Experian
701 Experian Parkway
Allen, TX 75013
972 390 3553 Telephone
972 390 3624 Facsimile
Ambassador David L. Aaron
Undersecretary for International Trade
United States Department of Commerce
14th Street & Constitution Avenue, Northwest, Room 350
Washington, D.C. 20230
Dear Ambassador Aaron:
Despite substantial progress in the bilateral discussions, Experian is very concerned about three safe harbor issues:
1. The US governmental structure for safe harbor and the precedents it sets for American public policy;
2. The uncertainty around Commission acknowledgment of the adequacy of well established US privacy laws like the Federal Fair Credit Reporting Act;
3. The placement of compliance burden on the importer of data and the importing country rather than on the exporter and exporting country because of member state financial resource issues.
US Government Structure and Precedents Going Forward
Experian believes, based on the documents distributed for comment, that the safe harbor is expected to work in the following fashion:
· The Department of Commerce publishes a set of principles and frequently asked questions pursuant to its mission of accommodating trade;
· Individual companies self certify that they will comply with these principles so that they may be considered as adequate by the European Community;
· A company can cite a law, self regulatory code or can self certify for purposes of an accountability, but Commission staff has said they prefer companies enter the safe harbor individually;
· The Federal Trade Commission would use authority pursuant to Section 5 of the FTC Act concerning deceptive practices to enforce the self-certifications, giving preference to complaints from European Union citizens.
Experian believes that this fundamentally changes the nature of the US system for protecting privacy. As you know, the US system is based on a mixture of self-regulation and sector specific laws to assure that information is used in an appropriate fashion. Sector specific laws begin with a majority of both houses of Congress passing the same law, and that law being signed by the President. Self-regulatory codes always begin with an industry drafting rules or principles, sometimes in consultation with government and sometimes not. Corporate restraint always begins with a corporation developing a code, and agreeing to live up to that code. Safe harbor, however, begins with an Executive Branch department drafting the principles and interpretation, companies self asserting that they will comply with these rules, and the FTC using that self certification to seek enforcement in the courts under FTC Act Section 5 deception authority. The process does not begin with law or voluntary codes, but rather with the government establishing a set of principles. Experian believes that this structure brings us too close to the Executive Branch of the government establishing a "fairness standard" for governing appropriate information use without legislative action of any kind.
The Federal Trade Commission has been very reluctant to use its fairness powers under Section 5 to govern privacy. However, the issuance of "standards" by the Commerce Department could quickly develop into that fairness standard. Experian believes that any standards should come from legislation or industry codes, not from the Executive Branch.
Commission Acknowledgment of US Privacy Laws
The Fair Credit Reporting Act is nearly thirty years old, and was amended recently. The law covers appropriate use, access, corrections, and remedies. The Article 29 and 31 committees have had ample opportunity and time to certify that the FCRA is adequate, yet they have chosen not to do so. This lack of action dilutes Experian's trust that they will make such a determination. Experian believes the FCRA provides a far more comprehensive set of safeguards and remedies than any similar scheme in the European Community.
The Placement of Burden on Importer rather than Exporter
Privacy assurance should rest with the party that is closest to the data subject and to laws that govern the collection of data. Logically, that would rest with the exporter of data in Europe, not the importer of the data in the United States. The contract solution is based on responsibility for enforcement remaining with the exporter. However, the safe harbor process shifts that responsibility. If responsibility rested with the exporter, then the government oversight burden would rest with the data protection staff of the member states. It has become crystal clear that the member states have not allocated adequate resources to both enforce their laws and maintain the data flows that create a dynamic market. Experian would have greater confidence in the safe harbor process if it were being issued by the Commission as guidance to the exporter, rather than by the Department of Commerce as guidance to importers.
Summary
Experian believes the safe harbor drafting process has helped clarify the issues. Experian also believes that both the Commission and Department of Commerce have developed guidance that does bridge the differences between the two parties. However, the end product falls short and my not be fixable. Experian believes that the safe harbor has created risk of an Executive Branch authored fairness standard, has not given appropriate deference to US privacy law, and has shifted the burden from the European exporter to the US importer. The safe harbor guidance should be shifted so the burden of assuring compliance with the principles rests with the exporter of data not the importer.
Thank you for the opportunity to comment. As always, Experian would be pleased to discuss these comments.
Sincerely,
Maxine Sweet
Vice President, Public Affairs
MS/jh