Oracle wishes to thank the Department of Commerce for the opportunity to comment on the Safe Harbor Principles and FAQs and for the Department's continuing representation of American industry in the negotiations with the EU on privacy and transborder data flows.
Oracle Corporation is the world's leading supplier of software for information management, and the world's second largest independent software company. With annual revenues of more than $8.3 billion, the company offers its database, tools and application products, along with related consulting, education, and support services, in more than 145 countries around the world.
As a leading provider of Internet solutions and database technologies, Oracle is committed to maintaining the private nature of user and employee information while assuring that the market benefits from the free flow of information and ideas. Oracle believes that these goals are not inconsistent. As a global company, Oracle respects the cultural and societal norms that have prompted the EU to push for international protection of its citizens' information. Oracle is, however, concerned that an attempt to replicate the legal infrastructures and societal norms of European countries may work at cross-purposes with the different systems in place in other countries such as the US. All countries can agree on the need to provide credible and effective protection of the personally identifiable information of all citizens, supported by appropriate dispute resolution, redress or enforcement mechanisms. International business is working with governments towards that end. In the US, that work has taken place through industry sector codes, broader self-regulation initiatives, seal and audit systems, elaborate self-policing systems and final recourse to appropriate governmental agencies, most notably the Federal Trade Commission.
Oracle is providing comments on the Safe Harbor Principles and FAQs, as well as requests for clarification on some issues. We would be happy to work with the Department of Commerce to further clarify the questions or elaborate on the comments.
Applicability/Scope of Safe Harbor
Despite the progress made and new mechanisms in place, substantial concerns remain that privacy protection in the US may not meet the test of "adequacy" as set forth in the EU Data Protection Directive. The Safe Harbor Provisions are an attempt to provide an adequacy carve-out to prevent the disruption of data flows for those companies that can meet the requirements of the final principles. The Department of Commerce has, in numerous statements, made clear that these Safe Harbor Principles are based in large part on EU law and are meant to apply only to relevant transborder flows of personally identifiable data. The Department of Commerce has likewise stated that these Safe Harbor Principles are not meant to be the basis for US privacy standards or regulation.
Despite the assurance and best intent of the Department of Commerce, we continue to be faced with a different business reality. Companies involved in electronic commerce hosted on servers in the US, serving global customers, will provide the same mechanisms of choice and protections to all users of the server. Thus, the requirements to provide mechanisms for choice, redress and access specified in the Safe Harbor Principles and FAQs will become the defaults for all customers of the server. In light of the desire of many companies to migrate users to online interactions, those requirements may well become the market standards.
The broader scope of application that we see as likely, or at least possible, does not necessarily outweigh the benefits provided by the Safe Harbor. We are concerned, however, that the Department of Commerce take this possibility appropriately into account as part of its negotiating position, and we want to assure that when businesses evaluate the appropriateness of the principles for their business they do so considering all the reasonably foreseeable implications of their decisions.
Comparable Treatment and Technological Developments
The Safe Harbor provisions may provide benefits for US companies, as long as they are applied neutrally and equally. Concerns have been raised that the companies self-certifying to the Safe Harbor provisions might actually be subject to more stringent review than EU companies. We would suggest that a statement regarding the neutral and non-discriminatory application of the Safe Harbor principles in the chapeau text would thus be appropriate. Oracle would also like to point out that self-regulatory solutions based on disclosed privacy policies, tied to credible and specified methods of dispute resolution, redress or enforcement can provide more direct information to consumers than laws and regulations with which they may be unfamiliar. Thus consumers in the self-regulatory jurisdictions may be able to make more informed decisions about whether to provide personally identifiable information.
Oracle supports both policies and technologies that provide users and customers with the information and mechanisms they need to make and effect informed decisions about their personally identifiable information. Since these are individual decisions, Oracle encourages the development of technologies and policies that empower individuals to make decisions appropriate to the transaction or interaction based on their needs or preferences and the type and sensitivity of the information. Monolithic, governmentally imposed solutions provide less flexibility to the consumer and substitute the preferences and judgment of the lawmaker for those of the individual.
Oracle also recommends that the Safe Harbor provisions make more explicit reference to the ability to address a number of these problems with current and developing technologies that empower users and consumers. These technologies, used in concert with effective self-regulatory policies, will continue to play an important and expanding role in the protection of privacy. The Safe Harbor should reflect some incentives for the international recognition and adoption of these technological and self-regulatory solutions.
