VIA E-MAIL (Ecommerce@ita.doc.gov)
The Honorable David L. Aaron
Under Secretary of International Trade
U.S. Department of Commerce
14th Street & Constitution Avenue, NW
Room 3850
Washington, DC 20230
Dear Ambassador Aaron:
We write to submit the comments of The Direct Marketing Association, Inc. ("The DMA") in response to your letters of April 19 and April 30 to industry representatives and to the issues raised in the open meeting at the Department of Commerce on May 7.
We are very encouraged by the progress that has been made since the original release of the draft safe harbor principles last year. Likewise, we appreciate the continued openness and inclusion of industry as this approach has developed.
There are several remaining issues that are of critical importance that we believe must be addressed before The DMA and its members can support the principles in their entirety, or make use of the mechanism. We strongly believe the outstanding issues can be resolved in an acceptable manner that will allow for such a framework.
We set forth below these issues, an explanation of their importance to The DMA, and suggest potential changes that would address our concerns.
I. Overall Safe Harbor Framework
Much progress has been made in clarifying the scope of the safe harbor, the manner in which it will be implemented, and in clarifying the meaning of the principles. Although The DMA is supportive of the safe harbor approach, this mechanism is but one of many alternatives for compliance. The DMA feels strongly that the existing mechanisms contained within the Directive itself should be preserved and that these Principles should not impede their development or use. Included among these different alternatives for compliance are contracts and consent.
The value of these alternatives is that they provide flexibility in solutions that can serve different types of companies in different ways. For this reason, it is crucial that the safe harbor mechanisms be viewed as distinct from other mechanisms for compliance. To preserve these alternatives, the final version of the safe harbor Principles should state clearly that entering the safe harbor remains only one of the ways for the data protection of a U.S. company receiving personal data from the European Union to be considered "adequate" for purposes of the Directive.
One overall concept that applies broadly to the Directive is the general notion that legitimate rights of individuals must be balanced against the legitimate needs of business. This concept is found in Article 7(f) of the Directive and should be reflected in the safe harbor documents and applicable to the entire safe harbor. Article 7(f) sends a deliberate legal message that neither of these rights or needs is absolute. Recipients of information in the United States should not be faced with absolute principles while their counterparts in Europe are allowed to operate under a more flexible framework incorporating this important balancing concept.
This balancing concept is reflected in the reasonableness provisions of the access requirement, which is addressed below. As The DMA mentioned in its November comments, a balancing-of-interests test is similar to the approach taken in 1995 by the Privacy Working Group of Vice President Gore's Information Infrastructure Task Force. We reemphasize that this sliding scale approach should be applied more generally to the safe harbor principles and the accompanying FAQs. In particular, we propose a sentence be added to the preamble to the principles that reflects this concept.
A. Self-certification
The DMA supports the concept of self-certification to the safe harbor principles. This concept provides a means of defining a practical policy framework without requiring individual determinations of adequacy. Such individual determinations would otherwise be a significant source of uncertainty and require unnecessary and burdensome efforts.
Two concepts exist within the self-certification process as described that should be revised. First, companies that self-certify should not be required to file a notice of this self-certification with the Department of Commerce or any other third party. Second, the FAQ should clarify that The DMA's Committee on Ethical Business Practice and similar peer-review programs fall within the third-party investigatory body that would handle unresolved complaints. We discuss these below.
1. Self-certification of the company should not require the filing of notification with a third party
There has been a lot of discussion during the negotiations as to how a company would self-certify that it is in compliance with the safe harbor. As we understand it, these discussions have included certifying with the European Commission or with the Department of Commerce as is currently stated in the FAQ. Self-certification should not require affirmative notification to the Department of Commerce or any third-party repository; this would be unnecessary and burdensome. Making a statement of self-certification available upon request to government authorities should be sufficient to satisfy the safe harbor.
In recent discussions involving notices for compliance with the Digital Millennium Copyright Act, it has become apparent that such notification requirements are not as simple as they may appear. Any legitimate benefit of such a requirement would be of such minimal consequence that it would pale in comparison to the burden the process would impose.
Additionally, The DMA is concerned that requiring statements of compliance with law could set unwarranted precedent in these areas within the United States. For example, companies in the United States are not required to certify that they are in compliance with United States advertising laws or other laws. Moreover, it should be noted that the European systems themselves are moving away from registration systems for data processors, and where such systems exist, there are broad exceptions to the registration requirement.
