USCIB

Positions & Statements


 

 

 

USCIB Comments on Safe Harbor Principles for E.U./U.S. Privacy Discussions

 

May 14, 1999

 

The Honorable David L. Aaron

Under Secretary

International Trade

Department of Commerce

14th and Constitution Avenue, N.W.

Washington, D.C.

 

The members of the United States Council for International Business (USCIB) thank you for your continuing negotiations with the European Commission to resolve outstanding issues regarding the implementation of the E.U. Privacy Directive.  USCIB members support the concept of a safe harbor as a practical means to resolve the potential restriction of the transborder flow of data from the E.U. to the U.S.  However, ultimate support for the safe harbor will depend on the final version of the principles developed.

 

USCIB members continue to assert that where a conflict exists between the U.S. and the E.U. on data protection principles, the resolution of the conflict should be based on internationally agreed upon principles, not adoption of the E.U. principles set forth in the E.U. Directive. Such an approach is consistent with the concept of "adequacy" rather than "equivalency." The 1980 OECD Privacy Guidelines provide that international agreement.

 

The U.S. approach of self-regulation operating in conjunction with existing laws and regulation is fully consistent with the OECD Guidelines. Therefore, the safe harbor principles should be implementable within the U.S. approach. Indeed, a resolution beyond the OECD Guidelines could arguably be perceived as a concession by the U.S. that the OECD Guidelines and U.S. privacy protection based on them do not represent effective privacy protection.

 

Below please find examples that compare several of the Draft Safe Harbor Principles of April 19, 1999 to the OECD Guidelines and the E.U. Directive. The comments below also identify concerns of USCIB members and requests for clarification.

 

·         Notice:

 

Comparison: The draft safe harbor principle includes notice of the types of organizations to which information will be disclosed. The OECD Guidelines do not have such a requirement. Chapter II, Section IV, Article 10(c) of the E.U. Directive states that "Member States shall provide . . . any further information such as --the recipients or categories of recipients of the data." However, the Directive then qualifies this by stating "in so far as such further information is necessary. . . " The draft safe harbor principle therefore goes beyond what the Directive requires.

 

USCIB Member Views: USCIB members do not believe that companies that subscribe to the safe harbor should be subjected to principles that exceed the E.U. Directive. At a minimum, the portion of the notice principle that addresses the types of third parties to which it discloses information should be qualified by the phrase "in so far as such further information is necessary . . ."

 

Request for Clarification: Which organizations are required to observe the notice principle? It is phrased as if it applies to an organization that is collecting information directly from a data subject. In most instances, that will not be the U.S. data importer, but rather the European data exporter, which may be a corporate affiliate of the U.S. data importer or even an unrelated company. In such a circumstance, how does the notice principle apply to the U.S. data importer?

 

·         Choice:

 

Comparison: The concept of "incompatible uses" as set forth in the parentheses is clearly stated in the OECD Guidelines. Additionally, the OECD Guidelines and its explanatory memorandum do not state that absolute opt-in must be offered for the collection and use of sensitive data.

 

USCIB Member Views: USCIB members believe that it is essential that the concept of "incompatible uses" be clearly stated in the safe harbor principles without parentheses. The use of parentheses could be misconstrued as giving this concept lesser weight than the rest of the principle. In addition, USCIB members recognize that sensitive data, such as medical information, require greater protection. However, greater protection does not justify an absolute presumption of opt-in for all sensitive data. At a minimum, the reference to opt-in in the text of the principle should be deleted. This deletion would also be consistent with the Sensitive Data FAQ.

 

Request for Clarification: Which organizations are obligated to observe the choice principle? As with the notice principle, it is phrased as if it applies to an organization that is collecting information directly from a data subject. In most instances, that will not be the U.S. data importer, but rather the European data exporter, who may be a corporate affiliate of the U.S. data importer or even an unrelated company. In such a circumstance, how does the choice principle apply to the U.S. data importer?

 

·         Onward Transfer:

 

OECD Guidelines Comparison: No such stand-alone principle exists in the OECD Guidelines. The concept of "third-party uses" is incorporated in the "Purpose Specification" and the "Use Limitation" Principles of the OECD Guidelines. The OECD Guidelines do not stipulate that organizations must require third parties to whom they transfer information to provide at least the same level of privacy protection as originally chosen by the individual.

 

USCIB Member Views: Endnote 5 of the Draft Principles indicates that the Commission would like text added to the Onward Transfer Principle that requires explicit notice and choice when personal data is transferred to a third party that does not adhere to the safe harbor requirements. Such a requirement is overly burdensome and may result in more restrictive use of the data than the data subject intended.

 

Request for Clarification: What is the responsibility of an organization receiving information as the result of an onward transfer? What is the liability of an organization that transfers data to another organization that either violates the safe harbor principles if it subscribes to them, or violates the written agreement between the two organizations?

