The McGraw-Hill Companies
Suite 900
1200 G Street, N.W.
Washington, D.C. 20005
(202) 383-3700
 
December 3, 1999
 
Electronic Commerce Task Force
U.S. Department of Commerce
Room 2009
14th and Constitution Avenue, N.W.
Washington, DC 20230
Re: Comments of The McGraw-Hill Companies on November 15 draft International Safe Harbor Principles.
The McGraw-Hill Companies (hereafter "McGraw-Hill") appreciates this opportunity to comment on the draft International Safe Harbor Principles and related documents posted on November 15, 1999.
 
As noted in our previous comments to the Department of Commerce on this topic, McGraw-Hill is a global publishing, information and media, and financial services company with 16,500 employees located in over 40 states of the U.S., and in 30 other countries. We distribute our products and services via traditional media, as well as electronically, to customers around the globe. Our customers, employees and shareholders have a vital stake in promoting global electronic commerce and in the growth of information flow across borders, including between the U.S. and the European Union (EU). We recognize that appropriate and fair information practices are essential for achieving those objectives, and have devoted considerable effort to developing and implementing such practices within our company, and in explaining them to our customers.
 
As you know, McGraw-Hill supports the concept of a safe harbor approach to avoid disruption of transatlantic data flows in the wake of the implementation of the EU Data Protection Directive. We commend the Department of Commerce for the considerable progress it has made in negotiating safe harbor provisions with representatives of the European Commission (EC). The most recent set of documents reflects significant improvements in a number of areas, and provides, we believe, a solid foundation for the safe harbor. At the same time, we have identified some areas in which we believe that further clarifications would greatly strengthen that foundation. These clarifications are needed in all three categories of documents posted last month: in the draft Safe Harbor Privacy Principles themselves; in some of the FAQ's, which we are glad to see are now explicitly incorporated by reference in the Principles document; and in the draft exchange of letters between the parties, and the draft summary of the implementing EC decision. The three sections of the following comments address these three categories in order.
 
I. November 15 Draft Principles
 
In general, McGraw-Hill supports the principles articulated in this document. However, we do have two concerns with the way that some of the principles are presented, as well as two suggestions concerning the preamble. First, with regard to the Access Principle, we commend the negotiators for explicitly recognizing that under some circumstances, disproportionate burden or expense can justify denying access. Unfortunately, while the Access Principle extends beyond access itself, to correction, amendment or deletion of data, the "disproportionality" exception is limited to access. In other words, the Access Principle seems to require companies to incur any burden or expense required to correct, amend, or delete data deemed to be inaccurate, regardless of how minuscule a threat to personal privacy the inaccuracy represents. Surely it is reasonable to recognize that the expense and difficulty of evaluating a claimed inaccuracy, and of correcting it in all of the company's databases, must be balanced against the benefit accruing to the data subject. Neither the Access Principle itself, nor the relevant FAQ's, address this question. The most economical way of drafting the needed change might be to substitute "fulfilling this principle" for "providing access," so that the relevant phrase would read, "except where the burden or expense of fulfilling this principle would be disproportionate to the risks to the individual's privacy in the case in question…".
 
Second, we are troubled by the multiple recurrences (e.g., in the first paragraph of the Choice Principle, in the Onward Transfer Principle, and in the Data Integrity Principle) of the phrase "[uses of data] subsequently authorized by the individual." This phrase essentially replaces references (in the April draft of the same document) to purposes or uses "disclosed to the individual in a notice." The change is confusing and potentially misleading. An individual need not explicitly "authorize" an additional or new use, so long as it is disclosed to him or her with an opportunity to opt out.
 
To give a hypothetical example from The McGraw-Hill Companies, assume that non-sensitive personal information is initially collected in connection with a service provided by Standard & Poor's, accompanied by a notice that allows the information to be used within Standard & Poor's. Later, in a corporate reorganization, this service is transferred to Business Week, and the individual is notified that the information may henceforth be used within Business Week. The individual does not opt out of that use. Under these circumstances, and even assuming arguendo that this new purpose is incompatible with the purpose disclosed at the time of collection, Business Week should be free to use the data. However, as the Choice Principle is currently drafted, that result is far from clear. Since, by assumption, the use is incompatible with the purposes for which the information was originally collected, the use can be made only if the individual has "subsequently authorized" use by Business Week. Whether the failure to take advantage of the opt-out constitutes such authorization is uncertain, and needlessly so.
 
We recognize that, where sensitive data is involved, the second paragraph of the Choice Principle refers to "subsequently authorized by the individual through the exercise of opt in choice" [emphasis added]. It seems inadvisable to assume that the omission of the last seven words of this phrase in the other references to "subsequently authorized" uses will clearly communicate that opt out is sufficient in those other circumstances. We recommend that the April language - "disclosed to the individual in a notice" - be restored, or at least that this issue be clarified in an FAQ.
 
With regard to the preamble, the last sentence of the fifth paragraph is confusing. Organizations should not be required to apply safe harbor principles to manual files even as to information transferred into such files after the entry of the organization into the safe harbor. Otherwise, manual files would be treated no differently than automated files.
 