Choice
Oracle has some questions regarding the application of the choice provisions as contemplated in the Safe Harbor.
In the case of opt out, if a consumer is asked to provide information on a voluntary basis, would the non-mandatory nature of the request satisfy opt out? In the same situation, where there was a voluntary request for sensitive information, would the consumer's act of providing the information be sufficient to qualify as an opt in?
Many sites use, and disclose the use of, cookies to validate members on the "members only" part of the website. Users have the choice of providing the information or not gaining access to that part of the site. Is the option to provide information or not use the site one of the contemplated opt out mechanisms?
Onward Transfer
In the case of an onward transfer, where a company relies on a written agreement requiring the third party to provide at least the same level of privacy protection as the Safe Harbor, which party is expected to enforce the agreement in case of breach by the third party? At whose expense?
Access
Oracle strongly supports the continued insistence on the bracketed term "[reasonable]". The OECD Guidelines access right was not absolute. The majority of companies are in the business of selling products or services not related to customer files. Customer file information will be provided to the customer as part of customer service interactions. Companies have a marketing and customer service rationale to satisfy reasonable customer information requests. Many companies, as part of general information system improvements, have begun to deploy mechanisms by which customers can directly access and correct or update various contact information fields and preferences. These arrangements provide greater customer access to information, increase the accuracy of corporate information and reduce long-term information maintenance costs for the companies. Such improvements are best made as part of a larger IT or website overhaul and implementation of technology. Companies must weigh a number of factors in determining when and how to implement such systems. Policy makers should be cognizant of these natural market trends and must consider that these trends evolve as a result of market needs. Getting ahead of these trends, or legislating solutions beyond articulated market need, may inhibit rather than facilitate appropriate privacy solutions.
Enforcement
The US has traditionally recognized damages where harmful use of the information is proved. The EU has a much lighter burden of harmful collection, which can include inadvertent collection of information with no actual harm or intended use. What law is being referenced by "applicable law"?
Education
There is no question that citizens, businesses and even government representatives can all benefit from greater education related to the privacy issue. Oracle suggests that if Safe Harbor principles are accepted by government and business representatives, a joint government-private sector initiative to promote better understanding of the context, meaning and application of the principles and the FAQs would be useful.
New FAQs
Self-Certification:
Are the elements of the privacy policy listed in the FAQ meant to serve as a checklist, or as required elements?
We suggest the insertion of language relating to good faith or reasonableness to qualify the statement of adherence to the Safe Harbor Principles. The Principles, as written, are very broad, with some level of specification in the FAQs. This will of necessity be an ongoing process of elaboration. There may be miscomprehension of how to apply the principles to a given situation that might result in inadvertent misrepresentations. While these inadvertent misrepresentations must be corrected promptly upon notice, they should not be actionable. We assume that "may be actionable" was meant to deal with these issues, but believe that a more explicit statement would be preferable.
Financial and Insurance Risk Management
Mortgage and credit card information should be expanded to include more general bad debt and other credit-type information upon which a number of financial decisions are made.
Under Safe Harbor are there any criteria on what level of specificity must be provided in refusing to enter a financial transaction with a potential customer? Is there any need to provide some or all of the underlying information that formed the basis of the decision?
Human Resources Data
If a company has taken advantage of both the Safe Harbor and a contractual derogation, which controls?
In the US there are public policy imperatives which allow for interdepartmental use of information to protect public safety (e.g., medical information about a train engineer or pilot that might compromise their ability to do the job). Does the Safe Harbor respect those public policy imperatives?
Regarding Q2, are choice mechanisms for employees available for employment related functions? Would a blanket statement like "the information collected shall be used for normal employment functions including, but not limited to: processing of salary, pension and medical information, compiling of employee performance and utilization data, making resource allocation and promotion decisions" be appropriate, or are different statements required because of differing levels of sensitivity of data? This question goes to the complexity of implementation.
Regarding the last sentence, as it relates to the "*" and "decisions of competent European authorities": does this refer to decisions by EU DPAs or labor groups about compliance with only the Safe Harbor provisions, or does it refer to other criteria or regulations?
Submitted, May 14, 1999