April 5, 2000
Via Electronic Mail
Becky Richards
Electronic Commerce Task Force
Room 2009
United States Department of Commerce
14th & Constitution Avenue, N.W.
Washington, DC 20230
Re: Comments on Draft Safe Harbor Materials
Dear Ms. Richards:
Visa U.S.A. ("Visa") is pleased to submit this comment letter to the Department of Commerce in response to its request for comment on the International Safe Harbor Privacy Principles ("Safe Harbor Principles") and related documents released with the letter from Ambassador Aaron ("Safe Harbor Letter") dated March 17, 2000 (collectively, "Safe Harbor Documents"). The Safe Harbor Documents are intended to provide guidance to U.S. organizations seeking to comply with the European Union's ("EU") Directive on Data Protection ("Data Protection Directive"). As discussed in the Safe Harbor Letter, this latest draft of the Safe Harbor Documents reflects a tentative agreement between the Department of Commerce and the EU on the safe harbor. While the development of the Safe Harbor Documents represents an important step in the U.S.-EU negotiations, it is only that -- a step -- since the Department of Commerce and the EU have not yet reached agreement on the application of the safe harbor to the financial services sector. Visa appreciates the ongoing and extensive efforts of the Department of Commerce in developing the Safe Harbor Documents, and strongly urges the Department of Commerce to continue its efforts to bring the benefits of the safe harbor to the financial services sector.
Visa is the largest consumer payments system in the United States and in the world. Visa is part of a worldwide association of over 21,000 financial institution members that individually offer Visa-brand payment services. Consumers hold more than 970 million Visa-brand cards globally, and these cards are accepted at more than 18 million merchant locations and at more than 550,000 automated teller machines. Visa -- which provides transaction authorization, clearing and settlement, and risk management services to its financial institution members -- supports more than $1.5 trillion in payment transactions annually around the globe. Visa's transaction volume in the United States alone is over $700 billion per year. At peak volume, Visa's systems process over 3,500 card-related transactions per second.
The efforts of the Department of Commerce in developing the Safe Harbor Documents have enormous ramifications for the U.S. economy and, consequently, for all businesses and consumers in the United States. The importance of information to the modern American economy cannot be overstated. Many experts -- including Federal Reserve Board Chairman Alan Greenspan -- attribute the unparalleled strength of the U.S. economy in large measure to the enormous investments in information technology that have been made by U.S. businesses over the last decade. Thus, undue restrictions on the flow of information to and among U.S. companies -- such as the restrictions that could flow from the inappropriate application of the Data Protection Directive -- could have devastating consequences for the U.S. economy.
Furthermore, inappropriate restrictions on the flow of information to U.S. organizations also could undermine the ability of U.S. businesses to compete with non-U.S. companies, including those located in the EU. The Department of Commerce rightly recognizes that the Data Protection Directive has significant trade implications for U.S. businesses and the American economy: the introduction to the Safe Harbor Principles itself states that the Department of Commerce is issuing the Safe Harbor Principles "under its statutory authority to foster, promote, and develop international commerce" and for the purpose of "facilitat[ing] trade and commerce between the United States and [EU]." It is crucial that the Data Protection Directive, which was developed to address privacy concerns in the EU Member States, not be allowed to be used by the EU -- or any of the individual EU Member States -- as a weapon to undermine the competitiveness of U.S. businesses that have invested heavily in information technologies and are now legitimately reaping the rewards of those investments.
As the introduction to the Safe Harbor Principles also recognizes, while the U.S. and the EU share the goal of enhancing privacy protection for their citizens, the U.S. has historically taken a very different approach to privacy issues from that taken by the EU. Companies within the United States -- particularly regulated entities like Visa's member financial institutions -- are already subject to an extensive existing legal privacy framework, which includes constitutional and common law principles, federal and state statutes and regulations, and self-regulatory efforts. Particularly given the extensive privacy provisions incorporated into the Gramm-Leach-Bliley Act ("GLB Act"), signed into law on November 12, 1999, and the even more comprehensive privacy regulations proposed by federal agencies to implement the GLB Act, any safe harbor that is adopted must recognize the strength and legitimacy of the U.S. privacy approach. Moreover, such a safe harbor must not diminish the viability of that approach by permitting the EU to unilaterally impose, albeit indirectly, EU requirements on U.S. financial institutions.
