Ambassador David L. Aaron
Electronic Commerce Task Force
U.S. Department of Commerce, Room 2009
14th and Constitution Ave., NW
Washington DC 20230
VIA E-MAIL: Ecommerce@ita.doc.gov
Dun & Bradstreet Comments
RE: March 17, Draft International Safe Harbor Privacy Principles
Dear Ambassador Aaron:
On behalf of Dun & Bradstreet (D&B), I
respectfully submit for your review the following comments regarding the
March 17, Draft International Safe Harbor Privacy Principles. Dun &
Bradstreet has submitted comments and has participated extensively in the
Safe Harbor discussions since the inception of those discussions. Therefore,
we are commenting only on those sections of the principles, FAQ's and procedural
documents that are newly submitted since the last draft.
General Comments
We congratulate and commend the Department of
Commerce, specifically Ambassador Aaron and Barbara Wellbery, and the European
Commission for their untiring work in achieving this tentative Safe Harbor
agreement. It is a critical step in assuring that the flow of data between
companies in the European Member States and the United States remains uninterrupted
and that many important societal functions that result from those flows
are unencumbered. Overall, Dun & Bradstreet is very supportive of the
agreement and the principles it establishes. Specifically, we are pleased
that the agreement recognizes the unique ways - both legal and self-regulatory
- that the United States provides data protection while still respecting
the European Union's regulatory framework. Our comments are limited, therefore,
to areas where we believe the principles and the other supporting documents
could be enhanced or clarified.
Specific Comments
One primary concern D&B has is that no documentation
has yet been provided describing the specific steps and procedures that
must be taken in an escalation of a complaint from an European data subject.
While the text of the Article 25.6 decision and the draft letter of submittal
from European Commission to the Department of Commerce both explain how
and when transfers of data can be blocked under extraordinary circumstances,
there is no documentation available suggesting the steps that must be taken
when an ordinary complaint is raised. FAQ's #11 and 5 do outline the procedures
that self-regulatory enforcement bodies and the panel of data protection
authorities should use to handle complaints. However, the procedures and
protections for escalating these complaints through the Commission and
the Department of Commerce are not described. It is important for the European
Commission to acknowledge this process as part of the Article 25.6 decision
or at the least in its transmittal letter.
D&B also has specific questions regarding
the new FAQ #5 that describes the role of the data protection authorities
as an enforcement option under the safe harbor. First and foremost, D&B
is extremely pleased that the Commission and the Department of Commerce
have been able to reach agreement on this enforcement option. As we have
explained before, without this enforcement option D&B and many other
US companies would not be able to participate in the safe harbor. This
is because our online business -- which qualifies for the self-regulatory
enforcement option -- is a small part of our business and we are not subject
to the authority of other existing US regulatory bodies. However, we would
like to receive clarification on some of the points in FAQ #5.
In agreeing to comply with the Data Protection
Authorities (DPA's), US companies must agree to comply with any advice
given by the DPA's including compensatory measures. D&B would like
to see this enforcement option be more in line with that of the US self-regulatory
bodies that do not assess compensatory damages. However, at the very least,
we believe that the DPA's should provide some guidance on how a decision
to award compensatory damages will be assessed and some guidelines for
the amount of damages that might be awarded. The FAQ goes on to state that
the advice may include "any remedies for the individuals concerned that
the DPA's consider appropriate." Again, more detail on appropriate remedies
should be described in procedures provided by the DPA's. We suggest that
remedies, including damages, should be no more stringent than those imposed
on European companies operating within Europe.
Thank you for your consideration of Dun &
Bradstreet's comments and for your unrelenting work to reach agreement
with the European Commission on the safe harbor proposal. Should you have
any questions regarding these comments, please feel free to contact me
at (202-463-2159).
Sincerely yours,
Alden Schacher
Director, Government Affairs
The Dun & Bradstreet Corporation