 

·         Access:

 

Comparison: The OECD Guidelines provide that an individual should have the right to have "communicated to him, data relating to him. . ." Therefore access is through a communication from the data controller to the data subject. The draft safe harbor principle does not clearly reflect the "communication" concept and may be construed to allow an individual to physically review files/databases. It is also important to note that, as specified in the draft safe harbor principle, the explanatory memorandum of the OECD Guidelines (Paragraph 58) states ". . . the right to access and challenge is not absolute."

 

USCIB Member Views: The concepts of "reasonable" access and "communication" must be clearly set forth in the principle itself and should not be in parentheses. USCIB members recognize that the "communication" concept is addressed in the draft FAQ, but also note the position of the Article 29 Committee in their official views of May 3, 1999 that the FAQs have no standing.

 

Request for Clarification: The Access FAQ states that: "If the information requested is not sensitive or not used for decisions that will significantly affect the individual . . . but is readily available and inexpensive to provide, an organization would have to provide access to factual information that the organization stores about the individual." Why should companies that have implemented efficient and sophisticated technologies be held to a higher requirement than other companies?

 

·         Enforcement:

 

Comparison: The OECD Guidelines contain an "accountability principle" that does not preclude effective and viable self-enforcing/auditing approaches.

 

USCIB Member Views:

 

1.       Generally, USCIB members believe that the content of the note relating to the enforcement principle is very important and should be included in the text of the principle rather than relegated to a note;

 

2.       The FAQ on verification recognizes that verification can be achieved through self-assessment. This recognition should also be included in the principle itself. Credible self-assessment can be an effective means of verifying compliance;

 

 

3.       USCIB members do not oppose a procedure that coordinates and recognizes the self-certification and verification procedures of subscribing companies in a consistent manner through some form of public notification. However, the procedures set forth in the Self-Certification and Verification FAQs are overly bureaucratic;

 

4.       USCIB members support inclusion of the third mechanism but oppose the last clause – "provided those authorities agree." This clause defeats the purpose of the safe harbor, a harmonized resolution to the potential restriction of the transborder flow of data, if it requires companies to seek the agreement of every member state authority to utilize it. The third mechanism could be useful in situations where a U.S. subscriber to the safe harbor is neither a participant in a third-party enforcement scheme nor subject to a regulatory oversight body that could hear an unresolved complaint. However, the inclusion of the above referenced clause could prevent some companies from complying with the enforcement principle if a data registrar refuses to agree to allow the company to commit to cooperate.

 

Request for Clarification: The third mechanism in the note needs to be clarified. Specific questions regarding the third mechanism in the note are:

1.       How would such a commitment regarding the third mechanism be made?;

 

2.       If a U.S. parent makes such a commitment, does that create a new right to pursue the U.S. parent that does not exist in the Directive as it is directly applied to the E.U. data controller?; and

 

3.       If a commitment to cooperate is made, how will the three elements of the enforcement principle be satisfied?

 

·         Additional Issues/Clarifications

 

Weight of the FAQs: USCIB members continue to debate the weight that should be given to the FAQs. However, we believe that if a matter included in the FAQs is critical to the application of the principle it should be included in the principle itself. Such inclusion is even more important given the official view of the Article 29 Committee issued on May 3, 1999, that the FAQs have no standing. Another concern is the extent to which a situation/clarification not within a FAQ would be deemed to be beyond the application of the safe harbor.

 

Manually Processed Data: USCIB members believe that organizations should be offered the option as to whether they would like to subscribe to the safe harbor for manually processed data.

 

Public Records: The text of the Access FAQ includes an exemption for public records. However, endnote 7 indicates that the E.U. proposes limiting that general exemption to U.S. public records only. Such a limitation could require companies that subscribe to the safe harbor to correct or amend the public record without the approval of its custodian. USCIB members believe that there should be a general exemption for public records without limitation.

 

Retroactivity: Does the safe harbor apply to data collected prior to a company subscribing to it?

 

Procedure Document: The Procedure Document is very useful and USCIB members greatly appreciate the efforts of the Department of Commerce, in conjunction with the European Commission, to clarify the practical application of the safe harbor. Our members seek clarification on the authoritative status of this document. In our view, it should be given significant weight given that it identifies the benefits U.S. companies will receive for subscribing to the safe harbor, which is a defining element of a company's decision. In addition, it would be helpful if there was a definition of "exceptional circumstances."

 

Human Resources Data: A former employee may appear on a marketing list from independent sources other than human resources data. How would such a situation be handled?

 

Thank you for your consideration. Please do not hesitate to contact me or David Fares (212/ 703-5061) if you have any questions regarding these comments.

 

Sincerely,

 

Charles Prescott

Chair, Working Group on Privacy and Transborder Data Flows

 

 

 




