Privacy Letter
May 14, 1999
The Honorable David L. Aaron
Under Secretary for International Trade
International Trade Administration
U.S. Department of Commerce
Room 3850
14th Street and Constitution Avenue, N.W.
Washington, DC 20230
Re: Comments on International Safe Harbor Privacy Principles and Related Documents
Dear Ambassador Aaron:
The Securities Industry Association[1] ("SIA") appreciates the progress that the Department of Commerce ("DOC") has made in its negotiations with the European Commission ("EC") regarding the European Union's Directive on Data Protection. The latest safe harbor documents are a substantial improvement over earlier drafts, especially because of their new recognition that rules issued by industry self-regulatory organizations ("SROs") can be an effective source of protection for personal data privacy. Again, SIA thanks DOC for its efforts on behalf of American investors.
Despite this measurable progress, however, SIA continues to believe that the principles of privacy protection that apply within the United States ("US") should be established through the US domestic legislative and regulatory process. Especially in light of the active debate concerning privacy that is currently underway in the US, SIA believes the safe harbor principles should not establish standards of privacy protection that are substantially more onerous than current law. It is for this reason that we consistently have urged that heavily-regulated industries like the securities industry be provided different treatment than other, less-regulated industries and that expert regulators be given the opportunity to create appropriate applicable privacy standards in the exercise of their regulatory discretion.
Furthermore, SIA would emphasize that it is very important that DOC preserve flexibility in the safe harbor to allow DOC and EU officials to modify their regulatory approach as circumstances change. Data privacy protection is a dynamic process — technologies are rapidly evolving, consumer expectations are changing, and laws and regulations are currently under revision. For example, there are currently many legislative proposals in Congress that would significantly revise the regulatory regime under which securities firms operate. Additionally, the Administration has put forward a privacy initiative. The safe harbor principles should not be so rigid in application that either DOC or EU regulators would be unable to reflect such changes as they deal with data privacy issues. Furthermore, DOC should bear in mind that, because Article 33 of the Directive requires the EC to review its safe harbor arrangements and implementation of the Directive before October 2001, the current safe harbor documents can retain some flexibility and do not need to resolve definitively every issue affecting data privacy.
The specific comments on the draft safe harbor principles that follow should not be taken as an endorsement by SIA of their basic premises. Nevertheless, in light of the efforts by the DOC to negotiate a safe harbor that might be acceptable to all sides, we believe it is appropriate to provide specific comments on the draft principles as written — to ensure at the very least that industry and DOC share a common understanding of what is being agreed to with the EU.
Turning now to the specific provisions of the safe harbor documents, SIA's proposed revisions are presented below in order of the relevant provisions in those documents.
1. International Safe Harbor Privacy Principles
Heavily-regulated industries.
As mentioned above, SIA appreciates the efforts made by DOC to bring heavily-regulated industries within the scope of the safe harbor. The current language stating that government regulation and SRO rules can bring a company within the safe harbor if they "effectively protect personal data privacy" is a step in the right direction. This language, however, is still inadequate and fails to recognize that the intense scrutiny faced by companies in heavily-regulated industries (such as the securities industry) forces such companies to act responsibly when processing personal data. SIA has previously highlighted to DOC the various regulatory obligations under which securities firms operate, and DOC should continue to be vigilant in its negotiations in pressing for automatic inclusion of such heavily-regulated industries within the safe harbor.
If DOC is unable to obtain such protection for heavily-regulated industries, the current language should be modified to replace the word "effectively" with "specifically." If US legislators or regulators adopt measures that deal specifically with data privacy, the choices made by those officials should be given substantial deference. American legislators and industry regulators are in the best position both to know what practices pose the greatest dangers for data privacy and to understand the costs and benefits of additional privacy regulations. Thus, once legislators or regulatory organizations have taken action to address data privacy for a particular industry, that action should be sufficient to bring that industry within the safe harbor and should not be second-guessed by European officials.
Data Transfers Pursuant to Agreements That Incorporate the Safe Harbor Principles.
