Ambassador David L. Aaron
Undersecretary for International Trade
United States Department of Commerce
14th Street & Constitution Avenue,
N.W., Room 350
Washington DC 20230
Re: Proposed International Safe Harbor Data Privacy Principles
Dear Ambassador Aaron:
This letter responds to your request for comments on the November 15, 1999 draft "International Safe Harbor Privacy Principles," which include the "Frequently Asked Questions."
IBM appreciates the efforts of the International Trade Administration and the Commerce Department to create an accessible method for US firms to comply with Article 25 of the European Union Data Protection Directive. Significant progress has been achieved by the United States and European Commission in the discussions held in the past year. IBM supports the continuation of your efforts.
The growth of the Internet and networked technologies brings with it the ability for information to be managed and exchanged more easily than ever before. These technological capabilities are certainly delivering benefits to the US economy, and will spread their benefits even more broadly as they are implemented internationally. The increasingly international nature of data flows not only means that transactions and services will be delivered faster, more efficiently and cheaply than ever before. It also means that societies face a challenge to meet the privacy expectations of individuals whose personally identifiable data may travel across national borders.
In that regard, IBM has strongly supported private-sector self-regulation to establish domestic and international privacy policies and enforcement mechanisms. For example, we have engaged in the Online Privacy Alliance and the Global Business Dialogue on Electronic Commerce, and have supported seal programs such as BBBOnline and TRUSTe. An important reason we have done so is that we believe that such mechanisms are the most effective way to meet the privacy expectations of individuals while dealing with the fast-changing and global nature of the Internet and similar networked media.
Achieving recognition on the part of the European Union that such self-regulatory mechanisms can adequately protect individual privacy under the EU Data Privacy Directive is an important achievement for the Safe Harbor Principles, and will be an important precedent for other international settings where societies attempt to achieve mutual recognition for their approaches to data protection and privacy. As well, it will be important to achieve recognition by the Member States of the European Union of their responsibility to accept continued enforcement responsibility for the Data Protection Directive, on behalf of their data subjects, against US organizations that are willing to cooperate with Member States in resolving complaints arising under their national-law counterparts to Article 25 of the Data Protection Directive.
As to the November 15 draft, IBM would emphasize the importance of resolving the several open issues, so that the Safe Harbor can be finalized. We limit our comments here to the issues of particular concern:
- Transition Period
An adequate transition period should be established for US organizations to implement the Safe Harbor Principles. IBM does not have a view as to the exact length, but in no event should the transition period end before the European Commission has approved model clauses for contractual agreements under Article 26 of the Directive. This is so that US organizations can have a clear sense as to which type of compliance mechanism is most useful for their circumstances. In addition, the transition period should be long enough for organizations to review their internal policies and implement revisions as needed to comply, typically at least a 12-month process.
A transition period of this length should pose no hardship for the European Union, since in many of the EU Member States national governments and data protection authorities are still in the process of adopting and revising their national laws and regulations, so as to give guidance to their domestic data processing operations as well as international transfers. As well, an adequate transition period will give more US organizations time to enroll and participate, and make the Safe Harbor a more likely success.
- Enforcement Principle/FAQ Number 5 -- Ability to Cooperate with Data Protection Authorities
IBM strongly supports the idea that US organizations should be able to comply with the Enforcement Principle by self-certifying to the Safe Harbor Principles and then, through their European subsidiaries or affiliates, committing to cooperate with the European data protection authorities to handle complaints or inquiries. This is a critical part of the Safe Harbor.
There are some instances where organizations that handle European data in the US are not currently covered by US regulatory or self-regulatory regimes that are directly focused on data privacy--e.g., human resources data, medical or pharmaceutical data, or customer data that has not been gathered from business-to-consumer Web sites. In the absence of such regimes, US organizations should have the ability to commit to cooperate with their European affiliates or subsidiaries in responding to inquiries or orders from European data protection authorities, in investigating and resolving disputes over the handling of such data.
In this regard, we seek further discussion of, and clarification as to, the jurisdictional issues raised by FAQ Number 5. Specifically, we would like confirmation that it is sufficient for purposes of the Safe Harbor that the US organization would cooperate with its EU affiliate or subsidiary, which would in turn be responsible for interacting with the relevant Data Protection Authority and complying with its requirements.
In IBM's view, the cooperation commitment is a workable approach to enforcement that can be used to complete the US-EU arrangement on how US organizations can comply with the Data Protection Directive. It also gives US organizations the alternative of responding within the European Union rather than in the US, in cases where that makes the most sense given the structure of their relationships with employees, customers, and regulators in Europe.
Finally, IBM also supports the more-detailed comments filed by the Information Technology Industry Council, Software and Information Industry Association, and US Council for International Business.
Thank you for your consideration of these comments.
Sincerely,
Harriet P. Pearson
Director, Public Affairs
IBM
202-515-5036
hpearson@us.ibm.com