April 6, 2000
 
 
 

Mr. Robert LaRussa

Acting Undersecretary for International Trade

United States Department of Commerce

14th Street & Constitution Avenue, Northwest, Room 3850

Washington D.C. 20230
 

Re: Provisional "Safe Harbor" Agreement
 

Dear Mr. LaRussa:
 

The Coalition of Service Industries (CSI) appreciates the Department's achievement in reaching a Safe Harbor agreement with the European Commission. It is our hope that this agreement will, for firms that elect to certify under the Safe Harbor arrangement, provide assurance of uninterrupted flows of data necessary to the business operations of global companies. Below we will address issues of concern about several provisions of the agreement that cut across all business sectors, and to several of the FAQ's, and will conclude with observations about the determination of the adequacy of the financial services sector.
 

We appreciate the Department's effort to ensure a secure transition period through the standstill, which will hold until the mid-2001 implementation review. Half of the EU Member States have not yet enacted their own national laws implementing the Directive, but are expected to do so in the course of the next year. Member State data protection authorities will be issuing new rules and interpretive guidelines which multinationals and others doing business in Europe must take into account when designing disclosure statements, contracts, databases, training materials, and information systems. The negotiated standstill will provide a stable environment while privacy rulemaking in Europe reaches a more mature stage, and during which US firms may move into the Safe Harbor.
 

We have the following comments on revisions to FAQ's 5, 6, 7, and 8.
 

With regard to FAQ 5, enforcement of the Safe Harbor, we appreciate that it allows US firms to elect to cooperate with data protection authorities as a means of enforcement, and we hope that this provision is included in the final package. However, we strongly believe that the language in paragraph 3 should be modified to provide that data protection authorities must furnish a "reasoned opinion" in concluding that an organization is not in compliance with the Safe Harbor principles. In that event, an organization should be able to raise with the Department and the Commission questions as to whether the data protection authorities have correctly interpreted the Safe Harbor principles and the FAQ's. In addition, the 25 day limit for compliance fails to recognize the practical realities under which organizations operate. Time frames for implementing the "reasoned opinions" of data protection authorities should be determined on a case-by-case basis with due regard to the operational and financial resources required.
 

With regard to FAQ 6, new language has been added which fails to recognize data transfers possible under Article 26 derogations and sectoral adequacy determinations. The FAQ states that "An organization does not need to subject all personal information to the Safe Harbor principles, but it must subject to the Safe Harbor principles all personal data received from the EU after it joins the Safe Harbor." Just as an EU firm may transfer data under Article 26 and within the scope of a sectoral adequacy determination, so should a US firm be able to do so, while adhering to Safe Harbor principles in the transfer of data not covered by Article 26 or an adequacy determination. We suggest that this inconsistency be corrected by the addition to the previously quoted sentence of the following language: "except to the extent that personal data received from the EU are transferred under an Article 26 derogation or by an Article 25 adequacy determination."
 

With regard to FAQ 7, we value the flexibility it provides to allow self assessment as well as outside compliance reviews to verify a firm's commitment to the Safe Harbor, and urge you to ensure that it be included in the final package.
 

With regard to FAQ 8, we believe that it would benefit from revisions clarifying the extent to which information "used" for decisions about individuals is required to be disclosed. Specifically, we suggest that in the 2nd sentence of the 3rd paragraph and in the 1st sentence of the 4th paragraph under Question 1, the word "used" be replaced with "a material basis." The revised sentences would read respectively:
 

(3rd paragraph, 2nd sentence) "For example, if the information is a material basis for decisions that will significantly affect the individual…"
 

(4th paragraph, 1st sentence) "If the information requested is not sensitive or not a material basis for decisions that will significantly affect the individual…"
 

This change will clarify that information that is a material or significant factor in reaching the decision should be disclosed, but that information that is not material or is de minimis does not rise to the level that disclosure should be required.
 

With regard to financial services, the decision to pause in the negotiations relating to a determination of adequacy for the financial services sector is useful. However, this decision puts a premium on maintaining the standstill on actions by data protection authorities. The pause will permit the Commission and data protection authorities to digest and understand the scope and effect of the Financial Modernization Act and the Fair Credit Reporting Act. When negotiations recommence, we recommend that a lead role be given to the Treasury, and that other relevant US regulatory authorities, including the National Association of Insurance Commissioners (NAIC), be present and be heard on regulatory issues.
 

As we have stated previously, with the passage of the Financial Modernization Act, we believe the EU should find adequate under the Directive the substantial and enforceable mandated privacy protections for personal data now contained in US law applicable to the financial services industry. Prolonged uncertainty about treatment of data flows between the EU and the US will not serve the interests of individuals or business in either market. The need of firms in the industry in the EU and the US to transfer critical information across borders in the daily course of business must not be jeopardized.
 

Thank you for the opportunity to present our views. We look forward to working closely with you.
 

Sincerely,
 
 
 
 
 
 
 

Robert Vastine

President
 
 
 
 
 
 
 

Cc: Ms. Meg Lundsager

US Department of Treasury.