Via Electronic Mail
Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th & Constitution Avenue, N.W.
Washington, DC 20230
Re: Comments on Draft Safe Harbor Materials
Dear Mr. Fredell:
Visa U.S.A. ("Visa") is pleased to submit this comment letter to the Department of Commerce in response to its request for comment on the materials released with the Safe Harbor Letter from Ambassador Aaron ("Safe Harbor Letter") dated April 19, 1999 (collectively, "Safe Harbor Documents" or "Documents"). These Documents -- the International Safe Harbor Privacy Principles ("Safe Harbor Principles"), Frequently Asked Questions ("FAQs"), and the Draft Paper on EU Procedures ("Draft Procedures Paper") -- are intended to provide guidance to U.S. organizations seeking to comply with the European Union's ("EU") Directive on Data Protection ("Data Protection Directive"). Visa appreciates the extensive efforts of the Department of Commerce in negotiating and developing the Safe Harbor Documents, and thanks the Department of Commerce for the opportunity to comment on them.
The Visa payments system is the largest consumer payment system in the world. Visa is a joint venture comprised of more than 21,000 financial institution members from around the world that have issued over 640 million Visa payment cards, which are accepted at more than 14 million merchant locations and over 400,000 automated teller machines worldwide. Visa -- which provides transaction authorization, clearing and settlement, and risk management services to its financial institution members -- supports more than one trillion dollars in Visa-related payment transactions annually throughout the world. At peak volume, Visa's systems process over 2,400 card-related transactions per second.
The efforts of the Department of Commerce to develop the Safe Harbor Documents have enormous ramifications for the U.S. economy and, consequently, for all businesses and consumers in the United States. The importance of information to the modern American economy cannot be overstated. Many experts attribute the unparalleled strength of the U.S. economy in large measure to the enormous investments in information technology that have been made by U.S. businesses over the last decade. Federal Reserve Board Chairman Alan Greenspan, for instance, underscores this point when he writes, "the plethora of information on the characteristics of consumers" has been a "critical component of our ever more finely hewn competitive market system."(1) Greenspan further explains that "[s]uch information has enabled producers and marketers to fine tune production schedules to the ever greater demands of our consuming public for diversity and individuality of products and services....It has enabled financial institutions to offer a wide variety of customized insurance and other products. Detailed data obtained from consumers as they seek credit or make product choices help engender the whole set of sensitive price signals that are so essential to the functioning of an advanced information based economy such as ours."(2) Thus, undue restrictions on the flow of information to and among U.S. companies -- such as the restrictions that could flow from the inappropriate application of the Data Protection Directive -- could have devastating consequences for the U.S. economy.
Furthermore, undue restrictions on the flow of information to U.S. organizations also could undermine the ability of U.S. businesses to compete with businesses from abroad, including those located in the EU. The Department of Commerce rightly recognizes that the Data Protection Directive has significant trade implications for U.S. businesses and the American economy: the introduction to the Safe Harbor Principles itself states that the Department of Commerce is issuing the Safe Harbor Principles "under its statutory authority to foster, promote, and develop international commerce" and for the purpose of "facilitat[ing] trade and commerce between the United States and European Union." It is crucial that the Data Protection Directive, which was developed to address privacy concerns in the EU Member States, not be allowed to be used by the EU -- or any of the individual EU Member States -- as a weapon to impair the competitiveness of U.S. businesses that have invested heavily in information technologies and are now legitimately reaping the rewards of those investments.
As the introduction to the Safe Harbor Principles also recognizes, the U.S. has historically taken a very different approach to privacy issues from that taken by the EU. Companies within the United States -- particularly regulated entities like Visa's member financial institutions -- are already subject to an extensive existing legal privacy framework, which may include constitutional and common law principles, federal and state statutes and regulations, and self-regulatory efforts. Any safe harbor that is adopted must recognize the strength and legitimacy of the U.S. privacy approach, and must not diminish the viability of that approach by permitting the EU to unilaterally impose, albeit indirectly, EU requirements on U.S. organizations. In particular, such a safe harbor must not provide European subjects with greater privileges with respect to their information held by American organizations than U.S. citizens have with respect to their information held by those same American organizations.
In the Safe Harbor Letter, Ambassador Aaron states that U.S. organizations could come within the safe harbor by self certifying that they adhere to the Safe Harbor Principles. Visa applauds this approach. Such self-certification is essential; U.S. organizations must not be subjected to the burdens of obtaining certification by so-called privacy alliances or self-proclaimed "authorities" that they comply with the Safe Harbor Principles.
In addition, the Safe Harbor Letter requests comment on the weight that should be given to the various FAQs relative to the Safe Harbor Principles. Visa strongly believes that the Safe Harbor Principles and the FAQs should be given equal weight. If the Safe Harbor principles are to provide "clear and predictable guidance to U.S. organizations seeking to comply with" the Data Protection Directive,(3) it is crucial that American businesses and other organizations be able to rely with absolute certainty on both the Safe Harbor Principles and their accompanying guidance, the FAQs. Consequently, Visa recommends that the Safe Harbor Principles and/or each of the FAQs be modified to include the statement that the two documents are to be given equal weight by U.S. organizations seeking to come within the Safe Harbor Principles.
In General
Visa believes that it is absolutely essential that U.S. organizations be provided a feasible period of time within which they may choose to be subject to the Safe Harbor Principles. In this regard, strong arguments can be made that, for such an important decision, U.S. organizations should be provided the same period of time that was provided to EU Member States with respect to the Data Protection Directive: three years. In any event, it is crucial that U.S. organizations be given a minimum of eighteen months after adoption of any safe harbor within which organizations may choose to be subject to the Safe Harbor Principles. In fact, given the regulatory and practical restrictions on Visa's member financial institutions between now and the first year of the new millennium, Visa strongly recommends that any such date be no earlier than the first quarter of 2001.
