The Honorable David Aaron
Under Secretary
International Trade
Department of Commerce
14th St. & Constitution Ave., NW
Washington, DC 20230
 
Comments to Department of Commerce Draft
International Safe Harbor Privacy Principles; Procedures
Document; and Frequently Asked Questions
 

Dear Ambassador Aaron:

Dun & Bradstreet (D&B) welcomes the opportunity to comment on the Department of Commerce's (the Department) April 19, 1999 draft "International Safe Harbor Privacy Principles" and the accompanying documents. D&B appreciates the Department's continued and steadfast effort to resolve the difficult issues raised by the European Data Protection Directive's "adequacy" requirement in a manner that recognizes the differences in the legislative framework governing data use in the United States and Europe.

D&B fully supports the Department's overarching goal of creating a safe harbor for US companies recognized by the European Commission and the Union's Member States. D&B operates in all European Union Member States and transfers business information from those countries to the United States and other non-European jurisdictions. D&B, therefore, has a particular interest in the timely resolution of these issues.

While all of the principles and accompanying documents are of importance, our comments are focused on those issues that D&B believes are priorities for final acceptance of and ultimate participation in the safe harbor.

Safe Harbor Principles

D&B finds the privacy principles, as drafted, to be generally consistent with our current data privacy practices. In a few areas, the principles could use clarification to more clearly impart to companies what is expected of them.

Notice and Choice: As drafted, both principles suggest the primary responsibility for providing notice and choice rests with the initial data collector. For D&B, the data collector would be our European operating companies. What responsibility would our US business have for providing notice and choice under these principles? With respect to the choice principle specifically, D&B believes that the parenthetical "where such use is incompatible with the purpose for which it was originally collected or with any other purpose disclosed to the individual in a notice" is crucial to the choice provision and should not be relegated to parentheses but instead added to the text of the principle.

Onward Transfer: D&B is concerned with the endnote that suggests the Commission wants explicit consent when third parties are not participating in the safe harbor. D&B's core business involves transferring information to third parties who are our customers. Clearly, D&B's use of data in this manner is consistent with - actually is the entire - purpose for which the data was collected. Our customers enter into agreements that limit the use of our data and restrict the transfer of D&B data to any other party. To require that either (a) our customers enter into the safe harbor or (b) that D&B be required to gain "explicit" consent from data subjects would require disproportionate effort and would negate the benefit of entering into the safe harbor.

Further, D&B seeks clarification on the principle itself. Would D&B satisfy the principle's requirement for written agreements that "provide at least the same level of privacy protection as is required by the relevant safe harbor principles" with our existing licenses that stipulate customers keep information confidential and use it only for the purpose for which we provide it?

Enforcement: D&B supports the content of the existing enforcement principle. However, we do have comments intended to strengthen and clarify the principle.

First, we would suggest that the note to the principle become a part of the principle itself and that the word "may" in the first sentence be changed to "must." D&B suggests this change because we believe that companies who are engaged in electronic commerce should be required to participate in a seal or other certification program in order to engender online trust with their customers. D&B was a founding member of both the Online Privacy Alliance and the BBBOnline privacy seal/certification program. The company has invested significant resources in both programs because we believe that sound data privacy practices and assurances of those practices for individuals are critical if electronic commerce is to prosper. Without this suggested change, companies could interpret the enforcement principle to allow for a lesser obligation in the online environment.

Second, we believe that the inclusion of option three of the mechanisms, that allows companies to commit to cooperate with the data protection authorities, is essential. While option one would cover our business that is transacted on the Internet, there would be no enforcement mechanism available for our traditional products and services without this option as D&B is in a non-regulated industry. Further, in conjunction with this option, D&B supports the language in the text of the submittal letter that would allow organizations to "put in place the safeguards deemed necessary by the EU for transfers of personal data from the EU to the US by incorporating the relevant safe harbor principles into agreements entered into with parties transferring personal data from the EU."

Finally, with respect to the enforcement mechanisms, it would be useful to have some more detail presented regarding how a US company would formally agree to cooperate with the data protection authorities.

Frequently Asked Questions & Procedures Document

Procedures Document: Dun & Bradstreet is extremely pleased that the procedures document has been developed and supports the content as currently outlined. Substantively, we would suggest that a more robust explanation be given regarding a situation that might be considered an "exceptional case" whereby provisional measures would be taken at a national level. D&B believes that the procedures document is the cornerstone of the safe harbor proposal and should be adopted as a part of the principles or at least carry the same weight as the principles. The decision to participate in a safe harbor will entail a cost/benefit analysis. Without a guarantee that this process will be adhered to, the cost of agreeing to and implementing the principles might not be worth participation in the safe harbor.

Frequently Asked Questions (FAQ's): Generally, D&B is supportive of the FAQ's in that they shed light on some issues that could be difficult to interpret using only the safe harbor principles. However, we remain skeptical of giving the FAQ's the same weight as the principles themselves. The principles as drafted are necessarily broad and therefore encompass the widest possible range of industry practices. The FAQ's provide useful guidance in interpreting the principles but obviously fail to cover every specific question. How can these incomplete FAQ's possibly hold the same legal or administrative importance in the event a complaint is lodged?

D&B has comments on the substance of the access, self-certification and verification FAQ's. Regarding access, D&B is very concerned about endnote seven that suggests that the Commission wants the public records exemption limited only to US public records. The access principle requires that individuals be given access to information about them and be able to correct and amend that information where it is inaccurate. D&B provides access to all information about a data subject that is contained in our Business Information Report - including information that we have obtained from public records. However, under no circumstances would D&B correct or amend information obtained from a public records source without verification and approval from that source. Ultimately, it is up to the data subject to endeavor to have the information corrected at the source.

With respect to self-certification and verification, D&B is not opposed to filing a letter with the US Department of Commerce. However, we would like clarification regarding the role, if any, the Department would play in verification of the attestations of companies. The detail of the submission information in the self-certification FAQ as drafted suggests that the Department intends to verify the self-certification.

Conclusion

Dun & Bradstreet remains supportive of the Department of Commerce's efforts to develop a data privacy safe harbor that will allow US companies to continue the transfer of data from Europe to the US. We believe that D&B is significantly in compliance with the principles as drafted as long as they are kept broad and are left to flexible implementation in order to accommodate diverse business operations. We would welcome the opportunity to participate in the continuing dialogue to reach mutually agreed upon data protections to ensure the free, unfettered flow of data and to gain the trust and confidence of European data subjects. Again, we applaud the work of the US government in trying to resolve these complicated issues and we appreciate the opportunity to provide our comments.

Sincerely yours,

Alden Schacher
Manager, Government Affairs
(202) 463-2159