Electronic Commerce Task Force
U.S. Department of Commerce
Room 2009
14th and Constitution, N.W.
Washington, DC 20230

April 4, 2000
Dear Ambassador Aaron:
The U.S. Direct Marketing Association submits the following comments with respect to the International Safe Harbor Privacy Principles and their accompanying FAQ's issued under cover of your letter dated March 17, 2000. On behalf of the industry, we wish to express the following concerns.
1. Title of the Principles. Direct marketing, and indeed, all industries, are becoming increasingly global, and undertaking ever-larger transborder flows of data. Therefore, we are concerned that the title of these principles may suggest that this set of principles and the FAQ's set forth the U.S. Government's views regarding what steps U.S. companies should undertake to import data from anywhere in the world. Equally troubling are the implications of the role the Department of Commerce and the Federal Trade Commission are prepared to take with respect to such data flows from anywhere in the world.
Moreover, given the international prestige of the U.S. Government, and the Department of Commerce, these may be misinterpreted by some countries to suggest that U.S. companies are expected to abide by these principles in all instances. They may go even further and conclude that it is now incumbent upon them to adopt legislation similar to the European Data Protection Directive. U.S. business does not believe the U.S. Government should be directly or indirectly encouraging this development.
We would urge that the title be reformulated to reflect that these principles were a joint product of discussion and agreement between the United States Government and the European Commission, that they are intended to apply to Europe-to-US data flows only, and thus are in no wider sense to be deemed "international." We would also urge that it be clearly reflected that these are based on the OECD Principles agreed to in 1980, with any variations therefrom having been made to accommodate the European implementation thereof.
2. "The principles are not a substitute for the national provisions implementing the Directive in situations where those national provisions apply." This sentence at the end of the second full paragraph implicitly makes uniform acceptance of the Safe Harbor principles throughout Europe impossible, and throws companies back on a country-by-country analysis and solution-finding exercise. The elimination of this latter burden was one of the primary ends for creating the Safe Harbor. In fact, this burden is becoming increasingly significant due to the wide disparities and frequent inconsistencies in implementation of the Directive which business is experiencing.
If, as we suspect, the intention was to assert the unarguable proposition that national provisions always apply with respect to data processing (including data collecting) within the boundaries of a Member State, we would recommend that this be restated as follows: "The principles are not intended to displace the individual laws implementing the Directive with respect to data collection and processing activities conducted within the territory of a Member State, except so far as they are intended to displace or supersede provisions relating to controls on exports of data from a Member State to countries outside the European Union."
If a larger exception than this was intended by this language, we would observe that it is clear that domestic laws within the European Union Member States apply to activities within their boundaries unless these laws are overridden by an official Act provided for in the Treaties establishing the European Union. Either the Commission and the Member States' approval of the Safe Harbor principles will accomplish this in large part, or it will not. If it will not, it is doubtful that the Safe Harbor will accomplish its intended objects.
If Member States feel it necessary to indicate that additional provisions of their laws (in addition to their control of domestic activities) will not be displaced, we urge that these be reflected in the documentation of the Safe Harbor in order to effectively put U.S. companies on notice.
Given the extraordinary efforts to which the Department of Commerce has gone to inform your European counterparts about our system of privacy protection and self-regulation in order to create the Safe Harbor, it would seem to be a matter of comity for your European counterparts to inform you what will, nevertheless, not be within the Safe Harbor. A broadly-phrased exception of this nature is not acceptable and we hope our suggested revision accurately reflects the intentions of the parties.
3. New footnote 1 to Notice. This is a laudable addition. We would recommend also that it be made clear that European Data Controllers may transfer data to their U.S. agents who qualify to receive data by one of the methods specified in the Onward Transfer Principle (Safe Harbor participation, being subject to the Directive, adequacy finding, or contract) without being required to give notice of this. The language here suggests the Onward Transfer Principle for agents only applies after the data has been transmitted out of Europe.
The additional language we would suggest is to add a third sentence to the footnote as follows: "The foregoing may also apply to a Data Controller within the European Community who is disclosing data to its agent in the US for processing solely as a data processor on behalf of the European Data Controller."
We are finding that some legal practitioners in Europe, notably in the UK, are advising that there is an absolute prohibition on data transfers to the US without prior notice and consent of data subjects, even to agents as described here, notwithstanding the standstill agreement and the advice of the Data Protection Commissioner of the UK to the contrary. Also troubling are the positions of some Data Protection Authorities that notice of possible transfer outside Europe, even for mere processing, must be given on first collection of data in Europe. Clarification as suggested would provide European Data Controllers with continued choice of and access to the world-class and state-of-the-art processing offered by US data processing companies without imposing notice obligations as to this element on these Controllers.
