April 5, 2000


Ms. Becky Richards

Electronic Commerce Task Force

International Trade Administration

Department of Commerce

Room 2009

14th and Constitution Avenue, N.W.

Washington, DC 20230

Re: International "Safe Harbor" Privacy Principles - March 17, 2000 Revisions

Dear Ms. Richards:

These comments are submitted by the American Insurance Association ("AIA") on behalf of its member companies(1) as well as other constituent elements of the property/casualty insurance, life insurance, and property/casualty reinsurance sectors. These comments respond to the Department of Commerce's ("DOC" or "Department") March 17, 2000 revised international "safe harbor" privacy principles ("safe harbor principles" or "principles") and the accompanying frequently asked questions ("FAQs"). We have filed comments with the Department on several prior occasions and, to the extent those comments are still applicable, they are incorporated herein.

As we understand the safe harbor principles, they are designed as one voluntary avenue of meeting the European Union Data Privacy Directive ("EU Directive" or "Directive") Article 25 adequacy standard applicable to certain third country personal information handling practices. While we note that the financial services sector has been set aside from the safe harbor discussions temporarily, we believe that the following issues deserve attention.

A. Federal Financial Services Modernization Legislation

Despite the temporary exclusion of financial services from the tentative safe harbor agreement, we hope that the Department will continue, in a measured way, to pursue a determination that the Gramm-Leach-Bliley Act of 1999 ("GLBA") constitutes adequate privacy protection under the Directive (and, by extension, under the safe harbor principles).

The financial privacy provisions of the new federal law were the subject of intense, prolonged negotiations among the Clinton Administration, the financial services industry, Congress, and others. It is safe to say that the law attempts to strike a balance between the informational needs of the financial services sector and the privacy concerns of financial services customers.

An adequacy determination with respect to the GLBA will benefit the financial services community (including consumers of financial services). We understand the need for EU representatives to delay their determination until the implementing regulations have been finalized. We are confident that an adequacy determination will be forthcoming, but trust that the Department, in concert with appropriate financial services regulators, has received some indication from EU representatives that the EU will not reject, as "inadequate," the broad privacy protections provided by the GLBA. Should the EU declare the GLBA inadequate, the detrimental impact on international trade and the commercial flow of data between the EU and the United States could be enormous. Further, a finding that the GLBA is "inadequate" under the Directive could complicate the regulatory process with respect to this issue in the United States and would undermine this landmark legislation. The safe harbor principles should not advance any concept that upsets the legislative balance or the regulatory process envisioned by the GLBA.

Because the preamble to the safe harbor principles still states that an organization qualifies for the safe harbor if it is "subject to a statutory, regulatory, administrative, or other body of law (or of rules) . . . that effectively protects personal privacy," enactment of the new federal law and promulgation of implementing regulations add even more substance to the creation of a safe harbor for those in the insurance industry who are governed by United States privacy oversight set forth in statute, regulation, administrative practice, and industry standard.

B. Inclusion of a "Risk Management" Exception

On a parallel track, we would encourage DOC and others involved in the safe harbor negotiations to continue to seek a separate exception for information sharing for risk management purposes. As we have explained to DOC and others on prior occasions, "risk management" activities serve an important public interest function within the insurance industry and - whether covered in the safe harbor preamble or by a separate FAQ - dovetail with present exceptions currently recognized under Article 26 of the EU Directive. However, whether or not "risk management" information sharing activities specifically fall under one of the Article 26 exceptions, the safe harbor would be clarified if risk management were specifically referenced. We urge DOC to include a reference to a risk management exception in the preamble to the safe harbor principles or, alternatively, to propose a risk management FAQ that would clarify the scope of the public interest exception to include such activities.

C. Specific Comments on the Safe Harbor Revisions

Turning to the actual revisions to the safe harbor principles and FAQs, we again note that some of our concerns have been addressed while others persist.