In addition, any safe harbor that is adopted must provide for a transitional period in which U.S. organizations may choose in the future to be subject to the Safe Harbor Principles. Otherwise, a substantial trade barrier would be erected for U.S. organizations that are not yet in existence or, for instance, that had not yet entered EU markets, since such an organization would not be able to compete in European markets on an equal footing with EU firms until the U.S. organization fully subscribed to the Safe Harbor Principles. Such a transitional period also is essential with respect to U.S. companies that engage in mergers or acquisitions of EU companies: without such a transitional period, U.S. companies would be effectively precluded from merging with, or acquiring, European companies unless the U.S. entity already had chosen to be subject to the Safe Harbor Principles.
Introductory Paragraphs
The first several introductory paragraphs to the Safe Harbor Principles discuss the fundamental differences in approach to privacy taken by the U.S. and the EU. They go on to describe how the Safe Harbor Principles were developed, and state that the purpose of the Safe Harbor Principles is to create a presumption of "adequacy" for U.S. organizations for purposes of the Data Protection Directive. Given this discussion of the very specific genesis and application of the Safe Harbor Principles, it is surprising, then, that the last sentence of the second paragraph of the introduction concludes that "[b]ecause these principles were solely designed to serve this specific purpose, their adoption for other purposes may be inappropriate." (Emphasis added.) In order to avoid creating uncertainty, Visa recommends that this language be modified to state that "their adoption for other purposes is inappropriate."
Furthermore, the introduction to the Safe Harbor Principles declares that "[w]here an organization is subject to U.S. statutory, regulatory, administrative or other body of law (or body of rules issued by national securities exchanges, registered securities associations, registered clearing agencies, or a Municipal Securities Rule-making Board) that also effectively protects personal data privacy, [the organization] qualifies for the safe harbor to the extent that its activities are governed by such laws or rules." The banking industry is among the most highly regulated industries in the U.S., and federal and state banking regulators regularly examine for, and zealously enforce, compliance with statutes and regulations, including those relating to the protection of consumer information. Therefore, Visa strongly recommends that the Department of Commerce state, either in the Safe Harbor Principles or the FAQs, that regulated U.S. financial institutions are among those organizations that are subject to a "body of law . . . that also effectively protects personal data privacy" and, therefore, that such financial institutions can qualify for the safe harbor by virtue of that extensive regulatory structure.
In addition, the first sentence of the fifth paragraph of the introduction to the Safe Harbor Principles states that organizations that decide to adhere to the Safe Harbor Principles must comply with them and "publicly declare that they do so." In order to avoid uncertainty over what actions, if any, would constitute such a "declaration," and since neither the Safe Harbor Principles nor the FAQs provide any guidance on this matter, we recommend that the word "declare" be replaced with the word "state" or "acknowledge." Such a modification also would avoid creating needless liability for U.S. organizations that comply with the Safe Harbor Principles.
The last sentence of the sixth paragraph of the introduction states that adherence to the principles is not required for participation in the safe harbor "where data is manually processed." Visa believes that such a manual exclusion from all of the requirements of the Safe Harbor Principles is absolutely essential. However, such an exclusion is appropriate not only where information is manually "processed," but also where it is manually "accessed." Thus, we strongly recommend that this sentence be amended to read as follows:
The Notice Principle
The first sentence of the Notice Principle states that an organization must, among other things, inform an individual about "the types of third parties to which it discloses the information." Since numerous types of U.S. businesses commonly engage third-party servicers, processors, or similar entities to perform a variety of data management functions on behalf of the business, we recommend that the FAQs be modified to clarify that references to "third parties" in any of the Safe Harbor Principles do not include agents, servicers or processors that are engaged by an organization to perform activities which the organization could, but chooses not to, perform itself. Such a modification would appropriately reflect the fact that the American legal system has long held that communications between a principal and its agent or servicer generally do not constitute communications between two separate entities. In this regard, American Jurisprudence 2d states:
In addition, the Notice Principle states that notice must be provided to the individual "before the organization uses such information for a purpose other than that for which it was originally collected." (Emphasis added.) In the modern American information-based economy, information frequently is collected for more than a single purpose. For instance, customer information is frequently collected not only for purposes of improving the organization's service to that customer, but also for fraud and risk control purposes. Consequently, we respectfully recommend that this portion of the last sentence of the Notice Principle be modified to state that notice should be provided to the individual "before the organization uses such information for a purpose other than those for which it was originally collected or discloses it to a third party."
The Choice Principle
Similarly, the Choice Principle states, among other things, that an organization must offer individuals the opportunity to choose whether and how personal information they provide is used or disclosed to third parties where such use is "incompatible with" the "purpose" for which it was originally collected or disclosed. Visa believes that it is imperative that the "incompatible with" standard be retained exactly as proposed; no other standard provides the flexibility necessary to be applied by the multitude of U.S. organizations, in extraordinarily diverse circumstances, which may choose to be subject to the Safe Harbor Principles. Moreover, in order to avoid any confusion on this point, Visa respectfully requests that any FAQs on the Choice Principle make clear that under the Safe Harbor Principles any information sharing by an organization is permissible without provision of choice to individuals, so long as the sharing is in connection with activities that are not incompatible with the purposes for which the information was originally collected or with any other purposes disclosed to the individual. In addition, as discussed above, information frequently is collected for more than one purpose. Thus, in order to avoid confusion on this point, Visa recommends that an "s" be added to the word "purpose" in the first sentence of the Choice Principle, so that it refers to the "purposes" for which information is collected.
