Quintiles is pleased to submit comments in response to the Draft International Safe Harbor Privacy Principles issued on March 17, 2000 by the United States Department of Commerce

April 5, 2000

The Department of Commerce
International Trade Administration
Washington, DC. 20230

RE: Draft International Safe Harbor Privacy Principles (March 17, 2000 Draft)

COMMENTS OF QUINTILES TRANSNATIONAL CORP.

Quintiles Transnational Corp. is pleased to submit comments in response to the Draft International Safe Harbor Privacy Principles issued on March 17, 2000 by the United States Department of Commerce. Quintiles supports these "safe harbor privacy principles" that create a presumption of "adequate" protection for the transfer of personally identifiable data from the European Union (EU) to organizations in the United States that voluntarily certify an intention to adhere to these principles.

Quintiles has been an employer in the United States and countries of the EU for a number of years and has regarded the protection of our employees' personal data to be of the utmost importance. This comes easily to us, because in our business involving health-related research, we have always considered the protection of patient privacy and confidentiality as a fundamental principle of medical ethics. Quintiles believes that the Draft International Safe Harbor Privacy Principles establish adequate protection for the transfer of personally identifiable data from the EU to the United States, both with regard to the concerns of employers and the treatment of patient information. Further, the company agrees with the Department's view that reliance on aggregate data and/or the use of anonymized or pseudonymized data does not raise privacy issues. Further, Quintiles applauds the Department's efforts to encourage that data used for pharmaceutical research and other purposes be anonymized as appropriate as an adequate means for protection of personal medical information.

Quintiles regards the proposed safe harbor to embody a sensible approach, and, therefore, urges that these draft privacy principles be approved and implemented. In this way, employers may establish balanced procedures and members of the health care and research communities may effectively exchange and transfer information in a manner that ensures the confidentiality of personally identifiable data, while protecting employee privacy and facilitating the delivery of high quality health care and health research.

Quintiles offers certain suggestions for clarifications to the safe harbor principles: Personally identifiable research data obtained in the EU by pharmaceutical and medical device companies are subject to the regulatory standards of the Department of Health and Human Services (HHS) or one of its agencies, the Food and Drug Administration (FDA). In the fourth paragraph of the draft principles, the Department notes that "organizations subject to a statutory, regulatory, administrative or other body of law or of rules that effectively protects personal privacy may assure safe harbor benefits by self-certifying to the Department of Commerce (or its designee)." Also, in Frequently Asked Questions (FAQ) 6 - Self Certification, the organization will describe, inter alia, to the Department of Commerce or its designee, the organization's privacy policy for personal information with respect to "the specific statutory body that has jurisdiction to hear any claims against the organization regarding possible unfair or deceptive practices and violations of laws or regulations governing privacy." From this language, it appears that a pharmaceutical or medical device company would certify that FDA or HHS has jurisdiction to hear claims against it. Would the pharmaceutical company or medical device company certify directly to HHS or FDA as the Department of Commerce's designee?

Furthermore, in the fifth paragraph of the proposed principles, the Department states that adherence to the safe harbor may be limited, i.e., preempted "by statute, government regulation, or case law that create conflicting obligations or explicit authorizations," but that noncompliance with the principles would be "limited to the extent necessary to meet the overriding legitimate interests furthered by such authorization." It appears that the conflicting obligation envisioned would allow greater sharing of personal data than that permitted by the safe harbor principles. In the alternative, if the relevant statute, government regulation, or case law stipulated more stringent protections for personal data, would such requirements also supersede the application of the safe harbor principles to data transfers between member states of the European Union and the United States?

In sum, it is the view of Quintiles Transnational Corp. that these safe harbor privacy principles are a positive step towards building a consensus with the European Community and preserving an uninterrupted transfer of personally identifiable data, while providing adequate protection of privacy to the individual.

Quintiles appreciates the opportunity to comment on the Department of Commerce's Draft International Safe Harbor Privacy Principles and thanks the Department for serious consideration of its suggested clarifications to the proposed rule.

Respectfully submitted,

/s/ John S. Russell

John S. Russell
Senior Vice President and General Counsel
Head Global Human Resources
Quintiles Transnational Corp.
Post Office Box 13979
Research Triangle Park
North Carolina 27709-3979
919-998-2000