Ambassador David L. Aaron
Undersecretary for International Trade
United States Department of Commerce
14th & Constitution Avenue, NW
Room 350
Washington, D.C. 20230
RE: Draft International Safe Harbor Principles - November 15, 1999
Dear Ambassador Aaron:
On behalf of the members of the Associated Credit Bureaus, we offer the following comments in response to the Department of Commerce's November 15, 1999 Draft International Safe Harbor Principles.
First, we offer our thanks for the time you and your staff have taken to schedule briefings and seek input from industries that are affected by this negotiation. As we have previously stated, our members share a serious concern about the European Union's Directive on Data Protection, which adopts a one-size-fits-all approach. We continue to believe that the U.S. system consisting of contracts, sectoral and common law, market changes and self-regulation provides the needed flexibility to ensure a fair, balanced system of privacy protection that benefits consumers and business. Following are comments on specifics of the current proposal.
We noted in your letter that the adequacy determination for the Fair Credit Reporting Act is still pending. It remains essential that the European Union agree to acknowledge as adequate the privacy protections found in and fairness provided by the FCRA. In both learning more about the reasons for the "pending" status and in our subsequent inquiries regarding practices in Europe, we believe that the measure of the FCRA's adequacy should be in terms of outcome and effectiveness. It is our view that the system of notices, choices, rights to access, limitations on use, error correction, expectations of accuracy and completeness found in the FCRA is comprehensive.
Regarding the issue of the transition period before the Safe Harbor is effective, our members support a period of not less than 24 months. This will allow the vast majority of businesses to identify and implement the most appropriate means of complying with the Safe Harbor Principles. Depending on the number of trans-border data flows, as well as the size of the company or data management system, comporting systems and personnel policies with the Safe Harbor may be enormously complex. Most affected companies will have to address technical issues such as programming and testing phases, as well as personnel issues such as changes in policies and employee training. In light of the implementation time frames offered in other countries and the fact that not all Member States have transposed the Directive into law, this is not an unreasonable time frame.
The status of Frequently Asked Questions (FAQs) continues to be a point of concern. Regarding the FAQ on enforcement, we believe that companies ought to have the option to cooperate directly with European Data Protection Authorities (DPAs) and not be limited to U.S. enforcement systems. While it is likely true that some companies with little or no European presence may wish to have enforcement handled in the U.S. via self-regulation or other certification, some firms may have mature European operations which are better suited to handling complaints and questions. In addition to the enforcement FAQ, the following points about FAQs remain relevant and we resubmit them for the record:
Sincerely,
Stuart K. Pratt
Vice President
Government Relations