Ambassador David Aaron
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th and Constitution Avenue, N.W.
Washington, DC 20230
Dear Ambassador Aaron:
TRUSTe applauds the efforts of the Department of Commerce and the International Trade Association for their progress in developing and negotiating these Safe Harbor principles. Further, we appreciate the opportunity to provide comments.
TRUSTe strongly believes that for consumer trust to be built on the Internet, whether in the United States or in Europe, consumers must have full knowledge of what is happening with their personal data. Demonstrable progress has been made in the area of on-line privacy over the past year. Specifically, the number of TRUSTe licensees increased from 69 to 675--a growth rate of nearly 1000 percent. Half of the Media Metrix top 100 most visited Web sites now participate in TRUSTe's oversight and monitoring program, impacting more than 90 percent of the U.S. Web audience each month. While we have seen great progress, there is still more that must be done to address this issue. Industry, government and watchdog groups must work together to ensure that consumers' expectations of privacy assurances on the Web are met.
TRUSTe has reviewed the Safe Harbor Principles and associated FAQs and would like to submit the attached comments. We are very pleased with the level of detail provided in the latest Safe Harbor package. Our comments focus on clarification to facilitate the implementation of the principles into the TRUSTe seal program. Please feel free to contact me by phone at 408.342.1945 or by email at blewin@truste.org, should you have any questions.
Sincerely,
Richard E. Lewin
Executive Director
TRUSTe
Comments on the Safe Harbor Package
1. TRUSTe would like to see equal weight given to the FAQs relative to the principles.
2. To provide effective consumer dispute resolution, TRUSTe recommends that if an organization satisfies the Enforcement principles through compliance with private sector developed privacy programs, compliance with legal or regulatory supervisory authorities, or by committing to cooperate with data protection authorities located in the European Community or authorized representatives, that those entities be made part of the process for handling of complaints about non-compliance with the safe harbor principles. Specifically, TRUSTe would want to be included in the process if the organization is a licensee of the TRUSTe program and the non-compliance involves the misuse of data collected at the organization's web site.
3. It is unclear how much time U.S. companies would be given to fully implement these principles. Will U.S. companies be required to cease collecting information from European citizens until they have fully implemented these principles?
4. For the purpose of meeting the Safe Harbor Principles, it is unclear what constitutes a third party.
5. Under the Onward Transfer principle, it is unclear if an organization would be liable if the third party is found to be in non-compliance with the principles or their written agreement.
6. In meeting the Security principle, it is unclear if the minimum requirements should change based on the industry or the type of information being collected (i.e., medical information, financial information, etc.).