May 14, 1999

Ambassador David L. Aaron
Under Secretary of International Trade
United States Department of Commerce
14th and Constitution Avenue, N.W.
Room 3850
Washington, D.C. 20230

Dear Ambassador Aaron:

On behalf of The Walt Disney Company, we commend you and the United States Department of Commerce for your work regarding the EU privacy policy. We recognize the complexity of the issues involved in the negotiations and greatly appreciate the opportunity to submit comments on the Safe Harbor Principles and Frequently Asked Questions ("FAQs").

Thank you again for your efforts and consideration of these comments.

Respectfully,

Cindy Rose
Counsel
European Legal and Governmental Affairs
The Walt Disney Company -- Europe

Terri A. Southwick
On behalf of
The Walt Disney Company
1150 17th Street, NW
Suite 400
Washington D.C. 20036
202-222-4700


The Walt Disney Company's
Comments on Revised Draft
Safe Harbor Principles and FAQs of April 19, 1999

General Comments

The issues presented by the EU Data Protection Directive and the Safe Harbor negotiations have captured the attention of governments and the business community around the world, at least in part, because of the potential implications they have for the future development of electronic commerce. Electronic commerce is still in a nascent stage of development and in our view it is essential that governments exercise regulatory restraint to allow electronic commerce to reach its full potential on a global scale. The EU Data Protection Directive, to our knowledge, is the first legislative instrument that introduces the threat of a government sanctioned interruption of international data flows. For electronic commerce to become a truly global phenomenon, governments need to embrace certain uniform fundamental legal principles on a variety of issues, including privacy. If other governments follow the EU lead on privacy, for example, by adopting national laws that diverge from and potentially conflict with the EU Directive, all companies engaged in electronic commerce -- including EU companies -- will find it impossible to operate globally and the development potential of electronic commerce will be seriously impeded. In retrospect, we believe that it perhaps would have been more constructive to seek a global consensus on privacy issues as they relate to electronic commerce, as opposed to resolving these issues bilaterally.

When the EU Data Protection Directive was originally proposed over 5 years ago, the European Commission clearly did not have electronic commerce in mind. The proposed Directive was primarily focused on harmonizing existing Member State rules on data protection. The Directive was viewed by consumer protection advocates at the time as a great success insofar as it extended protection afforded to manually stored data to electronically stored data as well. However, the Directive did not contemplate the explosive growth of electronic commerce. Although we acknowledge that considerable progress has been made in negotiating the Safe Harbor, we believe that this exercise has essentially been a process of trying to broaden a narrow piece of legislation and apply it to a new and rapidly changing commercial environment. Neither governments nor industry itself knows at this point exactly how electronic commerce will develop or how and to what extent consumers and businesses will utilize goods and services offered electronically. We, therefore, believe that it is premature and potentially damaging to burden electronic commerce with regulations that will impede growth. For these reasons, we advocate a complete moratorium for a reasonable period of time from the application and enforcement of the EU Data Protection Directive for electronic commerce.

If the US position is not carefully preserved and maintained in the exchange of correspondence that will form the Safe Harbor, the Safe Harbor may end up having unintended and undesirable implications in the area of legal jurisdiction in electronic commerce. The conflicts of law debate (i.e., "country of origin" versus "country of reception") is on-going and unresolved in the European Community and indeed international law. In the EU, for instance, the European Commission's proposed Directive on Electronic Commerce establishes the principle of "country of origin" for the supply of online services within the EU, subject to certain exceptions in respect of, for example, consumer protection measures. Industry has been advocating the deletion, or at the very least limitation, of these exceptions so as not to create a legal framework in which, in order to offer online services in the EU, an organization would need to comply with 15 different sets of divergent rules. In the international context, the Safe Harbor implicitly acknowledges that it is the law of the data subject (i.e., the country of reception), and not the law of the organization offering the online good or service, that applies. The Safe Harbor in this sense creates a precedent in support of a country of reception approach that could be relied upon by the EU and others to the detriment of all companies (including EU companies) engaged in electronic commerce and to the detriment of the development of electronic commerce itself.

In addition, the Safe Harbor arguably precludes an individual data subject from exercising his/her freedom to choose the laws to which he/she wishes to submit in the context of electronic transactions. Quite apart from questions relating to conflicts of law, The Walt Disney Company believes it would be inappropriate for the Safe Harbor to effectively impinge on parties' basic freedom of contract. We recommend, therefore, that the Department of Commerce include the following language in the Safe Harbor documentation: "For the avoidance of doubt, these Safe Harbor principles shall not be construed so as to impinge on parties' basic freedom to contract and to choose the law and forum that governs any such contract. Furthermore, these Safe Harbor principles shall not be construed as an acceptance on the part of the US of the 'country of reception' approach in any area of electronic commerce. All existing rules, principles, conventions and treaties relating to international conflicts of law should continue to apply and should not be prejudiced in any way by the Safe Harbor principles."

