These comments are submitted by The Huntington National Bank, Columbus, Ohio, to the United States Department of Commerce regarding the proposed draft of the International Safe Harbor Privacy Principles which are being negotiated between the United States and the European Union resulting from the European Union's Directive on Data Protection which became effective on October 25, 1998.

The format of these comments is to set forth in an indented paragraph the text of each principle as we would recommend amendment of the same, with brackets showing deleted text and underlining showing added text, with a number in parentheses referring to an explanatory note which follows. Some more general comments follow at the end.

Notice

1. NOTICE: An organization must inform individuals about the purposes for which it collects information about them, how to contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information, and the choices and means the organization offers individuals for limiting its use and disclosure.

This notice must be provided in clear and conspicuous language when individuals are first asked to provide personal information to the organization or as soon thereafter as is practicable, but in any event before the organization uses such information for a purpose other than [that] those (1) for which it was originally collected or discloses it to a third party for the third party's own use unrelated to the organization which shared the information (2).

(1) The first sentence refers to the "purposes" (plural) for which information is collected, and that should be reflected here as well. There can be more than one purpose for which the organization collects the information.

(2) Where a third party is an outsourced vendor, processor, or other agent of the organization, the information is not being shared with the third party for the third party's own use, but rather in connection with the organization's own use. This should not be considered a true "third party" sharing. Likewise, where an organization participates with another party on a joint venture, co-branded, agency or similar arrangement, the information is still being used for purposes of the organization which provided it, even if there are also purposes of the other party--for example, an insurance agency providing customer names and addresses to an insurance company for the insurance company to do a mailing to the agency's customers.

Choice

2. CHOICE: An organization must offer individuals the opportunity to choose (opt out) whether and how personal information they provide is used or disclosed to third parties (where such use or transfer (1) is incompatible with the purposes (2) for which it was originally collected or with any other purposes (2) or transfer (1) disclosed to the individual in a notice). They must be provided with clear and conspicuous, readily available, and affordable mechanisms to exercise this option. For sensitive information, such as medical and health information, information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information concerning the sex life of the individual they must be given affirmative or explicit (opt in) choice (for such incompatible use or transfer described above) (3).

(1) The "or transfer" language seems necessary to complete the thought--to clarify that the parenthetical applies to both use and transfer. Otherwise, it would appear that choice is not necessary for compatible use, but is necessary for compatible transfer.

(2) Same as note (1) under Notice.

(3) It should be clear that the opt-in alternative for sensitive information is still subject to the same incompatible use or transfer trigger as uses or transfers of less sensitive information.

Onward Transfer

3. ONWARD TRANSFER: An organization may only disclose personal information to third parties consistent with the principles of notice and choice. Where an organization has not provided choice because a use or transfer (1) is compatible with the purpose for which the data was originally collected or which was disclosed in a notice and the organization wishes to transfer the data to a third party, it may do so if it first either ascertains that the third party subscribes to the safe harbor principles or enters into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection for that information (2) as is required by the relevant safe harbor principles.

(1) Same as note (1) under Choice.

(2) The same level of protection should only have to be for the information provided, and not for all other information that the third party otherwise has.

Security

4. SECURITY: Organizations creating, maintaining, using or disseminating personal information must take [reasonable measures to assure its reliability for its intended use and] (1) reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction.

(1) This phrase is not appropriate because it is not a security standard. Security has to do with preventing unauthorized access, disclosure or alteration of the information--it has to do with preserving what is there, not with evaluating the purpose of the content.

Data Integrity

5. DATA INTEGRITY: Consistent with these principles, an organization may only process personal information relevant to the purposes for which it has been gathered or which was disclosed in a notice (1). To the extent necessary for those purposes, an organization should take reasonable steps to ensure that data is accurate, complete, and current.

(1) Same idea as note (1) under Choice in order to be consistent.

Access

6. ACCESS: Individuals must have reasonable access to identifiable (1) personal information about them that an organization holds and be able to correct or amend that information where it is inaccurate. Reasonableness of access depends on the nature and sensitivity of the information collected, its intended uses, and the expense and difficulty of providing the individual with access to the information.

(1) This addition may be implied, but it is better to be explicit about it.

General Comment: The "reasonableness" standard is an absolute necessity to prevent abuse of this right.

