The McGraw-Hill Companies
Suite 900
1200 G Street, N.W.
Washington, D.C. 20005

(202) 383-3700

May 14, 1999

Electronic Commerce Task Force
U.S. Department of Commerce
Room 2009
14th and Constitution Avenue, N.W.
Washington, DC 20230
Re: Comments of The McGraw-Hill Companies on draft International Safe Harbor Principles and Related Documents

The McGraw-Hill Companies (hereafter "McGraw-Hill") appreciates this opportunity to comment on the draft International Safe Harbor Principles posted on April 19, 1999, as well as on a number of related documents posted on that date and on April 30, 1999.

I. Introduction/Summary

McGraw-Hill is a global publishing, information and media, and financial services company with 16,000 employees located in over 40 states of the U.S., and in 30 other countries. We distribute our products and services via traditional media, as well as electronically, to customers around the globe. Our customers, employees and shareholders have a vital stake in promoting global electronic commerce and in the growth of information flow across borders, including between the U.S. and the European Union (EU). We recognize that appropriate and fair information practices are essential for achieving those objectives, and have devoted considerable effort to developing and implementing such practices within our company, informing employees on the importance of customer privacy protection and developing and conducting ongoing staff training.

We also recognize that for the potential of electronic commerce to be realized - an estimated $1.3 trillion in online sales by 2002 - customers must understand how data collected from them will be used and trust the organizations with which they are interacting online to use and handle their data responsibly. Concurrent with efforts to incorporate our Customer Privacy Policy into our internal business processes, we have worked with other businesses, trade associations and policy makers to encourage industry-wide development and implementation of sound privacy practices.

McGraw-Hill supports the concept of a safe harbor approach to avoid disruption of transatlantic data flows in the wake of the implementation of the EU Data Protection Directive. We applaud the Department of Commerce for its vigorous efforts to negotiate safe harbor provisions with representatives of the European Commission (EC) with the goal of preserving the free flow of data between the U.S. and the Member States of the European Union (EU). In our view, the documents currently under review reflect considerable progress toward that goal. To a great extent, we believe this progress is attributable to the Department's commendable willingness to solicit and to seriously consider the views of U.S. organizations on the practical impact and future implications of proposed safe harbor provisions.

The April 19 draft Safe Harbor Principles and associated explanatory papers contain a number of improvements that should facilitate the efforts of U.S. companies and other organizations to achieve safe harbor status. The documents also more clearly spell out how organizations could attain the safe harbor and what such a status will mean in practical terms. We are gratified that the current documents respond to some of the concerns expressed in McGraw-Hill's previous submissions to the Department of Commerce on this issue.

However, we believe that both the Principles and the explanatory papers contain some ambiguities, gaps, and errors that should be corrected. At the same time, some issues omitted from these drafts should be addressed. In the following comments, we have tried to make our suggestions as specific and substantive as possible, in light of the time pressures under which the negotiators are working. Naturally, in this context, we have focused on the changes which we believe are needed, rather than on the many provisions which we strongly support in their current form.

Our comments are organized as follows:

Section II addresses the April 19 text of the Safe Harbor Principles. We suggest wording changes in the preamble, and comment on the text of five of the seven principles. In some cases, these comments flag issues dealt with in more detail in comments on the Frequently Asked Questions (FAQ) documents, or give our response to positions taken by the EC. We propose substantive wording changes in the Data Integrity, Access, and Enforcement Principles.

Section III comments on the draft FAQ on the access principle. We suggest changes in four of the ten answers provided, and propose that this FAQ be expanded to flesh out some applications of the "reasonableness" principle to the issue of correction or amendment of information, as well as to access.

Section IV comments on the "Draft Paper on EU Procedures" which was also posted on April 19. This paper leaves many questions unanswered about standing, provisional relief, exhaustion of remedies, and the role of U.S. authorities. In our view, it may not be possible to conclude a review of this paper without also reviewing the actual text of the formal EC decision implementing the safe harbor agreement.

Section V addresses six of the additional draft FAQ's posted on April 30, on Self-Certification, Sensitive Data, Verification, Journalistic Exceptions, Human Resources Data, and Secondary Liability.

