The Honorable David L. Aaron
Under Secretary of Commerce for International Trade
U.S. Department of Commerce
Room 3850
14th Street and Constitution Avenue, N.W.
Washington, DC 20230
Re: Comments on International Safe Harbor Privacy Principles and Related Documents
Dear Ambassador Aaron:
This letter responds to your request for comments on the draft dated November 15, 1999 of the "International Safe Harbor Privacy Principles" and associated FAQs. The Securities Industry Association ("SIA")(1) is again pleased to participate in this important process, which will shape the landscape for international data flow for years to come. Given that many of its members increasingly transact business on both sides of the Atlantic, the SIA is particularly interested in an appropriate resolution of the bilateral negotiations between the Department of Commerce ("DoC") and the European Commission. SIA would like to thank the DoC for the substantial progress it has made in negotiating the Safe Harbor Privacy Principles with the EC.
Although, in its previous comments dated May 14, 1999, SIA proposed several changes to the previous iteration of the Safe Harbor Privacy Principles, we focus our comments here on two broad points. SIA continues to believe that its previous proposals should be incorporated in the Safe Harbor Privacy Principles if possible. Given the short timeframe for this latest round of comments, however, SIA will limit its comments to the two points that are most significant to its members.
Financial Services Modernization Act
First, the DoC should be vigilant in its efforts to obtain from the EC a declaration that Title V of the Financial Modernization Act, in combination with the Fair Credit Reporting Act ("FCRA"), provides "adequate" protection for customer information handled by the securities industry. Congress has recently enacted a comprehensive system of federal privacy regulation, and the DoC should take the position with the EC that this new privacy regime provides adequate protection for customer information in the United States. Accordingly, it should be unnecessary for securities firms to self-certify under the Safe Harbor or designate a self-regulatory organization ("SRO") to enforce their privacy commitments.
Congress enacted Title V after considerable debate and input from privacy advocates, securities firms, and other members of the financial services industry. Title V imposes affirmative privacy and security obligations on securities firms, requires disclosures and often customer choice with respect to the sharing and reuse of customer information, and directs the Securities and Exchange Commission ("SEC") to adopt regulations and examination guidelines to ensure that securities firms comply with Title V's provisions and the FCRA.
Given the comprehensive privacy regulations to which securities firms are subject, and the ready availability of mechanisms to enforce those regulations, the EC should not insist on supplementing the privacy regulation scheme Congress has enacted. Article 25 of the EU Directive, after all, requires "adequate," not "equivalent," protection. Title V, especially when combined with the FCRA and the regulatory oversight provided by the SEC and SROs such as NASD-R and the NYSE, clearly provides "adequate" protection for the securities industry's consumers, even if it does not precisely match all of the particulars of the EU Directive. DoC and the EC should bear in mind that the SEC and the securities SROs have substantial authority and resources to receive customer complaints about and take action against firms that fail to comply with the comprehensive federal regulatory scheme or fail to fulfill their representations under their privacy policies, which Title V mandates that they develop and regularly inform customers about. Furthermore, such firms potentially face civil liability as well, including class actions.
At the very least, the EC should defer any determination that Title V and the other relevant privacy regulations are inadequate until after the Safe Harbor transition period. If the EC wishes to see how Title V is interpreted and applied in practice, it can make a later adequacy determination after observing these developments. Requiring American firms to comply with the Safe Harbor immediately -- before the Title V reforms have even had the opportunity to prove themselves in action -- could needlessly interfere with Congress's intention to create a comprehensive federal privacy regulatory scheme through legislation and regulations. Furthermore, a requirement of immediate compliance would require securities firms to spend considerable resources meeting the precise requirements of the Safe Harbor -- in addition to Title V's requirements -- when the EC might later determine that Title V, the FCRA, and regulations thereunder satisfy Article 25's adequacy requirement.
Transition Period
Second, DoC should insist that the Safe Harbor include a transition period of at least 18 months for firms to determine whether to self-certify under Safe Harbor and implement necessary changes. Eighteen months is the minimum amount of time in which firms can make a reasonable, well-informed decision about whether self-certification is in their best interests and then implement any decision to self-certify.
The SEC is just beginning its rulemaking process, and regulations under Title V of the Financial Services Modernization Act and the FCRA will not come into effect for at least a year and possibly longer. Furthermore, half of the EU Member States have yet to enact national laws implementing the Directive. Accordingly, firms do not yet have sufficient information to evaluate their various compliance options and to design disclosure statements, contracts, databases, training materials, and other materials that will take into account these laws and regulations.
Securities firms should not be forced to decide whether to self-certify before they have had an opportunity to assess and comply with the new privacy environment in the United States and European Union. By incorporating a reasonable transition period, DoC and the EC will encourage more US firms to participate in the Safe Harbor and thereby help to make the Safe Harbor program a success.
We appreciate the opportunity to express our views.
Sincerely,
/s/
Marc E. Lackritz
President
1. The Securities Industry Association brings together the shared interests of more than 740 securities firms to accomplish common goals. SIA member-firms (including investment banks, broker-dealers, and mutual fund companies) are active in all U.S. and foreign markets and in all phases of corporate and public finance. The U.S. securities industry manages the accounts of more than 50 million investors directly and tens of millions of investors indirectly through corporate, thrift, and pension plans. The industry generates more than $300 billion of revenues yearly in the U.S. economy and employs more than 600,000 individuals. (More information about the SIA is available on its home page: http://www.sia.com.)