Ambassador David L. Aaron
Undersecretary for International Trade
U.S. Department of Commerce
14th Street and Constitution Avenue, N.W.
Washington, DC 20230

Comments re: International Safe Harbor Privacy Principles

Dear Ambassador Aaron:

        We are the authors of four recent books and monographs examining the
European Union's data protection directive (Directive 95/46/EC), the
“adequacy” of United States privacy protection under Articles 25 and 26 of that
directive, and substantive data protection law in several European Union
Member States: Data Privacy Law: A Study of United States Data Protection
(Michie 1996); Privacy in the Information Age (Brookings 1997); None of Your
Business: World Data Flows, Electronic Commerce, and the European Privacy
Directive (Brookings 1998); and Data Protection Law and On-line Services:
Regulatory Responses in Belgium, France, Germany and United Kingdom (European
Commission, forthcoming 1999). Four of us are law professors who teach and
research extensively in the areas of privacy and information law; the fifth is
director of economic studies at The Brookings Institution and a former deputy
assistant attorney general in the Antitrust Division of the Justice Department
and former associate director in the Office of Management and Budget.

        The views we express below are ours alone; they do not necessarily
represent the views of the institutions with which we are affiliated nor have
we received any financial or other compensation for preparing these comments.

        In our respective writings and public statements concerning privacy, we
have disagreed frequently and, on occasion, sharply about the desirable level
of substantive privacy protection for personal information and about the
constitutionality, effectiveness, and the advisability of various means of
achieving privacy protection. We submit these comments jointly today to
highlight the fact that, despite our divergent views on other privacy issues,
on these critical points we are in complete agreement. In addition to these
joint comments, Professor Swire is also submitting a set of technical
observations. 

        We appreciate the opportunity to submit comments on the November 4,
1998, draft of International Safe Harbor Privacy Principles, and we applaud the
Department of Commerce, you, and your colleagues for pursuing discussions with
the European Union to create a set of international principles that would be
recognized globally as meeting the requirements of Articles 25 and 26 of
Directive 95/46/EC. Agreement on such principles would diminish the threat that
enforcement of the data protection directive might interrupt trade with the
European Union and reduce the transaction costs associated with complying with
the Directive.

        The key to creating effective principles and achieving the benefits
that such principles promise, however, is in their specificity and
comprehensiveness. Specific, comprehensive principles make it comparatively
easy for consumers, businesses, and regulators alike to know what is expected,
what level of privacy is provided, and whether there is compliance. Such
principles also diminish the room for conflicting interpretations by
information collectors and users and by national data protection regulators,
thereby increasing the certainty that the principles will, in fact, constitute
“adequate” data protection and therefore a safe harbor under Directive
95/46/EC.

        We believe that the proposed International Safe Harbor Privacy
Principles are too vague and incomplete to serve their intended purpose.
Specifically, we believe the following examples reflect substantial
difficulties for international data transfers that this proposed draft does 
not resolve:

        1. The applicability of the “Safe Harbor” is ambiguous

        We find the scope of application of the “safe harbor” perplexing. The
preamble seems to merge sectoral regulation that may provide a statutory basis
for “adequacy” with collective, industry self-regulatory schemes and isolated
independent mechanisms. Yet, many issues for compliance and the sufficiency of
each of these means to satisfy “adequacy” are different. In addition, the “safe
harbor” does not delineate how to treat a company that subscribes to the
principles in connection with one set of activities, such as on-line services,
but engages in many others such as employee data transfers. Furthermore, the
draft exempts “proprietary information” from the principles without any
definition. We do not understand what this term means in relation to the
generally accepted definition of “personal information” as information relating
to an identified or identifiable person.

        2. Transparency is not yet accomplished

        The “safe harbor” leaves a number of critical issues for transparency
unresolved. For example, the notice requirement does not include any disclosure
of the identity of the organization collecting personal information. We also
believe the provision on access leaves significant ambiguity in the ability of
individuals to see the information relating to them. “Reasonable access” is
only vaguely defined in the clause and likely to be interpreted quite
differently by the various stakeholders. At the same time, the blanket
exclusion of public record information from the access right raises serious
questions about whether the resulting data protection is “adequate” under
Directive 95/46/EC.

        In addition, the “safe harbor” is silent on the transparency of those
companies subscribing to the principles; there is no provision for the public
disclosure of companies promising to adhere to the “safe harbor.” For example,
a statement in corporate disclosure documents such as Form 10K or 10Q filed
with the Securities and Exchange Commission would make adherence public and
indicate that a particular company thought compliance was material to its
business practices. 