2. The FAQ on self-certification should clarify the requirement of a third-party investigation of unresolved complaints
The FAQ on self-certification sets out certain information that would be required for disclosure in a self-certification. While The DMA does not support such a notification to the Department of Commerce, as described above, the reference in the FAQ to "third part[ies] that will investigate unresolved complaints" should be clarified. The DMA interprets this provision to mean that investigations should be conducted in the first instance by the company with which a consumer has a concern. The experience of The DMA's members is that a large percentage of concerns are resolved by the company when this process is followed; The DMA therefore suggests that the principles be clarified to reflect this interpretation.
Likewise, in the event that there exist situations that are not resolved, The DMA seeks clarification as to whether its Committee on Ethical Business Practice or ethics boards of other similar organizations would satisfy this requirement.
Additionally, the FAQ should clarify that this requirement would be satisfied when the United States company commits to cooperate with the European Union data protection authority. The DMA suggests that language reflecting this concept be added to the "third party" requirement in the FAQ.
B. Time frame
Comments were requested at the open meeting on May 7th as to the appropriate time frame for implementation of the safe harbor. As we understand it, one option that has been proposed is for an initial three-month period following the formal agreement on the principles and FAQs by the United States and the European Union, which would provide companies with an opportunity to evaluate the safe harbor option. Following the three-month period, it is envisioned that there will be a grace period of six months for implementation of the safe harbor.
The DMA supports such a two-step process that will provide a company with time to evaluate whether to adopt the safe harbor and then a grace period for the company to implement the safe harbor principles. The DMA is concerned, however, that there must exist sufficient time to fully evaluate the potential impact of the safe harbor on member businesses and to evaluate the other options that are available to comply with the safe harbor, including contractual means. To this end, we suggest a minimum initial evaluation period of six months. Likewise, The DMA suggests at least a one-year grace period for companies to come into compliance. This time frame would allow more time for companies to implement the principles without interrupting the normal flow of their business operations. Some flexibility should also be built into the principles to allow for the opportunity, if necessary, for extensions to the grace period.
Some existing companies that heretofore chose to do business in Europe, and many others not yet in existence, may well elect in the future to self-certify after the initial time period allotted to evaluate the principles. These companies should have the same opportunity to have a grace period for implementation as the ones that decide to participate during the "first wave" of self-certifications. The grace period for implementation following the company's self-certification should also be a period of at least one year. This rolling grace period will provide companies that sign on to the safe harbor sufficient time to come into compliance.
In any event, United States companies should not be required to come into compliance with the Directive through the safe harbor prior to the time when European companies will have to be in compliance. For example, the Directive allows member states up to three years to phase in requirements for ongoing processing. United States companies should not be required to comply with the safe harbor principles for data processing prior to the time period required by member states as they implement the Directive.
C. The FAQs should be accorded significant weight for interpretation of the principles
Another ongoing area of discussion focuses on the relationship between the principles and the FAQs. The FAQs and their development have been essential to clarifying the meaning and implications of the principles. Our members are still evaluating the most recently released FAQs. To the extent that these companies are comfortable with the substance of the FAQs, the FAQs should be accorded significant value as they will be used as a means of complying with the safe harbor. Thus, while the FAQs will not likely carry the level of precedential value of the principles themselves, they should be afforded significant weight in interpreting the principles. To this extent, The DMA views the FAQs as interpretive guidance much in the way that commentary or legislative history is treated in other contexts. This relationship should be explicitly defined in the safe harbor documents.
D. Incorporation of the safe harbor principles into contracts as expressed in the preamble to the principles should be preserved
Clauses reflecting adherence to the safe harbor principles should be able to be included in contracts which themselves would then be deemed adequate. While the use of a safe harbor to provide a mechanism for compliance with the Directive is totally separate from a contractual arrangement, there may exist reasons to incorporate some or all of the safe harbor principles into contracts.
In order to preserve the widest array of possibilities for compliance by different companies, some companies may elect to incorporate the safe harbor principles into contracts or other mechanisms. This concept is reflected in the preamble to the principles and should be maintained. Using the safe harbor principles as a basis for contracts ought to, by definition, ensure an adequate level of protection. However, it is important to reinforce the fact stated earlier that the use of safe harbor principles in contracts should not affect the contract or other mechanisms otherwise available under the Directive. In addition, the safe harbor Principles should not be set forth as the standard against which the adequacy of a particular contract is measured.
