Federal Express Corporation ("FedEx") submits these comments in response to the notice published by the International Trade Administration in the Federal Register concerning public comments on the International Safe Harbor Privacy Principles ("safe harbor principles"). 64 Fed. Reg. 19,747 (Notice of Publication) (ITA 1999).
The International Trade Administration ("ITA") seeks public comment on the so-called safe harbor principles, and on their potential effect on U.S. companies. Generally, the safe harbor principles are for use by U.S. companies that process data that may be subject to the European Union ("EU") Directive on Data Protection ("EU Directive").(1)
II. OVERVIEW OF FEDEX
FedEx is the world's largest express all-cargo integrated transportation company. FedEx specializes in fast, reliable transportation services for documents, packages, and freight of all sizes and weights. FedEx offers seven international document and package delivery services and four international freight services, most of which include customs clearance services. FedEx operates 625 planes and 42,500 vehicles, and relies on over 145,000 employees to deliver more than 3.2 million items every day in over 210 countries around the world.
FedEx has long been recognized as a vanguard in the development of advanced business-to-business and business-to-customer technology and processes. For example, FedEx was a leader in the express delivery service sector in the development of business models centered on customer information services.
To provide its services, FedEx collects and manages massive quantities of data, primarily through the completion of an air way bill by its customers. Such data normally consists of customer information such as names, addresses, telephone numbers, zip codes, billing information, and general product descriptions. FedEx manages the majority of such data using the "Customer Operations Service Master On-line System" ("COSMOS"). COSMOS makes FedEx's door-to-door express shipments possible. COSMOS permits the tracking of packages from the moment they are picked up to their final destination, and it can be used by customers to print invoices and manifests. Advanced technology permits FedEx to store data efficiently and to provide data to customers in their preferred format.
FedEx customizes its software to fit customers' particular needs. Its suppliers and customers may further customize FedEx software in order to obtain specific types of information. For example, invoicing management reports can be downloaded electronically into a customer's network and allow data manipulation for internal analysis. Customers may also use this database to schedule pickups and customize FedEx's services in other ways.
In 1998, FedEx averaged more than 62 million on-line transactions each day, most of which involved the customer information referenced above. This data is required to complete the air way bill which, in essence, is the contract between FedEx and its customer for the provision of express delivery services. The data is primarily used to complete shipping documentation, and for shipping and tracking purposes. Most of this information is stored in FedEx's data processing facility in Memphis, Tennessee.
III. THE SAFE HARBOR PRINCIPLES
A. Notice
1. Prospective Application
While the U.S. and EU have agreed that enforcement action under the EU Directive be suspended, it is not clear that there will be safe harbor for companies that processed data between the EU Directive implementation date of October 25, 1998,(2) and the date the safe harbor principles become effective. The safe harbor principles are not clear as to whether they will have retroactive application to this "pipeline" data.
For example, the safe harbor principles provide that a company assumes notice obligations "when individuals are first asked to provide" information about them.(3) This apparently means that the safe harbor provisions only will apply to information collected after the safe harbor principles become effective. The EU Directive, however, provides that processing of data already "under way" at the time the EU Directive becomes effective in the respective Member states must be brought into conformity within three years of such effective date.(4)
As noted above, FedEx processes tremendous amounts of electronic data. Indeed, between October 25, 1998 and April 30, 1999, FedEx processed over 112 billion electronic transactions. The costs and administrative burden associated with any form of retroactive compliance with the safe harbor principles would be prohibitive, even with a grant of grace period similar to that contained in EU Directive Article 32(1). Accordingly, the safe harbor principles should only apply to data collected for the first time after the safe harbor principles enter into effect. In the alternative, the safe harbor afforded under the safe harbor principles should cover pipeline data, i.e., data collected after October 25, 1998, and prior to the date the safe harbor principles enter into force.
2. Use of Information
EU Directive Article 26(c) provides that a transfer of personal data to a third-party may take place when "necessary for the conclusion or performance of a contract concluded in the interest of the data subject." Although this provision is important, the safe harbor principles do not contain a similar provision. The Notice principle must clearly provide that notice is required only in those instances where the information collected will be used for purposes other than that for which it was originally collected.
Customers initiate contact with FedEx in a number of ways, including through the Internet, by telephone, at a customer service center, or by simply dropping a shipment in a drop box. In some instances, such as the drop box, FedEx does not interface with the customer and there is no time when "individuals are first asked" for personal information. In such cases, any requirement that an organization contact the individuals to provide notice imposes an undue administrative burden. The Notice principle, the related FAQ and other guidance information, should clearly provide that notice shall take into account the circumstances surrounding the transaction, and may include methods such as hypertext links and other forms of contemporaneous, but not adjacent, notice.
