Draft International Safe Harbor Privacy Principles
November 15, 1999

COMMENTS OF BELL ATLANTIC

Bell Atlantic congratulates the Department of Commerce on the November 15, 1999 Draft International Safe Harbor Privacy Principles and the draft Frequently Asked Questions. Bell Atlantic appreciates the hard work and efforts to address all concerns that have gone into the drafts. Bell Atlantic is one of the world's largest communications companies with international investments and operations in 23 countries outside the United States and in 25 states domestically.

Our comments on the November 15 drafts are limited to the Verification FAQ, where we continue to have concerns:

First, we believe the wording is too broad. Instead of addressing an organization's compliance with the Safe Harbor Principles, this FAQ appears to require verification of the organization's compliance with its entire privacy policy. Such verification may be much broader, more costly, and more burdensome than necessary for purposes of ensuring Safe Harbor compliance. For Bell Atlantic, for example, any part of the Company that will be complying with the Safe Harbor Principles will also be subject to Bell Atlantic's Privacy Principles. That Bell Atlantic entity must adhere to Bell Atlantic's Privacy Principles with respect to its domestic customers as well as complying with the Safe Harbor Principles with respect to any personal data on European citizens. Bell Atlantic's Privacy Principles contain requirements not included in the Safe Harbor Principles (such as the requirements to consider privacy in developing all new services and to comply with all privacy laws governing the company). Compliance with the Bell Atlantic Principles is very involved, covering numerous services, procedures for dealing with customers, and ways of handling customer information. Verifying compliance with Bell Atlantic's published privacy policies, then, would go well beyond the Safe Harbor Principles, with regard to both the requirements of the policies and the personal data covered. Such an extensive verification would be unnecessarily burdensome and costly (especially if required on an annual basis, see below). Bell Atlantic suggests eliminating the language that states: "such verification would have to indicate that an organization's published privacy policy is accurate, comprehensive, prominently displayed, completely implemented and accessible," and including language that limits the verification to compliance with the Safe Harbor Principles.

Second, this FAQ states that organizations should retain their records of implementation of their privacy practices. No end date is specified. Bell Atlantic suggests that the record retention requirement should not be indefinite, but should indicate a reasonable length of time after which such documents would be unlikely to be useful. For example, the FAQ could state: "Organizations should retain their records on the implementation of their privacy practices for at least two years . . ."

Finally, to the extent this FAQ requires an annual audit of the organization's compliance, Bell Atlantic believes that is too frequent. An annual audit is the same as a continuous audit and, whether done internally or by outside reviewers, will be unnecessarily burdensome and costly for the organization. An annual audit will not provide the organization with enough time to implement the recommendations from the previous year's audit before the current year's audit commences. The FAQ should make clear that audits need not be so frequent as every year. A more reasonable time frame would be once every 5 years.

In general, Bell Atlantic is pleased with the progress which ITA has made and we believe that the promulgation of the Safe Harbor Principles will forward the goal of free and healthy electronic commerce between the U.S. and the European Community.

Respectfully submitted,

Shelley E. Harms
Executive Director
Bell Atlantic
December 3, 1999