The Choice Principle also states that sensitive information is information "such as medical and health information, information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union memberships or information concerning the sex life of the individual." Visa supports inclusion of a definition of "sensitive information" in the Safe Harbor Principles. It is crucial, however, that the Department of Commerce receive assurances that the Safe Harbor Principles' definition of "sensitive information" be precisely coextensive with any EU definition of the same term. In this regard, because the listed types of information appear complete from an EU perspective, the words "such as" should be deleted and parentheses should be placed around the defined list.
The Onward Transfer Principle
The second sentence of the Onward Transfer Principle provides that an organization may comply with that principle by entering into a written agreement with a third party which requires that the third party provide "at least the same level of privacy protection as is required by the relevant safe harbor principles." Such a third party, however, should not be required to provide the same level of protection for all information it maintains, but only for that information which is transferred to the third party by the organization. Thus, we recommend that the second sentence of the Onward Transfer Principle be revised to read as follows:
Where an organization has not provided choice because a use is compatible with the purposes for which the data was originally collected or which was disclosed in a notice and the organization wishes to transfer the data to a third party, it may do so if it first either ascertains that the third party subscribes to the safe harbor principles or enters into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant safe harbor principles for the data being transferred by the organization to that third party.
The Security Principle
The Security Principle states that organizations creating, maintaining, using or disseminating personal information must take "reasonable measures to assure its reliability for its intended use," among other things. The reliability of information, however, refers to the content of the information and its applicability to its intended use; it is not a security issue, and a reference to the reliability of information has no place in a security standard. Accordingly, Visa respectfully recommends that this phrase be deleted and the Security Principle be revised to read as follows:
Organizations creating, maintaining, using or disseminating personal information must take reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction.
The Data Integrity Principle
The first sentence of the Data Integrity Principle states that an organization may only process personal information relevant to "the purposes for which it has been gathered." In accordance with the preceding comments, Visa applauds the reference to the multiple "purposes" for which an organization may gather data. However, in accordance with the Notice and Choice Principles, an organization is not limited to using data only for the purposes for which it has been gathered, but also for the purposes which have been disclosed in a notice to the individual. Accordingly, we recommend that the first sentence of the Data Integrity Principle be modified to read as follows:
Consistent with these principles, an organization may only process personal information relevant to the purposes for which it has been gathered or which were disclosed in a notice or otherwise.
The Access Principle
The Endnote Number 6 to the Access Principle states that, while the European Commission is willing to accept language showing that the right of access is not absolute, the Commission nonetheless proposes to delete references in the Access Principle to a "reasonableness" standard for an individual's access to personal information held by an organization. Visa believes that it is absolutely essential that the reasonableness standard be retained. In particular, a reasonableness standard appropriately balances the needs of individuals to obtain access to their information held by an organization, with the needs of an organization to be protected from repetitive, overly broad or vexatious information requests. Moreover, no standard other than a reasonableness standard provides the flexibility necessary to be applied by the astonishing array of American organizations, in innumerably varied circumstances, which may choose to be subject to the Safe Harbor Principles. Thus, Visa strongly urges the Department of Commerce not to accede to the European Commission's proposal to modify the reasonableness standard.
In addition, the first paragraph of the introductory paragraphs to the Safe Harbor Privacy Principles defines personal data as data about an "identified or identifiable individual." However, the first sentence of the Access Principle simply refers to personal information held by an organization on an individual. In order to avoid confusion on this point, Visa recommends that the words "identified or identifiable" be inserted before the words "personal information" in the first sentence of the Access Principle. Moreover, the second sentence of the Access Principle states that reasonableness of access depends on the nature and "sensitivity" of information collected. In order to ensure consistency with the definition of sensitive information which is contained in the Choice Principle, we recommend that the second sentence be modified to explicitly refer to that definition. As a result, Visa recommends that the Access Principle be modified to read as follows:
Individuals must have reasonable access to identified or identifiable personal information about them that an organization holds and be able to correct or amend that information where it is inaccurate. Reasonableness of access depends on the nature of the information collected, whether it is sensitive information as defined in the choice principle, its intended uses, and the expense and difficulty of providing the individual with access to the information.
The Enforcement Principle
The first sentence of the Enforcement Principle states that effective privacy protection includes, among other things, "recourse for individuals to whom the data relate affected by non-compliance with the principles." (Emphasis added.) Visa respectfully suggests that such a statement is overly broad, since recourse should be limited to an individual who is affected by non-compliance with respect to that individual's information. Thus, we recommend that the first sentence of the Enforcement Principle be modified to read as follows:
Effective privacy protection must include mechanisms for assuring compliance with the safe harbor principles, recourse for individuals affected by non-compliance with the principles regarding their personal information, and consequences for the organization when the principles are not followed.
The second sentence of the Enforcement Principle delineates the required elements of the enforcement mechanisms referenced in the preceding sentence. However, by beginning the second sentence with the words "[a]t a minimum," unnecessary uncertainty -- and needless legal liability -- is created for organizations that choose to comply with the Safe Harbor Principles. Thus, Visa recommends that the three words "at a minimum" be deleted.
Furthermore, that same sentence states that enforcement mechanisms must include "independent" recourse mechanisms. However, whether a recourse mechanism is independent is irrelevant, so long as that mechanism is effective. It is possible, for instance, that effective recourse may be provided through the collective actions of a group of organizations. Consider the example of Visa, which sets and enforces rules with which its financial institution members must comply. It is possible that such collective enforcement, by Visa or other entities, might not be deemed independent, although there might be no doubt as to its effectiveness. Thus, Visa recommends that the word "independent" be deleted from the second sentence of the Enforcement Principle.