Finally, in the sixth paragraph, the first sentence should be ended after the words "substantive privacy provisions." Not only would this obviate the uncertainty referred to in endnote 1 about whether safe harbor principles would be embodied in model contracts; it also would more accurately state the European law, as we understand it, which allows specific transfers to be authorized based on contractual safeguards, whether or not an entire model contract has been promulgated by the Commission and/or a Member State.
 
McGraw-Hill agrees with the U.S. position expressed in endnote 2, and especially with endnote 3: the sensitive information category should not be expanded to cover data (e.g., health club membership) from which it could be argued that sensitive information (e.g., "health conditions") may be inferred.
 
II. FAQ's
 
FAQ 3 (secondary liability):
 
We have no objection to what we understand to be the intent of this FAQ, but it is out of place in its current form, since it has nothing to do with the safe harbor. It is true that "the safe harbor does not create secondary liability," but this statement could imply that the safe harbor creates primary liability, which it does not: the safe harbor does not create any liability. This second sentence should be deleted, or replaced with "The Data Protection Directive does not create secondary liability." The last sentence states circumstances under which certain parties would not be liable under the Data Protection Directive. To clarify this, the following phrase should be added at the end of this sentence: "under the Data Protection Directive, without regard to the safe harbor principles." In addition, the question should be rephrased by replacing "the safe harbor principles" with "the Data Protection Directive."
 
FAQ 6 (self-certification):
 
McGraw-Hill believes that item 3c should refer to "contact persons" for handling complaints, rather than remaining in the singular. In many organizations (including McGraw-Hill) there may not be a single "contact person for the handling of complaints," etc. Rather, a privacy officer in each business unit is designated and disclosed to customers of (or consumers who come into contact with) that business unit, as the first stop in the complaint process. It should be made clear in this FAQ that Commerce (or its "designee") has the flexibility to accommodate a number of institutional models for privacy self-regulation.
 
We also urge a small but important revision to item 3d. Organizations should not be required (especially in a publicly filed document) to concede jurisdiction of enforcement agencies in all future cases. For example, an agency may have jurisdiction over a particular claim but may lose it due to expiration of a statute of limitations; a company should not be foreclosed from asserting this defense because of the contents of its self-certification filing. The goal should simply be to identify the agencies to which an aggrieved data subject, having exhausted his efforts to resolve a complaint with the company or through other non-governmental means, may wish to turn to seek relief. To correct the problem, either this item should refer to agencies that may have jurisdiction over "any claims," or at a minimum the word "any" should be omitted.
 
FAQ 8 (Access):
 
McGraw-Hill is pleased that several of its specific suggestions on this FAQ were incorporated into the current draft. However, we still believe, as discussed above in our comments on the Access Principle itself, that this FAQ should address the proportionality principle with regard to correction or deletion of assertedly inaccurate data, as well as with regard to access.
 
We also remain somewhat concerned about the treatment of public record and publicly available data. The EC can have no principled objection to stating that the Safe Harbor does not apply to information obtained by or on behalf of a U.S. company directly from a public register within a Member State and then transferred to the U.S., since the Data Protection Directive itself allows such transactions without regard to the "adequacy" of protection in the transferee country. The FAQ should also address the issue of correction or amendment of public record data held by a U.S. organization, since it may often be impossible for that organization to correct any asserted inaccuracy "at the source." Finally, the new criterion (in questions 7 and 8) of whether public record or publicly available data is "not combined with" other data, while an improvement on the previous formulation of "kept separately," still misses the essential question: is it feasible to retrieve non-public record or other non-public data separately from public record or public source data? If the answer is yes, then it should not be necessary to provide access to public record or public source data.
 
FAQ 11 (Dispute Resolution and Enforcement):
 
This new FAQ should prove useful in fleshing out the safe harbor obligations embodied in the Enforcement Principle. Our comments are relatively minor. First, some terminology seems to be used inconsistently. The "Remedies and Sanctions" paragraph, at least in the first sentence, should refer to "the independent recourse mechanism" rather than "the dispute resolution body." No such "body" is referred to in the principle which this FAQ is designed to explain, and the negotiators should avoid the possible implication that a separate entity, dedicated solely to the resolution of safe harbor disputes, is required. Similarly, the list of possible sanctions appearing in the third sentence should be preceded by "for example" to make it clear that the list is illustrative, not exhaustive.
 
FAQ 12 (Choice - Timing of Opt Out):
 
A drafting error in the second sentence of this new FAQ could cause confusion about the scope of the Choice Principle, and should be corrected. The Principle requires an opt out when a use or disclosure of personal information "is incompatible with the purpose(s) for which it was originally collected, or subsequently authorized by the individual" (please note McGraw-Hill's comments above concerning the last quoted phrase). The Principle does not in all cases require an opt out whenever information is "used for direct marketing," as the FAQ states. For example, a disclosure may be made at the time of collection (e.g., on the form on which the information is collected) that the information may be used to inform the consumer about related products and services offered by the same business unit that is collecting the information. Such a subsequent use may, under some circumstances, be considered a "use for direct marketing," but it is clearly not "incompatible with the purposes for which [the information] was originally collected," since that use was specifically disclosed as one of the purposes, and therefore the Choice Principle does not require an opt out. This imprecision may be corrected by inserting in the second sentence of FAQ 12, after "Accordingly," the phrase "where an opt out must be offered,".
 