Correspondingly, given that the European side has agreed in the Onward Transfer Principle that adequate protection in the hands of the third party agent can be provided by a written agreement, we feel it appropriate that the European side come forward with an approved contract form for that purpose which would cover the European Controller to U.S. processing agent situation. This would assure uniformity of treatment throughout the EC and relieve business of the enormous confusion and expense of contract drafting to which they are now being subjected.
4. Choice. "In any case, an organization should treat as sensitive any information received from a third party where the third party identifies it as sensitive." This new sentence, while well-intentioned, risks confusing the reader and complicating implementation of appropriate levels of treatment of data. The term "sensitive" under the European Data Protection Directive is a term of legal art and refers to specific categories of data. The treatment of "sensitive" data by US and European data-holders is of a different nature and degree. Imposing requirements on US data-holders to provide that mandated protection for data not categorically defined in Europe as "sensitive," but perhaps arbitrarily labeled as such by some third party, risks imposing burdens on US data-holders to which their European competitors are not subject. We would recommend the use of the term "confidential" or its equivalent, or clarification that "sensitive" is used here in the Directive's sense.
5. FAQ 5 and FAQ 6. Interplay of self-certification and election of the "enforcement role" of the Data Protection Authorities (DPAs). While there is a reference in FAQ 5 to an organization's commitment to cooperate with the DPA's with respect to two aspects of the Enforcement Principle, there is no indication in FAQ 5 as to how or where this should be indicated in the self-certification letter. An analysis of FAQ 5 suggests that such commitment would be expressed in response to item 3.g in the certification. A footnote to this item in FAQ 6 (or in FAQ 5) would be desirable to avoid confusion.
6. FAQ 6 and Principles introduction paragraph 4. The FAQ and the Introductory paragraph 4 create confusion. The introductory paragraph 4 limits self-certification availability to companies that are subject to a "statutory, regulatory, administrative, or other body of law… that effectively protects personal privacy…" This would appear to effectively eliminate vast portions of the direct marketing industry outside the medical and financial sectors.
On the other hand, FAQ 6 on Self-Certification, at 3.d, merely requests specification of the "specific statutory body that has jurisdiction to hear any claims against the organization regarding possible unfair or deceptive practices and violations of laws or regulations governing privacy." This arguably describes nearly every State Attorney General, and thus would make self-certification available for other "unregulated sectors." Clarification of intention is desirable here.
7. FAQ 7. The burden of articulating and implementing a privacy policy and program of the scope described here for the self-assessment approach, the course which many companies in the direct marketing industry will have to take, will be expensive and time-consuming. Moreover, few companies in Europe have taken any of the steps outlined here. This argues, then, for a phase-in period equal to that which authorities in Europe are providing their companies. This phase-in has been most clearly articulated by the UK, and is lengthy. U.S. companies should be provided parity with their European competitors.
8. FAQ 10. We are not sure the assertion in the last sentence of this FAQ stating that prior authorization is required for contracts with recipients not participating in the safe harbor is legally accurate. In our experience, neither the UK, France nor Germany require prior authorization of contracts for "mere processing," and in fact the UK Data Commissioner's published guidance on the subject puts the burden of providing adequacy through contract on the data controller.
9. FAQ 12. This FAQ for safe harbor organizations engaged in direct marketing imposes upon them an obligation to advise recipients that they can register with the DMA's Mail Preference Service (MPS). This is not an obligation which we impose on our members, who are obligated to give notice and choice only with respect to their own marketing activities, and who are also obligated to use the MPS list. Moreover, no similar obligation (to advise of the local MPS system) exists in any European country. This obligation would thus go beyond what is required even of European marketers.
Moreover, the DMA's Mail Preference Service is a US-address formatted system and is not accurate for foreign addresses. Such notices then would create expectations among consumers which we are not able to fulfill. The US DMA makes available for use in the U.S. those MPS files it is able to obtain from Europe. We also recommend to our members who market into Europe that best practice would be to employ these lists. In addition, we are recommending that companies renting lists from Europe obtain a warranty from the list owner that the list as delivered will have been cleaned against the most current list in that country, where European consumers will normally expect to be able to register. We recommend deleting "…that option should be identified in the organization's notice to the individual in cases where it is available."
10. Draft Commission Decision. The Decision makes no reference to the proposed committee of Data Protection Authorities, and their availability for a company to satisfy points (a) and (c) of the Enforcement Principle. This would be a desirable change to assure the legal validity of their actions.
Mr. Ambassador, we are grateful for your and your colleagues' efforts on behalf of U.S. businesses and institutions.
Very truly yours,
Charles A. Prescott
Vice President, International Business Development and Government Affairs
Direct Marketing Association