Ronald L. Plesser
Stuart P. Ingis
Alisa M. Bergman
Piper Marbury Rudnick & Wolfe LLP
1200 Nineteenth St., N.W.
Washington, D.C. 20036
(202) 861-3900

Date: December 3, 1999

The Individual References Services Group ("IRSG") welcomes the opportunity to submit comments to the Department of Commerce ("Department") on the November 15 safe harbor documents. The IRSG appreciates the Department's efforts in this area, and we commend you for the significant developments you have made in the negotiations with the European Commission to harmonize the distinct approaches to privacy protection.

We are particularly encouraged by the important progress that has been made with regard to the treatment of public records and publicly available information under the safe harbor. However, we believe that there may exist potential ambiguities concerning the application of the public records exemption that the Department should clarify. In addition, we recommend that the Department ensure a significant amount of time during which to evaluate self-regulatory initiatives to ascertain compliance with the safe harbor principles.

I. The Public Records and Publicly Available Information Exemptions

The IRSG strongly supports the exemption under the safe harbor for public records and believes that this exemption is essential to ensuring the dissemination of public record information. Moreover, we believe that the current documents provide important clarifications in the access FAQ to enable the use of small amounts of other information as organizing or indexing mechanisms in compilations of public record information without transforming the characterization of information as public record information. We set forth below several further clarifications concerning the public records exception.

First, we assume that the definition of public records set forth in the access FAQ was intended to account for the derogation in Article 26.1(f) for records from public record registers "open to consultation either by the public in general or by any person who can demonstrate legitimate interest." Thus, an organization should not be required to provide access to public record information as long as such information is made available to at least some segments of the public. For purposes of the Directive, whether certain records are available to all, or some, members of the public is not a relevant distinction. Alternatively, the Department could broaden the definition set forth in the FAQ to mirror that contained in Article 26.1(f).

Second, as discussed below, the IRSG believes that the safe harbor could benefit from two further clarifications: 1) the Department could further clarify what is now implicit--that the safe harbor's public records exception applies to European records; and 2) it also could further clarify the treatment of compilations of mixed information under the public record exemption where an organization provides access through a separate channel to non-public record information contained in the compilation.

The Department should further clarify that the exemption applies to European public records

Endnote no. 7 to the April version of the access FAQ indicated that the EC proposed to limit the public records exception to United States public records. The documents currently under discussion do not include such a limitation. Accordingly, it is our understanding that the exception now applies to EC public records as well.

Such an interpretation is essential to the value inherent in a public records exception. Because the majority of public record information transferred to the United States will be from European sources, an exception that does not encompass European public records would, in most cases, be a nullity.

Indeed, Article 26.1(f) of the Directive would seem to dictate this interpretation. Article 26.1(f) states in relevant part:

Member States shall provide that a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection . . . may take place on condition that . . . the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.

The plain language of the EC Directive is consistent with coverage of European public records under the exemption.

Moreover, as we indicated in our prior comments, it is unclear whether European organizations comply with access requirements in connection with European public record information. A contrary interpretation could hold US companies to higher standards than those required of Europeans, putting them at a competitive disadvantage.

For these reasons, along with the change in the text since the April version, we believe that the public records exception applies to public records that originate in Europe and suggest that this interpretation be explicitly stated in the FAQs.

The access FAQ should clarify that certain compilations containing public record information remain within the public records exception

As currently drafted, the access FAQ could be interpreted to require that access be provided to a compilation that combines both public record and non-public information. Such an interpretation is inconsistent with one of the rationales behind the public records exception that individuals already can access the public record information directly from the governmental entity that is the initial and most accurate source of the data. As such, we believe that the access FAQ should clarify that where an organization offers access through a separate channel to the non-public record information included in a compilation, the compilation itself remains within the public records exemption.

If an organization can segregate information so as to provide access to the non-public information--information that an individual cannot obtain from a government source--it is unnecessary to provide access to the compilation. A requirement to provide access to the public record information would unnecessarily burden companies with little ensuing benefit to data subjects.

Accordingly, the access principle should apply only to the extent that individuals do not have access to their own records at the government source. Through the provision of access to non-public information and the ability to go directly to the public record sources, individuals will have effective means of accessing all information about them.

II. Self-Regulation

The IRSG strongly supports the current principle that enables self-regulatory enforcement mechanisms to satisfy the safe harbor. We believe that self-regulation, in many cases, provides the most effective means of privacy protection. Indeed, the IRSG has very effective enforcement mechanisms in place. The IRSG's self-regulatory principles are backed by government enforcement of violations, cut-off of data to companies that act contrary to the principles, and a requirement of independent third-party assurance reviews.

The draft documents indicate that an agreement has yet to be reached on the duration of the interim period for implementation of the safe harbor principles. We recommend that the Department provide a two-year window during which self-regulatory initiatives such as the IRSG can evaluate their programs to determine whether such programs are compliant with the safe harbor principles and, where appropriate, make changes should they desire to come into compliance. A shorter time frame may make it difficult for organizations to participate in the safe harbor.

III. Conclusion

The IRSG thanks the Department for its consideration of our views and all of its efforts to refine the safe harbor principles. In further clarifying the scope of the public records exception to address any potential ambiguities expressed above, the Department will help ensure the continued dissemination of public records information for many beneficial purposes.