March 31, 2000


The Honorable David Aaron
Under Secretary for International Trade Affairs
International Trade Administration
U.S. Department of Commerce
14th Street and Constitution Avenue, N.W.
Washington, DC 20230

Re: Comments on Draft Safe Harbor Documents

Dear Ambassador Aaron:

In response to your request of March 17, 2000, the Pharmaceutical Research and Manufacturers of America (PhRMA) is pleased to submit the following comments on the draft safe harbor documents.

Eligibility for Safe Harbor Protection

The draft Safe Harbor as revised denies membership to a US company if it is not subject to an independent dispute resolution mechanism with authority to impose sanctions. The alternative that would permit membership - a declaration agreeing to abide by the jurisdiction of EU data protection officials convened as a panel to hear disputes and issue decisions, including sanctions - ensures membership for only three years. In order to ensure equitable access to the Safe Harbor for all US sectors, the draft agreement should be revised to permit membership in the Safe Harbor until such time as a suitable alternative to the EU panel has been realized.

Transitional/Implementation Period

We note with concern that the draft agreement fails to provide an adequate period of time for US companies to come into compliance with the Safe Harbor. EU member states were provided three years to do so, and a number of EU countries are still not in compliance two years after the legislatively mandated deadline. US companies should have a grace period of at least three years, given that compliance with the Safe Harbor imposes a considerable administrative burden and entails significant costs.

Revised Draft Safe Harbor Principles

We would appreciate receiving clarification on the following:

Preamble

· Will data transferred from countries that are not members of the EU but are members of the European Economic Area, such as Norway, be subject to the Safe Harbor Principles?

· Particular care must be taken to ensure the accuracy of information provided in the self-certification process because it is now subject to federal criminal sanctions. In this regard, we would welcome guidance as to specifically what "statutory, regulatory, administrative or other body of law (or of rules)" within the US "effectively protect personal privacy" within the meaning of the first sentence in the fourth paragraph of the draft revised preamble to the Principles.

· The phrase "personal information in manually processed filing systems" in the sixth paragraph of the preamble is somewhat puzzling. We were under the impression that the EU directive, and hence the Safe Harbor as well, also extended to the manual processing of data.

Frequently Asked Questions (FAQs)

FAQ #1, Sensitive Data

The FAQ should be amended to include the fact that "opt-in" would not be required for data processing, nor for onward transfer, where the data processing is conducted for research in the public interest. We recommend that the following be added to the current draft:

"or (7) for reasons of substantial public interest, including research being conducted for public health and regulatory purposes."

In addition, a typo remains in part (3) of the answer; this point should refer to "medical care or diagnosis."

FAQ #5, The Role of the Data Protection Authorities

This FAQ provides for a three-year period during which organizations have the option of cooperating with the DPAs. PhRMA urges the Department of Commerce to negotiate a longer time frame for the data privacy panels as an alternative dispute resolution mechanism. In addition, we recommend that Commerce seek to eliminate the possibility that such a mechanism would be abandoned prematurely, as that could leave companies in an unfortunate and vulnerable situation hardly conducive to conducting a global business.

FAQ #6, Self-Certification

As we have noted previously, the requirement for annual re-certification of compliance with the safe harbor principles would seem unnecessary. Re-certification should be conditioned on a material change in circumstances.

We question the need for, and the legal basis for, the newly added provision that would impose federal criminal sanctions for possible misrepresentations regarding a company's adherence to the Safe Harbor. It is our understanding that the Safe Harbor agreement will constitute an understanding reflected within an exchange of letters between the US Government and the EU. It will not be a formal agreement, nor a binding treaty and will not require any US rulemaking nor advice and consent of the Senate. Membership in the Safe Harbor will be on a voluntary basis, and the sanction for failure to comply with the mandated privacy principles - including any possible misrepresentations - is denial of membership in the Safe Harbor and FTC action for false and misleading advertising.

FAQ #7 - Verification

To avoid confusion and misinterpretation, add the qualifying term "enforcement" before the phrase "principle 7(b)".

FAQ #10 - Article 17 Contracts

This FAQ is somewhat perplexing and could lead to misinterpretation. It is our understanding that data can be transferred without the need for a contract to a US company that is a member of the Safe Harbor. After all, the purpose of a finding of adequacy under article 25 as to the Safe Harbor is that its provisions provide the requisite degree of data protection in the US.

FAQ #12 - Choice - Timing of Opt Out

This FAQ is ambiguous and unclear. The question posed appears to be general in scope, but the answer appears specific only as to marketing.

FAQ #14, Pharmaceutical and Medical Products

Question #1: We assume that the use of the term "anonymized as appropriate" in the new sentence added to the answer means that coding where the key to the code does not accompany the coded data is "appropriate" anonymization.

Question #3: We suggest the following amendments (suggested additions are underlined for ease of reference only):

"Q3: What happens to an individual's data if a patient/subject decides voluntarily or at the request of the investigator or sponsor to withdraw from the clinical trial?

A: Patients/subjects may decide or be asked to withdraw from a clinical trial at any time. Any data collected previous to withdrawal could still be processed along with other data collected as part of the clinical trial; however, this must be made clear to the participant in the notice at the time he or she agreed to participate."

Question #5: Add "/subjects" to "patients"; add "/subject" to "patient".

Question #6: The answer to this question would exempt from the principles of notice, choice, onward transfer and access only those safety and efficacy monitoring activities that are specifically required by regulation. As we have indicated previously, it is similarly critical to exempt those broader safety and efficacy monitoring activities that support regulatory compliance, but that are not specifically mandated by regulation. Therefore, we recommend the following amendments:

"Q6: Does a pharmaceutical or medical device firm have to apply the safe harbor principles with respect to notice, choice, onward transfer, and access in its product safety and efficacy monitoring activities, including the reporting of adverse events and the tracking of patients/subjects using certain medicines or medical devices (e.g. a pacemaker)?

A: No, to the extent that adherence to the principles interferes with a company's ability to exercise due diligence in monitoring the safety and efficacy of its products and in its compliance with drug and device regulatory reporting requirements. This is true both with respect to reports by, for example, health care providers, to pharmaceutical and medical device companies, and with respect to reports by pharmaceutical and medical device companies to government agencies like the Food and Drug Administration."

Question #7: For purposes of improving clarity, we recommend the following amendments:

"Q7: Invariably, research data are uniquely key-coded at their origin (e.g., by a principal investigator, treatment facility, or other holders of data bases) so as not to reveal the identity of individual data subjects. Pharmaceutical companies sponsoring such research do not receive the key. The unique key code is held only by the researcher or data-holding institution, so that the research subject can be identified under special circumstances (e.g. if follow-up medical attention is required). Does this constitute a transfer of personal data that is subject to the safe harbor principles Would a transfer of this type of data constitute a transfer of personal data that is subject to the Safe Harbor principles?

A: No. This would not constitute a transfer of personal data that would be subject to the principles."

On behalf of PhRMA and our member companies, I would like to express our appreciation for your tireless efforts throughout these important negotiations with the EU.
 

Sincerely,
 

Shannon S.S. Herzfeld