In addition, the second sentence of the Enforcement Principle states that enforcement mechanisms must include "follow up procedures" for verifying that the claims businesses make about their privacy practices are true and that privacy practices "have been implemented as presented." We believe that the words "follow up" could only serve to create confusion and should be deleted. More importantly, in order to provide appropriate flexibility -- and avoid creating unnecessary liability -- for organizations, we recommend that the words "have been implemented as" be replaced with the words "are consistent with those." Otherwise, an organization could be subject to litigation regarding whether its privacy practices were implemented exactly as presented. Similarly, the third sentence of the Enforcement Principle states that "[s]anctions must be sufficiently rigorous to ensure compliance by organizations." The reference to "sufficiently rigorous" would create legal liability for U.S. organizations seeking to comply with the Safe Harbor Principles without creating any resulting benefits for individuals: an organization either complies with the principles and receives the benefits of the safe harbor, or it does not. Therefore, Visa strongly recommends that this sentence be deleted. As a result, we recommend that the Enforcement Principle contain two sentences, the second of which should be revised to read as follows:
Such mechanisms must include (a) readily available and affordable recourse mechanisms by which an individual's complaints and disputes can be investigated and resolved and damages awarded where the applicable law or private sector initiatives so provide; (b) procedures for verifying that the attestations and assertions businesses make about their privacy practices are true and that privacy practices are consistent with those presented; and (c) obligations to remedy problems arising out of failure to comply with these principles by organizations announcing their adherence to them and consequences for such organizations.
The Note following the Enforcement Principle states that an organization may satisfy the requirements of the principle through compliance with legal or regulatory supervisory authorities, among other means. This is an essential statement which appropriately recognizes the role existing federal and state law should play for U.S. organizations that choose to comply with the Safe Harbor Principles. It also is consistent with the Safe Harbor Principles provision, discussed above, which states that if an organization is subject to U.S. statutory, regulatory, administrative or other body of law that also effectively protects personal data privacy, it qualifies for the safe harbor to the extent that its activities are governed by such laws or rules.
In addition, Endnote Number 7 indicates that the European Commission would like the text of the Enforcement Principle to state clearly that all the requirements of that principle must be met for all participants in the safe harbor. Visa strongly recommends that such a statement not be added. The European Commission's position on this point would undermine the importance which should be placed on each of the seven principles by raising the Enforcement Principle to a higher level of importance than each of the others. Moreover, failure by an organization to comply with one of the Safe Harbor Principles simply should not be permitted to diminish the legal or other effect of the organization's compliance with the other principles.
In General
For the reasons discussed above with respect to the Access Principle, Visa respectfully recommends that the Access Principle be revised to read as follows:
Individuals should have reasonable access to identified or identifiable personal information about them that an organization holds and be able to correct or amend that information where it is inaccurate. Reasonableness of access depends on the nature of the information collected, whether it is sensitive information as defined in the choice principles, its intended uses, and the expense and difficulty of providing the individual with access to the information.
Question One
Question One asks, "Is the right of access absolute?" The answer to Question One explicitly states that "an organization's access obligation is not absolute." Thus, to ensure consistency, Visa recommends either that: (i) the answer to Question One start with the word "No."; or (ii) the text of Question One be revised to ask "How extensive is the right of access?"
The first sentence of the answer to Question One states that, under the Safe Harbor Principles, the right of access is "fundamental" to privacy protection. However, the right of access under the Safe Harbor Principles is no more fundamental than any of the other rights contained in those principles. Thus, we recommend that the word "fundamental" be replaced with the word "important." In addition, the second sentence of the answer to Question One states that the obligation of an organization to provide access to personal information it holds about an individual is subject to the principle of proportionality and has to be tempered "in certain instances." Without elucidation, the reference to "certain instances" serves only to create unnecessary uncertainty, and Visa urges that it be deleted.
With respect to the statement that "an organization's access obligation is not absolute," the fourth sentence of the answer to Question One states that this obligation does not require "the exceedingly thorough search mandated, for example, by a subpoena." We believe that such a reference could suggest an inappropriately strict standard. Thus, Visa respectfully recommends that the word "exceedingly" be removed from that clause or, alternatively, that the entire clause be removed from that sentence. In other words, we recommend that the fourth sentence of the first paragraph of the answer to Question One be modified to state either that:
It does not require the thorough search mandated, for example, by a subpoena, nor does it require access to all the different forms in which the information may be maintained by the organization.
It does not require access to all the different forms in which the information may be maintained by the organization.
The second paragraph of the answer to Question One states that, in response to individuals' access requests, organizations should first be guided by the concern(s) that led to the request in the first place. Further, this paragraph indicates that an organization may engage the individual in a dialogue in order to better understand the motivation for the request and to locate responsive information. The last sentence of the second paragraph states that individuals do not have to justify requests for access to their own data. However, in keeping with the paragraph's emphasis on the importance of a dialogue between the individual and the organization, Visa recommends the addition of the following sentence to the end of the second paragraph of the answer to Question One:
An organization may itself reasonably limit its search if the subject is unwilling or unable to do so.
In addition, the first sentence of the third paragraph of the answer to Question One states that expense and burden, while important factors which should be taken into account, are not "controlling" in determining whether providing access is reasonable. We believe that the word "controlling" is too strong and should be replaced with the words "the sole factors."
Furthermore, the second sentence of the third paragraph states that information that is used for decisions that will significantly affect the individual would have to be disclosed, even if it is relatively difficult or expensive to provide. As an example, the sentence references the denial or grant of important benefits such as insurance, among other things. However, not all insurance can reasonably be considered significant. For instance, credit insurance which provides coverage in relatively low dollar amounts, and at relatively low cost, cannot be considered "significant" in this context. Thus, we recommend the addition of the word "significant" prior to the word "insurance" in the second sentence of the third paragraph of the answer to Question One, or that the reference to insurance be deleted entirely. Additionally, Endnote Number 2 states that the European Commission would prefer to insert wording that clarifies that marketing decisions can be significant and/or involve sensitive information, such as where a decision to send a catalog depends on the use of sensitive information. Visa believes that such a reference is unnecessary and could create significant confusion. Accordingly, we recommend that this proposed wording not be inserted.
