RUSSELL W. SCHRADER
Senior Vice President and
Assistant General Counsel
VISA U.S.A. INC.
Post Office Box 8999
San Francisco, CA 94128-8999
U.S.A.
Phone 650 432 3111
Fax 650 432 2145

December 1, 1999

Via Electronic Mail

Eric Fredell
Electronic Commerce Task Force
Room 2009
United States Department of Commerce
14th & Constitution Avenue, N.W.
Washington, DC 20230

Re: Comments on Draft Safe Harbor Materials

Dear Mr. Fredell:

Visa U.S.A. ("Visa") is pleased to submit this comment letter to the Department of Commerce in response to its request for comment on the International Safe Harbor Privacy Principles ("Safe Harbor Principles") and related documents released with the letter from Ambassador Aaron ("Safe Harbor Letter") dated November 15, 1999 (collectively, "Safe Harbor Documents"). The Safe Harbor Documents are intended to provide guidance to U.S. organizations seeking to comply with the European Union's ("EU") Directive on Data Protection ("Data Protection Directive"). Visa appreciates the ongoing and extensive efforts of the Department of Commerce in developing the Safe Harbor Documents, and in negotiating the U.S. position on this matter with the European Commission. Visa also thanks the Department of Commerce for the opportunity to comment on the Safe Harbor Documents.

Visa is the largest consumer payments system in the United States and in the world. Visa is part of a worldwide association of over 21,000 financial institution members that individually offer Visa-brand payment services. Consumers hold more than 800 million Visa-brand cards globally, and these cards are accepted at more than 16 million merchant locations and at more than 480,000 automated teller machines.

Visa -- which provides transaction authorization, clearing and settlement, and risk management services to its financial institution members -- supports more than $1.4 trillion in payment transactions annually around the globe. Visa's transaction volume in the United States alone is approximately $600 billion per year. At peak volume, Visa's systems process over 2,800 card-related transactions per second.

The efforts of the Department of Commerce in developing the Safe Harbor Documents have enormous ramifications for the U.S. economy and, consequently, for all businesses and consumers in the United States. The importance of information to the modern American economy cannot be overstated. Many experts -- including Federal Reserve Board Chairman Alan Greenspan -- attribute the unparalleled strength of the U.S. economy in large measure to the enormous investments in information technology that have been made by U.S. businesses over the last decade. Thus, undue restrictions on the flow of information to and among U.S. companies -- such as the restrictions that could flow from the inappropriate application of the Data Protection Directive -- could have devastating consequences for the U.S. economy.

Furthermore, inappropriate restrictions on the flow of information to U.S. organizations also could undermine the ability of U.S. businesses to compete with non-U.S. companies, including those located in the EU. The Department of Commerce rightly recognizes that the Data Protection Directive has significant trade implications for U.S. businesses and the American economy: the introduction to the Safe Harbor Principles itself states that the Department of Commerce is issuing the Safe Harbor Principles "under its statutory authority to foster, promote, and develop international commerce" and for the purpose of "facilitat[ing] trade and commerce between the United States and European Union." It is crucial that the Data Protection Directive, which was developed to address privacy concerns in the EU Member States, not be allowed to be used by the EU -- or any of the individual EU Member States -- as a weapon to impair the competitiveness of U.S. businesses that have invested heavily in information technologies and are now legitimately reaping the rewards of those investments.

As the introduction to the Safe Harbor Principles also recognizes, while the U.S. and the EU share the goal of enhancing privacy protection for their citizens, the U.S. has historically taken a very different approach to privacy issues from that taken by the EU. Companies within the United States -- particularly regulated entities like Visa's member financial institutions -- are already subject to an extensive existing legal privacy framework, which may include constitutional and common law principles, federal and state statutes and regulations, and self-regulatory efforts. Particularly given the extensive privacy provisions incorporated into the Financial Services Modernization Act of 1999 (the "Gramm-Leach-Bliley Act"), signed into law on November 12, 1999, any safe harbor that is adopted must recognize the strength and legitimacy of the U.S. privacy approach. Moreover, such a safe harbor must not diminish the viability of that approach by permitting the EU to unilaterally impose, albeit indirectly, EU requirements on U.S. organizations.