Section VI responds to several issues raised by Ambassador Aaron in the public briefing on May 7, including the weight to be accorded the FAQ's, the role of contracts, and grace periods. We also identify in this section some issues which should be addressed in the exchange of letters between the U.S. and the EU authorities.

II. April 19 Draft Principles

A. Preamble

The third paragraph of the preamble to the Principles describes three "different ways" that an organization might qualify for the safe harbor: by joining a private sector developed privacy program; by being subject to certain statutory, regulatory, or formal self-regulatory regimes; or by contract. Some modifications of this paragraph could help reduce the potential for misleading interpretations of this important point.

First, this paragraph does not provide an exhaustive list of methods for achieving compliance with the safe harbor, and we do not believe it was intended to do so. That intention should be made clearer by using the phrase "for example" at the beginning of the second sentence.

Second, the second sentence could be misinterpreted to provide that safe harbor status cannot be achieved by participation in a private sector privacy program unless that program involves more than one organization, and is external to the organization seeking safe harbor status, such that the organization must "join" the program. As we understand it, this has never been the intent of the safe harbor principles. If a company devises and implements its own privacy program that meets safe harbor standards, it may claim the safe harbor. The possibility of a misreading should be eliminated by adding the following underlined words to the second sentence: "If an organization implements or joins a private sector developed privacy program that adheres to these principles, it qualifies for the safe harbor."

Third, we believe that the sentence ending in endnote 1 is essential and must be retained. It does not make any difference in terms of the privacy of individual Europeans if a U.S. organization that receives personal data about them handles the data in a certain way because it is bound to do so by contract, rather than by company policy, self-regulatory regime, or U.S. regulatory stricture. These different methods should also not make any difference in terms of the safe harbor.

We also urge the U.S. to stick to its position concerning the text associated with endnotes 2 and 3. It would be absurd and discriminatory to deny safe harbor treatment because of how a U.S. organization handles data which falls within an exception to the Data Protection Directive or applicable Member State law. Similarly, manually processed data should be excluded from the scope of the safe harbor principles, since the transatlantic data flows involved are necessarily small.

Finally, we note with some concern the expansion of the scope covered by the principles to include proprietary information, which was specifically excluded from coverage in the November 4, 1998 draft. To some extent, the Access Principle FAQ treatment of confidential commercial information ameliorates this problem, so we discuss it further below.

B. Choice Principle

This principle now identifies a broad range of "sensitive information" (paralleling Article 8 of the Data Protection Directive) whose use for a purpose incompatible with the disclosures to the data subject requires an opt-in. McGraw-Hill supports the general approach of special rules for handling particularly sensitive information. Indeed, our privacy policy recognizes a category of "sensitive data" which includes information not listed in this principle, such as certain types of personal financial data. As our experience shows, special considerations for "sensitive information" which meet customers' needs and expectations can be provided without explicitly using the "opt-in" method. We further are concerned that the categories listed in the draft safe harbor principle could be given too broad an interpretation. For example, many consumer behaviors, such as membership in a health club or subscription to certain magazines, may be indicative of health status, but should not for that reason be considered "health information" in the "sensitive" category. Similarly, publicly available information on marital status should not be treated as "information concerning the sex life of the individual." To avoid these interpretations, the category could be limited to "specific" medical and health information, information "specifically" concerning sex life, etc. It may also be useful to address this in the Sensitive Data FAQ.

C. Onward Transfer Principle

We oppose the EC proposal described in endnote 5. If a written agreement between an organization and a third party recipient obligates the latter to provide at least as much protection as would be required by these principles, the interests of the data subject are adequately protected and one or more parties is accountable for a violation. There is no reason to require an additional "explicit notice and choice" by the data subject, to whom by definition the possibility of onward transfer has already been disclosed.

D. Data Integrity Principle

The current draft of this principle states that "an organization may only process personal information relevant to the purposes for which it has been gathered." This formulation is confusing, and seemingly contradictory to the Notice and Choice principles, which allow the organization to use the data for any purpose that has been disclosed to the data subject, or other purposes not "incompatible with" the disclosed purposes.

