May 14, 1999

BY ELECTRONIC MAIL

Mr. Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th and Constitution Avenue, N.W.
Washington, D.C. 20230

Re: Request for Comments on Revised Safe Harbor Privacy Principles

Dear Mr. Fredell:

This letter constitutes the comments of Level 3 Communications, Inc. in response to the Department's revised "Safe Harbor" privacy principles (the "DOC Principles") to be applicable to transfers of personal data from the EU to the U.S. Level 3 is in the process of constructing a high speed, state-of-the-art packet switched telecommunications network both in the U.S. and in many EU countries, as well as acquiring connecting submarine cable facilities. As a telecommunications carrier Level 3 expects to be collecting, processing, storing and using data which in some instances will be personal data as defined in the EC Data Protection Directive. Given the integrated functioning of our domestic and foreign network, we recognize that compliance with the Directive as well as with individual data protection statutes in EU member countries, is important. Such compliance must encompass the provisions of Articles 25 and 26 concerning the export of personal data to third countries such as the U.S. At the same time, the bulk of our data processing will involve U.S. activities and must be conducted in accordance with U.S. law. Like many other companies we have been concerned about these multiple obligations and specifically the need to harmonize in a commercially feasible way our adherence to all applicable law. Level 3 has already adopted a privacy policy for visitors to its web page (http://www.Level3.com) and is developing a broad corporate-wide fair information practices manual.

We therefore welcome the Department's initiative and leadership in this emerging and difficult area of international business. Level 3 does not accept the premise that the existing level of privacy protection in the U.S. is inadequate. Nevertheless, the suggestion that adherence to a non-statutory code of conduct would be deemed by European data protection authorities to constitute the provision of "adequate" privacy protection for EC data is extremely helpful. We are prepared to work with the Department to assure that the proposal outlined in Ambassador Aaron's letter is successfully implemented. At the same time, we have many concerns and questions about the proposal. While we will comply with EU Directives and national privacy law within the EU member countries, U.S. companies and the U.S. government must also be concerned about attempts to apply EU law extraterritorially within the U.S. When Level 3 processes personal data within the U.S. it should not be subject to foreign rules of law and nothing to which Level 3 may agree in the present context should be understood as accepting the application of foreign law to its U.S. operations. Similarly, no undertaking in connection with the Safe Harbor Principles can be inconsistent with, or derogate from, U.S. law. To emphasize this point we suggest that the paragraph immediately preceding the Safe Harbor Principles be incorporated into the Principles themselves, rather than being relegated, as it currently is, to preliminary text of uncertain status.

More broadly, the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, which have been accepted in the U.S. as an important statement of national policy since their adoption in 1980, seek to balance reasonable privacy protection with the continued flow of transborder data. The Department should not lose sight of that balance which is crucial both as a matter of national policy and as a predicate to private sector investment in the tools of modern information-based societies. Excessive regulation, no matter how well motivated, can seriously damage the prospects for private sector investment. Especially in respect to rapidly developing telecommunications facilities, including the Internet, governmental intrusion must be carefully tailored to avoid chilling private sector investment in infrastructure.

While it would unduly complicate the Department's consideration of the safe harbor concept to consider the individual circumstances of a large number of industries, nevertheless it is important to note that telecommunications carriers like Level 3 are subject to a wide variety of U.S. privacy legislation which is specifically tailored to such carriers. Among the more significant statutory provisions are the following:

1. Electronic Communications Privacy Act of 1986;(1)

2. Communications Assistance for Law Enforcement Act ("CALEA");(2) and

3. Telecommunications Act of 1996.(3)

A variety of FCC regulations also establish privacy protections in regard to customer proprietary network information. These include rules based on 47 U.S.C. § 222.(4) According to the Commission, § 222 of the Telecommunications Act establishes "a comprehensive statutory design, which expressly recognizes the duty of all carriers to protect customer information and embodies the principle that customers must be able to control information they view as sensitive and personal from use, disclosure, and access by carriers."(5) The Commission has also adopted regulations concerning "Caller Identification Data." These provisions govern the delivery of Automatic Number Identification ("ANI") within the PSTN and establish certain privacy and notice obligations governing such use.(6)

In assessing the sufficiency of the DOC Principles in respect to telecommunications carriers, the existence of this corpus of U.S. law is relevant to the interpretation or application of the Data Protection Directive's Article 26 exceptions to the general ban on export of data to non-EC countries which lack "adequate" privacy protection rules or mechanisms. Moreover it must be kept in mind that both in the U.S. and in the EC telecommunications carriers are subject to general regulatory oversight.(7)

As indicated above, Level 3 supports the basic notion that adherence to the DOC Principles set forth in the Department's materials would constitute a safe harbor for purposes of Articles 25 and 26 of the EC's Data Protection Directive, i.e. would amount to a de jure determination that privacy protection is "adequate" for a company accepting the DOC Principles. The latest revisions to the initial principles and the new, supplemental documentation have significantly enhanced the safe harbor concept.

