USCIB Comments to the November 15
Department of Commerce Safe Harbor Documents
December 3, 1999
The Honorable David L. Aaron
Under Secretary
International Trade
Department of Commerce
14th and Constitution Avenue, N.W.
Washington, D.C.
Dear Ambassador Aaron:
The members of the United States Council for International Business (USCIB) again thank you for your continuing negotiations with the European Commission to resolve outstanding issues regarding implementation of the E.U. Privacy Directive. As we have stated in the past, USCIB members support the concept of a safe harbor as a practical means to resolve the potential restriction on the transborder flow of data from the E.U. to the U.S. However, ultimate support for the safe harbor will depend on the final version of the principles.
In our previous comments, the USCIB asserted that where a conflict exists between the U.S. and the E.U. on data protection principles, the resolution should be based on internationally agreed upon principles – the 1980 OECD Privacy Guidelines – not on adoption of the E.U. principles set forth in the E.U. Directive. Such an approach is consistent with the concept of "adequacy" rather than equivalency. We are pleased that several of our suggested changes and requests for clarification on the principles and FAQs issued on April 19, 1999 have been addressed. There are several remaining issues from our comments submitted on May 14, 1999 that have not been addressed. However, recognizing the significant progress from the April 19, 1999 draft, we are limiting our comments to issues that our members believe are essential to ensure industry’s support for the final safe harbor documents.
· Choice:
The USCIB strongly supports the deletion of the last portion of the first paragraph of this principle. Compliance with the deleted sentence is impractical and overly burdensome, most importantly because a company subscribing to the safe harbor may not know, at the time at which choice is provided, each and every third party to which data may be transferred. Moreover, this issue is addressed in the Onward Transfer Principle.
· Onward Transfer:
Our members seek clarification regarding a written agreement between an organization that subscribes to the safe harbor and a third party to which it is transferring data to require the third party to provide at least the same level of privacy protection as required by the relevant principles. We would like to confirm that this does not mean that the written agreement binds the third party to subscribe to the safe harbor.
· FAQ 5 – The Role of Data Protection Authorities:
Our members believe that a commitment to cooperate with data protection authorities must be an enforcement mechanism option. This is essential given that significant portions of many of our member companies’ business are not regulated and a self-regulatory enforcement mechanism does not exist. Therefore, without this option, they will not be able to comply with the enforcement principle for those portions of their business. Our members believe that this option is essential and do not support an automatic termination date for this option.
· FAQ 6 – Self-Certification:
USCIB members do not believe that organizations subscribing to the safe harbor should be required to provide self-certification letters "not less than annually." A more logical requirement would be to require notification to the Department of Commerce or its designee if there has been a material change in the subscribing organization’s self-certification declaration.
· FAQ 11 – Dispute Resolution and Enforcement:
The response to the first question indicates that data protection authorities must agree to an enforcement mechanism whereby subscribing organizations commit to cooperate with them. As stated above, we believe that this must be an enforcement mechanism option. Moreover, it is important to clarify that the phrase "provided those authorities agree" does not mean that each data protection authority has the option to serve as an enforcement body. If that were the case, requiring companies to seek the agreement of every member state authority in order to utilize the safe harbor would defeat its purpose, which is a harmonized resolution to the potential restriction on the transborder flow of data.
· Summary of the Main Operative Provisions of a Possible Decision on the Basis of Article 25.6 of the Data Protection Directive Concerning the US "Safe Harbor:"
The summary clarifies when a Member State authority may suspend data flows to organizations that subscribe to the safe harbor. It was the understanding of USCIB members that there were four cumulative criteria to be met. However, the summary does not so indicate. It appears as though the second sentence of the relevant paragraph is a definition of "irreparable harm." It was our understanding that irreparable harm was one of four cumulative factors to be met. Moreover, we think harm should also be qualified with the term "unreasonable."
· Draft Letter from the Department of Commerce to the European Commission:
Footnote 1 of the letter states that "the duration of the interim period is not yet agreed." USCIB members believe that, in order to ensure that they can adapt their business practices to comply with the safe harbor principles and to ensure the continued flow of data from the E.U. to the U.S., the interim period should be 18 months and in no event expire prior to the approval of a model contract by the Commission.
· Draft Letter from the European Commission to the Department of Commerce:
The letter includes a section on "Use of Contracts – Article 26 Decisions." In many circumstances existing contracts and proposed Model Contracts such as the ICC Model Contracts require the data importer to comply with the laws of the country from which data is being exported. USCIB members believe it is essential that the safe harbor principles be considered the law of an exporting E.U. member state in the context of contractual arrangements. This should be the case without the need to renegotiate existing individual contracts or proposed model contracts that require the data importer to comply with the law of the country from which data is being exported. Suggested language to capture this issue could be: "In the context of a contractual solution, the safe harbor principles can be considered the law of the E.U. member state from which data is exported, without the need to renegotiate or explicitly state it in a contract. This could apply to existing approved contracts and proposed model contracts where the data importer is required to comply with the laws of the exporting country without revision."
· Regulated Industries – Financial Services:
The heavily regulated US financial services industry will be subject to significant new privacy regulations stemming from Title V of the just-enacted Financial Services Modernization Act (S. 900). The Act imposes new privacy and security obligations on financial services institutions, requires disclosures and choice for the sharing of customer information, and directs both federal and state regulators to adopt rules and examination guidelines to assure compliance with the new law and with the Fair Credit Reporting Act. Financial services companies will be required to publicize their privacy policies and update or restate them at least annually, subjecting them to potential civil liability and regulatory action if they do not live up to their commitments. The Act does not preempt more restrictive state laws and regulations, which are already under consideration in a number of states. Given the extensive new privacy requirements under the Act, we would recommend that: a) the Commission find that the total privacy regulatory framework applicable to the US financial services sector is adequate under the terms of the EU Data Protection Directive; or b) the Commission review that regulatory framework after all state and federal regulations pursuant to the Act have been implemented (roughly a year to 18 months from now) in order to make an adequacy determination at that time; and c) the Commission immediately find that US financial services regulators constitute a third-party enforcement agent under the terms of the safe harbor agreement.
Similar consideration should be given to other regulated industries, such as healthcare products and services, for which regulations are being developed under the auspices of the Department of Health and Human Services. The regulations are expected to be issued in early 2000, with implementation to be required within 24 months.
Thank you for your consideration and your continued efforts on behalf of U.S. industry. Please do not hesitate to contact me or David Fares (212/ 703-5061) if you have any questions regarding these comments.
Sincerely,
Charles Prescott
Chair, Working Group on Privacy and Transborder Data Flows