May 14, 1999

VIA FACSIMILE AND ELECTRONIC MAIL

Mr. Eric Fredell
Electronic Commerce Task Force
International Trade Administration
U.S. Department of Commerce
Room 2009
14th Street and Constitution Avenue, N.W.
Washington, D.C. 20230

RE: Request for Comments on Draft International Safe Harbor Principles

Dear Mr. Fredell:

Yahoo! Inc. (Yahoo!) files these comments on the Draft International Safe Harbor Principles of April 19, 1999 and associated Frequently Asked Questions (collectively, the "Principles").

Yahoo! is a strong supporter of a self-regulatory approach to online privacy. Self-regulation offers the Internet industry the greatest flexibility to meet the needs of consumers with tools and policies that will not stifle the rapid pace of growth the Internet enjoys today. As a global Internet media company, Yahoo! is committed to ensuring the privacy of all of our users all over the world while offering the best of the Internet to everyone.

Yahoo! respectfully submits comments with respect to the Principles. We would like to note that in reviewing these Principles, we have narrowed our comments to address only the issues that we believe to be of paramount importance to our business and to the online industry.

Introductory text to Principles

In the fourth paragraph of the introductory text to the Principles, regarding how organizations may qualify for the safe harbor, it says:

"Organizations may also put in place the safeguards deemed necessary by the EU for transfers of personal data from the EU to the US by incorporating the relevant safe harbor principles into agreements entered into with parties transferring personal data from the EU."

The Commission has not agreed to inclusion of this sentence. Yahoo! believes that this language should remain in the Principles. Companies that have the relevant safe harbor principles written into agreements with transferring companies should be qualified for the safe harbor on this basis.

Onward Transfer Principle

Endnote 5 to the Onward Transfer principle specifies that "the Commission would like to add text to the Onward Transfer principle that requires explicit notice and choice when personal data is transferred to a third party that does not adhere to the safe harbor requirements." Clearly, Yahoo! provides notice and choice prior to personal data being transferred to a third party. However, if "explicit notice" means that the notice must reference whether the third party adheres to the safe harbor requirements, this additional language will create an enormous administrative burden on the company responsible for the notice. This will also have the effect of putting the companies responsible for the notice in the position of policing the status of others' self-certifications.

It is Yahoo!'s practice to attest to our own privacy practices and to refer users directly to our business partners for more information on their privacy practices as a part of making an informed choice about the use of their personal data.

A separate but important issue relating to the Onward Transfer principle is the lack of definition regarding who is considered to be a "third party." An organization that is acting in the capacity of agent, under an agency agreement, to a company in compliance with the Principles should not be deemed a separate third party for the purposes of the Onward Transfer principle. We suggest that "third party" be defined in the Principles to exclude any organization that acts only as agent on behalf of a company that does not have independent ownership or usage rights to user data that comes into its possession in the course of the agency relationship.

Access Principle

Endnote 6 to the Principles states that the Commission proposes to delete the word "reasonable" as a qualifier to access in the Access principle but may consider alternative wording to show that the right to access is not absolute. Yahoo! believes that even if the FAQ on Access is given full and equal weight with the Principles the word "reasonable" should remain as an essential qualifier to data access in the Access Principle.

In addition, inclusion of the bracketed text: "[Reasonableness of access depends on the nature and sensitivity of the information collected, its intended uses, and the expense and difficulty of providing the individual with access to the information.]" is critical to establishing the meaning of "reasonable access." Given the importance of the Access Principle, the term "reasonable" and its definition should not be relegated to the FAQs alone but should be fully incorporated in the Access Principle itself. This is particularly important since, at this time, there has been no decision regarding the weight of the FAQs relative to the Principles.

FAQ on Access

The first FAQ on access clearly sets forth that expense, burden and the nature of information (whether it is used to make substantive decisions about an individual) among other things, are all factors that need to be taken into account when attempting to comply with a request for data access. The FAQ makes clear that if information is used to make substantive decisions, it should be provided even if "it is relatively difficult or expensive to provide." The FAQ also states that non-sensitive information (or information not used for substantive decisions), if readily available and inexpensive, should be made available.

What is implied, but is not explicitly stated, is that non-sensitive information (or information not used for substantive decisions), if relatively difficult or expensive to provide, does not need to be provided. For additional clarity, we request that this additional language be included in response to the first question of the FAQ on access.

The second FAQ defines "confidential commercial information." Yahoo! believes it is crucial that "confidential commercial information" remain defined as in the current draft and that exemptions from access remain to protect information that falls under this definition. Absent this language, companies run the risk that their competitors will use the Access principle to obtain proprietary and confidential information under the pretense of exercising their privacy rights.

Weight of Frequently Asked Questions relative to the Principles

A common practice in the Internet industry is to use Frequently Asked Questions, or FAQs, to address questions and concerns of users. These FAQs often address very specific concerns and give detailed guidance that users can rely upon. In this vein, if the Department of Commerce plans to offer multiple FAQ documents to modify the Principles, industry should be able to rely upon the examples and guidance offered in the FAQs as if such material were directly referenced in the Principles themselves.

Thank you very much for the opportunity to comment on the Principles. Should you need further clarification on Yahoo!'s position, please do not hesitate to contact me at (202) 887-6932.
 

Very sincerely yours,

John Scheibel
Washington Counsel and
Director of Government Relations