Via Electronic Mail
The Honorable David L. Aaron
International Trade Administration
Department of Commerce
14th & Constitution Avenue, N.W.
Washington, DC 20230
Attn: Mr. Eric Fredell
Task Force on Electronic Commerce
Re: Comments on November 15 Safe Harbor Proposals
Dear Ambassador Aaron:
On behalf of E. I. du Pont de Nemours & Co. ("DuPont"), we are pleased to submit these comments regarding the November 15, 1999 drafts of the Safe Harbor Proposal.
I. Introduction
DuPont is a global company with 97,000 employees doing business in all 50 states of the United States and in 64 other countries, including Europe. Electronic commerce has been embraced as a fundamental component of the company's business strategy.
DuPont wishes to emphasize that the focus of these comments is on substantive improvements, but is not intended to be critical of the substantial progress that has been already achieved. Our comments are organized as follows:
· Section II addresses several general topics of concern with regard to the proposed adoption and implementation of the Safe Harbor. The essential purpose of these comments is to identify topics on which DuPont believes clarification will facilitate a more rapid adoption and implementation of the Safe Harbor Principles upon the conclusion of negotiations.
· Section III provides specific comments on the language of the Proposals, as viewed from DuPont's perspective as a global manufacturer that is committed to implementing effective privacy management on a consistent basis throughout its operations.
II. General Comments
1. The Proposals indicated an increasing emphasis on the role of contracts in assuring that "adequacy" has been established with regard to transfers of European-sourced information. At the same time, pursuant to Article 26, the Directive reserves to data protection authorities certain approval rights with regard to the adequacy of these contractual undertakings. No indication exists in the current Principles or FAQs that contracts or agreements intended to adhere to the Safe Harbor Principles will prove to be acceptable. DuPont is concerned that any company's ability to adopt the Safe Harbor Principles might be compromised for a substantial time by a process that would require multiple--and possibly inconsistent--approvals within the EU relating to the model or form contract provisions that it may implement. DuPont encourages the Department of Commerce to address with the EU the need for establishing, as a part of the final Safe Harbor understandings, an accelerated process for the development of uniform contract provisions or approval procedures that will be adopted by the Member States (and other relevant data protection authorities).
2. It is unclear under the latest Proposals how companies may transition personal data that has been collected prior to either the effective date of the Directive or any successfully negotiated Safe Harbor. DuPont wishes to encourage the development of improved guidance with regard to how pre-Safe Harbor personal data may have its usefulness preserved under the Safe Harbor. In particular, while the notion of post-collection consent is expressed in the principle on choice, the possible requirement of obtaining that consent with regard to all personal data that has been previously collected promises to be logistically impractical. DuPont proposes that clear guidance be provided; one approach would be to allow all personal information held prior to certification to the Safe Harbor to be "grandfathered" in, exempt from the requirements of the Safe Harbor Principles. As a secondary proposal, should the first not be acceptable to the EU, a timetable for bringing previously-held personal data into compliance could be established which at least mirrors the compliance grace periods which are part of the national laws passed pursuant to the Directive.
3. The November 15 materials do not explicitly confirm that, upon self-certification to the Principles by a U.S. recipient of European-sourced personal data, there will be no requirement for an EU transferor to submit prior notification to, and receive approval from, local EU data protection authorities. DuPont recommends that the final version of the Safe Harbor Principles and supporting materials explicitly set forth the procedures required with regard to interacting with Data Protection authorities, if any, in the event a U.S. data-importing entity has self-certified its compliance with the Safe Harbor Principles. At the same time, perhaps in the form of a new FAQ, clarification is encouraged with regard to (a) the need for any related contracts to be pre-approved by the data protection authorities in the nation of export, and (b) the liability, if any, which the data transferor retains with regard to any subsequent actions of a transferee which are not consistent with the notice that has been provided to the relevant data subjects (together with any appropriate consents).
4. The global operations of DuPont, like those of many multi-national corporations, operate through a complex network of computers and telecommunications facilities. These systems are operated to best assure the efficiency, security and availability of the related information assets that we manage. But, as a general matter, these systems have redundant, dynamic qualities that permit any information asset within the system to be stored or used from different locations. Although the Directive clearly focuses upon European-sourced personal information, clarification is strongly encouraged with respect to the possible compliance requirements that exist in several scenarios:
· Personal data is originally collected outside of the EU on data subjects located outside the EU, but that data is subsequently transferred for storage or processing within the EU and further transferred to a different entity in the United States.
· Personal data is originally collected inside the EU but the subsequent transfer may be to a number of different countries, where the decision is based on systems management considerations that are automatically executed by the system without regard to the relevant privacy law environments.