III. Other Documents
 
McGraw-Hill appreciates the opportunity to review the drafts of the exchange of correspondence to accompany the safe harbor principles and FAQ's, and a summary of a possible decision by the EC implementing the safe harbor agreement. These documents are of crucial importance.
 
In general these drafts appear to provide a sound framework for implementation of the safe harbor. However, they lack a critical ingredient of any safe harbor arrangement, which is an explicit statement that failure to qualify for the safe harbor does not equate to a finding of liability. Indeed, the EC letter should spell out that no adverse implication for Article 25 purposes may be drawn from the failure of a U.S. data recipient organization to pursue, or to achieve, compliance with the safe harbor principles. Whether or not a data transfer to such an organization is permitted should be determined through the operation of the provisions of the Directive (notably Article 25.2) and of applicable Member State laws without regard to the safe harbor system. It should be made clear that other means of compliance besides the safe harbor must not be precluded.
 
In addition, there is some ambiguity in the terminology used in the three draft documents. For instance, the draft U.S. letter refers to the public availability of "any proper and final adverse determination pertaining to a safe harbor organization made by a US organization and notified to the Department of Commerce or its nominee" (emphasis added). The Commission's draft refers to such determinations as made by "an enforcement body in the US." The summary of the Article 25.6 decision refers, in a somewhat different context, to findings by "a US body" of noncompliance with safe harbor principles. It is not clear whether the source of these findings is expected to be a governmental agency such as the FTC, an industry self-regulatory body, or both.
 
The basic approach that the EC proposes to take in its Article 25.6 decision appears sound: issues of compliance with safe harbor obligations should generally be decided by U.S. entities in the first instance, unless a company explicitly chooses to fulfill its enforcement obligations through cooperation with Data Protection Authorities. Of course, the implementation of this approach in the draft documents is not free of ambiguity. In particular, the EC should be encouraged to spell out what constitutes "irreparable damage to the individuals concerned" which would, under the draft Article 25.6 decision summary, justify the suspension of data flows, even to a company or other organization that claims the safe harbor. Under the "human rights" approach favored by Europe, nearly any violation of the Data Protection Directive could creatively be characterized as inflicting "irreparable damage." If, to the contrary, the Commission intends that this predicate be satisfied only in exceptional and serious cases, involving concrete harm to an identifiable category of persons, this should be more clearly stated.
 
Similarly, the threshold of "reasons to believe that the relevant US enforcement body is not taking and will not take effectively and timely action" against suspected non-compliance with safe harbor obligations is potentially very elastic. Indeed, whenever there is "substantial evidence of non-compliance" which is not being remedied, the Commission could argue that the US enforcement body must, ipso facto, be ineffective. That interpretation would render this supposed safeguard against the interruption of data flows a nullity.
 
Finally, the draft letters, in the respective texts preceding endnote 1, broach the critical issue of the effective date of the safe harbor arrangement, or, more precisely, the date on which the Commission's current moratorium on exercise of its asserted power to disrupt transatlantic data flows in personally identifiable information will expire. McGraw-Hill strongly believes that there should be an extensive transition period for achieving full implementation of the safe harbor principles. We know from our own experience that devising, implementing, evaluating and fine-tuning privacy policies within a large and diverse global company consume considerable time and resources. Small and medium sized enterprises will face similar and in some cases even more daunting challenges. The benefits of the safe harbor exercise will be undermined if U.S. organizations do not have enough time both to decide whether to seek safe harbor status, and to plan, test and implement the sometimes drastic policy changes that will be needed in order to achieve that status.
 
CONCLUSION
 
McGraw-Hill applauds the progress the Department of Commerce has achieved toward the goal of preserving the free flow of data between the U.S. and the Member States of the EU. To a great extent, we believe this progress is attributable to the Department's commendable willingness to solicit and to seriously consider the views of U.S. organizations on the practical impact and future implications of proposed safe harbor provisions. We are confident that the additional suggested improvements outlined above will receive the same consideration, and we are hopeful that many of them will be reflected in the final work product of these protracted and difficult negotiations. If we can provide any further information that would assist you, please do not hesitate to call upon us.
 
Respectfully submitted,
Cynthia H. Braddon
Co-Chair, The McGraw-Hill Companies
Privacy Steering Committee
Vice President Washington Affairs
 
Of Counsel:
 
Steven J. Metalitz
SMITH & METALITZ, LLP
1747 Pennsylvania Avenue, N.W., Suite 825
Washington, D.C. 20006
Katherine D. Roome
Co-Chair, The McGraw-Hill Companies
Privacy Steering Committee
Vice President and Associate General Counsel