Ambassador David L. Aaron
Under Secretary of International Trade
International Trade Administration
Department of Commerce
14th Street & Constitution Avenue, NW
Washington, DC 20230
Attention: Mr. Eric Fredell, Task Force on Electronic Commerce
Dear Ambassador Aaron:
The Magazine Publishers of America (MPA) is pleased to submit comments on the most recent version of the draft International Safe Harbor Privacy Principles, circulated for public comment on November 15, 1999. Our organization submitted comments on earlier drafts of the Safe Harbor in November of 1998 and May of this year. Our membership includes more than 225 domestic publishers of more than 1250 of the most-recognized magazines in this country, as well as about 70 international publishing companies. Many of our member companies are actively involved in international commerce and are vitally interested in a successful conclusion to the ongoing negotiations between the United States and the European Union on implementation of the EU's Directive on Data Protection for transfers of personally-identifiable data from EU Member States to the United States.
Overview
As stated in our earlier comments, MPA supports the concept of creating a safe harbor for US companies that implement effective privacy protection policies. MPA appreciates your steadfastness and determination in moving the safe harbor concept forward over the past year. The current draft and FAQ reflect the hard work of all involved and bring us much closer to the sectoral approach to privacy used in the United States, which combines legislation and regulation for certain types of information with a self-regulatory model for less sensitive types of personal information.
We are pleased that the current version makes clear that the safe harbor privacy principles are comprised of both the principles document and the Frequently Asked Questions. The questions provide much needed clarification of the principles and will make it much easier for companies to understand how to implement the safe harbor if they choose to.
We are also pleased that the draft principles make clear that these principles should not serve as a model for personal privacy protection in the United States. As the draft states, these principles are intended for use solely by US organizations receiving personal data from the European Union for the purpose of qualifying for the safe harbor. The draft correctly concludes that adoption of these principles for other purposes may be inappropriate. As support for this conclusion, we note that the types of personal information considered "sensitive" for this purpose are broader than those included within the definition of sensitive information generally used in the United States. Furthermore, while companies following the safe harbor will be required to self-certify their compliance to the Department of Commerce, US companies would certainly never be required to provide letters to various government agencies stating their compliance with all laws and regulations governing companies in the United States.
Another improvement in the revised draft and FAQ is the fleshing out of the variety of mechanisms available for US companies seeking to meet the safe harbor. FAQ 5, for example, explains how companies can choose to meet the enforcement principle by committing to cooperate with European Data Protection Authorities. FAQ 7 describes the ability of companies to use self-assessment to verify that their privacy policies conform to the safe harbor principles. This flexibility is crucial to make the safe harbor a success. Privacy protection is not one-size-fits-all. Not all companies will participate in private sector developed privacy programs - some may choose to implement comprehensive privacy programs internally.
During the course of the safe harbor negotiations, MPA has been among the journalistic organizations seeking a clear statement on the extent of the Directive's exemption for journalistic material. We have sought to make clear that information included in news archives is also exempt from the Directive's requirements. We believe that FAQ 2 correctly states that the First Amendment must govern the balancing of the rights of a free press with privacy protection interests. We agree with the conclusion in FAQ 2 that personal information gathered for journalistic purposes, whether used or not, as well as information contained in media archives, is not subject to the requirements of the safe harbor principles.
Comments on Specific Principles and FAQs
Notice
We are pleased with the modification of the notice principle to take into account the need of companies to have flexibility in determining when to provide notice to individuals. The revised principle continues to allow notice "as soon as is practicable." Further, as we suggested in our comments in May, the principle now requires notice prior to use or disclosure to a third party only for purposes not related to the purpose for which the data was collected. This will allow timely transfer of data necessary to fulfill customer expectations for service. We also support the statement in FAQ 12 that allows an organization to use information for direct marketing purposes when it is impracticable to provide choice prior to use of the information as long as an opt-out opportunity is offered at the same time.
Choice
As we discussed in our comments in May, we continue to be concerned about the description of sensitive information for which opt-in choice must be provided. We are very supportive of the US efforts to require opt-in only for personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual. We agree completely with the US concerns about the EU desire to state that opt-in is required for personal information revealing these characteristics. As we stated in May, we believe that "inferences" regarding these characteristics that may be drawn from, for example, magazine reading preferences are not an appropriate basis for triggering an opt-in choice requirement. We agree that restrictions on the use of such data may raise First Amendment concerns.
MPA also supports the US proposal to delete the sentence describing choice for disclosures to third parties that may not be complying with the safe harbor principles. If the EU Member States do not comply with this choice practice, US companies should not be unfairly burdened.
Onward Transfer
We support the revised onward transfer principle that allows organizations to transfer data to a third party that does not subscribe to the safe harbor if it enters into a written agreement or contract with the third party requiring the same level of privacy protection. We agree that organizations should not be held responsible for third party violations of the written agreement.
Access
We are pleased that the principle of proportionality with regard to access is still contained in both the principles and the FAQ. In the May version, the EU was proposing to remove this concept from the principles. Describing the need for proportionality in both places demonstrates clearly that the appropriate level of access depends on a balancing of the risks to an individual's privacy with the expense and difficulty of providing the individual with access.
Enforcement
We agree with the Department of Commerce that the revisions in the enforcement provisions of the safe harbor improve the framework by giving deference to the self-regulatory process in the United States. As described in the Summary of the Article 25.6 Decision, EU authorities may only suspend data flows in limited circumstances, that is, when a US body has found an organization in violation of the principles and when there is substantial evidence of non-compliance and reasons to believe that the US body will not take effective and timely action.
Grace Period
As we described in our comments in May, we believe that implementation of the safe harbor will require a two-stage grace period to allow companies first to decide whether they want to participate in the safe harbor and second to implement the safe harbor requirements. We note that the current documents state that the interim period is not yet agreed. We believe that industry has concluded that completion of both stages will require at least 18 months. As described in FAQ 5, many decisions and implementation of private sector programs are awaiting completion of the safe harbor discussions. Industry will need time to ensure that privacy policies are in place, employees trained, and systems tested.
We appreciate the Department of Commerce's continuing interest in seeking industry comments on the draft safe harbor documents. We look forward to a successful conclusion to the lengthy negotiations on this useful concept in the near future.
Sincerely,
Rita D. Cohen
Senior Vice President, Legislative and Regulatory Policy