April 5, 2000
 

Honorable David L. Aaron

Under Secretary for International Trade

International Trade Administration

U.S. Department of Commerce

Room 3850

14^th St. and Constitution Ave., NW

Washington, DC 20230
 

Re: European Union Privacy Directive Safe Harbor Principles
 

Dear Ambassador Aaron:
 

The Air Transport Association of America appreciates the opportunity to comment on the March 17^th version of the draft European Union privacy directive safe harbor principles and associated documents. ATA is the trade and service association of the larger U.S. passenger and cargo airlines. Many of our members operate between the United States and EU Member States.
 

As we noted in our December 3^rd letter to you, ATA members that serve EU Member States routinely collect and transmit from the EU to the United States information that is subject to the privacy directive. They do so in conjunction with contracts with their customers for both passenger and cargo services, to comply with governmental requirements--most notably those associated with the facilitation of entry into the United States of passengers and cargo--and for internal administrative purposes. Many of these information transfers thus are integral to consumer-initiated transactions in which the data are indispensable to providing service to the customer that he or she has sought. The transfers are consequently not only routine but also beneficial to consumers.
 

Speed and efficiency in the transfer of data are important considerations not just for airlines but also for their customers. Airlines operate in a high volume, extremely time-sensitive environment that must promptly respond to consumer demands. This is particularly so with the enormous growth of electronic commerce. Customers will suffer if the privacy directive is implemented in a way that impedes the airline industry's ability to meet those needs.
 

We understand that the safe harbor negotiations purposefully did not encompass Internet issues. With the continued expansion of electronic commerce, however, the jurisdictional reach of governmental mandates affecting such transactions needs to be carefully sorted out so that commercial enterprises can offer their services to consumers without running afoul of conflicting regulatory requirements. We therefore suggest that this matter be included in future discussions between the Commission and the U.S. Government.
 

The safe harbor principles and the FAQs establish a framework that should enable consumer and commercial needs to be met. Three FAQs are particularly helpful in understanding that framework in the context of aviation services.
 

First, FAQ 6 explicitly states that "safe harbor benefits are assured from the date on which an organization certifies to the Department…its adherence to the principles…." This effectiveness provision is important because it eliminates questions that could otherwise arise about what constitutes prima facie evidence of adherence.
 

Second, FAQ 8 makes clear that no specific record retention period is required. This means that retention periods that companies have already established will not need to be extended. Companies therefore will have the freedom to purge such records as circumstances warrant rather than being constrained by an artificial standard.
 

Third, we particularly appreciate the efforts of the Department of Commerce and its Commission counterparts in preparing FAQ 13. That FAQ clarifies the interplay between Article 26 and Article 25(2) for certain categories of information that airlines often transmit from Europe and the United States. It also clarifies the coverage of the safe harbor principles to personal data and sensitive information that can be contained in such transmissions.
 

New language about national law potentially superseding the principles has been added to FAQ 13 and the safe harbor principles. We do not wish to deprecate such sovereignty concerns. However, having spent so long developing the safe harbor principles that balance the goals of the privacy directive with the need to transfer data to the United States, we hope that the uniform approach embodied in the principles can be comprehensively implemented. We suggest that a mechanism be created to enable the Commission, interested Member States, and the U.S. Government to consult quickly if this matter becomes an issue.
 

We believe that two revisions to the safe harbor principles may create unintended ambiguity and therefore deserve more consideration before the document becomes final.
 

The first full paragraph on the second page of the principles deals with limitations upon adherence to them because of conflicting governmental mandates. New language in that provision recognizes that adherence to the principles can be limited where explicitly authorized "to the extent necessary to meet the overriding legitimate interests furthered by such authorizations…." We understand that the purpose of this new language is to narrow the permission to deviate from adherence to the principles. The introduction of the concept of "overriding legitimate interests" creates, however, a subjective criterion and therefore will produce uncertainty about the applicability of this provision. That uncertainty is unnecessary because this provision is only applicable where a statute, governmental regulation or case law produces conflicting obligations or explicit authorization to depart from the principles. Those objective, discernible preconditions do not require the subjective "overriding legitimate interests" concept and, indeed, will be undermined by it. We suggest the deletion of the "overriding legitimate interests" language.
 

New language in the onward transfer provision of the principles adds uncertainty to a provision that as originally drafted was quite clear. Our concern is that the insertion of the "should have known" component as an exception to the safe harbor that this provision creates could leave the impression that a transferor organization has an ongoing oversight responsibility for the third party to which it forwards data. The onward transfer provision demands, where notice and choice have not been afforded to the data subject, that the organization make a specified adequacy determination about the third party to which data are to be transferred. That is an appropriate due diligence responsibility. In contrast, the new "should have known" language opens the possibility of losing the protection that such due diligence was intended to provide to the transferor organization. It raises the possibility of continuing transferor oversight that is not realistic in the commercial context. For these reasons, we suggest that the language be deleted.
 

We realize that the European Union must formally approve these documents but we are hopeful that it will do so in the near future. We also anticipate that once they are approved, implementation issues will arise that will demand the attention of the Department and the Commission, as well as affected businesses. We thank you again for your efforts and those of your colleagues at the Department.
 

Sincerely,
 
 
 
 
 

James L. Casey