May 11, 1999

Mr. Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th and Constitution Avenue, N.W.
Washington, DC 20230

Re: International "Safe Harbor" Privacy Principles

Dear Mr. Fredell:

These comments are submitted by the American Insurance Association ("AIA") on behalf of its member companies[1] as well as other constituent elements of the property/casualty insurance, life insurance, and property/casualty reinsurance sectors, including the American Council of Life Insurance, Reinsurance Association of America, Insurance Services Office, Inc., Alliance of American Insurers, The Council of Insurance Agents & Brokers, Independent Insurance Agents of America, International Insurance Council, National Association of Independent Insurers, National Association of Mutual Insurance Companies, and Professional Insurance Agents. These comments respond to the Department of Commerce's April 19th revised international "safe harbor" privacy principles and the European Union Data Privacy Directive ("EU Directive").

As a general matter, we believe that the Department and the European Commission representatives have made significant progress since the November 19, 1998 principles were issued, and have narrowed the gap of differences to a discrete set of issues. We are especially encouraged by the Department's draft frequently asked question ("FAQ") on financial and insurance risk management, which recognizes that important and necessary insurance information handling practices fall within the public interest qualification for safe harbor protection. Even though we are subject to this exception and others, as an industry we are still governed by numerous privacy constraints under applicable U.S. law and we will continue to strive to address consumer privacy issues in other ways that balance personal privacy concerns with business informational needs. With that in mind, we focus on the following points of clarification with respect to the revised principles. We note that the "data integrity" and "enforcement" principles do not need significant changes since the insurance industry is confident that existing federal, state, and other requirements more than satisfy the purposes behind these two principles.

A. The U.S. Insurance Industry Is Governed By A Number Of Laws And Practices That Ensure Effective Consumer Privacy Safeguards

The preamble to the safe harbor principles notes that an organization qualifies for the safe harbor if it "is subject to a statutory, regulatory, administrative, or other body of law . . . that also effectively protects personal data privacy." As we have consistently stated to the Department, we are interpreting the preamble statement to provide a safe harbor for industries that are subject to privacy oversight created by statutory, regulatory, administrative, industry, or other standards in the United States.

Undoubtedly, the insurance sectors represented by these comments fall well within the confines of this safe harbor exception. These sectors are subject to a full panoply of common, state, and federal laws, as well as government-enforced industry practices that ensure that personal information is adequately protected from misuse by those within these sectors, and that individuals - whether they are citizens of the United States or any other nation - have the right to seek relief when misuse occurs. The multiple layers of insurance information privacy protection include: (a) state unfair trade practices statutes, (b) National Association of Insurance Commissioners ("NAIC") model insurance information and health information privacy model laws, (c) state insurance information privacy laws, (d) state laws governing the use of personal information in such areas as medical privacy, fair credit reporting, and motor vehicle records, (e) data security, integrity and information handling protocols outlined in individual state insurance codes, (f) the federal Fair Credit Reporting Act ("FCRA"), and (g) rights and remedies available under state common law. These standards governing the insurance industry's handling of personal information have been detailed in prior submissions to the Department. As recently as April 25th, we prepared a document for the Department, which outlines how privacy standards currently in place for the insurance industry track the revised safe harbor principles presently being negotiated between the Department and the EC representatives. At the time the Department receives these comments, we will be finalizing a detailed chart, which describes the various laws governing insurance industry information handling practices and how those laws fit within the revised safe harbor principles.

Our two major concerns are that the Department's statement in the preamble (a) does not explicitly provide that industry practice recognized by state officials rises to the level of a privacy "body of law" and (b) that it is difficult to determine what is "effective" privacy protection. The first concern is primarily raised by intermediaries (agents and brokers) and property/casualty insurers who place and write workers' compensation insurance pursuant to a mandatory state system. Some of the information handling practices used within the workers' compensation insurance industry may not be explicitly set forth by statute, but are nonetheless recognized by state insurance regulators as a matter of industry or administrative practice. The Department's discussion of safe harbor principles should explicitly recognize instances, like those in the workers' compensation insurance industry, where industry or administrative practice rises to the level of effective privacy protection.

Explicit recognition by the Department of effective industry practice would not alter the intent of the exception. The Department has already added a parenthetical to the exception that recognizes the "body of rules" issued by securities industry oversight organizations. We are merely saying that such recognition should not be limited to the securities industry alone - for other situations in other industries may arise that are covered by the exception, but may not technically be considered a "body of law." Therefore, we respectfully urge the Department to clarify that industry practice, enforced by a regulatory body, may rise to the level of effective consumer privacy protection.