The first sentence of the fourth paragraph of the
answer to Question One discusses information that is not sensitive or is
not used for decisions that will significantly affect the individual, such
as marketing data that is used to determine whether or not to send the
individual a catalog. In order to more fully reflect how such marketing
data is commonly used by U.S. entities today, we recommend that the words
"or product offering" be added after the word "catalog." That same sentence
presently states that, with respect to information that is not sensitive
or is not used for decisions that would significantly affect the individual,
an organization would have to provide access to "factual information that
the organization stores about the individual." In order to clarify that
such "factual" data does not include an organization's internal analyses
of the individual, and to address the points raised above, we recommend
that the text of the first sentence of the fourth paragraph of the response
to Question One be revised to read as follows:
If the information requested is not sensitive or not used for decisions that will significantly affect the individual (e.g., marketing data that is used to determine whether or not to send the individual a catalog or product offering), but is readily available and inexpensive to provide, an organization would have to provide access to the information. Access need only be provided as to facts regarding the individual, not analyses or formulas.
To similarly clarify the text of the penultimate sentence in the fourth
paragraph of the response to Question One, we recommend that sentence be
revised to read as follows:
Where the confidential commercial information can be readily separated from other factual information subject to an access request, the organization should redact the confidential information and make available the non-confidential information.
Question Two
Question Two asks, "What is confidential commercial information?" The second sentence of the answer to Question Two states that a particular computer program an organization uses, such as a modeling program, or the details of that program "may be" confidential commercial information. To clarify the answer, and to provide greater certainty for organizations seeking to comply with the Safe Harbor Principles, we recommend that the words "are examples of" replace the words "may be" in that sentence.
Endnote Number 3 states that the European Commission believes that the term "confidential commercial information" is too broad, and advocates use of the concept of "trade secrets" as defined in the Economic Espionage Act. Visa believes that the concept of "trade secrets" is far too narrow in this context and should be avoided. In particular, the Safe Harbor Principles will apply to U.S. organizations, to which U.S. confidentiality protections should apply.
Question Three
Question Three asks whether an organization may disclose to individuals personal information about them derived from its databases or whether access to the database itself is required. With the heightened concerns about fraud and security risk that have arisen in the modern information age, it is crucial that access to the database itself not be required. Mandating such access could, for instance, permit an unscrupulous computer hacker to access and corrupt information relating to other individuals. As a result, to make absolutely clear that access by the individual to an organization's database is not required, Visa strongly recommends that the word "generally" in the answer to Question Three be deleted.
Question Four
Question Four asks whether an organization has to
restructure its databases to provide access. In order to make the answer
to Question Four more responsive to this question, we respectfully recommend
that the text of the answer be modified to more clearly state that an organization
need not restructure its databases, but instead must only provide access
through its existing access mechanisms. In addition, in order to reduce
uncertainty, we recommend that the word "itself" in the second sentence
of the answer to Question Four be deleted. Consequently, we recommend that
the answer to Question Four be revised to read as follows:
Access needs to be provided only to the extent that an organization stores the information, and only through the organization's existing access mechanisms. The access principle does not create any obligation to retain, maintain, reorganize, or restructure personal information files.
Question Five
The first sentence of Question Five states that the reply to Question One makes clear that access may be denied in "certain" circumstances. Visa believes that the reference here to "certain" circumstances is too limited a reading of the answer to Question One. As a result, Visa recommends that the word "certain" in the first sentence of Question Five be replaced with the word "appropriate."
The second sentence of the response states that an organization can refuse to provide access to information to the extent disclosure is "likely" to interfere with the safeguarding of important countervailing public interests. Endnote Number 5 indicates that the European Commission believes this standard is too lax. Visa urges the retention of the existing standard, since any stronger standard would create too great a burden on the organization which is attempting to protect the U.S. public interest.
The first sentence of the answer to Question Five confirms that there are circumstances, other than those discussed in the reply to Question One, in which organizations would not have to provide individuals with access to their personal information, "although such circumstances are limited and specific." Once again, we believe that the reference to "limited and specific" circumstances creates unnecessary uncertainty and should be deleted. As a result, we recommend the first sentence of the answer to Question Five be revised to read simply, "Yes."
Furthermore, the third bullet contained in the second
paragraph of the answer to Question Five states that access may be denied
to the extent that it would be likely to involve the disclosure of information
that contains references to other individuals which "cannot be redacted."
Since almost any information can be redacted given virtually unlimited
effort and expense, it is very important that this clause be appropriately
limited. Thus, we recommend that the third bullet be amended to read:
involve the disclosure of information that contains references to other individual(s) and such references cannot readily be redacted;
Furthermore, it is also important that the answer
to Question Five recognize that access to information may be denied to
the extent it would be likely to compromise an organization's fraud and
security systems. Thus, we recommend that a new bullet be added at the
end of the list of bullets contained in the second paragraph of the answer
to Question Five which states as follows:
impair the organization's fraud and security systems.
Question Six
The answer to Question Six clarifies that an organization
may charge a fee to cover the cost of providing access to an individual.
