USCIB Letter to Commerce Secretary Mineta on the European Initiative
to Create a "Management System Standard" for Data Privacy
October 24, 2000
The Honorable Norman Y. Mineta
Secretary of Commerce
U.S. Department of Commerce
14th and Constitution Avenue, NW
Washington, DC 20230
Dear Secretary Mineta:
I am writing to express the concern of our members regarding a European initiative to create a "management system standard" for data privacy under the auspices of CEN/ISSS. USCIB members have consistently opposed the development of a privacy standard. Our members believe that such a standard is not needed given the international consensus regarding the appropriate balance of effective privacy protection and the free flow of information espoused in the 1980 OECD Privacy Guidelines. In fact, the OECD Ministerial Declaration on the Protection of Privacy on Global Networks issued in Ottawa, Canada in October 1998 states: ". . . that the technology-neutral principles of the 1980 OECD Privacy Guidelines continue to represent international consensus and guidance concerning the collection and handling of personal data in any medium, and provide a foundation for privacy protection on global networks. . ."
Given this international consensus, our members strongly believe that there is no need for a European privacy standard. Moreover, the adoption of a European standard can have international ramifications. Bilaterally, it could impact the implementation of the Safe Harbor Arrangement. The Safe Harbor Arrangement already requires U.S.-based companies participating in the Safe Harbor to handle personally identifiable data relating to E.U. citizens in a particular manner. A European privacy standard could impose additional costs on companies that conduct business between the E.U. and the U.S. by requiring the use of specific tools exclusively dedicated to handle all personally identifiable information consistent with the privacy standard, even though the standard exceeds the definition of fair information practices within the U.S.
Additionally, the creation of a European privacy standard could be introduced to the International Standards Organization (ISO) as the basis for an international standard. ISO has already contemplated and rejected the idea of an international privacy standard. Indeed, ISO correctly determined that a privacy management system could not bridge the vastly different cultural, legal, regulatory and philosophical approaches to data privacy.
However, a CEN/ISSS standard could circumvent the normal ISO procedure through a "fast-track" process. A "fast-track" procedure, if approved by the relevant ISO body, can limit debate on the standard providing only a single opportunity for comments on the standard as submitted, and then a vote. If a two-thirds majority casts a vote in favor of the standard and not more than one-quarter of the total number of votes cast oppose it, the draft standard will proceed to a final vote of all the ISO member bodies with the same supra-majority required as set forth above.
In summary, a European privacy standard could have significant ramifications for U.S. business. We hope that the U.S. Government and the Department of Commerce in particular will continue their active engagement with their European counterparts on this very important issue.
Please do not hesitate to contact us if you have any questions regarding these comments.
Thomas M.T. Niles
Cc: Mr. Robert LaRussa, Undersecretary for International Trade, Department of Commerce
Mr. Peter Swire, Chief Counselor for Privacy, Office of Management and Budget
Mr. Elliot Maxwell, Special Advisor to the Secretary on the Digital Economy, Department of State
Mr. Raymond Kammer, Director, National Institute of Standards and Technology