II. Safe Harbor Privacy Principles
The DMA commends the Department of Commerce on the development of the FAQs and refinement of the principles since the original release of the proposed safe harbor last year. It is evident that the Department of Commerce has been very thoughtful and receptive to the comments of a variety of different interests. The current drafts recognize the practical limitations on businesses while at the same time protecting consumer privacy. Likewise, the current draft shows progress in allowing for the adoption of the sectoral approach to privacy that exists in the United States.
The DMA has several remaining comments with regard to specific principles and FAQs that will improve them and help provide further clarification.
A. Notice and choice
1. The notice principle should not limit the ability of companies to use or disclose customer information for legitimate marketing purposes when prompt notice is provided upon entering into a customer relationship
The notice principle currently states that "notice must be provided . . . before the organization uses such information for a purpose other than that for which it was originally collected or discloses it to a third party." In the fast-moving world of telephone orders and coupon clipping, companies often begin using customer information for marketing purposes soon after establishing a relationship with the consumer. Yet, the kind of clear and conspicuous notice required by the principle may need to wait until the shipment of a purchased good or a communication via postal mail.
The notice principle should not operate to encumber companies in their ability to use or disclose customer information for legitimate marketing purposes as long as they furnish notice promptly upon entering into a customer relationship. This is consistent with Article 11(2) of the Directive which refers to "disproportionate effort." To clarify this, the text of the principle should be modified by deleting everything that follows the word "practicable" in the last sentence.
2. The notice and choice principles should be satisfied to the extent that the European organization that is transferring the data is compliant with European law with regard to these principles
As currently drafted, in many if not most instances, the notice and choice principles and, indeed, the safe harbor itself would be unusable for many DMA members. This occurs where DMA members rent or buy mailing lists that have been collected in Europe by third parties, or whose European affiliates have the customer relationship. United States companies do not interact with the individuals on the lists at the time of collection and would be unable to comply with the notice and choice principles as currently drafted.
To address this issue, language should be added indicating that the notice and choice principles can be satisfied to the extent that the United States company obtains the data from sources that are compliant with the law in the European member states as they relate to notice and choice.
B. Onward transfer
The footnote to the onward transfer principle states that the European Commission would like text added to this principle that would require explicit notice and choice when personal data is transferred to a third party that does not adhere to the safe harbor requirements. The DMA disagrees with this suggestion, as its practical effect would be to drastically reduce the ability to enter into contractual agreements with third parties that agree to provide the same level of privacy protection as required by the relevant safe harbor principles. Using subcontractors that have not self-certified under the safe harbor program to perform services would be prohibited if this suggestion of the European Commission is adopted. The DMA recommends that a third party's ability to contractually comply with the safe harbor principles be retained, thus preserving the potential utility of the safe harbor for the sizeable number of companies that rely on subcontractors.
C. Access
1. The "reasonableness" of access and the description of reasonableness should be kept in the access principle
The current access principle continues to leave unresolved whether the concept of reasonableness will be included within the text of the principle. The DMA firmly believes that the key element in determining whether to provide access is found in the term "reasonable." The FAQ on access significantly clarifies the access principle and resolves much of the concerns that we expressed in our prior comments. To give this FAQ its full impact, however, the reasonableness concept should be included within the principle. It is The DMA's understanding that the European Commission is concerned with the use of the term "reasonable" as this term may have different connotations in Europe. From a United States perspective, the term reasonable is preferable, but the word "proportional" would also satisfy our concerns.
Of equal importance, the sentence stating that "[r]easonableness of access depends on the nature and sensitivity of the information collected, its intended uses, and the expense and difficulty of providing the individual with access to the information" should remain in the principle. The principle as it exists should be maintained because it reflects the importance of the sensitivity of the information in gauging the extent to which a company should provide access.
Additionally, the FAQ on access currently would require that access be provided to information that is neither sensitive nor used for decisions that will significantly affect the individual if the information is "readily available and inexpensive to provide." The level of expense and difficulty required should in every instance be proportional to the sensitivity of the data. Thus, for information with minimal sensitivity, the level of expense or difficulty may be disproportionate unless the information can be retrieved in the normal course of business by measures that are taken on a regular basis with respect to that information. This concept should be clarified within the FAQ.
