December 2, 1999
Electronic Commerce Task Force
U.S. Department of Commerce
Ecommerce@ita.doc.gov
We have reviewed the Draft International Safe Harbor Privacy Principles
dated 15 November 1999 and all of the other associated documents. We appreciate
the extensive and diligent efforts expended by the Department of Commerce
in addressing this important issue and the opportunity to provide our comments
below.
Grace Period
We support a grace period of 18 months.
FAQ 6 - Self-Certification
For consistency with other representations discussed in the FAQ, modify
the first sentence of the answer to include the italicized words "organizations
can provide to the Department of Commerce, or its designee, a letter, signed
by a corporate officer, or other authorized representative of the organization
that contains…"
FAQ 13 - Airline Passenger Reservations
Considering the close similarities in the data processing of airline
reservations/frequent flyer programs and hotel reservations/frequent guest
programs, we strongly suggest the following changes:
- Modify the FAQ title to "Airline Passenger or Hotel Reservations"
- Modify the question to include the italicized words:
"When can airline passenger or hotel reservations and other travel
information, such as frequent flyer or frequent guest information,
and special handling needs, such as meals to meet religious requirements
or physical assistance, be transferred to organizations located outside
of the EU?"
- Modify the answer to include the italicized words:
"Such information may be transferred in several different circumstances.
Under Article 26 of the Directive, personal data may be transferred "to
a third country which does not ensure an adequate level of protection within
the meaning of Article 25(2)" on the condition that it (1) is necessary
to provide the services requested by the consumer to fulfill the terms
of a travel reservation or an agreement, such as a "frequent flyer"
or "frequent guest" agreement; or (2) has been unambiguously consented
to by the consumer. In addition to those and other circumstances, such
information can be transferred to U.S. organizations subscribing to the
safe harbor, provided that the European transferor has adhered to the terms
of the relevant Member State laws. For example, customers may inform airlines
or hotels (or travel agents) of the need for physical assistance
or other special needs. The transfer of such information to organizations
within the safe harbor is permissible because adherence to the principles
provides adequate protection of personal information, even where this includes
sensitive information."
- Add specific verbiage to address the subsequent utilization of the information
for the same purposes at a later time.
"Information regarding special handling needs that has been provided under
conditions (1) or (2) as listed above by customers who are not members
of frequent flyer or frequent guest programs may be stored by the airline
or hotel company for a reasonable timeframe. This stored information may
be used to provide services for reservations made subsequent to the initial
request."
If you have any questions or need additional information, please contact
me.
Chris Zoladz
Vice President, Information Protection
Marriott International, Inc.
10400 Fernwood Road, Dept. #52.923.30
Bethesda, MD 20817
301/380-4094
chris.zoladz@marriott.com