In particular, Visa applauds the recognition in the last sentence of the
answer to Question Six that charging a fee may be useful in discouraging
"repetitive and vexatious requests." However, in keeping with the important
recognition contained in the second sentence of the second paragraph of
the reply to Question One that access requests that are broad in scope
may present serious difficulties for an organization, we recommend that
the last sentence of the answer to Question Six be revised to read as follows:
Charging a fee may be useful in discouraging repetitive, vexatious and overly broad requests.
Questions Seven and Eight
Each of the answers to Questions Seven and Eight states that an organization is not required to provide access to personal information derived from public records so long as such information is "kept separately from" other information. However, the third sentence of the answer to Question Eight states that access to such information need not be provided so long as it is not "combined with" other non-publicly available information. In order to ensure consistency, we recommend that the words "kept separately from" which are contained in the second sentence of the reply to Question Seven, and in the first sentence of the reply to Question Eight, be replaced in each instance with the words "not combined with."
In addition, Endnote Number 7 indicates that the European Commission is proposing to limit the term "public records" in the text of the response to Question Seven to U.S. public records. There simply is no reason to so limit the term; otherwise, different standards would arbitrarily apply to public data depending on where the data originated. Visa believes that the text should continue to apply to any public records, including EU public records, particularly since these are EU data subjects in most cases.
Endnote Number 8 states that the European Commission would like to insert language relating to publicly available information which avoids creating an exemption that can be used as a "subterfuge" for avoiding fair information requirements generally and access requirements specifically. Visa urges the Department of Commerce not to accede to this request; to attempt to include such standards would foment needless litigation against U.S. organizations.
Question Nine
For purposes of consistency with the responses to
Questions One and Six, and in order to recognize that organizations may
appropriately protect themselves against overly broad requests for access,
we respectfully recommend that the text of Question Nine be revised to
read as follows:
How can an organization protect itself against repetitious, vexatious or overly broad requests for access?
Question Eleven
Question Eleven asks whether there is a time within which responses must be provided to access requests. The reply to Question Eleven indicates that no particular time frame is required. Instead, the answer states that "organizations should respond without excessive delay and within a reasonable time period." To avoid confusion about whether there is a single appropriate time frame within which responses to access requests must be provided, we recommend that the word "[y]es" be removed from the first sentence of the answer to Question Eleven.
The first sentence of the answer to the Self-Certification
FAQ states that, to self-certify for the safe harbor, organizations must
provide "to the Department of Commerce, or its designee," a letter which
contains certain specified information. As discussed above, companies within
the U.S. -- particularly regulated entities like Visa's member financial
institutions -- are already subject to an extensive existing legal privacy
framework. It is imperative that any safe harbor approach that is adopted
recognize the strength and legitimacy, and not diminish the viability,
of the U.S. privacy approach. Accordingly, Visa believes that it is appropriate
for federally-regulated financial institutions to provide any self-certification
letters not to the Department of Commerce, but instead to their own existing
federal regulators. Thus, Visa recommends that the first sentence of the
response to the Self-Certification FAQ be modified to read as follows:
To self-certify for the safe harbor, organizations will need to provide to the Department of Commerce or its designee (or, if the organization is regulated by a federal financial institution regulatory agency, to that agency), a letter, signed by a corporate officer, that contains at least the following information:
The third bullet of the response to the Self-Certification FAQ states
that an organization must, as part of the self-certification letter, include
a "description of the organization's privacy policy." Since submission
of an actual copy of the organization's privacy policy should be at least as appropriate
as (if not more so than) a description of that policy, Visa recommends that
the words "or copy" be inserted after the word "description," so that the
beginning of this bullet would be revised to read:
· description or copy of the organization's privacy policy, including . . .
The first subclause of the third bullet states that the self-certification letter must declare "where [the organization's privacy policy] is available for viewing by the public." Visa strongly urges that this entire clause be deleted. The purpose of the safe harbor is to provide a means for U.S. organizations to comply with the EU Data Protection Directive, which applies only with respect to EU citizens. While most financial institutions currently post their privacy policy or principles, these postings may not be fully consistent with, or may not contain the same detail as, the safe harbor procedures established by these same financial institutions. In this regard, because the EU Data Protection Directive, and by extension the Safe Harbor Principles, apply only with respect to citizens of the EU Member States, it is crucial that any safe harbor that is adopted not impose obligations on U.S. organizations with respect to American citizens. Thus, Visa urges that any reference to making self-certification letters or safe harbor-related privacy principles publicly available be deleted from the Safe Harbor Documents.
The third subclause of the third bullet of the response
to the Self-Certification FAQ requires that an organization include in
its self-certification letter "a contact person" for the handling of complaints,
access requests and other issues arising under the safe harbor. In order
to provide maximum flexibility and to avoid the need to file amendments
if, for example, the named contact person changes, we recommend that subclause
be revised to read as follows:
-- a contact person, office or location for the handling of complaints, access requests, and any other issues arising under the safe harbor,
The next subclause of the third bullet requires a
statement of the "specific statutory bodies that have jurisdiction to hear
any claims against the organization regarding possible unfair or deceptive
practices." Since the authority of such bodies is derived from various
sources, and since the word "jurisdiction" typically is used only in connection
with the judicial bodies, Visa recommends that this subclause be revised
to read as follows:
-- the regulatory agency or other organization that has authority to hear any claims against the organization regarding possible unfair or deceptive practices,
Furthermore, the fifth subclause of the third bullet
in the answer to the Self-Certification FAQ states that the self-certification
letter must include the "name of any privacy programs in which the organization
is a member." Visa believes that this subclause has no relation to self-certification,
or to any other aspect of the Safe Harbor Principles, and thus recommends
that the entire subclause be deleted. In addition, the sixth subclause
requires an organization to disclose the "method of verification (e.g.
in-house, third party)." As discussed above, in order to appropriately
recognize the role of federal regulators in the U.S. approach to privacy,
we recommend that this subclause be modified to read as follows:
-- method of verification (e.g. in-house, regulator, other third party), and
The seventh subclause of the third bullet requires
a statement of the "third party that will investigate unresolved complaints."
