December 3, 1999
The Honorable David L. Aaron
Under Secretary
International Trade
Department of Commerce
14th and Constitution Avenue, N.W.
Washington, D.C.
Dear Ambassador Aaron:
The members of the United States Council for International Business
(USCIB) thank you again for your continuing negotiations with the European
Commission to resolve outstanding issues regarding implementation of the
E.U. Privacy Directive. As we have stated in the past, USCIB members support
the concept of a safe harbor as a practical means to resolve the potential
restriction on the transborder flow of data from the E.U. to the U.S. However,
ultimate support for the safe harbor will depend on the final version of
the principles. In order to ensure that the final set of principles are
acceptable to our members, this letter provides comments on the current
draft.
In our previous comments, the USCIB asserted that where a conflict exists
between the U.S. and the E.U. on data protection principles, the resolution
should be based on internationally agreed upon principles - the 1980 OECD
Privacy Guidelines, not adoption of the E.U. principles set forth in the
E.U. Directive. Such an approach is consistent with the concept of "adequacy"
rather than equivalency.
We are pleased that several of our suggested changes and requests for
clarification on the principles and FAQs issued on April 19, 1999 have
been addressed. There are a number of remaining issues from our comments
submitted on May 14, 1999 that have not been addressed. However, recognizing
the significant progress made since the April 19, 1999 draft, we are confining
our comments here to issues that our members believe are essential to ensure
industry's support for the final safe harbor documents.
The USCIB strongly supports the deletion of the last portion of the
first paragraph of this principle. Compliance with the deleted sentence
would be impractical and overly burdensome, most importantly, because at
the time choice is offered a company subscribing to the safe harbor may
not know each and every third party to which data may be transferred. Moreover,
this issue is addressed in the Onward Transfer Principle.
Our members seek clarification regarding the use of a written agreement
when a subscribing organization transfers data to a third party. We would
like to confirm that this written agreement does not mean that the third
party must subscribe to the safe harbor, but rather provide at least the
same level of protection.
- FAQ 5 - The Role of Data Protection Authorities:
Our members believe that a commitment to cooperate with data protection
authorities must be an enforcement mechanism option. This is essential
given that significant portions of many of our member companies' businesses
are not regulated and a self-regulatory enforcement mechanism does not
exist. Therefore, without this option, companies will not be able to comply
with the enforcement principle for those portions of their business. Our
members believe that this option is essential and do not support an automatic
termination date for this option.
- FAQ 6 - Self-Certification:
USCIB members do not believe that organizations subscribing to the safe
harbor should be required to provide self-certification letters "not less
than annually." A more logical requirement would be to require notification
to the Department of Commerce or its designee if there has been a material
change in the subscribing organization's self-certification declaration.
- FAQ 11 - Dispute Resolution and Enforcement:
The response to the first question in this FAQ indicates that data protection
authorities must agree to serve as an enforcement mechanism when subscribing
organizations commit to cooperate with them. As stated above, we believe
that this must be an enforcement mechanism option. Moreover, it is important
to clarify that the phrase "provided those authorities agree" does not
mean that each data protection authority has the choice to serve as an
enforcement body. This would effectively require subscribing companies
to seek the agreement of every member state authority, which would defeat
the purpose of the safe harbor, a harmonized resolution to the potential
restriction on the transborder flow of data.
- Summary of the Main Operative Provisions of a Possible Decision on the
Basis of Article 25.6 of the Data Protection Directive Concerning the US
"Safe Harbor":
The summary clarifies when a Member State authority may suspend data
flows to organizations that subscribe to the safe harbor. It was the understanding
of USCIB members that there were four cumulative criteria to be met. However,
the summary does not so indicate. It appears as though the second sentence
of the relevant paragraph is a definition of "irreparable harm." It was
our understanding that irreparable harm was one of four cumulative factors
to be met. Moreover, we think harm should also be qualified with the term
"unreasonable."
- Draft Letter from the Department of Commerce to the European Commission:
Footnote 1 of the letter states that "the duration of the interim period
is not yet agreed." USCIB members believe that, in order to ensure that
they can adapt their business practices to comply with the safe harbor
principles and to ensure the continued flow of data from the E.U. to the
U.S., the interim period should be 18 months and in no event expire prior
to the approval of a model contract by the Commission.
- Draft Letter from the European Commission to the Department of Commerce:
The letter includes a section on "Use of Contracts - Article 26 Decisions."
In many circumstances, existing contracts and proposed Model Contracts
such as the ICC Model Contracts require the data importer to comply with
the laws of the country from which data is being exported. USCIB members
believe it is essential that the safe harbor principles be considered the
law of an exporting E.U. member state in the context of contractual arrangements.
This should be the case without the need to renegotiate existing individual
contracts or proposed model contracts that require the data importer to
comply with the law of the country from which data is being exported. Suggested
language to capture this issue could be: "In the context of a contractual
solution, the safe harbor principles can be considered the law of the E.U.
member state from which data is exported, without the need to renegotiate
or explicitly state it in a contract. This could apply to existing approved
contracts and proposed model contracts where the data importer is required
to comply with the laws of the exporting country without revision."
- Regulated Industries - Financial Services:
The heavily regulated U.S. financial services industry will be subject
to significant new privacy regulations stemming from Title V of the just-enacted
Financial Services Modernization Act (S. 900). The Act imposes new privacy
and security obligations on financial services institutions, requires disclosures
and choice for the sharing of customer information, and directs both federal
and state regulators to adopt rules and examination guidelines to assure
compliance with the new law and with the Fair Credit Reporting Act. Financial
services companies will be required to publicize their privacy policies
and update or restate them at least annually, subjecting them to potential
civil liability and regulatory action if they do not live up to their commitments.
The Act does not preempt more restrictive state laws and regulations, which
are already under consideration in a number of states. Given the extensive
new privacy requirements under the Act, we would recommend that: a) the
Commission finds that the total privacy regulatory framework applicable
to the U.S. financial services sector is adequate under the terms of the
E.U. Data Protection Directive; or b) the Commission review that regulatory
framework after all state and federal regulations pursuant to the act have
been implemented (roughly a year to 18 months from now) in order to make
an adequacy determination at that time; and c) the Commission immediately
finds that U.S. financial services regulators constitute a third-party
enforcement agent under the terms of the safe harbor agreement.
Similar consideration should be given to other regulated industries,
such as healthcare products and services, for which regulations are being
developed under the auspices of the Department of Health and Human Services.
The regulations are expected to be issued in early 2000, with implementation
to be required within 24 months.
Thank you for your consideration and your continued efforts on behalf
of U.S. industry. Please do not hesitate to contact me or David Fares
(212/703-5061) if you have any questions regarding these comments.
Sincerely,
Charles Prescott
Chair, Working Group on Privacy and Transborder Data Flows