting our comments here to three open issues that need to be resolved with the EU and that are particularly important to our members: (1) the transition period, (2) the treatment of the financial services industries following the enactment of the federal Financial Services Modernization Act, and (3) the option of satisfying the Safe Harbor enforcement principle by committing to cooperate with the European data protection authorities (DPAs) themselves. As our members examine the Safe Harbor documents in greater detail, including those that have not yet been posted publicly, we may pass along additional comments. However, we thought you would find it helpful to have reactions now on these three important points, which are to some extent interrelated.

Transition Period

We understand that the Department of Commerce and the European Commission recognize that there must be a transition period for companies to determine if they will certify under the Safe Harbor and then to implement the necessary changes. We ask that this transition period be at least 18 months. Where changes may be required in corporate information technology systems and networks, as well as in contracts, operations, publications, and training, 18 months is barely adequate for planning and full implementation. In addition, to the extent that companies are to look to independent self-regulatory bodies to satisfy the enforcement principle of the Safe Harbor, they must have sufficient time to work together to establish such bodies and make them effective.

Two other considerations argue for a transition period of at least 18 months: the timing of new privacy rules in Europe and rulemaking under the new Financial Services Modernization Act in the US. Half of the EU Member States have not yet enacted their own national laws implementing the Directive, but are expected to do so in the course of the next year. In all of the EU countries, data protection authorities will be issuing new rules and interpretive guidelines, which multinationals and others doing business in Europe must take into account when designing disclosure statements, contracts, databases, training materials, and enterprise information systems. At the same time, the US financial services industry in particular will be participating in the development of privacy regulations and examination guidelines under Title V of the Financial Services Modernization Act and the Fair Credit Reporting Act. The federal banking and securities regulators, and the state insurance departments, have six months to promulgate those rules, which are not to take effect until at least six months thereafter. Thus, a year from now (possibly somewhat later) a whole new legal regime for privacy protection in the financial services industry will just be coming into force.

The reality is that our member companies will be engaged in helping to fashion, and then comply with, the new privacy rules in Europe and in the US over the next couple of years. They want to avoid making incomplete policies or inconsistent commitments. They will be understandably reluctant to commit themselves early to the Safe Harbor and to make final decisions with legal consequences before the privacy rulemaking in Europe and in the US reaches a more mature stage. Thus, while many or most companies would prefer to operate with the predictability and uniformity promised by the Safe Harbor, they cannot be expected to commit to the Safe Harbor until they have examined their own plans and operations and allowed regulatory issues to be settled, on both sides of the Atlantic. A short transition time would probably mean that many companies would just say no, at least at the outset, and continue to deal with their trans-Atlantic data transfers individually. Thus, in light of the systems upgrades required to comply with the Gramm-Leach-Bliley Act of 1999, on top of year 2000 compliance requirements and decimalization in the securities industry, a transition period of 18 months is essential.

Substantial resources, public and private, have been invested in the effort to reach the Safe Harbor understanding. An adequate transition period will help to ensure that many American companies participate and make the program a success.

Financial Services

The American financial services industry, already one of the most heavily regulated and publicly visible business sectors, is now subject to additional comprehensive federal privacy regulation under Title V of the new Financial Services Modernization Act. The Act imposes affirmative privacy and security obligations on financial services institutions, requires disclosures and choices with respect to the sharing or reuse of customer information, and directs the federal and state regulatory bodies to adopt regulations and examination guidelines to assure compliance with the new law and with the Fair Credit Reporting Act. Financial services companies will be required to publicize their privacy policies and update or restate them at least annually, subjecting them as well to potential civil liability if they do not live up to their commitments. One emerging view is that the Act does not preempt more restrictive state laws and regulations, and recent lawsuits in Minnesota and California, based on both statutory and common law grounds, demonstrate that there are indeed already means of challenging the information practices of financial institutions in the states. Certainly, federal and state financial services regulators, with their new statutory privacy mandate, can serve as the independent enforcement bodies for those financial services companies that choose to certify under the Safe Harbor.

Article 25 of the EU Directive calls for "adequate" protection, and the Financial Services Modernization Act, added to the existing federal and state legislative framework, establishes a high and enforceable standard for notice, choice, access, and security of consumer information. This comprehensive legislative framework achieves adequacy as provided by the Data Protection Directive in protecting customer information covered by Title V of the Financial Services Modernization Act and the FCRA.

On the question of the necessity of an FAQ on risk management, we agree that an exception for information sharing for "risk management" purposes need not be explicitly referenced in a separate FAQ. "Risk management" exceptions are adequately explained in the new federal financial services modernization law, as well as in the derogations recognized by the EU Directive and in existing US privacy laws, regulations, and standards.

FAQ 4 (Investment Banking, Audits and Headhunters) and FAQ 8 (Access) need further clarification. Does the term "headhunter" as used in FAQ 4 include internal headhunters? Does the FAQ 8 "succession planning" exclusion apply to confidential employment references, assessments, and peer ranking information derived from employee data?

Cooperation with European DPAs

The EU has suggested that enforcement should be in the United States with regard to all processing here, and that enforcement requires an independent, responsive, and effective third party, whether public or private. We firmly support the Commerce Department in insisting that companies should also have the option of making a commitment instead to cooperate with the DPAs themselves to enforce the Safe Harbor principles.

With regard to consumers, some companies have well-established European customer service functions, mediation programs, and consultations with local consumer or data protection authorities. They should have the option of certifying compliance with the Safe Harbor principles and agreeing to cooperate with their European affiliates in responding to the local authorities, rather than referring privacy matters to an independent body in the US.

Some of the Member States have reportedly objected that the DPAs do not want to be troubled with handling investigations of practices in the United States. This is, however, what they may find themselves doing in any event if companies are not able to use Safe Harbor and must rely instead on one or more of the derogations under Article 26. Having a Safe Harbor cooperation commitment from the US entity means that the DPAs can direct their questions and instructions to the local company in Europe, and can ultimately restrict information sharing with a US parent or affiliate that does not abide by its cooperation commitment.

The cooperation commitment is a workable approach to enforcement that can be used to support US regulatory and self-regulatory coverage. It also gives companies the alternative of responding locally rather than in the US, in cases where that makes the most sense given the structure of their relationships with employees, customers, and regulators in Europe. One size does not fit all when it comes to finding appropriate enforcement vehicles, and the Commerce Department is right to ask for this option of a cooperation commitment.

Thank you for the opportunity to present our views on these highly important matters.
 

Sincerely,

Robert Vastine
President