May 14, 1999

Electronic Commerce Task Force
U.S. Department of Commerce
Room 2009
14th and Constitution Aves., NW
Washington DC 20230

RE: Comments of the Software & Information Industry Association

To Whom It May Concern:

The Software & Information Industry Association (SIIA) is pleased to provide its comments on the proposed safe harbor with the European Union. We welcome the opportunity to share the perspective of our member companies as the Department continues its negotiations with Europe.

SIIA appreciates the efforts of the Department of Commerce in incorporating the views of industry throughout this process. We look forward to continuing to work with the International Trade Administration and the DOC as discussions with European officials continue.

General Observations

1. In general, SIIA remains concerned that the benefits of the safe harbor have not been sufficiently articulated for companies that choose to adopt the safe harbor principles. Many companies will choose to adopt contractual solutions to address data protection concerns. However, for those companies that choose the safe harbor approach or in cases where contractual solutions are not appropriate, questions remain about the extent to which adherence to safe harbor principles provides flexibility in resolving disputes under the Data Directive.

2. SIIA is concerned that the language of the enforcement principle is unclear and will therefore be difficult for companies to implement. The separation of the enforcement paragraph into a "principle" paragraph and a corresponding "note" may be unduly confusing; combining the two into a single paragraph may resolve some of the difficulty.

In addition, some clarification should be made between the requirements outlined under the principle paragraph and those under the note. The principle language outlines mechanisms for assuring compliance, establishing recourse for individuals and identifying consequences for non-compliance; the note language outlines how compliance can be achieved. However, it is unclear how the requirements outlined in the note language relate to those in the principle. In particular, do the three characteristics of an acceptable compliance mechanism only pertain to the first compliance option outlined in the note? How should companies committing to cooperate with European data protection officials provide dispute resolution mechanisms? To what extent must companies in compliance with the Data Directive provide information regarding dispute resolution or remedy obligations?

3. SIIA appreciates the continuing efforts of the Department of Commerce to clarify that companies need not provide access to information collected from public records as long as that information is maintained separately. However, SIIA believes that some direction is needed to clarify that providing access to public record information does not imply that a company has any obligation to correct that data or that consumers should expect that companies can correct public record information, as in many cases companies are unable to do so.

SIIA looks forward to continuing to work with the Department of Commerce throughout this process.
 

Sincerely,

Ken Wasch/s
Ken Wasch
President