Dear Ambassador Aaron:

The Commercial Internet eXchange Association (CIX) is the world's oldest trade association of Internet service providers (ISPs) and Internet-related businesses. CIX was organized in 1991 to provide the first commercial interconnection to the Internet backbone. Today our members carry approximately 75 percent of the traffic across the national backbone. The association is also a network services provider with facilities in Palo Alto, California.

We deeply appreciate your efforts to craft an agreement with the European Commission to enable American companies to comply with the requirements of the European Union's Data Protection Directive. We cannot, of course, comment definitively until the final principles, FAQs, and other documents are publicly disclosed. Nevertheless, we are greatly encouraged by the most recent developments and urge you and your team to continue your constructive efforts, for failure to reach a reasonable accommodation could seriously retard the evolution of electronic commerce. We hope that participants will keep in mind that future technological developments could mitigate the severity of privacy problems on Web sites as tools are emerging to limit the amount of personal data one chooses to release.

ISPs are in the business of providing connectivity and access to the Internet and for several reasons generally have only a very limited amount of personal data about their customers. First, consumer ISPs set up accounts via valid credit cards and do not require extensive personal
information about the account holder. The lack of access to personal data is particularly true of the national backbone providers, which lease capacity to retail providers and lack any knowledge about the end users.

Second, ISPs do not collect information about their customers who surf the Internet. Such personal data is recorded on the subscriber's computer though ISPs collect that data if the subscriber happens to be on the ISP's home page. This differs from an online service provider
(OSP) customer who happens to access proprietary content or chat rooms hosted on his or her OSP's computers, and whose complete record of information is known by the OSP. For these and other reasons, it is important to understand Internet architecture and technology and the ISP
industry, which is more complex and diverse than is sometimes appreciated. Our industry and its underlying technologies are also rapidly evolving, and resist simple categorization and technical description.

Secondary Liability

CIX is pleased to note that the April 29, 1999, FAQ on Secondary Liability states that ISPs, telecommunications carriers or "other organizations" that "merely transmit" information would not be liable for violations. It should be noted that ISPs (and the other parties as well) also "route",
"switch" and "store" such data as part of their normal activities. We suggest that the FAQ and other documents be changed accordingly.

Further, the FAQ should be clearer as to the meaning of the term "other organizations".

Legal Status

We are concerned that the FAQ might have less weight in a legal dispute than the principles themselves and that, as a consequence, we cannot depend on the good intentions of the FAQ drafters to protect providers and carriers. Ideally, this intention should also be reflected in the
principles themselves, perhaps as an endnote. A recent decision by the European Parliament to impose copyright monitoring duties on ISPs and carriers demonstrates that technological factors do not necessarily lead to the appropriate policy decision. Overall we believe the issue of
the FAQs' legal status must be clarified and strengthened.

Safe Harbor Principles

The principles incorporate the OECD guidelines that have long been in place. They should be informed by the rule of reason. CIX strongly endorses the addition of the term "reasonable" to the Access principle (No. 6) and suggests that an attempt be made to define the term.

Enforcement

The procedures for handling complaints described on April 19, 1999, as well as the enforcement procedures could result in significant expenditures of management resources. As many of the ISPs around the world are small to medium-sized businesses, procedures should be designed to be as streamlined and economical as possible.

CIX supports the efforts of the Department of Commerce and looks forward to commenting on the final documents.

Sincerely,

Barbara Dooley
President