SIA fully supports the proposed language allowing parties to transfer data from the EU to the US based on agreements that incorporate the relevant safe harbor principles. Even if DOC is successful in achieving this language, however, some further explanation of the mechanics of this provision would be necessary either in the principles themselves or in the FAQ documents. Furthermore, the safe harbor documents should make clear that contractual agreements regarding the transfer of data from the EU to the US are not required to incorporate the safe harbor principles and that the Directive itself contemplates parties reaching less burdensome contractual arrangements.
Notification of Compliance to DOC.
SIA does not support requiring organizations to notify DOC of their compliance with the safe harbor principles. Any such requirement would simply add a bureaucratic hoop that thousands of organizations would have to jump through, without significantly advancing data privacy. Indeed, the Self-Certification FAQ suggests that organizations would be forced to certify their compliance and file documents with DOC each year. Instead of DOC notification, it should be sufficient that an organization publicly declares (in notices, advertisements, or a website) that it complies with the safe harbor principles. When complaints are brought against organizations, the existence of such public declarations would be as effective as a DOC registration file for determining whether the safe harbor principles and procedures are applicable. If, however, notification to DOC ultimately is required, language should be added to clarify that DOC does not have an obligation to investigate whether self-certifying organizations are in fact complying with the safe harbor principles. Any such investigation would place a severe administrative burden on DOC and would undercut the entire notion of self-certification.
Notice.
This principle should be clarified to state that organizations must provide notice to an individual only if and when they collect information directly from the individual. Every time an organization purchases marketing data, for example, it cannot be expected to provide notice to each individual about whom it now has data. Thus, the first sentence of this principle should be rewritten as follows: "An organization that collects information directly from individuals must inform the individuals . . . ."
Choice.
This principle could be made more clear. SIA suggests the following rewrite:
If an organization desires to use or transfer information about an individual in a manner that is incompatible with either the purpose for which the information originally was collected or with a disclosure made to the individual in a notice, the organization must offer the individual the opportunity to prevent such use or transfer (opt-out). The individuals must be provided with clear and conspicuous, readily available, and affordable mechanisms to exercise this option. If the information is sensitive (i.e., medical and health information, information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information concerning the sex life of the individual), the organization may use or transfer the information only after the individual affirmatively or explicitly authorizes the use or transfer (opt-in).
Onward transfer.
As currently drafted, the safe harbor principles appear to prohibit an organization from transferring data to a third party unless the organization either has "provided choice" or has ensured that the third party provides the privacy protection required by the safe harbor principles. This restriction apparently applies even if the organization has provided notice that it may transfer personal data to third parties. If this reading is correct, the safe harbor principles should be revised so that prior notice — in and of itself — is sufficient to permit transfers to third parties. Organizations would, of course, be required to act consistently with the notice they provide, but once an organization notifies an individual that it might transfer data to third parties, the individual's subsequent decision to allow the organization to use his or her data constitutes a choice by the individual to permit such transfers. Individuals who desire greater privacy protection regarding onward transfers can decline to deal with the organization and take their business to other organizations instead. Thus, there is no reason to impose blanket restrictions on data transfers by organizations that have openly disclosed the possibility of such transfers. The Onward Transfer principle therefore should be edited to include only the current first sentence. Furthermore, SIA opposes the EC's proposed "explicit notice and choice" requirement for onward transfers.
Security.
The current language regarding "reasonable measures to assure its reliability for its intended use" is unclear and could suggest an obligation to maintain the accuracy of data similar to the obligation contained under the Data Integrity principle. SIA suggests that this language be either deleted or modified to require only "reasonable security measures."
Data Integrity.
This principle should be modified to make clear that an organization's data must be accurate, complete, and current only when the organization is actually using the data. It would defy common sense to require organizations to constantly update and correct all of their records, regardless of whether those records are even being used. SIA therefore suggests replacing the second sentence with the following language: "An organization should take reasonable steps to ensure that data is accurate, complete, and current when using the data for those purposes."
Access.
SIA strongly supports the addition of the bracketed "reasonableness" language in the access principle. Although the Access FAQs provide some assurance that the access requirement is not absolute, the addition of the "reasonableness" language would guarantee that, in situations not covered by the FAQs, the access requirements will reflect important and relevant factors such as "the nature and sensitivity of the information collected, its intended uses, and the expense and difficulty of providing the individual with access to the information."
Enforcement.
