Before the
Department of Commerce
International Trade Administration
Washington, D.C. 20230
Draft International
Safe Harbor Privacy Principles
April 19, 1999
COMMENTS OF BELL ATLANTIC
Bell Atlantic appreciates this opportunity to comment on ITA's April
19, 1999 Draft International Safe Harbor Privacy Principles and the draft
Frequently Asked Questions dated April 19 and April 29, 1999. Bell Atlantic
is one of the world's largest communications companies with international
investments and operations in 23 countries outside the United States and
in 25 states domestically.
We applaud the efforts of the ITA to address the comments of the various
organizations and companies which commented on the previous draft of these
principles. We specifically note the changes in the Draft Principles which
are responsive to the comments made by Bell Atlantic in response to the
issuance of the Draft of November 3, 1998.
In general, with respect to the draft Safe Harbor Principles themselves,
we urge that any further refinements to the Draft retain the concept of
flexibility which has been incorporated in the current Draft of the Principles.
We also urge ITA to continue to acknowledge the significant role undertaken
by self-regulatory and private organizations, both in the promulgation
of standards as well as in policing compliance. It is those organizations
which will bear the primary enforcement burden with respect to US businesses
and other organizations which accumulate personal data.
We also believe that the success of the Safe Harbor Privacy Principles
depends upon broad interpretation of them. ITA should discourage any interpretation
that does not permit an organization to use the most effective and reasonable
methods available to it for achieving the goals of the Principles. In this
regard, we believe the Principles themselves should be controlling, and
that the Frequently Asked Questions should provide guidance, in any complaint
or issue that is raised under them.
We have several specific comments on the latest draft of the Principles
and the FAQs:
- Secondary Liability FAQ: Thank you for including this!
- Letters from Ambassador Aaron: Both the November 4, 1998 and the April
19, 1999 Aaron letters accompanying the draft Safe Harbor Principles contain
useful information which should be incorporated into the FAQs or the introduction
to the Principles so it becomes part of the final, official version of
the package. Specifically, (a) the benefits to participation from the April
19 letter should be included in the introduction, the FAQs, or a similarly
"official" part of the final package; and (b) the exceptions to the Principles
from Article 26 that were listed in the November 4 letter along with the
national security exception in the April 19 letter should also be included
in the introduction or in a FAQ so they can be easily referred to in conjunction
with the Principles and the other FAQs (in particular, the Sensitive Data
FAQ needs to be understood with these additional exceptions in mind).
- The Self-Certification FAQ: It is unclear how the self-certification procedure
will work for an organization subject to US laws that effectively protect
personal data privacy. The introduction to the Principles states that such
an organization does qualify for the safe harbor, but the certification
FAQ does not address how such an organization would qualify. Does
such an organization need to self-certify? If such an organization does
self-certify, it might be more useful for it to generally identify the
laws that apply rather than the organization's privacy policy. And, for
such an organization, it should not be necessary to include all the additional
information listed in the FAQ, which seems designed more for the self-regulatory
organization.
- Financial and Insurance Risk Management FAQ: This FAQ should be changed
to make it clear that risk management activities of companies that are
not in the financial or insurance industries are included. Other types
of companies, such as telecommunications companies, also use personal information
"to combat fraud, manage other business risk, or ensure a person's ability
to pay or qualify for various services."
- Verification FAQ: This FAQ goes way beyond the Safe Harbor Principles.
Principle 7 requires verification and recourse regarding compliance with
the Principles. The FAQ goes further and states that verification must
be provided for an organization's entire published privacy policy. This
is unduly broad since the Safe Harbor Principles may constitute a relatively
small portion of an organization's overall privacy program. In Bell Atlantic's
case, for example, verifying that our published privacy policies are "completely
implemented" would involve much more than our compliance with the Safe
Harbor Principles. It is unreasonable to require an audit of our entire
program in order to meet the verification requirements of these Principles.
In addition, this FAQ implies that an audit (internal or external) must
be undertaken yearly, since a corporate officer must attest to compliance
on an annual basis. This is too frequent and burdensome, and we would guess
that it is far more than most European companies do in order to comply
with the Directive.
In general, Bell Atlantic is pleased with the progress which ITA has
made and we believe that the promulgation of the Safe Harbor Principles
will forward the goal of free and healthy electronic commerce between the
U.S. and the European Community.
Respectfully submitted,
Shelley E. Harms
Executive Director
Bell Atlantic
May 14, 1999