        3. The Role of Consent

        We are concerned that the “safe harbor” relies too heavily on consent
as an absolute basis for any treatment of personal information.  Especially in
the case of sensitive information such as medical data, consent may not be
recognized as an appropriate ground for certain uses of personal information. 
For example, it is doubtful whether consent should be considered valid where
medical care is provided to a sick patient on condition of using personal
medical information for marketing purposes.

        4. Enforcement is ill-defined

        We are unconvinced that the draft “safe harbor” provision on
enforcement adds a meaningful standard to the principles. The list of
mechanisms by which compliance might be assured does not contribute to clear
rules or practices for companies to follow or for individuals to pursue in the
vindication of claims. The draft gives no guidance on the content for “systems
for verifying that the attestations and assertions business make ... are true”
nor does the draft provide any indication as to how such measures might
overcome the rejection of non-independent supervision by data protection
authorities. Even with respect to remedies, the draft is too vague to provide
any guidance. Enforcement in the American legal system typically includes
causes of action and damages for violations of standards. The draft speaks of
“recourse” and “consequences,” yet does not establish any useful criteria for
dispute settlement nor address the question of damages for injuries caused to
individuals by violations of the principles. In combination with the vagueness
of the substantive principles, the enforcement provision offers unclear
protection for individuals and uncertainty for U.S. business.

        Moreover, we are concerned by the confusion regarding the legal effect
of the proposed International Safe Harbor Privacy Principles. Typically,
American law uses the term “safe harbor” to mean a set of precisely defined
practices recognized by a designated regulatory agency to satisfy an existing
legal obligation in the United States. In the absence of U.S. statutory
obligations, we understand this “safe harbor” is, instead, intended as a
designation by the European Union that U.S. companies complying with the terms
of these principles would qualify to transfer personal information to the
United States under Article 25(6) or Article 26 of Directive 95/46/EC. Under
Directive 95/46/EC, a determination of the sufficiency of these principles will
be made by the Commission subject to referral to the Committee, consisting of
representatives from each of the Member States, established under Article 31 of
the Directive, and, if necessary, to referral to the Council of Ministers for
an overruling decision.  In making the initial determination on the value of
these principles as “adequate” data protection, the Commission consults with
the Working Party, composed of representatives of the data protection
supervisory agencies of the Member States, established under Article 29 of the
Directive. Although the opinion of the Article 29 Working Party is only
advisory, each of the group's members has enforcement responsibilities for
international data transfers. Hence, even if these principles are accepted by
the Commission and the Article 31 Committee or the Council of Ministers,
European law and Directive 95/46/EC require the data protection agencies in
each of the European member states to interpret whether there is compliance and
accord a significant margin for interpretation to those agencies.

        The Working Party has addressed itself for the past two years to the
question of what constitutes “adequate” data protection under Articles 25 and
26. Those views are collected in the Working Party's report from this summer, Working
Document on Transfers of Personal Data to Third Countries: Applying Articles 25
and 26 of the EU Data Protection Directive. While our views on the substance of
the Working Party's conclusions differ, we are agreed that the current draft of
the International Safe Harbor Privacy Principles appears inconsistent with the
Working Party's conclusions. In particular, the vagueness and omissions in the
draft International Safe Harbor Privacy Principles contradict the search for
specific substantive standards enumerated in the Article 29 Working Party's
opinions. We do not, therefore, believe that these principles will resolve the
international data flow issues for U.S. companies at the member state level and
urge you to explore the problems of interpretation that these principles will
create.

        Thank you again for your efforts to create International Safe Harbor
Privacy Principles. We appreciate this opportunity to comment and we stand
ready, individually and collectively, to work with you to address the concerns
and ambiguities that we have identified and to provide any other assistance you
might require in completing your important task.

                                Respectfully submitted,


                                        
                                on behalf of

                                        Fred H. Cate
                                        Professor of Law
                                        Indiana University School of Law Bloomington
                                        Author, Privacy in the Information Age

                                        Robert E. Litan
                                        Director, Economic Studies
                                        The Brookings Institution
                                        Co-Author, None of Your Business

                                        Joel R. Reidenberg
                                        Professor of Law
                                        Fordham University School of Law
                                        Co-Author, Data Privacy Law and
                                        Data Protection Law and On-line Services

                                        Paul M. Schwartz
                                        Professor of Law
                                        Brooklyn Law School
                                        Co-Author, Data Privacy Law and     
                                        Data Protection Law and On-line Services 
                                                
                                        Peter P. Swire
                                        Professor of Law
                                        Ohio State University College of Law
                                        Co-Author, None of Your Business