The development of the FAQs is certainly helpful in terms of clarifying some of the issues presented by the Safe Harbor where there is potential ambiguity. We understand that the FAQs will form part of the final exchange of correspondence between the US and the EU, which will collectively form the Safe Harbor. Regarding the question of whether the FAQs should be given equal weight to the Safe Harbor principles, we had some difficulty reaching a conclusion on this, given a number of contingencies that have not yet been resolved. For instance, if the reasonableness language in the access principle is for some reason not included in the final version, then it would certainly be desirable for the FAQs on access to have equal weight to the principles so as to provide guidance to the relevant parties and the relevant authority in resolving potential disputes that may arise.

On the other hand, if the EU prevails in its argument that the Safe Harbor ought to be legally binding on an organization once an organization self-certifies (an issue that is discussed in further detail below), then giving the FAQs equal weight would necessarily mean that they would be legally binding as well. If this is the case, then this entire exercise, rather than being a broad agreement on self-regulatory principles, becomes an exercise in detailed rule writing. Given the fact that the Safe Harbor principles and FAQs have not had the benefit of being vetted through the ordinary legislative process, we obviously would not like to see this scenario develop. On balance, however, subject to the Safe Harbor principles themselves being non-binding and subject further to certain specific points discussed below, we believe that the FAQs should be given equal weight to the Safe Harbor principles.

Organizations that may wish to comply with the principles of the Safe Harbor should have adequate time in which to do so. The Safe Harbor principles contain many requirements not imposed by US law. Organizations will require adequate time in which to assess the compliance burden and implement a compliance strategy. Money and human resources will need to be committed in order to develop both the technical and organizational expertise needed in order to comply. Accordingly, we believe that there should be no less than a 2-year grace period for US organizations to prepare for compliance. During this period, the EU should agree not to interrupt transatlantic data flows by issuing blocking orders.

Notice Principle

The first sentence of the notice principle assumes that all individual data subjects are interested in being notified about the purposes of data collection, etc. -- which may or may not be the case. In the event that certain individuals are in fact not interested in being notified, organizations should not be subject to an absolute obligation to do so. We suggest that this sentence be amended to provide that "an organization must offer to inform individuals . . ." in order to acknowledge the fact that an organization can only offer individuals the opportunity to be notified by making notification available, but cannot and should not be required to control whether or not an individual accepts that offer.

The first sentence of the notice principle refers repeatedly to the term "information." This term is extremely vague, broad and potentially misleading. The EU Directive only applies to "personal data."(1) The Safe Harbor principle should not under any circumstances go beyond the scope of the EU Directive. In order to clarify this point, we suggest that all references to the term "information" in the Safe Harbor be replaced by the term "personal information." In particular, the terms "personal data" and "personal information" should not, in our view, include information relating to businesses or companies, nor information generically derived from personal information from which individuals cannot be identified, such as marketing inferences or classifications.

The second sentence of the notice principle states that "notice must be provided in clear and conspicuous language." We suggest that this sentence be clarified to specify that such notice be provided in the language generally used by the organization (as opposed to the individual). In other words, "clear and conspicuous language" could be understood by EU Member States as providing a legal basis, explicitly acknowledged by the US, for imposing local language requirements on US companies providing online services accessible from these respective countries. This, once again, becomes an issue of conflicts of law. The US should not, in the context of these Safe Harbor negotiations, concede a "country of reception" approach, including with respect to local language requirements.

Choice Principle

With respect to sensitive information, while we accept that notice and choice are important, we believe that an opt-out scheme is sufficient to address privacy concerns in this area. Opt-in would require organizations to develop, maintain and operate a separate registry resulting in unreasonable additional cost and administrative burden. Opt-out schemes are being promoted by both the EU and the US in several other contexts (i.e., commercial communications and distance selling). There is no compelling reason, in our view, to establish a different regime with respect to so-called "sensitive data," nor does the EU Directive mandate this result. Subsection (5) of the FAQ on Sensitive Data should be amended to read as follows: "(5) necessary to carry out the organization's obligations in the field of employment, disability or any related fields of law."

Onward Transfer Principle

The Walt Disney Company suggests that the Department of Commerce clarify that legal entities within a group of companies (e.g., subsidiaries, parents, affiliates and associated companies) should not be considered to be "third parties" relative to the organization collecting the personal information. Once the principles of notice and choice have been applied by the organization collecting the personal information, the organization should not suffer the burden of having to repeatedly apply the same principles with respect to other entities within the same group of companies. Any other result would be unduly burdensome and costly for an organization and would not be justified by any additional benefits to the data subject. Third party transfers should only include transfers to unrelated third parties.

