Information Technology Industry Council
1250 Eye Street, NW, Suite 200, Washington, DC 20005
202-737-8888 - http://www.itic.org
April 5, 2000
Electronic Commerce Task Force
United States Department of Commerce
14th Street and Constitution Avenue, NW, Suite 350
Washington, D.C. 20230
Dear Sir or Madam:
The Information Technology Industry Council ("ITI") is pleased to offer our comments on the March 2000 safe harbor documents. ITI is the association of leading information technology ("IT") companies. Our members had worldwide revenues of more than $460 billion in 1999 and directly employed more than 1.2 million people in the United States. ITI advocates growing the economy through innovation and market-based policies.
ITI commends you, your colleagues in the Commerce Department and your counterparts with the European Commission's Internal Market Directorate for your efforts to develop clear and predictable guidance for U.S. organizations transmitting data across the Atlantic. In particular, we are pleased that the conclusion reached indicates European recognition of the adequacy of the U.S. model of market-led privacy protection backed up by government enforcement authority and heightened protections in appropriate sectors, such as financial and health information. Both the U.S. and the European Union value personal privacy highly and recognize that there are multiple means of achieving effective privacy protection.
ITI strongly recommends that the U.S. government support this final version of the safe harbor arrangement. We request clarification on several matters and have several suggestions for fine-tuning the arrangement as it is finalized by both governments over the next several months:
The final sentence of the second paragraph in the preamble to the guidelines states: "The principles are not a substitute for the national provisions implementing the Directive in situations where those national provisions apply." This sentence seems to contradict the understanding we believe is in place that the safe harbor principles are indeed the set of requirements against which U.S. companies' data transfers will be enforced. We request clarification as to the intent of that sentence, which we believe may be to clarify that European member state law applies for an organization's operations within a member state, which of course is appropriate.
The last sentence of the "Choice" section of the Principles requires U.S. organizations to "treat as sensitive any information received from a third party where the third party identifies it as sensitive." We suggest adding the following parenthetical to the end of the sentence: "(within the meaning of the definition at the beginning of this paragraph)." This would make it clear that such third parties cannot designate as sensitive things so mundane as name and address, but could only clarify that certain data points fall into the Safe Harbor Principles' definition of sensitive information.
The last sentence of the Principles' paragraph on "Onward Transfers" was amended to include a clause "unless the organization knew or should have known the third party would process it in such a contrary way ..." We suggest modifying the clause to read "unless prior to the transfer the organization knew …" While we understand the idea that an organization should have some responsibility for the type of entities to which it transfers personal information, we believe the obligation should apply prior to the transfer. After the transfer has occurred, the organization that initially transferred has no control over what happens.
For FAQ 5, we have two points of clarification. First, we are concerned with the overbroad nature of the third declaration required for committing to cooperate with European data protection authorities (DPAs), "will comply with any advice given …" We would suggest instead the following language: "will receive a written opinion given by the DPAs as to the DPAs' view that the organization needs to take specific action, and will act in accordance with that opinion and provide the DPAs with written confirmation of its actions."
Also, in the third-to-last paragraph of FAQ 5, concerning referral of cases to the Federal Trade Commission and other U.S. federal or state bodies, it is unclear what standard of review such bodies will apply to referrals from DPAs. For the sake of due process and the viability and attractiveness of this option to U.S. companies, we suggest the following addition before the last sentence of that paragraph: "The FTC or other U.S. federal or state bodies will examine the DPA opinion and other relevant information comprising the record of the complaint or incident in order to make their decision."
Amendments to FAQ 6 appear to indicate that a company entering the safe harbor must do so for all personal information about European Union citizens received thereafter. This approach eliminates the option of subjecting some types of data to the safe harbor and using different means to protect other data. For example, some companies might already use contracts to protect human resources ("HR") data and prefer to use the safe harbor only for customer data. We recommend that the final draft offer U.S. organizations the flexibility to designate which classes of data will be covered by the safe harbor.
Also, FAQ 6 now specifies that any misrepresentations to the Department of Commerce or its designee in the course of self-certification might be actionable under the False Statements Act. While the intent of this statement appears to be descriptive only, it could be interpreted as implying an admission by companies certifying their safe harbor compliance. We recommend adding the additional phrase "to the extent applicable" to the end of the sentence to clarify its descriptive nature.
We request clarification on a statement in the third paragraph of FAQ 7, which requires organizations to retain their safe harbor implementation records. Does this bind organizations to retain such records indefinitely, or only for a reasonable amount of time? We suggest a clarification that such records need only be retained for a reasonable amount of time.
Finally, in subsection "g" of Question 5 in FAQ 8, concerning employee succession planning, we suggest an explicit reference to salary and salary change information.
Thank you again for your hard work on this very complex issue. We look forward to maintaining a constructive dialogue with you as the safe harbor arrangement is finalized and urge you to contact ITI whenever we can be of assistance.
Best regards,
Rhett Dawson
President