Ambassador David L. Aaron

Electronic Commerce Task Force

U.S. Department of Commerce, Room 2009

14th and Constitution Ave., NW

Washington DC 20230

VIA E-MAIL: Ecommerce@ita.doc.gov
 

Dun & Bradstreet Comments

Dear Ambassador Aaron:
 

On behalf of Dun & Bradstreet (D&B), I respectfully submit for your review the following comments regarding the March 17, Draft International Safe Harbor Privacy Principles. Dun & Bradstreet has submitted comments and has participated extensively in the Safe Harbor discussions since the inception of those discussions. Therefore, we are commenting only on those sections of the principles, FAQ's and procedural documents that are newly submitted since the last draft.
 

General Comments
 

We congratulate and commend the Department of Commerce, specifically Ambassador Aaron and Barbara Wellbery, and the European Commission for their untiring work in achieving this tentative Safe Harbor agreement. It is a critical step in assuring that the flow of data between companies in the European Member States and the United States remains uninterrupted and that many important societal functions that result from those flows are unencumbered. Overall, Dun & Bradstreet is very supportive of the agreement and the principles it establishes. Specifically, we are pleased that the agreement recognizes the unique ways - both legal and self-regulatory - that the United States provides data protection while still respecting the European Union's regulatory framework. Our comments are limited, therefore, to areas where we believe the principles and the other supporting documents could be enhanced or clarified.
 

Specific Comments
 

One primary concern D&B has is that no documentation has yet been provided describing the specific steps and procedures that must be taken in an escalation of a complaint from an European data subject. While the text of the Article 25.6 decision and the draft letter of submittal from European Commission to the Department of Commerce both explain how and when transfers of data can be blocked under extraordinary circumstances, there is no documentation available suggesting the steps that must be taken when an ordinary complaint is raised. FAQ's #11 and 5 do outline the procedures that self-regulatory enforcement bodies and the panel of data protection authorities should use to handle complaints. However, the procedures and protections for escalating these complaints through the Commission and the Department of Commerce are not described. It is important for the European Commission to acknowledge this process as part of the Article 25.6 decision or at the least in its transmittal letter.
 

D&B also has specific questions regarding the new FAQ #5 that describes the role of the data protection authorities as an enforcement option under the safe harbor. First and foremost, D&B is extremely pleased that the Commission and the Department of Commerce have been able to reach agreement on this enforcement option. As we have explained before, without this enforcement option D&B and many other US companies would not be able to participate in the safe harbor. This is because our online business -- which qualifies for the self-regulatory enforcement option -- is a small part of our business and we are not subject to the authority of other existing US regulatory bodies. However, we would like to receive clarification on some of the points in FAQ #5.
 

In agreeing to comply with the Data Protection Authorities (DPA's), US companies must agree to comply with any advice given by the DPA's including compensatory measures. D&B would like to see this enforcement option be more in line with that of the US self-regulatory bodies that do not assess compensatory damages. However, at the very least, we believe that the DPA's should provide some guidance on how a decision to award compensatory damages will be assessed and some guidelines for the amount of damages that might be awarded. The FAQ goes on to state that the advice may include "any remedies for the individuals concerned that the DPA's consider appropriate." Again, more detail on appropriate remedies should be described in procedures provided by the DPA's. We suggest that remedies, including damages, should be no more stringent than those imposed on European companies operating within Europe.
 

Thank you for your consideration of Dun & Bradstreet's comments and for your unrelenting work to reach agreement with the European Commission on the safe harbor proposal. Should you have any questions regarding these comments, please feel free to contact me at (202-463-2159).
 

Sincerely yours,
 
 
 
 
 

Alden Schacher

Director, Government Affairs

The Dun & Bradstreet Corporation