2. Public records from both the United States and Europe should be kept outside of the scope of the access principle
Endnote 7 to the FAQ on access states that the EC proposes limiting the public record exemption to U.S. public records for access. This would require companies to provide European individuals with access to European public record information. As it is unclear that European organizations provide such access to public record information, this would hold United States companies to higher standards than those required of Europeans. Moreover, as these records are available to the public, individuals already possess the ability to obtain the information directly from the public record source.
The majority of public record information transferred to the United States will be from European sources. Consequently, the public records exemption should apply equally to both European and United States public record information.
D. Human Resources Data FAQ
The FAQ on Human Resources Data states that "where an organization intends to use personal data collected through the employment relationship for the marketing of goods and services to present or former employees and notice to that effect has not been provided by the European organization transferring the data, the US organization would need to provide notice and choice before using employee data for such purposes." In practice, marketing to a former employee may occur without knowledge by the United States organization at the time of the solicitation that a person is a former employee of the European organization. This solicitation would use traditional marketing data, not human resources data. The former employee may not be aware of this fact and unduly accuse the United States organization of using employee data for marketing in violation of the safe harbor. To further reduce potential confusion, the text "collected through the employment relationship" should be added following the reference to "employee data" in the statement above.
E. Enforcement
The Note following the enforcement principle allows organizations to satisfy the principle "by committing to cooperate with data protection authorities located in the European Community or their authorized representatives provided those authorities agree." The DMA believes that commitment of an organization to cooperate with the data protection authority alone should be sufficient to satisfy the enforcement principle. Organizations should not additionally be required to seek agreement of the data protection authorities. Such a requirement may have the effect of negating the binding nature of the safe harbor principles on the member states. To address this concern, we suggest that the text "provided those authorities agree" be deleted from the note.
The DMA encourages the continued efforts of the Department of Commerce to negotiate a safe harbor. We support the proposed concept of a safe harbor provided that the above-described concerns can be addressed. Such a safe harbor could result in a predictable way to comply with the Data Directive and foster continued growth and consumer confidence in our $1.4 trillion industry. We believe that the utility of the safe harbor will ultimately be determined on a company-by-company basis. The uses of industry privacy programs that fall within the safe harbor principles will assist many DMA members in complying. We appreciate the opportunity to express our views to the Department of Commerce and we look forward to participating in future discussions.
The DMA
The DMA is the largest trade association for businesses involved in direct marketing and database marketing. The DMA represents more than 4,300 companies in the United States and 54 other nations. Our members are leaders in the development of global commerce, supported by the exchange of information across borders. The DMA's leadership is continuing to extend in the Internet and electronic commerce areas with its recent acquisitions of the Internet Alliance and the Association for Interactive Media.
Founded in 1917, The DMA has members that include direct marketers from almost every consumer and business-to-business segment, as well as the non-profit sector. Included are catalogers, financial service companies, book and magazine publishers, retail stores, industrial manufacturers, Internet marketers, and a host of other vertical segments, as well as the service industries that support them. Many of our members have for decades engaged in the transfer of data from the E.U. and include what we believe are the majority of the companies that will be affected by any agreement reached with the European Union.
The DMA has worked for many years on numerous successful consumer protection initiatives on behalf of our members. Led by The DMA, and in coordination with the federal government, industry has been able to develop practices that protect the consumer while at the same time preserving the leadership of our members in the information age. Through peer review The DMA sets standards, enforces, and educates. The DMA's Ethics Policy Committee sets privacy standards. A different DMA body, the Committee on Ethical Business Practice, responds to cases of alleged violations of Association Guidelines on Ethical Business Practice. This committee, composed of a cross section of companies in the industry, enforces the guidelines. Most cases that are brought are resolved through this Committee and its recommendations.
To educate consumers, The DMA has been very active in creating educational material on and off the Web to empower consumers in their understanding of information practices. Through our mail, telephone, and soon to be deployed e-Mail Preference Services, we facilitate consumer choice over use of their information. In fact, in July the Privacy Promise goes into effect. This promise requires as a condition of membership to The DMA that companies subscribe to and comply with the mail, telephone, and e-Mail Preference Services.
Sincerely,
Jerry Cerasale
Senior Vice President
Government Affairs