International Safe Harbor Privacy Principles

The introduction to the Safe Harbor Principles declares that U.S. "[o]rganizations subject to a statutory, regulatory, administrative or other body of law (or body of rules issued by national securities exchanges, registered securities associations, registered clearing agencies, or a Municipal Securities Rule-making Board) that effectively protects personal privacy may assure safe harbor benefits by self-certifying to the Department of Commerce or its nominee." Without question, the banking industry is among the most highly regulated industries in the U.S.; federal and state regulators regularly examine for, and zealously enforce, financial institutions' compliance with an extensive body of statutes and regulations, including those relating to the protection of consumer information. In addition, as Ambassador Aaron indicates in the Safe Harbor Letter, U.S. financial institutions are now subject to comprehensive new privacy requirements that are contained in the Gramm-Leach-Bliley Act.1 As a result, Visa strongly urges the Department of Commerce to explicitly state in the Safe Harbor Principles that regulated U.S. financial institutions are among those organizations that are subject to a "body of law . . . that effectively protects personal privacy" and, thus, that such financial institutions can qualify for the safe harbor by virtue of their compliance with that extensive regulatory structure. Such an explicit statement would be indispensable in giving U.S. financial institutions and their customers appropriate certainty about such institutions' qualification for the safe harbor.

Safe Harbor Letter

In the Safe Harbor Letter, Ambassador Aaron states that, given enactment of the Gramm-Leach-Bliley Act, the U.S. believes that the Frequently Asked Questions ("FAQs") on Risk Management are no longer necessary for entities covered by the privacy provisions of that Act. Visa strongly supports this approach, which would help clarify that regulated financial institutions qualify for the safe harbor simply because of their comprehensive U.S. privacy regulatory structure. In fact, any other approach would create unnecessary confusion about the qualification of regulated financial institutions for the safe harbor. Moreover, to avoid creating such confusion, if the Department of Commerce determines to issue the Risk Management FAQs for entities that are not covered by the Gramm-Leach-Bliley Act privacy provisions, we recommend that the text of the Risk Management FAQ itself make it clear that the FAQ does not apply to financial institutions that are subject to the privacy provisions of this new federal statute.

* * * * *

Once again, Visa appreciates the substantial efforts of the Department of Commerce in developing the Safe Harbor Documents. If you have any questions concerning these comments, or if we can otherwise be of assistance in connection with this matter, please do not hesitate to contact me at (650) 432-3111.

Sincerely yours,

Russell W. Schrader

1. Among other things, the Gramm-Leach-Bliley Act imposes dual obligations on a U.S. financial institution before it may disclose a customer's personal financial information to a nonaffiliated third party. First, the Act requires that every financial institution give to each individual customer, at the start of the relationship, a notice of the institution's policies and practices regarding the disclosure of customer financial information. This disclosure also must be provided at least once a year to the customer during the life of the relationship. The mandated privacy notice is comprehensive. For instance, this notice must include the financial institution's policies and practices on the disclosure of customer financial information to nonaffiliated third parties, and the categories of information that may be disclosed to such parties. It also must include the institution's policy on disclosing information on former customers, as well as categories of data that are collected by the financial institution. The privacy notice also must state the institution's procedures for protecting the confidentiality and security of customer information. Finally, the notice must include the affiliate-sharing notice and opt-out opportunity required by the federal Fair Credit Reporting Act, if the financial institution wishes to share non-experience customer credit information among its affiliated companies. Second, the Gramm-Leach-Bliley Act requires a U.S. financial institution to give its customers: clear and conspicuous notice that information about them could be shared with nonaffiliated third parties; an opportunity to opt out of such sharing before it occurs; and an explanation of how the customer can opt out.