With regard to the second concern, we are unsure what is meant by a body of law "that effectively protects personal data privacy." Because we understand that the safe harbor principles are not intended to govern or affect U.S. privacy regimes, we assume that the multiple layers of privacy protection applicable to the insurance industry qualify as effective privacy protection. However, it would be helpful for the Department to include either in the preamble or as part of the clarifying questions and answers concrete examples of industries that meet the effective protection standard.

B. Notice ("Clear and Conspicuous" Language; Third Party Disclosure)

Turning to the seven enumerated safe harbor principles, we have indicated in previous comments to the Department that we are not sure what type of notice of insurance information practices rises to the level of "clear and conspicuous language." The insurance industry must follow notice requirements prescribed by FCRA, state fair credit reporting acts, and those jurisdictions that have codified a version of the NAIC insurance information privacy model. Because the safe harbor principles were not meant to supplant or alter applicable U.S. privacy requirements, we are concluding that adherence to existing legal requirements meets the terms of the "notice" principle. We are asking that the Department confirm that our conclusion is correct.

Having said that, we believe that the Department has clarified the notice requirement to some extent by making the "clear and conspicuous" language requirement applicable "before the organization uses such information for a purpose other than that for which it was originally collected or discloses it to a third party." We would ask that the Department clarify one aspect of this condition: that the "clear and conspicuous" language requirement be triggered when disclosure is made to a third party "for inconsistent purposes." As explained earlier in these comments, there are certain lines of insurance, such as workers' compensation insurance, that require the mandatory delivery of benefits pursuant to statute and regulation. It would be unwieldy, if not impossible, to administer benefits under this system if every participant in the process were required to give "clear and conspicuous" notice to an individual of information handling practices every time information is transferred to carry out a statutory or regulatory mandate. Accordingly, we respectfully recommend that the Department clarify the "clear and conspicuous" language requirement in the notice principle by triggering it only where information is used for an inconsistent purpose or disclosed to a third party for an inconsistent purpose.

C. Choice ("Opt Out" Conditions; "Opt In" Clarification)

We agree with the majority of the Department's changes to the choice principle, and we would seek minor clarification with respect to note 4, which accompanies the choice principle. With respect to "opt out" choice where the use of personal information "is incompatible with the purpose for which it was originally collected or with any other purpose disclosed to the individual in a notice," we would note that the insurance industry only uses or discloses personal information for purposes compatible with the business of insurance, or for purposes disclosed to the individual at the outset. Existing laws prescribe the use and onward transfer of such information and detail the situations that give rise to consumer consent obligations.

With respect to "opt in" choice for sensitive information, although we are unclear about the scope of "sensitive" information, we agree with the intent of footnote 4 and the draft FAQ on sensitive data. We do believe that this note and the FAQ must be broadened to include all of the exceptions recognized by the EU Directive. Among other relevant exceptions, the Directive (i.e., Article 26) permits derogation from the Article 25 "adequacy" standard where (a) "the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject's request;" (b) "the transfer is necessary for the conclusion or for the performance of a contract concluded in the interest of the data subject between the controller and a third party;" or (c) "the transfer is necessary on important public interest grounds, or for the establishment, exercise, or defence of legal claims."

Inclusion of insurance "risk management" activities within the "public interest" FAQ addresses one of our concerns. In addition, we would assert that, because insurance involves a contractual arrangement between policyholder and insurer, which may or may not include benefits potentially available to a third party claimant, all of these exceptions apply to the information handling practices of the insurance industry. This assertion is especially true where personal information is necessary to carry out the terms of the insurance contract, to resolve a claim arising out of that contract, for the detection and prevention of fraud, and in the renewal process. Using workers' compensation insurance again as an example, workers' compensation insurers are permitted, without prior authorization from the employee-claimant, to gather personal information about the injured employee and to forward that information to others as permitted by the applicable state workers' compensation system. In this situation, the workers' compensation insurer is accessing personal information to further the performance of a contract between the insurer and the claimant's employer and the information is being transferred to satisfy a legal claim. The EU Directive itself recognizes that the Article 26 derogations are necessary "as regards the procedures used for settling claims for benefits and services in the health insurance system." Such procedures, applied in the context of property/casualty, life, and property/casualty reinsurance, present no less compelling circumstances of public interest. The clarifying language sought by the insurance industry would be relatively simple: add a reference to the Article 26 "contract" exception, delete the word "legal" that modifies the exception for the establishment of legal claims and defenses and note that this exception would be acceptable for the administration of mandatory benefit delivery systems.

