TO: Electronic Commerce Task Force, U.S. Department of Commerce
FROM: Steven J. Metalitz, counsel to DBT Online, Inc.
DATE: December 3, 1999
RE: Comments on Draft Safe Harbor Principles
On behalf of DBT Online, Inc. (DBT), I submit the following comments on the November 1999 drafts of the safe harbor principles and associated documents.
DBT is a leading online provider of integrated database services for the law enforcement, government, law firm, insurance, and investigative markets. DBT is an active member of the Individual Reference Services Group (IRSG) and supports the comments IRSG is filing. This separate DBT submission focuses on the treatment under the safe harbor of personally identifiable data that is collected and used for two purposes: first, for the purpose of fraud prevention, investigation or detection; and second, for the purpose of compliance with government mandates. DBT believes that, as the documents are currently drafted, U.S. organizations may collect and process personally identifiable data on Europeans for these purposes without regard to many of the safe harbor restrictions. It may be useful to clarify this conclusion.
Anti-fraud activities are closely related to law enforcement activities, for which an explicit exception is already set forth in the fifth paragraph of the preamble to the draft Safe Harbor Privacy Principles. Like police or other law enforcement officials, companies seeking to detect and investigate insurance fraud, employee theft, or other forms of larceny clearly cannot be expected to give notice in every instance to employees, claimants, or other targets; cannot offer them choices or opt outs; and cannot be expected to make all data collected accessible for inspection.
If this issue has not been clearly spelled out in the safe harbor negotiations so far, it may be because, under U.S. practice, the private sector undertakes these anti-fraud responsibilities far more extensively than might be the case in many European systems. In this as in many other areas, activities that are traditionally a state monopoly in some European economies are often left largely to private sector resolution in the U.S. Certainly only a small fraction of employee theft or insurance fraud cases, for example, would ever wind up in the U.S. criminal justice system, to which a conventional law enforcement exception to the safe harbor would apply. Even in these cases, public authorities in the U.S. probably rely upon the results of private sector investigative work to a much greater extent than would be the case in Europe. It seems likely that once this difference in approach is discussed with Commission representatives, it should be possible to obtain agreement on an explicit recognition, at least in an FAQ, that the law enforcement exception extends to these private sector activities in support of law enforcement.
In any event, it seems clear from the draft documents that these uses of personally identifiable data will benefit, if not from a complete exemption from safe harbor treatment, at least from a relaxation of certain requirements. For instance, FAQ 8 spells out that access requests may be denied in these circumstances (see items 5(a), 5(b), 5(h), and 5(j)). Item (2) of FAQ 1 similarly rules out any opt in requirements for uses of sensitive data to establish legal claims or defenses. FAQ 4 (and, by reference, item 3 of FAQ 9) foresees processing of data without the knowledge of the data subject when to do otherwise would prejudice legitimate interests of the organization; surely protection against theft or fraud would qualify for this exception. In other words, it is apparent that many safe harbor principles either do not apply, or apply only in diluted form, to the processing of personally identifiable information for anti-fraud purposes. An explicit exception to the safe harbor would impose little additional marginal impact on personal privacy, and would greatly facilitate a channel of transatlantic data flow of considerable importance to the private sector in both the U.S. and the E.U.
With regard to the second circumstance, the safe harbor standards already recognize that in some cases (e.g., collection of information concerning employee race or ethnic origin), U.S. companies are under a legal obligation to collect personally identifiable information, including what the European directive would consider "sensitive data," in ways that may not be strictly compatible with the European legal standards. In fact, this observation is valid in contexts outside the human resources field. For instance, virtually every U.S. employer is legally obligated to collect and use personally identifiable information about workplace accidents and injuries, even those involving non-employees. This obligation applies regardless of whether the injured party or accident victim has consented to that collection and use, and without giving that party the opportunity to choose to opt out of some of those uses. Certainly in some cases this obligation extends to accidents involving European nationals, or even those occurring in European facilities of U.S. companies. Companies should not need to jeopardize their safe harbor status in order to meet these compliance obligations.
For that reason, DBT reads the fifth paragraph of the preamble to the draft Safe Harbor Privacy Principles, which states that the applicability of principles may be limited "(a) to the extent necessary to meet … public interest or law enforcement requirements; [or] (b) by statute, government regulation, or case law," to encompass any collection or use of data for the purpose of compliance with a legal obligation imposed by statute, regulation, or consent decree. It would be useful to confirm the accuracy of this reading, either by inserting the words "or compliance" after "enforcement" in item (a), or in an FAQ.
Thank you in advance for your consideration of these comments.