Enforcement

7. ENFORCEMENT: Effective privacy protections must include mechanisms for assuring compliance with the safe harbor principles, recourse for individuals to whom the data relate affected by non-compliance with the principles, and consequences for the organization when the principles are not followed. [At a minimum, s]Such (1) mechanisms must include (a) readily available and affordable [independent] (2) recourse mechanisms by which an individual's complaints and disputes can be investigated and resolved and damages awarded where the applicable law or private sector initiatives so provide; (b) [follow up] (3) procedures for verifying that the attestations and assertions businesses make about their privacy practices are true and that privacy practices [have been implemented as] are consistent with those (4) presented; and (c) obligations to remedy problems arising out of failure to comply with these principles by organizations announcing their adherence to them and consequences for such organization. [Sanctions must be sufficiently rigorous to ensure compliance by organizations.] (5)

(1) This "at a minimum" language is unnecessary and suggests that the (a), (b) & (c) items which follow are not really sufficient and more is really needed.

(2) Why do the "recourse mechanisms" have to be independent? As long as they work, they should be sufficient. The concept of "independent" is also too unclear--how independent is independent? For example, if an organization is a member of a group that has a complaint process, is that "independent"?

(3) Uncertain what this adds. Why does it matter that they are "follow up" procedures (whatever that means) rather than just procedures?

(4) The "have been implemented" language suggests too rigid a test, and a more flexible consistency test is needed.

(5) The provisions preceding this sentence already mention sufficient remedies and penalties. This last sentence introduces uncertainty and the invitation to litigate over whether the safe harbor is applicable or not because the sanctions are not "sufficiently rigorous".

General Comments

1. Beyond Europe. While we appreciate the efforts of the Commerce Department ("Commerce") to negotiate a privacy solution with the European Union, we are concerned that these safe harbor principles, while designed to meet a European context, will become in one way or another an American standard as well, even though they are apparently not intended by Commerce to do so. Therefore, we recommend that Commerce make very clear that these principles have been designed solely to meet the European context, and attempts to use them for other purposes would be inappropriate.

Additionally, since such statements of purpose may prove ineffective to limit the principles to the European context, it is important that Commerce view these principles with an eye to preserving and accounting for elements of the American context, such as our sectoral approach to regulation and our greater reliance on private enforcement and self-regulation.

2. Current Regulation is Adequate. The U.S. banking industry is heavily regulated with significant legal and regulatory controls that adequately protect the privacy of customer information. The European Union needs to understand better how regulation and enforcement works in this country instead of looking for a replication of the bureaucratic form of regulation and enforcement with which Europe is familiar. Federal banking regulators will be quick to require banks to comply with privacy policies based on safety and soundness reasons as well as the requirement not to misrepresent to the public an important bank policy, and even without new laws or regulations such regulators have adequate existing authority to compel compliance.

3. Public Opinion and the Urge to Litigate. Public opinion in the U.S. is a powerful force, and has been roused several times in the last few years over privacy issues, resulting in very prompt suppression of the particular conduct or action that riled the public. Public opinion is a much quicker and a much more ruthless enforcer of fairness in privacy than any court or regulator could ever hope to be. Additionally, unlike Europe, the U.S. has an overabundance of class action plaintiff lawyers who serve as private enforcers of violations of representations made to the public. There can be little doubt that there is currently adequate enforcement available through public opinion and private litigation to sanction those banks that do not comply with their published privacy policies, in addition to what is available already to bank regulators.

4. Third Parties. The issue of identifying or defining a "third party" for purposes of information sharing restrictions or opt-out notices is complex and needs to be limited to sharing with a "true" third party for that party's sole use. Outsourced processors and the like must be excluded from the definition. Likewise, information used in connection with joint marketing efforts where both parties have their own use should be excluded as well. Similarly, the affiliate-sharing rules of the Fair Credit Reporting Act which were so carefully worked out in legislative compromises over a lengthy period of years need to be respected.

5. Status of FAQs. We don't understand how the FAQs would get "equal" treatment with the principles without becoming principles themselves, and on the other hand if they are purely nice ideas they won't help. The FAQs provide more context in which to interpret the principles, and thus the FAQs should not be permitted to be ignored when they speak to an issue or provide further explanation.

Thank you for this opportunity to provide comments.

Daniel W. Morton
Vice President & Senior Counsel
The Huntington National Bank
Legal Department
41 South High Street
Columbus, Ohio 43287
614-480-5760
Fax: 614-480-5404
dan.morton@huntington.com