D. Onward Transfer

The onward transfer principle allows disclosure to third parties "consistent with the principles of notice and choice." However, the revised principle seems to allow disclosure to third parties for a "compatible" purpose only where the disclosing entity (1) "ascertains" that the third party meets the safe harbor principles or (2) enters into an agreement with the third party to provide equivalent privacy protection. This language is not acceptable for one overriding reason: an entity to which personal information is disclosed cannot be responsible for the information handling practices of those to which it discloses personal information in order to carry out a business function. The most that can be done is to hold a third party responsible under applicable laws governing or related to insurance information privacy. As we have stated many times, the insurance industry is "heavily regulated" for privacy purposes and we are confident that state insurance regulators have the enforcement authority to address and resolve individual consumer privacy complaints, and to discourage abusive information handling practices by those associated with the business of insurance. To this end, we would respectfully ask the Department to clarify that the onward transfer principle does not impose an affirmative duty on any entity or individual in the insurance industry to stand behind the information handling practices of others.

E. Data Security (Duty To Protect From Destruction Or Alteration)

We are generally satisfied with the data security principle because it is consistent with obligations already imposed by the examination provisions of most state insurance codes. However, we would note that many states have record retention provisions that would limit the extent to which information could be protected from alteration or destruction. In this regard, we would ask the Department to clarify that the "reasonable precautions" referenced in the data security principle permit adherence to existing record retention requirements, whether imposed by statute, regulation, or industry practice.

F. Access (FAQ Clarification)

We have reviewed the revised access principle and find that the language, including the bracketed language, addresses many of the concerns raised in our November 1998 comments to the Department on this issue. We have also reviewed the draft FAQ on access and find that the FAQ raises additional questions that need to be answered. Under the first FAQ ("Is the right of access absolute?"), the following paragraph appears:

"Expense and burden are important factors and should be taken into account but they are not controlling in determining whether providing access is reasonable. For example, if the information is used for decisions that will significantly affect the individual (e.g., the denial or grant of important benefits, such as insurance, a mortgage, or a job), then the organization would have to disclose that information even if it is relatively difficult or expensive to provide."

Access FAQ at 1 (April 19, 1999 Draft) (emphasis added).

While the FAQ later describes exceptions to an individual's access rights, this does not diminish the reality that individuals are not always entitled to access information where insurance is involved. For example, current U.S. law provides a prohibition on access in connection with insurance claims or civil or criminal cases. We would respectfully ask that the Department modify this FAQ to permit U.S. standards to continue to govern reasonable rights of access. Such clarification might be accomplished by changing the referenced FAQ language to read as follows: "Expense and burden are important factors and should be taken into account but they are not controlling in determining whether providing access is reasonable, especially where the information is used for decisions that will significantly affect the individual. Rights of access, of course, are tempered by exceptions, which are discussed later in this FAQ."

CONCLUSION

In short, we believe that our requests for clarification restate what has been the Department's consistent position: that industries already well-regulated by U.S. privacy standards can continue to adhere to those standards without fear of running afoul of the EU Directive, and that the principles are flexible enough to strike an appropriate balance between the privacy concerns of individuals and the legitimate informational needs of business. We appreciate the opportunity to submit comments on this important public and business issue, and we look forward to a continuing dialogue on the safe harbor principles.

Respectfully submitted,

J. Stephen Zielezienski
Senior Counsel
American Insurance Association

On behalf of

American Insurance Association
1130 Connecticut Ave., N.W.
Suite 1000
Washington, DC 20036

American Council of Life Insurance
1001 Pennsylvania Ave., N.W.
Washington, DC 20004-2599

Reinsurance Association of America
1301 Pennsylvania Ave., N.W.
Washington, DC 20004

Insurance Services Office, Inc.
1825 K Street, N.W.
Washington, DC 20006-1202

Alliance of American Insurers
1211 Connecticut Ave., N.W.
Washington, DC 20036

Independent Insurance Agents of America
412 First Street, S.E.
Washington, DC 20003

The Council of Insurance Agents & Brokers
701 Pennsylvania Ave., N.W., Suite 750
Washington, DC 20004

International Insurance Council
900 19th Street, N.W.
Washington, DC 20006

National Association of Independent Insurers
444 N. Capitol Street, N.W.
Washington, DC 20001

National Association of Mutual Insurance Companies
122 C Street, N.W.
Washington, DC 20001

Professional Insurance Agents
400 North Washington Street
Alexandria, VA 22314

cc: George Brady (NAIC)


[1] AIA is a trade association that represents more than 350 of the Nation's most prominent property/casualty insurers.