In a digital information environment, "processing" of data is virtually synonymous with "use" of that data. If a use is "not incompatible" with a disclosed purpose, but is deemed (by someone) not to be "relevant" to those purposes, is the use permissible or not? This sentence adds an unnecessary level of confusion and should be eliminated, so that the principle would read: "To the extent necessary for the purposes for which personal information may be used, all organizations should take reasonable steps to ensure that data is accurate, complete and current."

E. Access Principle

While we discuss some of the issues in more detail in our comments under the Access FAQ, we note here four points. First, the access principle should apply (as it did in the November 1998 draft and as it is formulated in the Access FAQ) only to non-public information that an organization holds about an individual. Second, the access principle should apply only to information collected by the organization from the individual; information obtained from a third party may be difficult or impossible for the organization to correct on behalf of the data subject.

Third, the bracketed language must be retained in the principle in order to give some guidance as to factors that determine whether or not access must be granted. Fourth, the last sentence should be expanded to read as follows (new language underlined): "Reasonableness of access and correction depends on the nature and sensitivity of the information collected, its intended uses, the expense and difficulty of providing the individual with access to the information or of correcting or amending it, and other relevant factors." The reasons for these changes are discussed in our comments on the Access FAQ, below.

F. Enforcement Principle

First, we agree with the position attributed to the EC in endnote 7, that the italicized paragraph should be included within the text of the principle. This paragraph sheds more light on what is needed to satisfy the Enforcement Principle and thus should have equal status with the principle itself.

That said, we believe that some parts of the italicized paragraph are ambiguous, notably the reference to achieving compliance "by committing to cooperate with data protection authorities located in the European Community, provided those authorities agree." Does this refer to the data protection authorities in the Member States, on the Community level, or both? What degree of "cooperation" is required? How would the necessary "commit[ment]" be manifested? These and other questions will need clearer answers before we can judge whether this method of assuring compliance with the safe harbor principles is a viable one.

In addition, it should be made clear in the italicized paragraph that organizations may use a combination of different methods to assure compliance with different aspects of the enforcement principles. For instance, a company may implement its own privacy policy that fulfills the other safe harbor principles (mechanism (1) of the italicized paragraph) but rely upon legal authorities such as the FTC to impose consequences for non-compliance with that policy (mechanism (2)).

Finally, in the text of the principle itself, we believe that the reference to awarding damages is misleading and should be stricken. While, in some cases, if an organization adopts policies consistent with the safe harbor principles but fails to carry them out, compensatory damages might be awarded, such cases will be rare. Relief is much more likely to take the form of a mandated change in organizational practices, correction of records, and the like. Even if monetary relief is involved, it is more likely to take the form of fines or civil penalties, or of restitution, rather than of damages as such. While the reference to damages applies only "where the applicable law or private sector initiatives so provide," the fact is that in most cases the laws and initiatives do not "so provide," and it is potentially misleading to suggest otherwise. We suggest that if the reference to damages is not stricken, the words "damages awarded" be replaced with "relief ordered," which is more general but probably more realistic.

III. Access FAQ

Please see section II(E) above for comments on the formulation of the Access Principle itself, which is the first paragraph of this FAQ paper. We believe it is especially important not to confine the list of relevant factors to the three listed in the current text of the principle. For example, the need for verification may necessitate intrusive inquiries to the access requester, and the impact of these inquiries on personal privacy is an appropriate factor to consider in determining whether it is reasonable to deny access to a requester who declines to respond to such inquiries. There may be other relevant factors as well. We also believe that the reasonableness criterion should apply to correction as well as to access, as discussed in more detail under "Correction or Amendment" below. Where the information in question was not collected from the data subject by the organization receiving the access request, it will often be difficult or impossible for that organization to enable the data subject to correct inaccuracies at the source (a third party); for this reason, the principle should be focused on information collected from the data subject by the organization receiving the request.

A. Comments on Q. 1

The answer to this question makes a number of important points, but the weight to be given to factors such as expense and burden is somewhat obscured by the fact that both examples given in the answer result in a finding that access is required despite some level of expense or burden. We suggest that the third paragraph and the first sentence of the fourth paragraph be slightly revised to read as follows (new language underlined):

"Expense and burden are important factors and should be taken into account but by themselves they are not controlling in determining whether providing access is reasonable. For example, if the information is used for decisions that will significantly affect the individual (e.g., the denial or grant of important benefits, such as insurance, a mortgage, or a job), then the organization would have to disclose that information even if it is relatively difficult or expensive to provide.

