Ambassador David L. Aaron

December 2, 1999

The Honorable David L. Aaron
Undersecretary for International Trade
United States Department of Commerce
14th Street & Constitution Avenue, NW
Room 350
Washington, DC 20230

Dear Mr. Ambassador:

Citigroup Inc. appreciates this opportunity to comment on the November 15, 1999 draft International Safe Harbor Principles and the Draft Frequently Asked Questions. We commend the considerable progress made to date with respect to the Safe Harbor mechanism for allowing free flow of personal information between Europe and the United States under the European Union's Data Protection Directive.

There are several points of progress that should be commended, and advanced, as negotiations continue toward the mutual US and European goal of producing "clear and predictable guidance" for businesses under the Directive:

1. Citigroup supports the US position that the EU - and Member States - accept compliance with the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act of 1999 as an alternative demonstration of adequate protection for the organizations or activities falling under the provisions of these Acts, thereby qualifying such organizations and activities for Safe Harbor treatment. In this regard, the Department should delegate to the relevant US financial regulators all matters of reporting and compliance that would be required under the Safe Harbor mechanism for other US organizations. This would avoid jurisdiction issues among US regulators and streamline and harmonize compliance for organizations and activities subject to FCRA and Gramm-Leach-Bliley. This means, among other things, that (1) the covered financial organizations would furnish Safe Harbor notifications to the appropriate financial institution regulator in the US, subject to regulations they might prescribe; (2) verification and compliance requiring third party oversight might be accomplished in cooperation with such US financial institution regulator(s); and, (3) DPAs in Europe would interact with these US regulators going forward and with respect to enforcement and disputes.

Accordingly, because sufficient time will be necessary for covered organizations to assess the implications of proceeding under the Safe Harbor mechanism for complying with the EU Data Protection Directive and because US regulators need time to issue guidance or regulations found to be necessary under relevant law, Citigroup urges the Department to seek a 2-year transition period between the date of any US-EU agreement on Safe Harbor which binds Member States and the effective date of the Safe Harbor mechanism. Of course, during the pendency of such transition period, the EU would continue its standstill on Directive enforcement in the case of data transfers outside the EU.

2. The Department states that the Safe Harbor mechanism shall apply, if at all, to data to be transferred AFTER organizations electing to rely on the Safe Harbor mechanism actually enter into the safe harbor. Citigroup supports this prospective application of the Safe Harbor mechanism, and urges the Department to seek official European acceptance of the notion that data flows occurring before the effective date of the EU-US Safe Harbor agreement shall be "grandfathered."

3. Citigroup urges the Department to seek European Union confirmation that a qualifying US financial service organization electing Safe Harbor treatment for personal data exports from the European Union may also proffer its adequate information practices and arrangements in order to satisfy obligations under the Directive for data exports between countries of the European Union and locations in countries outside the Union (non-US countries, that is). This will assist the EU in giving effect to its pledge to implement and enforce the Directive in an "even-handed and non-discriminatory" manner.

4. While the apparent EU recognition of the efficacy under the Directive of contractual safeguards should be commended, no Safe Harbor agreement should be entered into by the US unless (1) EU acceptance of contractual safeguards under the Directive is binding on the Member States, (2) all open issues, including those relating to liability and enforcement, are settled and memorialized in writing between the US and EU, and (3) agreed-upon model clauses binding on the Member States are memorialized in writing.

5. Finally, Citigroup supports the language of the Choice principle advocated by the Department and supports the deletion of the crossed-out text.

Sincerely yours,
/S/
Lionel C. Johnson
Vice President and Director of
International Government Relations
Citigroup Inc.