Under Secretary David L. Aaron
c/o Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th & Constitution Avenue, N.W.
Room 2009
Washington, D.C. 20230
Re: Draft International Safe Harbor Principles and Frequently Asked Questions and Answers (FAQ's)
Dear Ambassador Aaron:
Thank you for the opportunity to comment on the revised International Safe Harbor Privacy Principles.
ACLI provided input to the comments submitted by the Coalition of Service Industries (CSI), and also is a signatory to an insurance industry trade association letter on the revised Safe Harbor Principles. The following comments supplement these two submissions.
The American Council of Life Insurance (ACLI) and its four hundred ninety-three (493) member life insurance companies thank you for your continued efforts in responding to the European Union Privacy Directive. ACLI supports the "Safe Harbor" approach as a way to bridge the differences between the requirements of the Directive and the legal framework governing privacy that exists in the United States.
As you know, the insurance industry has worked with the Department of Commerce and the European Commission in providing overviews of the laws and regulations that pertain to the insurance industry. In concert with other insurance trades, as well as our regulators, the insurance industry has demonstrated with specificity how the laws and regulations related to privacy in the insurance industry satisfy the International Safe Harbor Privacy Principles.
An essential and unique facet of this fulfillment is the ability of state insurance regulators to respond to individual consumer privacy complaints. While we believe the laws and regulations governing our industry fulfill the Safe Harbor Principles, ACLI would urge that enforcement remain with our insurance regulators. The insurance industry should be deemed to be within the safe harbor because of our legal and regulatory structure.
Choice
The initial reference to the individual's opportunity to choose (opt out) refers to the use and disclosure to third parties of personal information. In contrast, the parenthetical speaks only to use. ACLI suggests the first sentence be amended to state:
An organization must offer individuals the opportunity to choose (opt out) whether and how personal information they provide is used or disclosed to third parties (where such use or disclosure is incompatible with the purpose for which it was originally collected or with any other purpose disclosed to the individual in a notice).
Data Integrity
The first sentence of this principle provides that organizations may only "process" personal information relevant to the purposes for which it has been gathered. It is unclear what is meant by the term "process". If "process" is equivalent to "use", it could be interpreted as being inconsistent with the choice principle, which allows for uses other than the original use provided the appropriate opt out or opt in is secured. It may be helpful to clarify the interplay of these two principles, perhaps in an FAQ.
Access FAQ
We believe the Access Principle is much improved over the November 19, 1998 version. The only comment here is that it is not clear in the Access FAQ that fraud and investigations of fraud are covered. Fraud as an exception to access may be subsumed within one or more of the stated exceptions. However, we propose adding a specific exception as follows: "interfere with the investigation of suspected fraudulent activity or the preparation of litigation".
Thank you again for all the work you and your staff have put into these deliberations. Please let us know if there is any additional information we can provide you regarding our industry.
Very truly yours,
David M. Leifer
Counsel