December 3, 1999

VIA E-MAIL (Ecommerce@ita.doc.gov)

The Honorable David L. Aaron
Undersecretary of International Trade
U.S. Department of Commerce
14th Street & Constitution Avenue, N.W.
Room 3850
Washington, D.C. 20230

Dear Ambassador Aaron:

I write to submit the views of The Direct Marketing Association, Inc. ("The DMA") in response to your letter of November 15, 1999 eliciting comments on the current drafts of the Department of Commerce's safe harbor proposal.

The DMA is very encouraged by the significant progress that has been made during the past year and appreciates the DOC's continued openness and inclusion of industry as this approach has developed.

The DMA continues to believe that the concept of a safe harbor can become an effective means for the United States and European Community countries to continue engaging in trade and protect data consistent with the E.U. Data Protection Directive. We will have to await final resolution of the negotiations before The DMA and its members can decide whether to support the principles in their entirety, or make use of the mechanism. We are, however, optimistic that the outstanding issues will be resolved in a manner that will allow for such a framework to proceed.

After a brief discussion of the overall safe harbor framework, we set forth below the views of our members in connection with specific principles, FAQs, and supporting memoranda.

I. Overall Safe Harbor Framework

The DMA is encouraged by the progress that has been made in clarifying the scope of the safe harbor, the manner in which it will be implemented, and the meaning of the principles. For example, the current draft clarifies that:

· The safe harbor approach is but one of many alternatives for compliance with the E.U. Data Protection Directive. The documents now clearly state that entering the safe harbor is just one of the ways for the data protection of a U.S. company receiving personal data from the European Union to be considered "adequate" for purposes of the Directive.

· The principles and the FAQs will be accorded equal weight, and that any E.U. article 25.6 determination will treat the principles and the FAQs together. This recognizes how essential the FAQs are to clarifying the meaning and implications of the principles.

· The notice, choice, onward transfer, and access principles do not apply to European public record information nor, in most instances, to publicly available information.

The DMA still believes, however, that the balancing approach found in article 7(f) of the Directive should be applied more generally to the safe harbor documents. This concept--the general notion that the legitimate rights of individuals must be balanced against the legitimate needs of business--sends a deliberate legal message that neither of these rights or needs is absolute. Recipients of information in the United States should not be faced with absolute principles while their counterparts in Europe are allowed to operate under a more flexible framework incorporating this important balancing concept. Although this sliding scale is best reflected in the access principle and FAQ, it should be applied more generally to the other safe harbor principles, FAQs, and supporting memoranda.

We also continue to believe that requiring affirmative notification to the Department of Commerce or another third party repository as part of self-certification will be unnecessary and unduly burdensome. Notification requirements are not as simple as they may appear, and may set unwarranted precedents within the United States. For example, companies in the United States are not required to certify that they are in compliance with United States advertising laws or other laws. Moreover, the European systems themselves are moving away from registration of data processors and, where this does exist, provide broad exceptions to the registration requirement.

Finally, the duration of the interim period for implementation of the safe harbor is critical to the success of this approach. However, the Department of Commerce's safe harbor documents indicate that "the duration of the interim period is not yet agreed." There must exist sufficient time to fully evaluate the potential impact of the safe harbor on member businesses and to evaluate the other options that are available to comply with the directive. The DMA has previously suggested a minimum initial evaluation period of six months followed by at least a one-year grace period for companies to come into compliance. This time frame would allow more time for companies to implement the principles without interrupting the normal flow of their business operations. Some flexibility should also be built into the principles to allow for the opportunity, if necessary, for extensions to the grace period.

II. Safe Harbor Principles, FAQs, and Supporting Memoranda

A. Notice

We assume that FAQ 12, which addresses the timing of opt outs, applies to the timing applicable under both the notice and choice principles.

In our prior comments, we urged modification of the safe harbor principles to accommodate legitimate marketing purposes when prompt notice is provided upon entering into a customer relationship because, in some circumstances, clear and conspicuous notice may need to wait until the shipment of a purchased good or a communication via postal mail. In fact, we understand the U.K. Data Registrar and the French Registrar accept that such notice can be given by a company who is a transferee of a list of prospects in the first commercial message to the prospect. Without this exception, one is faced with the absurd situation of having to give notice to prospects "before processing," which cannot be done without processing the name and address for printing purposes.

