December 3, 1999
 

Ambassador David L. Aaron
Undersecretary for International Trade
United States Department of Commerce
14th Street and Constitution Avenue, NW, Suite 350
Washington, DC 20230

Dear Ambassador Aaron:

The Information Technology Industry Council ("ITI") is pleased to offer these comments on the November 15, 1999 "International Safe Harbor Privacy Principles" and associated FAQs. ITI is the association of leading information technology ("IT") companies. Our members had worldwide revenues of more than $440 billion in 1998 and directly employ more than 1.2 million people in the United States. ITI advocates growing the economy through innovation and market-based policies.

ITI's members are the leaders of the fast-evolving Internet economy that is fueling the expansion of the U.S. economy. Information technology is responsible for 35% of the growth of the U.S. economy in the past four years. According to a recent University of Texas study, the "Internet Economy" grew 68% from 1998 to 1999, pumping about $507 billion into the U.S. economy and employing 2.3 million Americans. Jobs in the IT industry pay an average of $53,000, compared to $30,000 in the economy at large. To put the Internet economy in perspective, it now generates more annual revenue than such well-established American industries as airlines ($335 billion) and telecommunications ($300 billion).

The Safe Harbor Arrangement

ITI applauds the U.S. Department of Commerce and the European Commission representatives for their considerable efforts and extensive consultations with stakeholders on both sides of the Atlantic to create a clear and predictable safe harbor for U.S. organizations. We believe the parties are now within striking distance of an appropriate and successful safe harbor arrangement and should be able to finalize the arrangement in the coming weeks on the basis of the principles shared with the public on November 15.

In particular, ITI applauds the draft Article 25.6 decision to make a "finding" of adequacy for the U.S. safe harbor instead of just a presumption. This and the decision to conduct enforcement in the U.S. and recognize data subjects' ability to self-regulate and handle customer concerns represent significant progress. We also wish to emphasize the importance of allowing U.S. organizations to satisfy the enforcement principle by committing to cooperate with European data protection authorities ("DPAs"), discussed in more detail in our comments.

Comments

The following comments comprise ITI positions on remaining outstanding issues, requests for clarification and support for areas where significant progress has been made.

Self-certification:

ITI strongly supports the principle of self-certification by declaration to the U.S. Department of Commerce or its nominee. This option will allow U.S. organizations to be explicit in their adherence to safe harbor principles without creating unnecessary administrative burdens or regulation.

We request clarification on which organizations are required to file self-certification letters in order to avail themselves of the safe harbor benefits. Is the self-certification intended only to provide those organizations subject to a body of law that effectively protects personal privacy with a means for asserting their compliance with the safe harbor arrangement (as is implied in the principles) - or must all organizations which seek to be covered file such a letter? Specifically, must members of self-regulatory "seal programs" or organizations that develop their own self-regulatory privacy policies also file self-certification letters with the Department of Commerce?

Contractual provisions:

ITI strongly supports the U.S. government position that U.S. organizations should be able to provide the Article 26 safeguards by including the principles in written agreements with parties transferring data from the EU member states. We also support the U.S. position that such model contracts should be authorized by the European Commission and the Member States within one year after the safe harbor arrangement's finalization and that, should such authorization take longer, the safe harbor interim period should be extended by the same amount of time.

In the spirit of "technology neutrality," we request that the phrase "written agreements" be clarified to include agreements memorialized in any appropriate fixed form, including electronic formats. Such a clarification would remain true to the apparent purpose of the provision without unnecessarily impeding data transfers with an anachronistic requirement for paper-based agreements.

Notice:

It appears from this principle that in situations where the purpose of collection is clear and obvious from the context and the organization has no plans to share the information with third parties or use the information for unrelated purposes, the only affirmative disclosure required is a means for contacting the organization with inquiries or complaints. We request clarification as to whether this understanding is correct.

Choice:

ITI continues to support the "opt-out" approach advanced by the U.S. government, as we did in our May 1999 comments, noting that Article 26 requires "adequacy," not "parity" with European data protections. We continue to oppose a requirement of explicit notice before information is transferred to third parties not covered by "adequate" protections or the Data Protection Directive.

ITI also supports the U.S. position that "opt-in" should only be required for data that "specifies" - as opposed to "reveals" - sensitive information. Because "reveals" is too vague, and potentially too broad as well, it would not provide the legal certainty sought by the safe harbor arrangement.

Onward transfer:

ITI supports the limitation on secondary liability for information transferred to third parties when the U.S. organization ascertains that the third party subscribes to the principles or is subject to the Directive or another finding of adequacy, or enters into a written agreement requiring the appropriate level of privacy. We also reiterate our request from our May 1999 comments for clarification on the liability of third party transferees. For example, what if a third party transferee violates a written agreement to abide by the safe harbor principles and is not in the safe harbor itself or subject to a relevant body of law?

Security and data integrity:

ITI supports the principle of "reasonableness" incorporated in both of these principles.

Access:

ITI's May 1999 comments suggested that the access principle should reflect the concepts of "proportionality and balance." The current draft's reference to weighing the burden and expense of providing access against the risk to privacy effectively responds to this suggestion, and we commend the EU and U.S. representatives for striking the appropriate balance in this sensitive area.

We agree with the principle in the third question of FAQ 8 that organizations cannot be required to provide direct access to their databases. This is especially important in light of the security principle. We also agree with the answer to the tenth question in FAQ 8 that organizations should not be required to provide access unless supplied with sufficient information to confirm the identity of the person making the request.

Enforcement:

ITI strongly supports the approach to enforcement referenced in your cover letter and the Article 25.6 decision summary whereby all enforcement would be carried out in the United States, subject to limited exceptions.

We request that the U.S. seek one clarification in the Article 25.6 decision: One of the circumstances under which a Member State might disrupt data flows is when a U.S. enforcement body has found that the organization is not complying with the safe harbor principles. For non-governmental enforcement bodies, we request that this condition be clarified to apply only where the U.S. organization has previously subjected itself to the enforcement body's authority. This will assure that only legitimate and approved enforcement bodies have the power to trigger one of the conditions for potentially disrupting data flows. We also request that a similar clarification be added to FAQ 11 under "Persistent Failure to Comply," so that the Department of Commerce would only publicly list referrals from dispute resolution bodies or self-regulatory bodies to which the U.S. organization had subjected itself.

ITI strongly supports the option of committing to cooperate with European DPAs, described in FAQ 5, as a means of satisfying the enforcement principle. This option is critical to the success of the safe harbor arrangement because it covers a large class of data transfers that would otherwise fall outside the safe harbor. We reiterate our previous concern, raised in ITI's May 1999 comments, that Member States must still agree to this option and urge the U.S. government to stress the importance of this option to European Commission and Member State representatives.

We support the requirement in FAQ 5 that aggrieved persons must first raise their issue or complaint with the U.S. organization. However, we request that FAQ 5 be clarified so it is clear that it is sufficient for the U.S. organization to commit to cooperate with its European subsidiary or affiliate, which in turn would interact directly with the appropriate DPA.

Conclusion

Thank you again for your hard work and please do not hesitate to contact ITI with any questions about our comments. We are grateful for the diligence and judgement exercised by all parties to the safe harbor arrangement and hope it will be finalized soon.

Best regards,

Rhett Dawson
President