Since the relevant factor in this regard is how complaints are resolved,
rather than identification of the specific entity or entities responsible
for investigating complaints, Visa recommends that this subclause be revised
to read:
-- how complaints are resolved
The second sentence of the last paragraph of the
answer to the Self-Certification FAQ states, "Both the list [of organizations
that self-certify for the safe harbor] and the self-certification letters
submitted by the organizations will be made publicly available." For the
reasons stated above regarding the inappropriateness of making self-certification
and related privacy policy documents publicly available, Visa recommends
that this sentence be deleted entirely. Finally, in order to recognize
the appropriate role and authority of federal financial institution regulators,
as discussed above with respect to the first sentence of this answer, Visa
recommends that the last sentence of the answer to the Self-Certification
FAQ be revised to read as follows:
Any misrepresentation to the Department, to the organization's federal financial institution regulatory agency or to the general public concerning an organization's adherence to the safe harbor principles may be actionable by the Federal Trade Commission, the organization's principal regulatory agency if the organization is a regulated financial institution, or other relevant statutory body.
The FAQ on Sensitive Data asks, "[m]ust an organization always provide explicit (opt in) choice with respect to sensitive data?" The answer lists five purposes for processing sensitive data, for which "such choice is not required." Such a list, however, cannot be exhaustive. It is not possible to identify with certainty all of the purposes for which such data may be processed without providing opt-in choice -- particularly given the short time frame for consideration of, and comment on, the Safe Harbor Documents -- and any attempt to create such a list would not provide U.S. organizations the requisite flexibility to implement the Safe Harbor Principles. Thus, Visa recommends that the words "for example" be inserted into the first clause of the response, so that it reads: "No, such choice is not required, for example, where the processing is . . . ."
The answer to the FAQ on Verification states that
a U.S. organization may verify the accuracy of its "attestations and assertions"
about its privacy practices either through self assessment or through outside
compliance reviews. The second sentence of the first paragraph of the answer
states that, under the self assessment approach, "such verification would
have to indicate that an organization's published privacy policy is accurate,
comprehensive, prominently displayed, completely implemented and accessible."
Visa urges that a number of modifications be made to this sentence. First,
in order to avoid uncertainty, we recommend that the words "have to indicate"
be replaced with the clearer, more definitive word "state." Next, Visa
recommends that the word "comprehensive" be deleted, because it has no
relationship to verification or to any other aspect of the Safe Harbor
Principles. In other words, there is no necessary relationship between
the "comprehensiveness" of an organization's privacy policy and that organization's
compliance with the Safe Harbor Principles. Third, we recommend that the
words "prominently displayed" also be deleted since, for purposes of verification,
the fact that an organization's privacy policy is "accessible" should be
sufficient. Furthermore, we recommend that the word "completely" be deleted
from the proposed phrase "completely implemented." An organization's privacy
policy is either implemented or it is not; the word "completely" would
serve only to create confusion. Finally, in order to clarify that the verification
refers to an organization's safe harbor-related privacy policy,
we recommend that the words "safe harbor-related" be added before the words
"privacy policy." Thus, in sum, we recommend that the second sentence of
the answer be revised to read:
Under the self assessment approach, such verification would state that an organization's published safe harbor-related privacy policy is accurate, implemented and accessible.
The second paragraph of the answer to the Verification FAQ discusses the outside compliance review approach. In order to recognize the appropriate role of federal regulatory agencies over financial institutions, as discussed above, Visa urges that the following sentence be added to the end of that paragraph:
Where the organization is a federally-regulated financial institution, such reviews are accomplished by that institution's regulatory agency with the results of that review reported to an appropriate officer of the institution.
Visa applauds the Commerce Department for inclusion of the FAQ on Financial and Insurance Risk Management. It is an essential part of any final set of safe harbor materials and should not be deleted or materially weakened under any circumstances. As the answer to this FAQ states, U.S. companies -- and Visa's member financial institutions -- regularly use personal information for risk management purposes, and it is absolutely crucial that risk management be deemed an "important public interest" requirement for purposes of any safe harbor that is adopted. The Note at the end of the answer to this FAQ indicates that the European Commission is evaluating whether all the risk management activities covered by the response are related to the public interest. Visa strongly believes that it is essential that each of the activities discussed in the text of the proposed answer be deemed to be related to the public interest for purposes of the safe harbor. For instance, as discussed in the FAQ response itself, bank credit card issuers use personal information in numerous ways for purposes of fraud and risk control. The second paragraph of the answer, which discusses these uses, must be retained as proposed. Similarly, it is very important that the discussion in the third paragraph of the answer regarding the effect of permitting "high risk customers and fraud perpetrators" to opt out of affiliate information sharing be retained.
The fourth paragraph of the response states that financial organizations also routinely use personal information to provide improved pricing, and more responsive service, to their customers. To underscore the importance of this point, Visa recommends that the following sentence be added to the end of the fourth paragraph of the answer:
As a result, limiting the ability of financial organizations to use information in these ways would limit the ability of such organizations to provide consumers with heightened service and pricing opportunities.
In sum, Visa strongly urges that the FAQ on Financial and Insurance Risk Management, and its accompanying response, be retained substantially as proposed.
The answer to the FAQ on Secondary Liability states that, as is the case with the Data Protection Directive itself, the safe harbor does not create secondary liability. In particular, the answer states that "[w]here an organization is acting as a conduit for the data and does not determine the purposes and means of processing the personal data, it would not be liable." This is a very important point, and Visa urges that this sentence be retained in its proposed form.