"By contrast, if the information requested is not sensitive or not used for decisions that will significantly affect the individual (e.g., marketing data that is used to determine whether or not to send the individual a catalog),(2) a lesser degree of expense or burden in providing access would be sufficient to make it reasonable to deny access. Even in this situation, if information is readily available and inexpensive to provide, an organization would have to provide access to factual information that the organization stores about the individual."

We support the U.S. position of retaining the parenthetical associated with endnote (2). In the vast majority of cases, marketing data is not so sensitive as to render expense and burden irrelevant in determining whether access should be required.

Finally, as noted in section II(A) above, the deletion of the provision making the safe harbor principles inapplicable to proprietary information makes it doubly important to preserve the text preceding endnote 3, under which access may be denied to confidential commercial information. We support the definition of this phrase provided in the draft FAQ and would oppose narrowing this category to encompass only trade secrets as defined in the Economic Espionage Act.

B. Comments on Q.7:

It seems unlikely that information obtained from U.S. public records concerning a European citizen would often be transferred from Europe to the U.S. Only in such a rare case would the safe harbor principles be relevant to U.S. public records. (By contrast, the safe harbor would not apply if a Danish citizen, for instance, complains to the Danish data protection authorities concerning information about that person gleaned from U.S. public records and stored and processed in the United States. Since there has been no transfer of personal data from the EU to the US, no safe harbor is needed.) Thus, the EC position as explained in endnote 7 - that access to public records can be denied only if U.S. public record data is involved - would render this answer a virtual nullity.

Any FAQ concerning access to public record data must apply to European public record data, except for those circumstances in which the U.S. organization obtains the data directly from a public register within a Member State. In the latter case, under Article 26(1)(f) of the Data Protection Directive, the transfer outside the EU falls wholly outside the scope of the "adequacy" requirement, and therefore the safe harbor principles need not be fulfilled in order for the transfer to take place. As noted in subsection E below, the FAQ should also address the issue of correction or amendment of public record data held by a U.S. organization, including the circumstances under which it may be reasonable to deny a data subject's request for such correction.

The concept of public record data being "kept separately" from other information probably does not reflect commercial or technical reality. The operative issue is not how the information is "kept," but whether it can conveniently be retrieved in a manner that separates out public record data from non-public information. Even this is not often likely to be the case (and there may be no sound commercial reason for differentiating between the two categories of data), but if it is the case, organizations should not be required to provide access to separately retrievable public record data, regardless of how the data is "kept" when it is not being accessed.

C. Comments on Q. 8:

The example of "publicly available information" given in the question - "newspaper archives" - is inapposite, because the journalism FAQ makes it clear that such information is not subject to the safe harbor principles at all, and therefore there can be no requirement to provide access to it under any circumstances. "Commercially available directories" may provide a better example.

The comments above concerning the phrase "kept separately" apply here too. If publicly available information can be separated from non-public information, it should not be necessary to disclose the former.

D. Comments on Q. 10:

It should be spelled out that if the requester refuses to supply information (including personally identifiable information which may be "sensitive") sufficient to allow the organization to confirm his or her identity, the organization can refuse access without violating the Access Principle.

E. Correction or Amendment

The principle to which the FAQ is directed covers not only access to information held by an organization, but also the data subject's ability to correct and amend that information. The FAQ, however, only addresses the access issue. The FAQ could be expanded to note that the same factors which should be considered in deciding whether it is reasonable to respond positively to an access request - nature and sensitivity of information, intended use, expense and difficulty - are also applicable in determining whether it is reasonable for the organization to give the data subject the opportunity to correct or amend the information. In this regard, the relevant third factor would include the expense and difficulty of evaluating the accuracy of the purported correction or amendment. Additional factors of critical importance here include whether the organization has the legal right to alter information obtained, e.g., from a public record, and whether the organization's agreement to change the data in its own records would provide any benefit to the data subject (e.g., if the assertedly "incorrect" data remains unchanged in the public record or publicly available source database). Finally, it should be specified that in appropriate circumstances (e.g., public records or publicly available information), the organization can fulfill its obligation to "enable" the data subject to correct the data by directing him or her to the public register, directory compiler, or other entity that has the power to change the "original" source data.