However, before it can commit itself to adherence to the DOC Principles, Level 3 must understand what status such adherence would have both at the EC and in the governments of the member countries in which Level 3 expects to be operating. While the documents released by the Department demonstrate substantial progress in this respect, we would suggest that it is essential to have a firm written commitment from the EC and from EU member governments indicating that acceptance and adherence to the DOC Principles or some other similar code of conduct will be deemed to establish a strong presumption that an adequate level of privacy protection exists for purposes of the Data Protection Directive and all applicable member state law.

DOC Principle 7 recognizes that enforcement is an important element, and Level 3 agrees that some mechanism must exist to assure such enforcement and the imposition of sanctions for noncompliance. One option would be to agree that disputes shall be resolved by binding arbitration according to the rules of the American Arbitration Association. Another would be to require that companies planning to export personal data on EC nationals to the U.S. incorporate the DOC Principles in their contracts with customers, employees, contractors (such as outside data processors) and others. Level 3 has no objection to attempting to develop agreed-upon language in such contracts although recent EC documentation analyzing the acceptability to EC regulators of the contract approach suggests that it may not be possible to achieve a meeting of the minds.(8) Once incorporated in contracts an alleged failure to adhere to the principles would be the predicate to a suit in U.S. courts, in which damages or injunctive relief may be sought by the plaintiff.(9) Level 3 would also accept binding arbitration based on alleged breach of contract if the DOC Principles were incorporated in its contracts. However, since any breach of the DOC Principles by definition will involve activities within the U.S., Level 3 would find it difficult to accept adjudication of such claims by courts or administrative agencies in the EU as is apparently contemplated by the Draft Paper on EC Procedures and in the FAQs concerning Human Resources Data. Certainly the U.S. courts are competent to apply the DOC Principles if they are accepted as binding and incorporated in formal documents. As the Draft Paper on EU Procedures itself recognizes, the presence of such a judicial or administrative system is considered when the initial "adequacy" determination is made. It is heavy handed and awkward to assume a disappointed data subject should be able to appeal an adverse U.S. decision to his/her own data protection authorities.(10)

With respect to sanctions, Level 3 suggests that individual instances of failure to comply with the DOC Principles should be sanctionable by the imposition of a fine but only after the matter has been resolved by the formal process agreed upon by the interested parties. The potential for financial penalties will assure that staff will take seriously their responsibilities to implement the Principles. In addition, if a company has been adjudicated to be responsible for multiple offenses the enforcement body should have the power to declare the offending company to be noncompliant in principle, a finding which could naturally lead to the loss of the freedom to process EU national personal data in the U.S.

Ambassador Aaron's letter seeks comments on the weight to be given the FAQs. It must be recognized that the FAQs will be considered in the nature of legislative history and will therefore inevitably be given substantial weight in interpreting the somewhat sparse principles themselves. This is not necessarily undesirable but it does suggest that very careful drafting is essential so that the FAQs do not alter the balances reached in the principles. Unfortunately we find many instances in which the FAQs appear to us to be internally inconsistent or to state principles we do not accept. By way of illustration the Access principle as drafted does not make access absolute albeit the square brackets and n. 6 to the text create substantial uncertainty on this point.

The discussion in the FAQs on Access is unfortunately not clear with respect to the question whether the right of access is absolute. Paragraphs one and three under question 1 appear to offer contradictory responses at least in the case where the use of data could "significantly" affect an individual. We understand that access is a fundamental concern to the Europeans; it is also a fundamental worry for U.S. companies which may find themselves burdened with substantial administrative costs. It should be made clear in the Access principle itself that the right of access is not absolute even if the reasonableness of access may appropriately vary from case to case. The FAQs must reinforce this rather than muddy the waters as they do now. In at least one respect the FAQs on Human Resources Data create an issue which is very troublesome. It emphasizes that where employee data is processed or stored in a third country, the safe harbor principles require the organization processing such data in the U.S. to cooperate in providing such access and that the U.S. organization handling EU human resources data outside the EU must "commit to cooperate in investigations and to comply with the decisions of competent European authorities in such cases." We would expect to cooperate with EC and Member State authorities. However, we do not understand why, if a process is established for protection of privacy rights in the U.S. which includes the signatory's binding legal commitment to formal redress or sanctions within the U.S. and which is, by definition "adequate," formal recourse is contemplated to enforcement agencies which have no jurisdiction within the U.S. It appears to us to be surplusage and to undermine the fundamental premise of the signatory's safe harbor undertaking. We therefore urge that references in any of the FAQs to the assertion of EC or Member States' jurisdiction over disputes arising from processing occurring in the U.S. be stricken.