The response to the FAQ on Headhunters, Investment Bankers and Audits
affirms that the safe harbor does not create an unqualified requirement
to seek the consent of the individual, to inform the individual that data
is being processed, or to give individuals access to their data. Among
other things, the text of the response states that exceptions are permitted
"where the public interest requires" (emphasis added). Without elucidation,
use of the word "requires" is problematic, since it is not clear how the
public can express such "requirements" or who determines when the public
interest so "requires." Accordingly, Visa respectfully recommends that
this phrase be modified to state that exceptions are permitted "where it
is in the public interest."
In General
The Safe Harbor Letter states that the benefits for U.S. organizations from being in the safe harbor include a finding of "adequacy" for purposes of the Data Protection Directive by all 15 EU Member States. However, in numerous places the Draft Procedures Paper contemplates the existence of independent, additional requirements and enforcement actions by individual Member States, their data protection commissioners, national courts, and other authorities. The existence of such individual Member State enforcement authority would severely undermine, if not completely invalidate, the benefits of any safe harbor for U.S. organizations. In addition, these individual Member State actions would expose U.S. organizations to abusive, unfair or selective enforcement actions by individual EU Member States, their data protection commissioners or other authorities. For instance, if such individual enforcement actions were permitted, individual EU Member States could practice favoritism toward EU businesses by undertaking enforcement actions against U.S. companies. Such an outcome would open the door to trade protection rather than privacy protection, and must not be permitted. Thus, for any safe harbor to be effective for U.S. organizations, it is crucial that the safe harbor provide absolute protection for U.S. organizations from any individual enforcement actions by the Member States and their representatives.
In addition, the third paragraph of the Draft Procedures Paper states that the procedures paper is a "necessary part of any package resulting from [the U.S. - EU] dialogue about the 'safe harbor.'" The text acknowledges, however, that "not all these procedures are [yet] in place." Accordingly, at a minimum, it is essential that the procedures contemplated in the Draft Procedures Paper be finalized before any Safe Harbor is adopted. Otherwise, as noted above, the benefits for U.S. organizations from any safe harbor could be rendered meaningless by the subsequent adoption of EU procedures.
Introduction
The first sentence of the introduction to the Draft Procedures Paper states that the purpose of making findings of "adequate protection" under Article 25.6 of the Data Protection Directive is to provide greater "legal certainty" for transfers of personal data to third countries. As discussed above, the provision of such legal certainty for U.S. organizations is absolutely essential.
Consequently, Visa is concerned about the reference in the second sentence of the second paragraph of the introduction to automatic grants for transborder flows by those EU Member States that require prior notification and authorization procedures. Such individual Member State requirements should either be waived in all circumstances or be deemed approved upon notice. Otherwise, U.S. organizations would be subject to application processes in individual Member States, which would expose U.S. organizations to the types of trade abuses by EU Member States (i.e., selective enforcement) that are discussed above. Thus, Visa strongly urges that the words "or granted automatically" be deleted from the end of the second sentence of the second paragraph of the introduction to the Draft Procedures Paper.
In addition, the last sentence of the second paragraph of the introduction states that temporary national blocking action might "be justified in exceptional circumstances." In order to clarify that such circumstances are rare, Visa recommends that the last sentence of the second paragraph of the introduction be revised to read that:
(Temporary national blocking action might, however, be justified in certain limited exceptional circumstances, as defined in the decision.)
A. Complaints About Non-Compliance With the Requirements of an Article 25.6 Decision: Stage 4 -- The Article 31 Committee
The latter paragraphs of this section contain a discussion of individual Member States' national courts as an alternative forum for hearing complaints about non-compliance with an Article 25.6 decision. Visa is concerned, however, that the existence of such alternative forums simply is not consistent with the extensive procedures set forth in the Draft Procedures Paper. More specifically, the existence of such alternative forums would mean that, notwithstanding the procedures described in the Draft Procedures Paper, U.S. organizations still would be subject to suits before Member States' national courts, and also before Member States' data protection commissioners or other appropriate authorities. As discussed above, the existence of these various Member State actions could eviscerate any certainty or protection provided to U.S. organizations by the safe harbor or the Draft Procedures Paper.
In addition, the last paragraph of this section of the Draft Procedures Paper states that further research is needed on instances where provisional measures are taken by a Member State court. This reference creates additional uncertainty for U.S. entities, and underscores the importance of resolving any uncertainties contained in the Draft Procedures Paper before any safe harbor is adopted.
B. Challenges to the Article 25.6 Decision
This section of the Draft Procedures Paper states that the decision that the protection provided by a particular law or set of rules or principles in a third country is "adequate" could be challenged on grounds of substance or of procedure. Two broad possibilities for such challenges are then discussed. The existence of any effective safe harbor, however, must invalidate any question about the "adequacy" of compliance with the EU Data Protection Directives by U.S. entities that satisfy the safe harbor. In other words, either a safe harbor provides adequate protection for U.S. organizations or it does not. U.S. organizations that satisfy any safe harbor must not be subject to any uncertainty about the adequacy of that safe harbor.
Once again, Visa appreciates the substantial efforts of the Department of Commerce in developing the Safe Harbor Principles and the FAQs, and negotiating the Draft Procedures Paper. If you have any questions concerning these comments, or if we can otherwise be of assistance in connection with this matter, please do not hesitate to contact me at (650) 432-3111.
Sincerely yours,
Russell Schrader
1. Letter from Alan Greenspan, Chairman, Board of Governors of the Federal Reserve System, to the Honorable Edward J. Markey (July 28, 1998).
3. Department of Commerce Press Release, "Department of Commerce Releases New Proposal for Data Privacy Protection" (April 19, 1999).