Our suggested edits to the notice principle are now reflected in the FAQ on choice. This FAQ now incorporates a practical approach to notice in stating that "an organization may use information for certain direct marketing purposes when it is impractical to provide the individual with an opportunity to opt out before using the information" provided that the organization promptly provides the individual such opportunity and "complies with the individual's wishes."

B. Choice

The DMA supports the two changes that the Department of Commerce has made to the text of the choice principle.

As we stated in comments filed more than a year ago, the safe harbor mechanism should not result in imposing burdens on U.S. businesses greater than are imposed on European businesses under the directive. The last sentence of the first paragraph of the text, which the Department of Commerce wants stricken, would impose greater burdens upon U.S. companies because it is not required by the Directive. It should not be retained if it is not the prevailing practice in each member state.

We agree with the Department of Commerce that the term "specify" in the definition of "sensitive information" in the choice principle better addresses the concerns underlying the need for special treatment of sensitive information. A person is not specifying sensitive information by the mere purchase of a product or service, even if such a transaction may lead to marketing inferences about that person's race, religion, etc. For example, the fact that a person subscribes to The Christian Science Monitor does not necessarily mean he or she is a Christian Scientist. Although product purchases may enable a company to draw inferences about the purchaser, the character of this data is fundamentally different from that of sensitive information transferred to a data controller for safekeeping. The fact that innocuous information can lead to inferences should not transform the character of this information into sensitive information.

For similar reasons, we concur with the Department of Commerce's conclusion that the use of the term "specify" in the choice principle better corresponds with existing First Amendment jurisprudence. Absent additional evidence of any threat that the data poses to consumers, requiring an opt-in for the use of innocuous information--which reveals nothing with certainty but may permit inferences to be drawn--may run afoul of the First Amendment. Moreover, use of the term "specify" in the choice principle is consistent with the discussion of confidential commercial information under the access FAQ, which includes "marketing inferences" as confidential commercial information.

C. Onward Transfer

The DMA supports the decision not to include language that would require explicit notice and choice when personal data is transferred to a third party that does not adhere to the safe harbor requirements. The language proposed by the Commission last spring would have severely undermined the ability of organizations to use subcontractors that have not self-certified under the safe harbor program. Enabling a third party to contractually comply with the level of protections afforded by the safe harbor, even without notifying the Department of Commerce and formally subscribing to the principles, will preserve the potential utility of the safe harbor for the sizeable number of companies that rely on subcontractors.

D. Contracts

FAQ 10 contains clarifications that should encourage participation in the safe harbor. We support and, indeed, encouraged some of these clarifications.

Specifically, FAQ 10 makes clear that contracts between data controllers in the E.U. transferring data to the U.S. and safe harbor participants for processing purposes only will not require prior authorization or approval by the Member State or the E.U. Commission (unlike the use of contracts with U.S. entities not participating in the safe harbor). It also states that, in such circumstances, the data controller in the E.U.--not the safe harbor participant receiving data from the E.U. merely for processing purposes--remains responsible for complying with European law regarding notice, choice, onward transfer, access, and data integrity. The safe harbor participant processing the data need only apply the safe harbor security principle. We agree with the Department of Commerce that these features demonstrate situations where participation in the safe harbor represents advantages over non-participation.

E. Safe Harbor as Contract

The DMA supports the Department of Commerce's efforts to reach agreement with the European Commission on the use of the safe harbor principles in model contracts being developed under article 26.4 of the Directive. This would further facilitate the transfer of data between Europe and the United States. We also concur with the need for sufficient transition time after the Commission's decision on the use of the safe harbor principles in model contracts for companies to evaluate and make decisions as to whether to enter the safe harbor or rely on contractual safeguards.

F. Access

In our May 1999 comments, we urged retention of the "reasonableness" standard in the text of the access principle but indicated that a "proportionality" standard could also address our concerns. The current documents substitute a "proportionality" standard for a "reasonableness" standard in the text of the access principle, but retain the "reasonableness" standard--including factors such as frequency of access requests and response time--in the FAQ, which is now accorded equal weight with the text of the principle. This appears to constitute a satisfactory accommodation of Commission concerns, which the DMA does not oppose.