5. Neither the Directive nor the Safe Harbor Proposals provide a definition of the critical phrase "direct marketing." This term has different interpretations in different cultures and markets and, because of the specific obligations which attach when data is to be used for "direct marketing purposes," there is an urgent need for clarification of the kinds of activity which do and do not constitute "direct marketing." In that regard, a particular concern that has arisen in contemplating the implementation of the Safe Harbor relates to telemarketing activities that may be conducted. The challenge, of course, relates to the manner in which business processes are implemented, and records preserved, regarding the availability of "opt-out" consent. DuPont wishes to strongly encourage clarification of optional methods that might be implemented to achieve compliance with the Directive while still preserving the utility of telemarketing as an effective business tool.
6. DuPont is concerned that existing and contemplated self-regulatory bodies will not meet the needs of multi-national corporations, because these self-regulatory bodies are largely business-sector specific in nature. At the same time, multi-national businesses need to establish consistent data management practices throughout their organizations. As a result, multi-national corporations with business interests spanning across multiple business sectors are challenged to understand how to move forward with any self-regulatory body when the likely result only provides partial coverage to the full range of business activities involving personal information that are contemplated within a complex multi-national business. DuPont encourages the Department of Commerce to provide guidance on how to approach effective implementation in the absence of suitable "generic" self-regulatory bodies.
7. The Treaty of Amsterdam will create a supranational data protection authority in the EU, as well as extend the Directive's applicability to additional EU institutions. Representatives of the EU Mission to the United States have publicly expressed concern that the Treaty of Amsterdam may create problems regarding any proposed resolution of the Safe Harbor proposals and, in their current form, the proposals do not address how the Proposals, if finalized through your negotiations, will become binding upon the individual data protection authorities of the Member States or the proposed Treaty of Amsterdam authority. DuPont encourages the United States to discuss in further detail with the EU the process in Europe for obtaining the ratification and adoption of the adequacy of the Safe Harbor Principles. Clarification on these issues will give U.S. companies a greater sense of confidence that your negotiations have produced a meaningful path forward to which it and others can commit.
III. Specific Comments
1. DuPont acknowledges the current lack of agreement with the EU on issues relating to the breadth of notice required by the Directive that will satisfy the principle regarding choice. In particular, there is no guidance in the U.S. Proposals regarding the nature of a notice that addresses whether or not data will be transferred to other countries. As discussed in our earlier comments, it is likely that any multi-national corporation might transfer personal information to multiple jurisdictions for storage and use. If a notice requirement may only be satisfied by a notice that explicitly names all countries to which data may be transferred, such a requirement quickly becomes impractical to administer (in contrast to a notice which simply states that "data may be sent to countries outside the EU"). DuPont requests that guidelines, rules, and examples be provided regarding the adequacy of notice with regard to these types of cross-border transfers.
2. Paragraph 2 of the introduction to the Principles states that the Principles are "intended for use solely by U.S. organizations." However, no clarification is provided as to the type of entity that qualifies as a "U.S. organization." For example, it is debatable whether (a) a subsidiary incorporated in the United States of an EU-based parent corporation or (b) a joint venture operating in the United States, between a U.S.-based company and a foreign-based company are to be considered as "U.S. organizations." DuPont encourages the Department of Commerce to provide clarification as to their understanding of the effectiveness of the Safe Harbor Proposals to provide a safe harbor to these types of affiliated organizations doing business in the United States.
3. In the introduction to the Proposed Principles, paragraph 5, parts (a) and (b) address possible exceptions for adherence to the Principle in certain cases. One of the instances in which the EU and the United States could achieve greater certainty with regard to these exceptions relates to the requirements of fulfilling subpoenas and/or discovery requests in civil litigation. Increasingly, these requests will involve the disclosure of personal information. DuPont wishes to encourage that the language in paragraph 5 be revised to make more clear that complying with legal orders in official proceedings is a permitted exception to adherence to the Safe Harbor Principles.
4. The data integrity Principle has been revised to state that "… an organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete and current." This change, which appears to involve a shift of the substantive language from the security Principle, is significant. In the context of computer network security, the emphasis on data reliability appeared to suggest the need for assuring that security prevented the subsequent unauthorized alteration of data. In the context of data integrity, the same language now appears to impose an affirmative responsibility very different in nature. Under the proposed language, ensuring data reliability suggests a requirement to verify the accuracy of the collected data. The Proposal that "reasonable steps are required" is inadequate to provide sufficient guidance to this very different structuring of the Principles. DuPont encourages the Department of Commerce to either reverse the placement of the relevant language so that the concept of reliability remains in the context of the security Principle, or, in the alternative, clarify that offering data subjects the opportunity to accept and correct inaccurate data will constitute a "reasonable step" that satisfies the proposed language.
IV. Conclusion
On behalf of DuPont, we wish to thank the Department of Commerce for its consideration of these comments. We are committed to supplementing these comments with any further information, comments or input that you believe will be of assistance. Please do not hesitate to contact us in that regard.
Respectfully submitted,
Donald A. Cohn
E. I. du Pont de Nemours and Company
by Jeffrey B. Ritter
Kirkpatrick & Lockhart LLP
(202) 778-9396
Fax: (202) 778-9100
jritter@kl.com