SIA supports allowing organizations to meet the enforcement principle by committing to cooperate with data protection authorities located in the EC. Some American organizations may need this option in order to comply with the safe harbor until other means of enforcement are developed. Nevertheless, the clause "provided those authorities agree" should be deleted because it could provide European authorities substantial leverage to demand concessions from American organizations that need enforcement through this option. This enforcement option should not be an overwhelming burden for European data protection authorities because (1) they can almost always direct any inquiries simply to the European company that transfers data to the American company, and (2) they would be obliged in any event to investigate and make decisions on complaints arising from data transfers to the US, with perhaps less certain access to information and cooperation from the American organization.
2. Frequently Asked Questions (FAQs)
Access.
Confidential commercial information. SIA supports the exception from the access requirement for "confidential commercial information." SIA opposes the EC's proposal that the FAQs instead use the concept of "trade secrets" as defined in the Economic Espionage Secrets Act. Although the EC's endnote is unclear in this regard, it appears to refer to the definition of "trade secret" in the Economic Espionage Act of 1996, 18 U.S.C. § 1839(3). While such a narrow definition of protectable information may be appropriate when the issue is whether to impose criminal penalties under the Economic Espionage Act, broader protection is required in the safe harbor principles, where the issue is what information an organization should be compelled to provide upon the mere request of an individual. Indeed, that is precisely the situation that the federal discovery rules aim to address with their definition of "confidential commercial information," and that is why DOC should not accede to the EC's request to change the scope of this exception. Businesses spend significant amounts of time and money to develop many types of proprietary information, and these businesses should not be robbed of that investment by an overly-broad access requirement.
Public records and publicly available information.
The FAQs currently do not require access to public records and publicly-available information if an organization maintains such information separately from other information. Organizations, however, cannot realistically be expected to bear the cost of maintaining two sets of records for every individual — one marked public and one marked private. This language therefore should be modified to exempt all public records and publicly-available information from the access requirement.
Self-certification.
As discussed above, the self-certification requirements are unnecessarily burdensome. Indeed, the detailed reporting obligations contained in the FAQs tend to eviscerate the whole notion of self-certification. DOC should eliminate these detailed requirements, as discussed in Part 1 above.
3. Miscellaneous issues
Applicability of FAQs.
The safe harbor documents should state explicitly that the FAQs represent the EC's understanding of how the safe harbor principles will be applied and that compliance with the FAQs will constitute a defense in any relevant proceeding or investigation conducted by EU or Member State authorities.
Transition period.
American businesses that plan to use the safe harbor are going to need at least 18 months after the principles are finalized in order to come into compliance. The principles obviously have been and continue to be subject to change, and organizations cannot be expected to bring their operations into immediate compliance. Indeed, the securities industry already is inundated with numerous major information technology projects -- ranging from Y2K compliance (including moratoriums on systems upgrades) to new order-monitoring requirements for NASDAQ broker/dealers -- that limit the ability of securities firms to respond immediately to new privacy regulations. The principles therefore should provide explicit assurance that EU and Member State authorities will not enforce the Directive against data transfers by American business from the EU to the US for at least 18 months after the safe harbor principles are finalized.
Furthermore, DOC should seek assurances that American businesses will not be singled out as Member States begin to enforce the Directive. Under the Directive, Member States have three years after they enact laws implementing the Directive to bring all processing operations into compliance with the Directive. DOC should ensure that, as Member States phase in their enforcement of the Directive, American businesses receive the same treatment as European businesses and are not targeted by early enforcement efforts.
Retroactivity.
The safe harbor documents should make clear that the safe harbor requirements apply only to data that is transferred to the US after the effective date of the safe harbor principles.
We appreciate the opportunity to express our views.
Sincerely,
Marc E. Lackritz
President
Footnote:
[1] The Securities Industry Association brings together the shared interests of more than 740 securities firms to accomplish common goals. SIA member-firms (including investment banks, broker-dealers, and mutual fund companies) are active in all U.S. and foreign markets and in all phases of corporate and public finance. The U.S. securities industry manages the accounts of more than 50 million investors directly and tens of millions of investors indirectly through corporate, thrift, and pension plans. The industry generates more than $300 billion of revenues yearly in the U.S. economy and employs more than 600,000 individuals.
