December 3, 1999
 

The Honorable David L. Aaron
Under Secretary for International Trade Affairs
International Trade Administration
U.S. Department of Commerce
14th Street and Constitution Avenue, N.W.
Washington, D.C. 20230
 

Re: Comments concerning Draft Safe Harbor Documents
 

Dear Under Secretary Aaron:

In response to your request of November 15, 1999, the following comments concerning the draft safe harbor documents are submitted on behalf of the Pharmaceutical Research and Manufacturers of America (PhRMA).

Eligibility for Safe Harbor Protection

Both the draft preamble to the revised Safe Harbor Principles and the draft summary of the Article 25.6 Decision state that where "an organization relies in whole or in part on self regulation, its failure to comply with such self regulation must also be actionable under Section 5 of the Federal Trade Commission Act." In this regard, we assume that if a company self-certifies publicly that it will comply with the Safe Harbor principles it would then be subject to FTC action under Section 5 if it subsequently failed to abide by those principles.

In the alternative, we draw attention to the fact that the two drafts differ as to what would make an organization eligible for the Safe Harbor where its failure to comply with self-regulation was not actionable by the FTC. The draft preamble notes that "another law or regulation prohibiting such acts" would suffice; whereas the draft summary calls for "another government body with powers to take enforcement action in cases of deception or misrepresentation." As noted in our comments of July 31, 1998, "state and federal government regulation of the confidentiality of certain health information is already extensive," and we assume that this broad scope of regulation would suffice for Safe Harbor eligibility.

Furthermore, FAQ 5 notes that a company could "make a commitment to cooperate with the data protection authorities ("DPAs") in the European Union as one means of satisfying the enforcement principle under the safe harbor." Not only would such a commitment satisfy the enforcement principle, it would subject a company to "another government body with powers to take enforcement action in cases of deception or misrepresentation" - the condition noted in the draft summary of the Article 25.6 Decision. Thus, this approach would appear to provide a further alternative basis for Safe Harbor eligibility.

We would welcome confirmation of this interpretation of the various eligibility options available to a company.

Draft Safe Harbor Principles

Preamble/Grandfather Clause

In the preamble to the Safe Harbor Principles, the following statement is made:

"Organizations wishing to benefit from the safe harbor for receiving such information from the EU must apply the principles to any such information transferred after they enter the 'safe harbor.'"

We interpret this statement to mean that the principles need not be applied to data in existence prior to the date that the Safe Harbor obligations take effect - in other words, that such data will be grandfathered. Could you please confirm this interpretation?

CHOICE

We fully support Commerce's proposed amendments to the text as set forth in the rationale noted in footnotes 2 and 3.

ONWARD TRANSFER

We would appreciate an explicit statement that a written agreement with a third party for the purpose of onward transfer does not obligate the third party to become a member of the Safe Harbor.

Draft Frequently Asked Questions (FAQs)

FAQ 1 - Sensitive Data

The FAQ needs to be amended to include the fact that "opt-in" would not be required for data processing, and onward transfer, where the data processing is conducted for research in the public interest. We recommend the following amendment:

A: No, such choice is not required where the processing is: (1) in the vital interests of the data subject or another person; (2) necessary for the establishment of legal claims or defenses; (3)…; or (6) related to data that are manifestly made public by the individual, or (7) for reasons of substantial public interest. Substantial public interest can include research being conducted for public health and regulatory purposes.

Also, there is a typo in part (3) of the answer - "of" should be amended to "or."

FAQ 6 - Self-Certification

We question the need for a requirement for annual re-certification of compliance to the Safe Harbor. Re-certification should be conditioned on a material change in circumstances.

FAQ 14 - Pharmaceutical and Medical Products

Q.5

Once a data subject has been informed of the conditions of the trial and has consented to participate in the trial under those conditions, there is no right to access. Hence, the following amendments should be made to the answer to this FAQ:

"A: No, such access does not have to be provided to a data subject if this restriction has been explained when the data subject entered the trial and consented to the conditions of the trial. the disclosure of such information would jeopardize the integrity of the research effort. Agreement to participate in the trial under these conditions is a reasonable forgoing of the right of access. Following the conclusion of the trial and analysis of the results, subjects should have access to their data if they request it. They should seek it primarily from the physician or other health care provider from whom they received treatment within the clinical trial, or secondarily from the sponsoring company."

Q.6

The answer would exempt from the safe harbor principles of notice, choice, onward transfer and access only those safety and efficacy monitoring activities that are specifically required by regulation. The intent of this FAQ is to ensure that the broader safety and efficacy monitoring activities that are now ongoing that support regulatory compliance but are not specifically mandated by regulation are also exempted. Hence the FAQ should be amended as follows:

"A: No. the extent that adherence to the principles interferes with compliance with regulatory requirements. This is true both with respect to reports by, for example, health care providers, to pharmaceutical and medical device companies, and with respect to reports by pharmaceutical and medical device companies to government agencies like the Food and Drug Administration."

Q.7

For the purpose of improving clarity, we recommend amending the last sentence of the question to read as follows:

"Does this Would a transfer of this type of data constitute a transfer of personal data that is subject to the Safe Harbor principles?"

Transition Period

PhRMA supports a period of three years from the date of the exchange of letters during which the "stand-still" by the EU would remain in effect. This would provide U.S. organizations adequate opportunity to decide whether to enter the safe harbor, and if necessary to update their information practices. It should be kept in mind that an alternative approach to that of the Safe Harbor, through contractual transfer, still has not issued as an Article 26 Decision.

I would like to also take this opportunity to express PhRMA's appreciation for your kind efforts on behalf of US companies during these important negotiations with the EU.
 

Sincerely,

(signed)

Shannon S.S. Herzfeld