TRANSATLANTIC CONSUMER DIALOGUE
www.tacd.org
December 3, 1999
Honorable David L. Aaron
Under Secretary for International Trade
U.S. Department of Commerce
14th Street at Constitution Avenue, NW
Washington, DC 20230
Dear Under Secretary Aaron:
The TransAtlantic Consumer Dialogue (TACD), representing consumer organizations from the United States, Canada and Europe, submits the following comments on the Administration's proposed Safe Harbor principles.
As you are aware, earlier this year the TransAtlantic Consumer Dialogue(1) recommended against adoption of the Safe Harbor Proposal. We said in a resolution adopted unanimously by the member organizations:
The Safe Harbor proposal now under consideration by the United States and the European Union fails to provide adequate privacy protection for consumers in the United States and Europe. It lacks an effective means of enforcement and redress for privacy violations. It places unreasonable burdens on consumers and unfairly requires European citizens to sacrifice their legal right to pursue privacy complaints through their national authorities. The proposal also fails to ensure that individual consumers will be able to access personal information obtained by businesses.(2)
It is our view that the Safe Harbor proposal still fails to provide adequate data protection for the transfer of personal information from citizens in EU countries to companies in the United States. We note that little progress has been made in the effort to ensure consumer access to their personal information held by businesses and there is still no significant mechanism to enforce privacy principles in the United States.
The lack of adequate protections for consumers purchasing products in the United States or from US firms operating over the Internet leaves the country increasingly isolated in the world marketplace. The United States, one of the pioneers in establishing privacy protections from public sector abuse via the Privacy Act of 1974, remains a notable laggard in confronting the numerous threats to privacy that can result in the private sector. Of the twenty-four member countries that adopted the Organization for Economic Co-operation and Development (OECD) Privacy Guidelines in 1980, only the United States and Turkey have failed to either legislate or take significant steps towards passing comprehensive privacy laws.
European consumers must not lose their specific rights when data is exported to the US. If the US cannot give sufficient guarantees in this respect, personal data should not be transferred from the EU to the US.
We urge you to strengthen the Safe Harbor proposal and to work with others in the Administration and Congress to ensure that the loss of consumer privacy is not the cost of the information economy.
Sincerely,
European Consumer Association (BEUC)
Consumer Federation of America
Center for Media Education
Consumer Project on Technology
Electronic Privacy Information Center
National Consumers League
USPIRG,
for the Trans Atlantic Consumer Dialogue (TACD)
COMMENTS OF CONSUMER AND PRIVACY GROUPS ON THE DEPARTMENT OF COMMERCE "SAFE HARBOR" PROPOSAL (15 Nov 1999)
(1) PRIVACY IS A HUMAN RIGHT NOT SUBJECT TO COMMERCIAL CONCERNS. While the Safe Harbor principles were drafted with the sole purpose "to foster, promote, and develop international commerce"(3), the European Union Data Protection Directive ("the Directive") also takes into account the human right dimension of privacy protection. Chapter 1, Article 1 of the Directive ("Object of the Directive") notes that "Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy, with respect to the processing of personal data." The drafting of Safe Harbor principles by a U.S. agency solely concerned with the international trade implications of privacy protections will not give due weight to the importance of such protections for individuals as right-bearing citizens. Documents produced by agencies with broader social considerations have given privacy its due as a fundamental human right. Both Article 12 of the United Nations Universal Declaration of Human Rights(4) and Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms(5) directly address the need for privacy protection.
(2) RATHER THAN ERODING THE PRINCIPLES OF THE DIRECTIVE, SAFE HARBOR SHOULD SEEK TO REINFORCE DATA PROTECTION FOR ALL INDIVIDUALS. While Chapter IV of the Directive ("Transfer of Personal Data to Third Countries") merely requires an "adequate" rather than equivalent level of protections in non EU-member countries, the Directive should not be construed as an upper limit for privacy protections but as a baseline standard. The Directive states that national laws which will approximate the principles in the Directive ". . . must not result in any lessening of the protection they afford, but must, on the contrary, seek to ensure a high level of protection . . ."(6) Globalization of the economy necessarily exposes individuals to the laws of foreign countries and the values and principles embodied in those laws. In contrast to the fundamental right of privacy the Directive respects, the Safe Harbor principles undercut data protection (see [4]) for European citizens in order to make the entry of U.S. companies into foreign markets as painless as possible.
(3) THE SAFE HARBOR AGREEMENT WILL PROVIDE LIMITED DATA PROTECTION ONLY FOR INDIVIDUALS RESIDING IN EU-MEMBER COUNTRIES. Under the Safe Harbor principles, European citizens will enjoy greater privacy protections from U.S. companies than any U.S. citizen. While U.S. companies may view the acceptance of Safe Harbor principles as an obstacle to developing European markets, U.S. citizens should be alarmed that principles drafted by a U.S. agency for U.S. companies would give greater protections to citizens of another country.