International Safe Harbor Privacy Principles
The introduction to the Safe Harbor Principles declares that U.S. "[o]rganizations subject to a statutory, regulatory, administrative or other body of law that effectively protects personal privacy may assure safe harbor benefits by self-certifying to the Department of Commerce or its designee." As discussed below, without question, the banking industry is among the most highly regulated industries in the United States; federal and state regulators regularly examine for, and effectively enforce, financial institutions' compliance with an extensive body of statutes and regulations, including those relating to the protection of consumer information. For example, as discussed further below, U.S. financial institutions will shortly be subject to comprehensive new privacy requirements that are contained in the GLB Act and the federal banking agencies have made quite clear their intention to examine not only for compliance with the GLB Act, but also the privacy policies required to be disclosed under the Act. As a result, Visa strongly urges the Department of Commerce to explicitly state in the Safe Harbor Principles that regulated U.S. financial institutions are among those organizations that are subject to a "body of law . . . that effectively protects personal privacy" and, thus, that such financial institutions can qualify for the safe harbor by virtue of their compliance with the extensive regulatory structure described below. Accordingly, it is essential that the Department of Commerce aggressively continue its efforts to achieve the recognition and agreement of the EU that financial institutions, by reason of their very compliance with the GLB Act and its implementing regulations, satisfy all of the safe harbor requirements.
GLB Act Privacy Provisions.
Although some have suggested that stronger privacy protections are still possible, it is no exaggeration to say that the GLB Act contains the most comprehensive federal privacy legislation in U.S. history. In the words of House Banking Committee Chairman Jim Leach, the statute contains "the strongest privacy protections ever considered by the Congress." Among other things, the GLB Act imposes dual obligations on a U.S. financial institution before it may disclose a customer's personal financial information to a nonaffiliated third party. First, the GLB Act requires that every financial institution give to its customers, at the start of the relationship and annually thereafter, a comprehensive notice of the institution's policies and practices regarding the disclosure of customer financial information. Second, the GLB Act requires a U.S. financial institution to give its consumers: clear and conspicuous notice that information about them could be shared with nonaffiliated third parties; an opportunity to opt out of such sharing before it occurs; and an explanation of how the consumer can opt out. These comprehensive privacy protections will be examined and enforced by the federal banking regulators, which have at their disposal an extensive arsenal of possible sanctions against financial institutions that violate the new consumer privacy protections, including implementation of cease and desist orders barring policies or practices deemed violations of the GLB Act's privacy provisions. Financial institutions also are subject to both federal and state "unfair and deceptive acts and practices" statutes, to the extent that their privacy policy notices do not accurately reflect their actual practices and policies of collecting and disclosing information.
Fair Credit Reporting Act.
In addition, U.S. financial institutions are subject to the Fair Credit Reporting Act ("FCRA") that, among other things, regulates the sharing of consumer information among corporate affiliates. Specifically, the FCRA requires that consumers be clearly and conspicuously notified if their credit, application, or other nonexperience information will be shared among affiliated entities, and given the opportunity to opt out prior to the time that information is shared. Under the FCRA, as amended by the GLB Act, the federal banking agencies also are instructed to prescribe regulations as necessary to carry out the purposes of the FCRA. Moreover, under the FCRA, as revised by the GLB Act, the federal bank regulatory agencies now have the same authority to examine a depository institution for FCRA compliance as they have to monitor that institution's compliance with other federal consumer protection statutes.
Comprehensive Web of Federal, State and Common Law Privacy Standards Applicable to Financial Institutions.
Financial institutions also are subject to a myriad of other federal, state, and common law standards that establish effective barriers against the improper use of personal information by financial institutions and corresponding penalties for non-compliance. This existing network of federal, state and common law standards provides effective enforcement tools to address situations where financial institutions are allegedly engaging in improper information sharing practices, as is evidenced by the recently-settled lawsuits filed by the attorneys general in Minnesota and New York, as well as the class-action privacy lawsuits currently pending against a number of U.S. financial institutions. Given this comprehensive web of federal, state, and common law standards applicable to financial institutions, the Department of Commerce should explicitly state in the Safe Harbor Principles that U.S. financial institutions are covered by the safe harbor by their very compliance with this extensive regulatory structure and its effective enforcement mechanisms, and the Department of Commerce should continue its efforts to achieve recognition and agreement from the EU regarding this matter.
* * * * *
Once again, Visa appreciates the substantial efforts of the Department of Commerce in developing the Safe Harbor Documents. If you have any questions concerning these comments, or if we can otherwise be of assistance in connection with this matter, please do not hesitate to contact me at (650) 432-3111.
Sincerely yours,
Russell W. Schrader