1. Safe Harbor Preamble

In the preamble, language has been added which states that:

"Adherence to these principles may be limited: (a) to the extent necessary to meet national security, public interest, or law enforcement requirements; (b) by statute, government regulation, or case law, that create conflicting obligations or explicit authorizations, provided that, in exercising any such authorization, an organization can demonstrate that its non-compliance with the principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorization; or (c) if the effect of the Directive or Member State law is to allow exceptions or derogations provided such exceptions or derogations are applied in comparable contexts. Consistent with the goal of enhancing privacy protection, organizations should strive to implement these principles fully and transparently." (Emphasis added to highlight revisions)

Taking each of the revisions in turn, the first change seems to unnecessarily restrict the ability to rely on available law to share personal information. For example, in the workers' compensation industry, information may need to be shared with or collected from third parties (i.e., medical providers), but there is not necessarily a "conflicting obligation" or "explicit authorization" in the workers' compensation statutory scheme that would limit application of the safe harbor principles. As a matter of administrative practice, information sharing is simply deemed necessary in order to ensure that the obligations of all parties are carried out in furtherance of the statutory scheme. To avoid confusion, we would suggest the language be revised to limit application of the safe harbor principles where statute, government regulation, or case law creates "different obligations or authorizations." We would not support the conditional language that follows because it is an attempt to force persons and entities to justify a particular exchange of information authorized by law. Such a requirement would be unduly burdensome for commerce. For example, how would an organization "demonstrate" that its non-compliance is narrowly tailored to meet applicable legal requirements? To whom would the organization make such a justification? While not intended, such conditional language anticipates either an additional privacy bureaucracy or a proliferation of privacy lawsuits. Neither scenario would be desirable or efficient.

The second revision - conditioning exceptions in the Directive on their application "in comparable contexts" - seems to be relatively benign. We understand this revision to mean that exceptions or derogations contained in the Directive are not "expanded" because of their incorporation into the safe harbor preamble. If our understanding is mistaken, please let us know immediately.

2. Notice Principle

We note that certain language has been deleted which would have required notice only where "the organization is using or disclosing [information] for a purpose other than that for which it was originally collected or for a purpose which it was processed by the transferring organization." We have no inherent problem with this language change, as long as it is consistent with, and does not impose broader obligations than, the GLBA, and the revisions to the notice principle do not expand an organization's obligations under the "choice" or "onward transfer" principles.

3. Choice Principle -- Changes to "Sensitive" Information

With respect to "opt in" choice for sensitive information, we are adamantly opposed to the expansion of this principle to require "opt-in" choice "if the information is to be disclosed to a third party . . . ." A blanket requirement of this type could disrupt legitimate data flows for many businesses. By limiting the "exceptions" to a subset of those in the EU Directive, the "sensitive data" FAQ does little to assuage our legitimate fears. We believe, instead, that the FAQ must be broadened to include all of the exceptions recognized by the EU Directive. This is consistent with the preamble to the safe harbor principles, which recognizes limitations on those principles "if the effect of the Directive or Member State law is to allow exceptions or derogations." Among other relevant exceptions, the Directive (i.e., Article 26) permits derogation from the Article 25 "adequacy" standard where (a) "the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject's request;" (b) "the transfer is necessary for the conclusion or for the performance of a contract concluded in the interest of the data subject between the controller and a third party;" or (c) "the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise, or defence of legal claims."

Because insurance involves a contractual arrangement between policyholder and insurer, which may or may not include benefits potentially available to a third party claimant, all of these exceptions apply to the information handling practices of the insurance industry. This assertion is especially true where personal information is necessary to carry out the terms of the insurance contract, to resolve a claim arising out of that contract, for the detection and prevention of fraud, and in the renewal process. Using workers' compensation insurance again as an example, workers' compensation insurers are permitted, without prior authorization from the employee-claimant, to gather personal information about the injured employee and to forward that information to others as permitted by the applicable state workers' compensation system. In this situation, the workers' compensation insurer is accessing personal information to further the performance of a contract between the insurer and the claimant's employer and the information is being transferred to satisfy a legal claim. The EU Directive itself states that exceptions are appropriate "where the transfer is necessary in relation to a contract or a legal claim." As a result, we would urge the Department to eliminate the "third party" language from the sensitive information paragraph of the choice principle and add a reference in the sensitive data FAQ which cross-references the relevant preamble language. The changes advocated here are critical, as the issue of "opt-in" choice has the potential to derail current good faith legislative and regulatory efforts in the medical privacy arena.