(4) THE PRINCIPLES OUTLINED IN THE SAFE HARBOR PROPOSAL DO NOT ADEQUATELY ESTABLISH FAIR INFORMATION PRACTICES.
A. NOTICE: Notice of privacy practices should always take place before the collection of personal information without exception. The concession of notice until a time "as soon as is practicable"(7) allows for the collection of information to occur without notice to the individual.
B. CONSENT NOT CHOICE: The collection of personal information requires opt-in consent from the individual not opt-out choice. Opt-out choice unfairly places the burden of preventing the collection of personal information on the individual. Given the invisibility of new technology in the collection of personal information, consent is necessary to adequately establish control over personal information. Furthermore, the current standard of opt-in for "sensitive information" gives undue deference to commercial interests since it applies only to information "specifying" rather than "revealing" subjects such as medical conditions, race, or political beliefs.(8) Even considering the weak protection of opt-out choice, the Safe Harbor principles even allow for opt-out to not immediately go into effect when information is collected.(9)
C. PURPOSE SPECIFICATION AND USE LIMITATION: The purposes for which personal information is collected should be revealed before data collection and limited to such use. The requirements of notice and consent should apply to information which will be passed onto third parties not subscribing to Safe Harbor principles(10) or those third parties whose use of such information is "compatible"(11) with the purpose for which it was originally collected and authorized to be used. This is particularly important given the lack of responsibility that the original data collector will bear for any transgressions of the third party in processing personal information.(12) To maintain control over personal information, the individual must be aware of all purposes and use of that information. The Principles also fail to provide adequate assurance that the information collected is relevant, not excessive, and stored only as long as necessary for the purposes for which it is collected.
D. ACCESS: The exceptions for providing access are too broad and unfairly limit individual access in favor of business interests. While rights to access should be weighed in balance with other considerations, the current access principles allow the entities least likely to consider the rights of the data subject -- the data collector -- to make that determination. The current access principle allows for numerous situations for refusal to access on the basis of expense or burden(13), due to protection of "confidential commercial information"(14), or for research or statistical purposes(15). The access principle provides for the right to have data deleted only in case the data is inaccurate. Instead, the data subject should have the right to have data deleted whenever there has been an infringement of the Safe Harbor Principles.
E. OVERSIGHT AND ENFORCEMENT: Oversight and enforcement of these principles rely on industry self-policing which has shown itself ineffective against companies that have violated consumer privacy. Verification of compliance with Safe Harbor principles can be done either through self-assessment or through outside reviews.(16) The former does not provide any substantial reassurance that compliance is taking place and the latter does not make the review or the identity of the agency conducting the review easily publicly available. The dispute resolution and enforcement component of the Safe Harbor principles does not provide for any civil penalties or tangible punishments as sanctions for one-time or persistent violations of Safe Harbor principles.(17) Such penalties may be assessed by the Federal Trade Commission only after being referred via industry-funded groups such as TRUSTe or BBBOnline, neither of which has ever taken any action against a licensee deserving of a full investigation. The enforcement principle should include compensation for any damage suffered by individuals.
F. RIGHT OF INDIVIDUAL TO CONDUCT BUSINESS: The Safe Harbor principles do nothing to protect the individual from refusal of service if a customer does not provide information that he or she finds is unnecessary for transactions.
2. http://www.tacd.org/meeting2/electronic.html#safe
3. http://www.ita.doc.gov/ecom/Principles1199.htm, Draft, International Safe Harbor Privacy Principles issued by the U.S. Department of Commerce ("Principles"), paragraph 2, 15 November 1999.
4. http://www.hrweb.org/legal/udhr.html.
5. http://www.coe.fr/eng/legaltxt/5e.htm.
6. Preamble, European Union Data Protection Directive.
8. In addition, the U.S. Tenth Circuit Court of Appeals is currently considering a petition for rehearing in the case mentioned in the draft principles. For more information, see http://www.epic.org/privacy/litigation/uswest/.
9. http://www.ita.doc.gov/ecom/FAQ12Opt-Out1199.htm, FAQ 12, "Choice - Timing of Opt Out".
10. Principles, "Choice", text struck out.
11. Principles, "Onward transfer".
12. Principles, "Onward transfer".
13. http://www.ita.doc.gov/ecom/FAQ8access1199.htm, FAQ 8, "Access", question 1.
14. FAQ 8, "Access", question 2.
15. FAQ 8, "Access", question 5.
16. http://www.ita.doc.gov/ecom/FAQ7Verif1199.htm, FAQ 7, "Verification".
17. http://www.ita.doc.gov/ecom/FAQ11DisputeRes1199.htm, FAQ 11, "Dispute Resolution and Enforcement".