IV. Draft Paper on EU Procedures

Our comments concerning this draft paper focus on four main areas of ambiguity or omission.

A. Standing: The paper does not discuss who has standing to initiate a complaint of non-compliance with safe harbor principles. Standing should be limited to data subjects who have actually suffered or are threatened with real, substantial and legally cognizable injuries due to alleged non-compliance. Otherwise, the value of safe harbor status would be substantially diminished.

Article 28.4 of the Data Protection Directive indicates that national data protection authorities must entertain "claims lodged by any person, or by an association representing that person, concerning the protection of his [sic] rights and freedoms in regard to the processing of personal data." Potentially, this provision would confer standing on a much broader category of complainants than those actually threatened with substantial injury. Furthermore, Article 28.3 refers to investigative powers of these authorities "in performance of [their] supervisory duties." This could be read to allow a national data protection authority to self-initiate a complaint against a U.S. organization to investigate compliance with safe harbor commitments. Finally, national laws might extend standing beyond the limits contemplated in the Data Protection Directive.

There appears to be a real danger that challenges to safe harbor status could be brought by parties, such as competitors, officious intermeddlers, and data protection bureaucrats at the national level, who lack a concrete stake in the matter. This possibility should be ruled out by spelling out standing limitations in this document.

B. Provisional relief: Whenever an organization's compliance with safe harbor principles is challenged, a critical practical issue is whether personally identifiable data may continue to flow from Europe to the U.S. organization while the challenge is being considered under the procedure outlined in the paper. The draft paper appears to sidestep this question by referring to "the exceptional conditions laid down in the [Article 25.6] decision" as providing the standards for deciding whether data flows will be interrupted pending a final decision. The applicable procedures are to be described in an annex to the paper, which has not been provided. Procedural issues aside, it is virtually impossible to evaluate the draft paper without knowing the standards under which a national data protection authority may, upon a complaint alleging non-compliance with safe harbor procedures, unilaterally cut off the flow of data to an organization that has self-certified its entitlement to safe harbor status. Accordingly, the U.S. should not sign off on this paper without having reviewed a draft of the Article 25.6 decision on the safe harbor system, as well as the annex referred to in the paper itself. Those documents should allow the EC to interrupt data flows on a provisional basis only in a true emergency situation. Otherwise, the main benefit of the safe harbor system to the U.S. - the preservation of transatlantic data flows - would be seriously undermined.

C. Exhaustion of remedies in the U.S.: The paper indicates that there will be "independent mechanisms … whether of a judicial or other nature" in the U.S. for resolution of disputes about the practices of organizations claiming a safe harbor, and that "data subjects are expected to use these channels" before they bring their complaints to data protection authorities in EU Member States. This falls well short of a clearly stated requirement that complainants first exhaust their potential remedies in the U.S. before initiating a case in an EU Member State. It also does not clearly specify that data subjects should first seek to resolve their complaint with the U.S. company involved, whether or not that company's complaint system constitutes an "independent mechanism" for dispute resolution.

The paper states that data protection commissioners "will normally not take up cases unless they are satisfied that the data subjects have themselves taken all reasonable steps to resolve dispute with the data recipients concerned and/or through the relevant dispute resolution mechanism." But this "normal" practice may not be possible if, in fact, the authorities "are under obligation to investigate complaints" (even if the complainant has neither approached the company nor invoked a U.S. dispute resolution mechanism) and must adhere to time limits, as the immediately preceding sentence of the paper states. The U.S. should ask that the E.U. make this "normal" practice a positive requirement for all complaints challenging the compliance of U.S. organizations with their safe harbor undertakings. If there is a legal problem with imposing this sort of "exhaustion of remedies" requirement uniformly upon proceedings before the data protection authorities in all the E.U. member states, that problem should be identified and addressed now, not after the safe harbor system is already in place.