4. Onward Transfer Principle

The onward transfer principle allows disclosure to third parties "consistent with the principles of notice and choice." However, where information is transferred absent "opt in" or "opt out" choice, the revised principle seems to impose responsibility on the disclosing entity unless that entity (1) "ascertains" that the third party subscribes to the safe harbor principles or is subject to the Directive or another adequacy finding, or (2) enters into a written agreement with the third party to provide equivalent privacy protection. The revisions have failed to cure the most obvious problem with this principle: under current U.S. law, an entity to which personal information is disclosed may not be responsible for the information handling practices of those to which it discloses personal information in order to carry out a business function.

Simply put, the most that can be done is to hold a third party responsible for its own information handling practices under applicable laws governing or related to insurance information privacy. As we have stated many times, the insurance industry is heavily regulated for privacy purposes and we are confident that state insurance regulators have the enforcement authority and willingness to address and resolve individual consumer privacy complaints, and to discourage abusive information handling practices by those associated with the business of insurance. To this end, we would respectfully ask the Department to clarify that the onward transfer principle does not impose an affirmative duty on any entity or individual in the insurance industry to stand behind the information handling practices of others. Without such assurances, it is doubtful that any company would take advantage of the safe harbor principles.

5. Access Principle

We have reviewed the access principle and note that it continues to omit any references to the "reasonableness" of the access. While we find these continued omissions unfortunate, our concerns might be resolved by clarifying the access FAQ. Under the FAQ ("Is the right of access absolute?"), the following paragraph appears:

"Expense and burden are important factors and should be taken into account but they are not controlling in determining whether providing access is reasonable. For example, if the information is used for decisions that will significantly affect the individual (e.g., the denial or grant of important benefits, such as insurance, a mortgage, or a job), then . . . the organization would have to disclose that information even if it is relatively difficult or expensive to provide."

Access FAQ at 1 (March 17, 2000 Draft) (emphasis added). While the FAQ later describes some exceptions to an individual's access rights, this does not diminish the reality that individuals are not always entitled to access information where insurance is involved. For example, current U.S. law provides a prohibition on access in connection with insurance claims or civil or criminal cases. We would respectfully ask that the Department modify this FAQ to permit U.S. standards to continue to govern reasonable rights of access. Such clarification might be accomplished by changing the referenced FAQ language to read as follows: "Expense and burden are important factors and should be taken into account but they are not controlling in determining whether providing access is reasonable, especially where the information is used for decisions that will significantly affect the individual. Rights of access, of course, are tempered by exceptions, some of which are discussed later in this FAQ." Alternatively, the word "reasonable" could be re-inserted in the access principle before the word "access."

CONCLUSION

We believe that our concerns and corresponding requests for clarification restate what has been the Department's consistent position: that industries already well-regulated by U.S. privacy standards can continue to adhere to those standards without fear of running afoul of the EU Directive, and that the principles are flexible enough to strike an appropriate balance between the privacy concerns of individuals and the legitimate informational needs of business. We would hate to see these objectives obscured by a few instances of vague language. We appreciate the opportunity to submit comments on this important public and business issue, and we look forward to resolving our concerns in a productive way that will ensure the success and utility of the safe harbor principles.

Respectfully submitted,

J. Stephen Zielezienski
Senior Counsel
American Insurance Association

On behalf of

American Insurance Association
1130 Connecticut Ave., N.W.
Suite 1000
Washington, DC 20036

American Council of Life Insurance
1001 Pennsylvania Ave., N.W.
Washington, DC 20004-2599

Reinsurance Association of America
1301 Pennsylvania Ave., N.W.
Washington, DC 20004

Alliance of American Insurers
1211 Connecticut Ave., N.W.
Washington, DC 20036

The Council of Insurance Agents & Brokers
701 Pennsylvania Ave., N.W., Suite 750
Washington, DC 20004

National Ass'n of Mutual Insurance Companies
122 C Street, N.W.
Suite 540
Washington, DC 20001

Insurance Services Office, Inc.
1825 K Street, N.W.
Washington, DC 20006-1202

(1) AIA is a trade association that represents more than 300 of the Nation's most prominent property/casualty insurers.