The Honorable David L. Aaron
Under Secretary
International Trade Administration
Department of Commerce
14th and Constitution Ave., N.W.
Washington, D.C.
Dear Ambassador Aaron:
On behalf of the over 11,000 direct and indirect members of the Information Technology Association of America (ITAA), I would like to thank you for all your efforts to negotiate a clear and predictable set of Safe Harbor Privacy Principles (Principles). Overall, ITAA supports your approach to create a safe harbor that would allow U.S. companies to be recognized by the European Union (E.U.) and its member states as providing adequate personal data protection.
The April 19th draft principles and accompanying documents provide a considerable amount of flexibility to accommodate the needs of a diverse group of industry sectors and go a long way in bridging the different approaches to data protection in the U.S. and Europe. The documents also provide much more detailed information on the actual implementation and administration of the Principles.
While the April 19th draft principles address some of our original concerns, we have remaining concerns and questions about the Principles and accompanying documents. Given the extent and nature of bracketed text and footnotes, it would be impossible for ITAA to support the Principles until we have had an opportunity to review a more final version.
In light of the limited amount of time left in the negotiation, we have tried to restrict our comments to only those issues we believe must be clarified or changed to meet the needs of the U.S. IT industry. We hope you find these remarks useful.
Finally, one general comment regarding the importance of the current negotiations. Regardless of their intent, the Safe Harbor Principles will set the floor for any potential domestic U.S. privacy laws or regulations. We believe that any protection afforded to E.U. citizens by way of the Safe Harbor Principles will have to be afforded to U.S. citizens as well. We ask that you bear this in mind while negotiating the final version of the Principles.
Adequacy
The current Safe Harbor negotiations should not be interpreted as a de facto admission that current U.S. privacy protections are not "adequate." The Principles or supporting documents need to state this unequivocally.
Status of the Principles, FAQs and Binding the Member States
To provide a reasonable degree of certainty, it is important that the legal status of the Safe Harbor Principles, FAQs and any other accompanying documents be clearly stated. Unlike the Principles, which we believe should have some formal legal standing, the FAQs should serve only to illustrate individual circumstances and should not be legally binding. The application of the principles should not be limited to the cases listed in the FAQs.
Additionally, it is imperative that the 15 E.U. member states as well as the European Commission are legally bound to the approach contained in the Principles. U.S. industry must have legal certainty that if they implement the Safe Harbor Principles in good faith, they will receive the treatment and due process outlined in the Principles and the accompanying documents.
Consumer Complaints
The accompanying document on the procedures for handling complaints about non-compliance with the rules is useful in that it helps shed light on how this process would work. The E.U. document on handling consumer complaints is useful as a guide, but it is unclear how heavily U.S. companies can rely on it as an authoritative document on how the complaint process would work. There seem to be certain provisions that would allow a consumer to circumvent the process. The document seems to be a discussion paper rather than a set of guarantees on how the process would work. In addition, we have several concerns and questions.
· There had been early discussion of a possible expedited dispute resolution process, but this is not reflected in the document. Will companies that subscribe to the Safe Harbor Principles have access to an expedited dispute resolution process?
· The document should include a provision that consumer complaints against companies should be kept confidential.
· The document states that temporary blocking of data flows to a third country by a member state can be justified in exceptional circumstances. Exceptional circumstances need to be defined.
· The complaint procedure does not prevent complaints from being filed in national courts. In fact, a data subject could pursue a remedy both in a national court and through a data commissioner or other member state authority. This creates a high degree of uncertainty for organizations subscribing to the Principles. At a minimum, the Safe Harbor approach should prevent data subjects from taking action in national courts until after they have exhausted recourse through the data commissioner and the European Commission.
Manually Processed Data
It is unclear why manually processed data is not covered by the Safe Harbor Principles. While there are many examples of "mixed" data processing, there are few instances today of wholly non-automatic data processing. Furthermore, we see no reason why automatically processed data should be treated differently from data handled manually. The 1980 OECD Guidelines and the E.U. directive, for example, cover both. We would recommend that companies be given the option of applying the Safe Harbor Principles to any manually processed data if they so choose.
Access
The Principles must make clear that the right to access data is not absolute (see the explanatory text of the 1980 OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data). The sensitivity of the data and the cost of providing access should temper the Access Principle. The language in brackets in the April 19th document must be made part of the Principle, and we urge you to include it in the access principle. Access is provided to maintain the quality and accuracy of data. It is in the best interest of both the data subject and the data collector to assure its accuracy. However, access must take into account the practicalities of business, particularly in the online environment. Many businesses maintain information in separate databases, making access to all information onerous. We urge you to continue to push for a definition of access based on what is "reasonable" and focused on maintaining data quality and accuracy.
Onward Transfer
We interpret the revision in the principle to include notice and choice to mean that data subjects can now opt out of the onward transfer of their data. This is largely consistent with the Online Privacy Alliance guidelines. We are concerned with the European Commission's request that the principle include explicit notice and choice when personal data is transferred to a third party that does not adhere to the Safe Harbor Principles. This would require continued contact with the data subject and considerable cost and administrative burden.
Enforcement
Given the FAQs on self-certification, verification and the document on how a complaint is handled, we feel the enforcement principle is now much clearer than originally drafted. Our only recommendation on the enforcement principle itself is that the note immediately following the principle be included in the text of the principle itself.
Grace Period
It would be useful to have further details about the length of the grace period for those companies that sign up to the Principles. Companies should be afforded adequate time to consider signing up to the Principles and then another, significantly longer, period of time to implement the Principles if they choose to take advantage of the Safe Harbor. As many Member States have not passed legislation to implement the directive, we would ask that U.S. companies not be given less time to adhere to the Principles than European companies are given to abide by the directive.
Frequently Asked Questions (FAQs)
The FAQs provide useful guidance in assessing how the Principles will be practically implemented and administered. The FAQs also help provide more specific guidance to industry sectors that may have unique concerns. Overall, the FAQs are informative, particularly those on verification, self-certification, and secondary liability. However, unless the legal status of the FAQs is clarified, it is difficult for us to determine how heavily to rely on them.
We would caution against having too much detail in the FAQs, which ultimately will fail to answer every possible question and should serve only as illustrative, incomplete examples. To the extent that a principle needs clarification, it should be done in the principle itself. For example, much of the information in the FAQ on access would be best addressed in the principle itself. Similarly, it might make sense to address the administration and implementation of the Principles in a document that has more authoritative status than an FAQ.
Thank you for your continued consultation with industry. ITAA fully supports your efforts to reach a successful agreement with the European Commission on this important issue and stands ready to assist you in any way we can.
Sincerely,
Harris N. Miller
President