The requirement that an organization either "ascertains that the third party subscribes to the Safe Harbor principles or enters into written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant Safe Harbor principles" creates an unreasonable level of responsibility and an unacceptable risk of legal liability for the actions, practices and operations (both present and future) of an unrelated third party over which the organization has no control. An individual data subject who has been harmed as a result of non-compliance with the Safe Harbor principles should only have recourse against the organization directly responsible for the non-compliance. The onward transfer principle as written would suggest that the organization is responsible for procuring third party compliance and is liable for third party non-compliance. The Safe Harbor is designed to protect organizations that opt to comply with its principles from prosecution and/or data flow interruptions pursuant to the EU Directive. It should not be used as a legal basis for establishing third party liability for the non-compliance of others.

Access Principle

As we have stressed on many occasions, we strongly believe that the access principle should be qualified by a reasonableness standard and should be limited to the sort of data that could be reasonably expected to significantly affect the individual or materially infringe the individual's right to privacy. We believe that not all personal data necessarily falls within this category (e.g., certain types of marketing data clearly do not). An absolute right of access to all data will not only create an unreasonable administrative compliance burden for organizations, but it will expose organizations to nuisance lawsuits without limits or safeguards. Organizations will find themselves liable for damages and possibly facing the prospect of interrupted transatlantic data flows as a result of denying access that may have been unreasonably (or even abusively) requested and which may relate to data that is relatively insignificant.

In light of the fact that it has already been acknowledged in FAQ 9 that an organization would not be obliged to respond to repetitious or vexatious requests, we strongly urge the Department of Commerce to leave the bracketed language in this principle in order to prevent potential inconsistencies. While we note that FAQ 1 suggests that an organization engage the individual requesting access in a dialogue to better understand the motivation for the request and to locate responsive information, we believe the principle itself should clearly delineate appropriate limitations on the right of access.

In addition, we feel that a request for access properly made ought to be limited to personal data held by the legal entity to which the request was made. It would not be appropriate for such a request to extend to all entities within the organization's group. A possible compromise position may be for the right of access to extend to the organization collecting the information and any other entities within the organization's group to which the organization directly transferred or disclosed such information. However, it would be unreasonably burdensome for an organization to provide access on a company-wide basis irrespective of whether the information was actually received by all of the other entities within the organization's group. In a situation in which the group of companies consists of many hundreds of legal entities located all over the world, such data is not likely to be readily available, nor inexpensive to provide. Therefore, the principle should provide appropriate limitations on the right of access.

Enforcement Principle

The Safe Harbor principles are essentially a framework for a system of voluntary self-regulation. The notion that "rigorous sanctions" be imposed in order to ensure compliance is wholly incompatible with the concept of voluntary self-regulation. Organizations that either do not elect to comply with the Safe Harbor principles or whose compliance efforts are found to be less than satisfactory will face the prospect of (a) the loss of the benefit of the Safe Harbor thereby resulting in potential legal liability and/or interrupted transatlantic data flows, (b) the potential loss of privacy seals (i.e., BBB or others), (c) potential prosecution by the FTC or relevant AG, and (d) loss of credibility in the business community, bad press, loss of consumer confidence and consequently business revenues. Surely, these are sufficient disincentives for any rational organization so as to ensure adequate levels of compliance. We, therefore, strongly urge the Department of Commerce to delete the last sentence of the enforcement principle and to resist any further attempts on the part of the EU to introduce rigorous sanctions for non-compliance.

FAQ on Self-Certification

It remains unclear in this FAQ whether self-certification must occur on a legal entity basis or on a group basis. We suggest that organizations have the flexibility to choose whether or not to self-certify their entire group of companies or only selected legal entities within the group (i.e., only those which collect, process, transfer or receive personal data pertaining to EU citizens).

We believe that it is inappropriate and potentially prejudicial to require an organization that wishes to self-certify to declare (and arguably thereby submit to) the specific statutory bodies that have jurisdiction to hear claims against the organization. The question of jurisdiction is a threshold matter in any dispute resolution procedure and should be resolved by a competent authority at the time that the dispute arises in light of the surrounding facts and circumstances in accordance with applicable rules on conflicts of law. This requirement should, therefore, be deleted.

This FAQ is silent on the question of whether an organization can withdraw self-certification. The issue of withdrawal directly relates to the question of whether the Safe Harbor is legally binding. As a voluntary self-regulatory instrument, we strongly believe that organizations should have the flexibility to opt in and opt out of the Safe Harbor at will. While it seems perfectly appropriate to require organizations to publicly declare their intentions by providing some sort of letter, it is wholly inconsistent with the concept of voluntary self-regulation to suggest that once an organization self-certifies, there is no exit. We believe this FAQ should provide for withdrawal of self-certification with the effect that the Safe Harbor principles and FAQs not be legally binding.

1. The EU Directive provides that "personal data" shall mean any information relating to an identified or identifiable natural person.