The Honorable David Aaron
Under Secretary for International Trade
International Trade Administration
Department of Commerce
14th Street and Constitution Avenue NW
Washington, DC
Dear Ambassador Aaron:
The Software & Information Industry Association appreciates the opportunity to comment on the latest draft of the "safe harbor" documents prepared by the European Commission and the Department of Commerce.
The Software & Information Industry Association (SIIA) was formed by the January 1, 1999 merger of the Software Publishers Association and Information Industry Association. The SIIA is the principal trade association in the world for code and content companies competing in the digital age. Our member companies develop products for the education, home, consumer, corporate, government, enterprise and Internet markets, representing all aspects of this growing industry. More importantly, our members are involved in virtually every aspect of electronic commerce, from providing the products that make e-commerce possible to leveraging e-commerce to market, sell, support and develop their product lines.
While SIIA is pleased to see that many of the issues that we have raised in our past comments have been addressed, we continue to have concerns regarding the direction and benefit of the safe harbor for many companies involved in the transfer of customer data or the collection of data through electronic commerce activities.
Timing
The question of when the safe harbor would be available to U.S. companies has not been resolved by European and U.S. officials. SIIA suggests that companies be given a minimum of two years to bring their practices into compliance with the safe harbor principles. We believe this is reasonable since, for many companies with extensive operations and relationships with marketing partners and resellers, implementation of the safe harbor principles will be a significant commitment. In addition, not all of the European Union member countries have adopted the Directive into their own national laws, so it is not reasonable to expect U.S. companies to move forward on their safe harbor commitments before the EU member states have followed through on their legal obligations to transpose the Directive into national law.
In addition, because many companies believe that it may be more appropriate to address their compliance with the EU Directive via a contract approach, in no case should the effective date occur before the European authorities have issued guidance on acceptable model contracts and industry has been given adequate time to examine these contracts.
Fraud Prevention
Many SIIA member companies are engaged in fraud prevention and detection services for both online and offline environments. In addition, new services have emerged as electronic commerce continues to grow. With this new electronic marketplace, the potential for credit card abuse is significant and threatens to undermine small- and medium-sized businesses. For companies that create, market, sell and deliver digital products, detecting potential fraud in a timely manner is crucial as these products (software, online services, content, music, and news, to name a few) are delivered immediately and can be easily reproduced by thieves and pirates. As a result, many companies now offer fraud screening, detection and prevention services specifically targeted to help online merchants reduce their liability and provide protection for their legitimate consumers.
The use of personal data is necessary, in many cases, to verify identity, credit card usage, proper authorization and a host of other services. Notification of the use of this data may not be possible or appropriate in many cases. It is unclear whether the use of data to prevent fraud is covered by the provisions that allow the use of data in the best interests of an individual or in the public interest.
Choice
SIIA strongly supports the deletion of the marked text in the current draft. The question of the transfer of personal data to third parties is adequately covered in the principle of onward transfer.
Onward Transfer
There is some confusion over the extent to which a company must examine the privacy practices of a receiving company before transferring data. Language that requires a company to "ascertain" whether another organization is in compliance with the safe harbor or otherwise subject to data protection provisions is overly burdensome and unrealistic. The transferring company should not be required to determine whether another has adopted, or should adopt, a prescribed approach to privacy. The transferring company should be required only to obtain the receiving party's self-certification that it meets whatever criteria are appropriate.
In addition, it is unclear whether a receiving party that states that it complies with the safe harbor principles has, from the perspective of the Department of Commerce, committed itself to entering the safe harbor.
FAQ 7: Verification
SIIA feels strongly that the safe harbor may provide a means by which many small and medium-sized businesses can reap the benefits of electronic commerce. The guidance provided by the safe harbor documents is valuable for companies that lack the corporate resources to develop and implement policies that would comply with the Data Directive.
However, requiring companies to conduct an annual self-assessment may be overly burdensome, particularly in cases where privacy practices have not been materially altered in the previous year or where the company is participating in an ongoing, third-party verification program. Should privacy practices change, self-assessment to ensure that the new policies have been implemented fully is appropriate. Further reporting, auditing or certification requirements may discourage small and medium-sized companies from being able to reap the benefits of the safe harbor.
FAQ 11: Dispute Resolution Mechanisms
Many SIIA member companies are deeply engaged in data processing, electronic commerce and online sales of digital products; each of these transactions often requires the collection and use of personal data. However, because many of our member companies are unregulated and there are no relevant third-party self-regulatory mechanisms available to them for some of the types of data they handle, cooperating with data protection authorities as outlined in the enforcement mechanism FAQ is an important option that an individual data protection authority should not be able to withdraw. We strongly oppose the inclusion of language that implies that the various data protection authorities in EU member countries can choose whether or not to participate in the safe harbor implementation. The language "provided those authorities agree" in sentence (3) of the first paragraph should be struck.
In addition, SIIA is concerned about committing the Federal Trade Commission to review cases referred by EU member countries on a priority basis. While any complaints that arise from European individuals, data protection authorities (DPAs) or other companies should be addressed in a timely and fair manner, the Federal Trade Commission should prioritize the cases it pursues on criteria it develops and deems appropriate. It may be more appropriate to pursue a specific case because the potential harm to an individual is significant rather than because it was referred by a European DPA or a private-sector self-regulatory mechanism.
Thank you again for the opportunity to comment. We appreciate your willingness to work with industry representatives throughout this process. If you have any questions, please do not hesitate to contact me or Lauren Hall of my staff.
Sincerely,
Ken Wasch
President