3. Third-Party Disclosure
FedEx is concerned about the requirement that notice be provided regarding "the types of third parties to which it discloses the information." As noted above, FedEx routinely collects personal information for shipment, tracking, routing, scheduling, regulatory compliance, law enforcement, and resource allocation purposes. During the course of a single shipment, FedEx is required (either by law, or in order to provide the service that FedEx has been contracted to supply) to transfer such personal information to a number of "third-parties" in order to complete the shipment. Third-parties may include: government authorities including customs authorities, customs brokers, freight forwarders and logistics suppliers, joint venture partners, and product manufacturers and vendors. In most cases, it is virtually impossible to determine at the time information is first collected, i.e., the completion of an air way bill, the exact identity of third parties to which personal information may be disclosed. Although the Notice principle provides that an organization inform individuals about the "types" of third parties to which it discloses information, the related FAQ and other guidance information should reflect that a simple statement that informs a customer that information is provided to third-parties in order to complete a shipment (or provide the service contracted) satisfies this requirement. The Notice principle should be clarified so that disclosure is only necessary when the information will be transferred to third parties for purposes other than that for which it was originally collected.
B. Choice
The Choice principle contemplates that individuals may "opt out" where personal information is to be "used or disclosed to third parties (where such use is incompatible with the purpose for which it was originally collected or with any other purpose disclosed to the individual in a notice)." This Principle is confusing as to the circumstances in which an individual may opt out and, as a result, its application in current form may lead to absurd results. For example, an individual may choose to opt out with respect to information supplied to a foreign government authority for purposes other than completing the shipment. Yet, in some cases if the information is not supplied to the government authority, the shipment may not be completed. In addition, given the "express" nature of the service, it is possible that by the time an individual decides to opt out the shipment may have been completed.
The Choice principle, the related FAQ and other guidance information should clearly provide that the "opt-out" choice is applicable only in instances where "such use is incompatible with the purpose for which it was originally collected or with any other purpose disclosed to the individual in a notice." FedEx suggests that this safe harbor principle be clarified in part as follows:
2. CHOICE: An organization must offer individuals the opportunity to choose (opt out) whether and how personal information they provide is used or disclosed to third parties other than those necessary for the performance of a contract (where such use is incompatible with the purpose for which it was originally collected or with any other purpose disclosed to the individual in a notice). They must be provided with clear and conspicuous, readily available, and affordable mechanisms to exercise this option. (underlined text is suggested text)
C. Onward Transfer
As noted above, FedEx must routinely transfer information to third parties to complete shipments and the identity of the party is not readily known at the time that personal information is first collected. As a result, it is unreasonable to require that FedEx first ascertain that a third party subscribes to the safe harbor principles, or that it enter into an agreement with the third party to assure that the third party will provide an adequate level of protection. In addition, the negotiation of such agreements with governmental entities may not be possible. Consequently, it should be clarified that the Onward Transfer principle does not apply to transfer of information supplied by an individual in order to contract the services of a service supplier. In addition, transfers of information to governmental entities that are required by law or regulation in order to complete the supply of an international service should not be subject to the Onward Transfer requirements.
The Onward Transfer principle potentially imposes monitoring and secondary liability on companies that are otherwise in full compliance with the safe harbor principles: a company may be liable for actions and abuses by third parties. FedEx suggests that the Onward Transfer principle, the related FAQ, and other guidance information clarify that the disclosing organization shall have no further monitoring responsibility or liability for the use or misuse of the personal information by the third party once a transfer has been made under the terms of the safe harbor principles.
D. Access
FedEx requests that the word "reasonable" remain in the Access principle. In the alternative, FedEx proposes the use of the word "adequate" to describe the type of access that might be permitted, i.e., "'adequate' access means the ability to review, and, if necessary, correct inaccurate information."
E. Enforcement
FedEx supports the use of sector and industry self-policing mechanisms for ensuring compliance with the safe harbor principles as expressed in the note to the Enforcement principle. Given the broad range of methods by which information is collected and processed, and given that many of those methods have industry and sector-specific approaches, mechanisms for enforcing and monitoring the application and compliance of the safe harbor principles must take into account such industry and sector-specific nuances in order to achieve effective and fair results. To this end, non-governmental organizations and industry and sectoral associations should be given a role in the development of self-policing enforcement mechanisms.
IV. CONCLUSION
FedEx appreciates the opportunity to provide comments on the safe harbor principles.
Respectfully Submitted,
M. Rush O'Keefe, Jr.
Vice President, Legal Regulatory Affairs
Sarah S. Prosser

Jimmie V. Reyna
WILLIAMS, MULLEN, CHRISTIAN & DOBBINS
900 17th Street, NW Suite 700
Washington, DC 20006
(202) 293-0213
Special Trade Counsel for Federal Express Corporation
1. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
4. See, EU Directive Article 32(1) which states: "[m]ember States shall ensure that processing already under way on the date the national provisions adopted pursuant to this Directive enter into force, is brought into conformity with these provisions within three years of this date."