Level 3 is confident that many U.S. companies will be expressing concerns about the details of the DOC's proposal, and will seek discussion and agreement with various bodies in the EC and at the member government level. The questions which will require resolution cannot be resolved hastily. Bearing in mind that the EC anticipated that three years would be required for member governments to take action to transpose the Data Protection Directive into national law, that only a few governments have done so as of this date, and that the UK's new Data Protection Act of 1998 will not come fully into force until 2001, it is obvious that a reasonable transition period is required and that 12 to 18 months is not excessive.

EC representatives have emphasized in public statements that adequate enforcement machinery is fundamental to the EC's privacy protection scheme, and that some mechanism must be available for data which are processed in the U.S. Level 3 does not disagree and the present text of the Enforcement principle is acceptable as it stands. Public efforts such as that developed by BBBOnline emphasize dispute resolution machinery. Our own internal Fair Information Practices Manual, which is currently under development, recognizes that enforcement is a crucial element of any data protection effort. However, imposing European administrative enforcement schemes on issues arising in the U.S. will pose serious problems for a variety of reasons not the least of which is the need to avoid inappropriate intrusions into U.S. sovereignty.

These are not simple issues and I hope the questions and suggestions set forth above will assist the Department in its further deliberations. Please feel free to call upon us if we can be of further help to you.

Very truly yours,

William Hunt
Regulatory Counsel
Level 3 Communications, Inc.
1450 Infinite Drive
Louisville, CO 80027

1. P.L. 99-508, 100 Stat. 1848, 18 U.S.C. §§ 1367, 2232, 2510-11, 2701-2711, 3117, 3121-3127 (1986), amending the Omnibus Crime Control and Safe Streets Act of 1968, P.L. No. 90-351, 82 Stat. 212.

2. P.L. No. 103-114, 108 Stat. 4279 (1994) codified as amended in sections of 18 U.S.C. and 47 U.S.C. See Notice of Proposed Rulemaking, 13 FCC Rcd. 3149 (1997) (subsequent history omitted).

3. 47 U.S.C. § 151 et seq. Section 222 of the Act provides broad protection of customer network information. See 47 U.S.C. § 222.

4. The Commission's CPNI policy and rules are set forth in its Second Report and Order, Customer Proprietary Network Information, Docket No. 96-115, 13 FCC Rcd 8061, 11 CR 382 (1998), clarified, 12 CR 187. The Commission's implementing CPNI rules appear in 47 C.F.R. §§ 64.2003-2009. Section 63.21(e) specifies that international carriers authorized under § 214 of the Act may not access or use specific U.S. customer proprietary network information that is derived from a foreign network without the customer's approval.

5. Second Report and Order, par. 3 (footnotes omitted).

6. 47 C.F.R. Part 64 §§ 1601-1603.

7. The EC has itself adopted Directive 97/66/EC (December 15, 1997) concerning the processing of personal data and the protection of privacy in public telecommunications networks.

8. See e.g., Working Document - Transfers of personal data to third countries: applying Articles 25 and 26 of the EU data protection directive (July 24, 1998), and Working Document - Judging industry self-regulation: when does it make a meaningful contribution to the level of data protection in a third country (January 14, 1998), both of which take positions which U.S. industry may find difficult to accept.

9. It is also possible that the FTC would assert that any company's failure to adhere to its own announced policy would violate § 5 of the Federal Trade Commission Act, precipitating the filing of a Complaint. See, e.g., In the Matter of Geocities, FTC File No. 982 3015 (Aug. 13, 1998).

10. We recognize that a complainant living in a member state may face substantial difficulties in pursuing relief through a U.S. arbitration or judicial procedure. However as a practical matter before a dispute has escalated to that degree it is likely the local data protection authority will have intervened at the request of the data subject and will be in a position to bring substantial pressure to bear on a commercial entity whose continued operation in the foreign jurisdiction could be imperiled by substantial difficulties with the data subject.