Thank you for the opportunity to provide comments from Cendant Corporation on the subject draft safe harbor principles.
By way of background, Cendant Corporation is a global provider of consumer and business services. The Company operates in three principal segments: Travel Services, Real Estate Services and Alliance Marketing.
In Travel Services, Cendant is the leading franchisor of hotels (Ramada, Days Inn, Travelodge, Howard Johnson, Knights Inn, Super 8, Villager Lodge and Wingate) and rental car agencies (Avis) worldwide; the largest provider of vacation exchange services (Resorts Condominium International); a leading fleet management company, the UK's largest car park operator, and a leading motorist assistance group in the UK.
In Real Estate Services, Cendant is the world's largest franchisor of residential real estate brokerage offices (Century 21, Coldwell Banker and ERA), a major provider of mortgage services to consumers and a global leader in corporate employee relocation.
In Alliance Marketing, Cendant provides access to insurance, travel, shopping, auto and other services, primarily through direct marketing to customers of its affinity partners. Headquartered in New York City, Cendant has more than 40,000 employees and operates in over 100 countries. In meeting our obligations to individual customers and businesses, we transfer and receive personal information from our offices and other organizations throughout the European Community.
Based upon its experience in meeting the expectations of customers and businesses in the above-described industries, Cendant respectfully offers the following comments for your consideration.
1. In the "Notice" and "Choice" Principles, the phrase "clear and conspicuous" is used. In commercial practice in the US, there are currently two recognized legal standards for this term. The first standard is from a model state law -- the Uniform Commercial Code -- and the second from various rules issued by the Federal Trade Commission. For purposes of uniformity, I strongly suggest that most commercial enterprises in the US would prefer the UCC standard. Even the UCC standard may require additional clarification with respect to internet applications. In the on-line world, for example, the privacy statement should suffice if it appears in the same or bolder/italic type under the click through to "Legal" or "Privacy" and the opt-out should suffice if it is a click through to "Do not Disclose" or other similar instruction. Perhaps the best way to provide this clarification is through a FAQ.
2. The term "organization" is used throughout the Safe Harbor Principles. Given the proliferation of corporate subsidiaries/affiliates required in today's complex economy (particularly with respect to international trade), this term needs to be broadly defined. As long as all of the related companies use the data for similar purposes, the related companies should not be deemed "third parties" and such use is not for "a purpose other than that for which it was originally collected". Again, this clarification should be made in a FAQ.
3. It is imperative that the "reasonableness" standard in the bracketed sentence of Principle 6 "Access" be retained. Part of the standard to determine whether or not such access by the consumer is reasonable must consider the extent of harm caused to the consumer if the access is denied.
FAQ number 1, paragraph 4 states that when information is "inexpensive to provide", an organization must provide it to an individual even when the information is not sensitive or used for decisions that will not significantly injure the individual. If, for example, the only injury claimed by an individual is that he/she received a marketing brochure and the issuer of the brochure provides a convenient method of removing the individual's name from receiving future brochures, there should be no right to or need for access. Such a practice would also eliminate many disputes that will certainly arise in the future over the validity of an organization's determination of its fee for such access.
This issue is particularly relevant with respect to marketing data. Rarely is such data used to identify a specific individual, but is used for mass marketing activities. Providing access to this aggregated data goes to the issue of whether the data on the individual is "readily available". To address such cases the Principles need to clarify that an organization need not take any action to change the format, organization or structure of its information.
The Principles should also clarify that access rights are limited only to information that is readily available and in active use. There should be no access to archival records.
4. The information subject to the EU Privacy Directive should not apply to information gathered prior to the effective date of the Directive. A clear FAQ that the Principles have no retroactive effect would provide needed comfort to US businesses.
5. The Principles should not apply to information volunteered by the consumer that is not requested by the organization.
6. A FAQ should confirm that an organization should be able to rely on assurances from a third party that it has complied with the Principles in gathering consumer information that may be a part of a transaction with the third party.
7. Organizations need only use normal industry standards for the security and integrity of the information. No higher standards should be required under the Principles. An organization that has taken such industry acceptable measures should have no responsibility for the success of a creative hacker.
8. Organizations are going to be facing constant changes to the needs of EU member states and their citizens with respect to privacy standards. Unless a violation is egregious and results in measurable harm to the individual, the enforcement approach in the Principles should adopt a series of warnings to organizations to permit them to properly respond and make needed process changes, if required. There should also be no punitive damages, no class actions and no attorneys' fees under the Principles.
Thank you for your consideration of our views. We would be pleased to provide you with additional materials on the topics discussed above or meet with you in person.
Sincerely,
Samuel H. Wright
Sr. Vice President
Cendant Corporation
wright_samuel@phh.com