In addition, the FAQ on access now states that "modeling programs" and "marketing inferences or classifications generated by the organization" are confidential business information to which a company may deny access. We support these clarifications and urge their retention in the final documents.

However, the FAQ still states that access may be required to be provided to non-sensitive factual information that is not used for decisions that will significantly affect the individual if the data is "readily available and inexpensive to provide." The DMA continues to believe that the FAQ could be clearer in stating that the level of expense and difficulty required should in every instance be proportional to the sensitivity of the data. Thus, for information with minimal sensitivity, the level of expense or difficulty may be disproportionate unless it can be retrieved in the normal course of business by measures that are taken on a regular basis with respect to that information.

G. Enforcement

We understand that a company's ability to enter the safe harbor by committing to cooperate with data protection authorities in the relevant member states is still under negotiation and consideration. For example, FAQ 5 would enable companies to make a commitment to cooperate with the data protection authorities in the relevant member states as one means of satisfying the enforcement principle. FAQ 11, on the other hand, states the same concept but contains the following phrase in brackets: "provided those authorities agree."

The DMA continues to believe that committing to cooperate with European data protection authorities should be one of the means of satisfying the enforcement principle, and that this would help increase the usefulness of the safe harbor. However, we still believe that also requiring companies to seek agreement of the data protection authorities will negate some of the safe harbor's usefulness.

We also urge clarification of the circumstances under which a data protection authority may suspend data flows to organizations that subscribe to the safe harbor. In briefings, Department of Commerce officials indicated that there were four cumulative criteria that would have to be met before this extraordinary remedy could be exercised. The text of the draft Summary of a Possible Article 25.6 Decision Concerning the Safe Harbor is less clear. It also is vague about the notice and opportunity to be heard that organizations will receive prior to a data protection authority suspending data flows to them.

The DMA

The DMA is the largest trade association for businesses involved in direct marketing and database marketing. The DMA represents more than 4,800 companies in the United States and 58 other nations. Our members are leaders in the development of global commerce, supported by the exchange of information across borders. The DMA's leadership is continuing to extend in the Internet and electronic commerce areas with its recent acquisitions of the Internet Alliance and the Association for Interactive Media.

Founded in 1917, its members include direct marketers from almost every consumer and business-to-business segment, as well as the non-profit sector. Included are catalogers, financial service companies, book and magazine publishers, retail stores, industrial manufacturers, Internet marketers, and a host of other vertical segments as well as the service industries that support them. Many of our members have for decades engaged in the transfer of data from the E.U. and include what we believe are the majority of the companies that will be affected by any agreement reached with the European Union.

The DMA has worked for many years on numerous successful consumer protection initiatives on behalf of our members. Led by The DMA, and in coordination with the federal government, industry has been able to develop practices that protect the consumer while at the same time preserving the leadership of our members in the information age. Through peer review The DMA sets standards, enforces, and educates. The DMA's Ethics Policy Committee sets privacy standards. A different DMA body, the Committee on Ethical Business Practice, responds to cases of alleged violations of the Association's Guidelines on Ethical Business Practice. This committee, composed of a cross section of companies in the industry, enforces the guidelines. Most cases that are brought are resolved through this Committee and its recommendations.

To educate consumers, The DMA has been very active in creating educational material on and off the Web to empower consumers in their understanding of information practices. Through our Mail, Telephone and, effective January 10, 2000, e-Mail Preference Services, we facilitate consumers' choice over use of their information. In fact, last July the DMA Privacy Promise went into effect. This promise requires as a condition of membership in The DMA that companies offer notice, opt out, and in-house suppress, and comply with the Mail and Telephone Preference Services and, in January 2000, the e-Mail Preference Service.

* * *

The Department of Commerce has come a long way in its development of a safe harbor mechanism, and The DMA encourages its continued efforts to negotiate final documents with the European Commission. As noted before, we support the proposed concept of a safe harbor provided that our concerns can be addressed. Such a safe harbor could result in a predictable way to comply with the Data Directive and foster continued growth and consumer confidence in our $1.4 trillion industry. The uses of industry privacy programs that fall within the safe harbor principles will assist many DMA members in complying. We appreciate the opportunity to express our views and the continued openness and inclusion of industry as this approach is developed.

Sincerely,

Jerry Cerasale
Senior Vice President
Government Affairs