D. Role of U.S. authorities: The draft paper contains several references to contact by the Member State data protection authority, and/or by the Commission, with "the third country authorities concerned." Who would that authority be in the case of the U.S.? Would it be the Commerce Department office in which the U.S. organization's certification of compliance with safe harbor principles has been filed? If so, what role would that office play, beyond providing a conduit for communications between the Member States and/or E.C. and the U.S. organization? Would the FTC be contacted, if the European complainant had previously filed a complaint with it charging the U.S. organization with unfair or deceptive practices? What if the complainant had not filed an FTC complaint? While it would not form a part of the final paper on EU Procedures, it is important to spell out somewhere - for the benefit of the European authorities as well as for the U.S. private sector - that nothing in this safe harbor system expands the investigative or regulatory jurisdiction of any U.S. agency.

V. Additional FAQ's

A. Self-Certification

As noted in discussion at the May 7 briefing, a number of implementation issues may arise in prescribing the details of the self-certification process. For example, in many organizations (including McGraw-Hill) there may not be a single "contact person for the handling of complaints," etc. Rather, a privacy officer in each business unit is designated and disclosed to customers or prospects of that business unit, as the first stop in the complaint process. It should be made clear in this FAQ that Commerce (or its "designee") has the flexibility to accommodate a number of institutional models for privacy self-regulation.

The fourth indent under the third bullet should read: "the specific statutory bodies that may have jurisdiction to hear…". Organizations should not be required to concede jurisdiction of enforcement agencies in any specific case (for example, an agency may have jurisdiction over a claim but may lose it due to expiration of a statute of limitations). The goal should simply be to identify the agencies to which an aggrieved data subject, having exhausted his efforts to resolve a complaint with the company or through other non-governmental means, may wish to turn to seek relief.

In the final indent, the phrase "third party" should be changed to "independent recourse mechanism," in order to track the Enforcement Principle itself. In addition, the word "will" should be changed to "is available to". The self-certifying organization may not be in a position to guarantee the willingness of a third party, be it a trade association, mediator/arbitrator, U.S. government agency, or European data protection authority, to investigate a particular individual complaint. Especially since "misrepresentation" in the self-certification statement will be "actionable by the FTC," it is important that self-certifying organizations not be required to make representations about circumstances which they do not control.

B. Sensitive Data

As noted in section II(B) above, this FAQ could be expanded to rule out an excessively broad interpretation of the categories of information deemed to be "sensitive."

C. Verification

This FAQ refers to "the annual renewal of the self-certification process." The self-certification FAQ itself does not make any reference to annual renewal. McGraw-Hill opposes an annual renewal process as an unnecessary bureaucratic obstacle to maintaining safe harbor status. It should be sufficient to require organizations to update any information appearing in their self-certification letters which has become obsolete; such updating may be more or less frequent than annually. Annual verification documentation, as described in this FAQ, should be made available directly by the organization to members of the public upon request, but it should not be necessary to file it with a federal agency.

D. Journalistic Exceptions

We urge the U.S. to continue to oppose efforts to bring journalistic material under any aspect of the safe harbor commitments, in accordance with the primacy of First Amendment considerations as stated in this FAQ.

E. Human Resources Data

With regard to Question 2: under the Choice Principle, the trigger for giving employees a chance to opt out of uses of personal data is not necessarily whether the use is for "non-employment-related purposes," but whether the use is "incompatible with the purpose for which [the data] was originally collected or with any other purpose disclosed to the individual in a notice." Accordingly, the following should be added to the end of the first sentence of the second paragraph of this answer: ", unless such use has already been disclosed to the employee."

The examples given in response to Question 3 are not an exhaustive list of the additional exceptions that could apply to human resources data. This should be reflected by inserting "For example," at the beginning of the third sentence of this answer, and replacing "such" with "similarly" in the fourth sentence.

The last sentence of the response to Question 4 is confusing. It is not clear whether "competent European authorities" refers to data protection authorities or labor authorities. While the activities of a European subsidiary of a U.S. organization often will fall within the legal jurisdiction of such an authority, the parent U.S. organization may or may not, depending on the circumstances. As noted in section II(F) above, the "commit to cooperate with" formulation is ambiguous in a number of ways, and provides rather obscure guidance to organizations seeking to conform to safe harbor principles. Eliminating this sentence might avoid some confusion.

