1 See Memoranda to International Committee Nos. 35-98, dated November 20, 1998, 18-99, dated April 27, 1999,
and 20-99, dated May 3, 1999.
2 The Institute’s comment letter will be posted to the Department of Commerce Electronic Task Force web site,
at http://www.ita.doc.gov/ecom/menu.htm, with all other comments received on the safe harbor.
[10990]
May 18, 1999
TO: ELECTRONIC COMMERCE ADVISORY COMMITTEE No. 8-99
INTERNATIONAL COMMITTEE No. 23-99
TECHNOLOGY TASK FORCE
RE: INSTITUTE COMMENTS ON DRAFT SAFE HARBOR FROM EU DATA
PROTECTION DIRECTIVE
______________________________________________________________________________
As reported to you earlier, the US and the European Union have been engaged in ongoing
negotiations over the terms of a safe harbor that would protect US businesses from enforcement actions
under the EU Data Protection Directive.1 On May 14, 1999, the Institute submitted comments to the
Department of Commerce on the draft documents that will comprise the safe harbor.2 These
documents include the safe harbor privacy principles and nine sets of frequently asked questions (FAQs)
that provide further explanation of those principles. A copy of the comment letter is attached. The
Institute’s main comments are summarized below.
Institute Comments
Specific privacy regulations adopted by securities regulators must be given appropriate
deference. In its letter, the Institute argued that the Securities and Exchange Commission and the
National Association of Securities Dealers understand the structure and organization of mutual fund
organizations and, as a result, are in the best position to craft rules that would appropriately regulate the
protection of individual privacy in the industry. Should one of these regulators promulgate a rule
specifically relating to privacy, firms that are subject to and in compliance with it should qualify for the
safe harbor, regardless of whether the rule precisely mirrors the safe harbor principles.
The transition period must be long enough to allow US firms to come into compliance with
the safe harbor. The Institute commented that the transition period for compliance with the safe
harbor must be long enough to allow regulators to act and companies to respond and must take into
account the difficulties modifying systems during 1999 and 2000, particularly in light of the Y2K
problem. We suggested that the transition period, at a minimum, should be eighteen months long.
The principles of notice, choice and onward transfer must allow for uses of information that
are not incompatible with the relationship between an investment company and its shareholders.
The Institute stressed that the principles of notice, choice and onward transfer in the safe harbor must
be interpreted to permit companies to efficiently provide customers with the service and the products
that they have come to expect. The restrictions on choice and onward transfer should not hinder firms
from using information to create benefits for shareholders, such as unified account statements.
The FAQs should have the same force of law as the safe harbor principles. The Institute
commented that the FAQs should be given significant weight relative to the safe harbor principles,
similar to that between statutory provisions and regulations that expand upon them.
Rights of access must be reasonable. The Institute strongly supported including explicit
language in the safe harbor principle and the FAQ on access that a consumer’s right of access to
information about him or her should be tempered by reasonableness. The Institute also supported
making clear that companies may deny access to the extent it would reveal confidential commercial
information.
The role of the Department of Commerce in the self-certification process should be limited
to the maintenance of a list. The Institute strongly supported the concept that companies wishing to
rely on the safe harbor can “self certify” their compliance with the safe harbor by notifying the
Department of Commerce. However, the Institute’s letter stated that the detailed reporting obligations
outlined in the FAQ on self-certification are burdensome and unnecessary. The Institute argued that the
Department of Commerce’s role should be limited to maintaining a list of companies, and contact
persons at those companies, that have self-certified their compliance with the safe harbor terms.
Next Steps
The Department of Commerce and the European Commission intend to continue negotiations
over the terms of the safe harbor, taking into account comments received by both sides, with the goal of
announcing an agreement at the next EU-US summit in Germany on June 21, 1999.
Robert C. Grohowski
Assistant Counsel
Attachment