F. Secondary Liability

We have no objection to what we understand to be the intent of this FAQ, but it is out of place in its current form, since it has nothing to do with the safe harbor. It is true that "the safe harbor does not create secondary liability," but this statement could imply that the safe harbor creates primary liability, which it does not: the safe harbor does not create any liability. This second sentence should be deleted, or replaced with "The Data Protection Directive does not create secondary liability." The last sentence states circumstances under which certain parties would not be liable under the Data Protection Directive. To clarify this, the following phrase should be added at the end of this sentence: "under the Data Protection Directive, without regard to the safe harbor principles." In addition, the question should be rephrased by replacing "the safe harbor principles" with "the Data Protection Directive."

VI. Other Issues Identified at the May 7 Briefing

A. Weight of FAQs. Because the FAQs contain important explications of the scope of safe harbor principles, they should enjoy an official status and organizations should be able to rely upon them in self-certifying compliance with the principles.

B. Contracts. As mentioned in section II(A) above, contracts embodying the relevant safe harbor principles should receive the full benefit of safe harbor treatment, i.e., they should be encompassed within the Article 25.6 Commission Decision recognizing the safe harbor.

C. Grace Period. Based on its own experience in devising, implementing, evaluating and fine-tuning privacy policies within a large and diverse global company, McGraw-Hill strongly urges that there should be an extensive grace period for achieving full implementation of the safe harbor principles. The EC should extend the current standstill for at least one year after the exchange of letters.

The proposed two-step procedure, in which companies would have to file some notice of intent to pursue the safe harbor approach in order to obtain the full benefits of the continued standstill, seems unnecessarily complex, and invites abuse. Whether to seek safe harbor status, or to pursue some other method of maintaining (or of minimizing) transatlantic data flows could be a difficult decision for many organizations. If a short deadline for declaring this intention is imposed, most organizations will file such a notice to preserve their options. If many of them end up not perfecting their claim to safe harbor status, this could reflect negatively on the entire process.

D. Manual data

As mentioned above in section II(A), transatlantic flows of manually processed data are relatively de minimis. Those that exist are probably of long standing and have never been viewed as posing any threat to personal privacy. Manual data should be excluded from the safe harbor exercise.

E. Ongoing processing activity

McGraw-Hill supports the stated U.S. position of seeking a uniform three-year grace period for ongoing processing activities throughout the EU.

F. Exchange of letters

As discussed in section IV(B) above, the particular text of the Article 25.6 decision recognizing the safe harbor system is of crucial importance. Both this document and the accompanying complaint procedures paper (and its annexes) should be thoroughly reviewed before the exchange of letters takes place.

In addition, the exchange of letters should spell out the cardinal principle of all safe harbor arrangements: that a failure to qualify for the safe harbor does not equate to a finding of liability. In this context, a transfer of data to a U.S. organization that does not qualify for the safe harbor does not necessarily run afoul of Article 25.1 of the Directive or the national laws enacted pursuant thereto. Indeed, the EC letter should spell out that no adverse implication for Article 25 purposes may be drawn from the failure of a U.S. data recipient organization to pursue, or to achieve, compliance with the safe harbor principles. Whether or not the transfer is permitted should be determined through the operation of the provisions of the Directive (notably Article 25.2) and of applicable Member State laws without regard to the safe harbor system.

Furthermore, the USG should not agree to any letter that contains or implies a Commission finding, within the meaning of Article 25.4, that the U.S. lacks an adequate level of protection. Nor should the letter state or suggest that the discussions culminating in the exchange of letters were undertaken to avoid such a finding or to "remedy the situation resulting from" such a finding (see Article 25.5).

VII. Conclusion

We thank U.S. negotiators in advance for your consideration of the preceding comments, and also commend the open consultative process that you have employed throughout these negotiations. If we can provide any further information that would assist you, please do not hesitate to contact us.

Respectfully submitted,

Cynthia H. Braddon
Co-Chair, The McGraw-Hill Companies Privacy Steering Committee
Vice President, Washington Affairs

Katherine D. Roome
Co-Chair, The McGraw-Hill Companies Privacy Steering Committee
Vice President and Associate General Counsel