November 19, 1998
Mr. Eric Fredell
Task Force on Electronic Commerce
International Trade Administration
Department of Commerce
14th and Constitution Avenue, NW
Washington, DC 20230
Re: Comments on International Safe Harbor Privacy Principles
Dear Eric:
The Investment Company Institute1 appreciates the opportunity to provide comments on the Commerce Department’s international safe harbor privacy principles. We welcome the principles as an important step towards gaining certainty over the enforcement of the European Union’s Data Privacy Directive.
This comment letter is directed to one aspect of the proposed safe harbor of particular importance to the US investment company industry. 2 The third paragraph of the draft states that "an organization qualifies for the safe harbor if it is subject to a statutory, regulatory, administrative, or other body of law that effectively protects personal information privacy." We interpret this sentence to mean that financial services companies that are subject to regulations and enforcement by self-regulatory organizations with respect to the protection of customer privacy will qualify for the safe harbor. We further understand that such will be the case even if those regulations do not embody all of the specific elements contained in the principles, so long as they still "effectively protect" the privacy of personal information. This approach, which the Institute supports, fosters the Clinton Administration’s goal of avoiding "one size fits all" regulation of privacy in the US by appropriately allowing an industry’s traditional regulator to take the lead in addressing privacy issues for that industry.
In the US, investment companies and their investment advisers and underwriters are subject to a stringent system of regulation administered by the Securities and Exchange Commission (SEC) under the various federal securities laws. In addition, the sales activities of investment company underwriters and their agents are regulated by the National Association of Securities Dealers (NASD). The NASD has proposed a rule specifically dealing with the confidentiality of customer data used for marketing purposes.3 The proposed rule would impose restrictions on the ability of NASD members to share customers’ financial information with other entities. We understand that the NASD intends to move forward with its rulemaking later this year, taking into account the comments the proposal received.
The Institute supports rulemaking by the NASD as the appropriate means to deal with privacy issues involving investment companies.4 Such rulemaking can advance the common public policy goal of protecting personal privacy while tailoring investment company privacy regulations to take into account certain unique features in the way investment companies operate and the nature of their relationships with shareholders. 5 It is possible, for example, that the NASD may determine to require disclosure rather than an opt-out procedure for certain types of information-sharing within an investment company complex in recognition of the fact that investors who purchase shares of a mutual fund, in effect, often are entering into a relationship with the entire fund family. As a result, a rigid opt-out requirement, with all its attendant costs, would neither be necessary nor appropriate in these circumstances. Should the NASD concur with this view, firms in compliance with NASD rules nevertheless should be able to avail themselves of the safe harbor.
Accordingly, the Institute and its members strongly urge that any safe harbor established with respect to the EU Directive allow an organization to qualify for the safe harbor on the basis of requirements established by its regulator with respect to the protection of personal information privacy for that industry. This should be the case even if the requirements do not precisely mirror each of the seven specific elements contained in the principles.
Sincerely,
Mary S. Podesta
Senior Counsel
ENDNOTES
1 Investment Company Institute is the national association of the American investment company industry. Its membership includes 7,335 open-end investment companies ("mutual funds"), 451 closed-end investment companies, and 9 sponsors of unit investment trusts. Its mutual fund members have assets of about $4.837 trillion, accounting for approximately 95% of total industry assets, and have over 62 million individual shareholders.
2 The Institute is a member of the Coalition of Service Industries. CSI has filed comments on the proposed international safe harbor that generally reflect the Institute’s views with respect to the proposed wording of the privacy principles. In addition to its general support for CSI’s comments, the Institute would like to reiterate CSI’s comment with respect to the principles of choice and onward transfer. Specifically, the parentheticals in those two principles limit their application to uses of information unrelated to the use(s) for which the information was initially disclosed. These parentheticals must be interpreted broadly. For example, a broker that collects information in order to enter into a brokerage relationship with a customer should be able to use that information to offer the customer the full range of products and services that might be suitable for that customer. In our view, using the information in that manner would be related to the brokerage relationship—the use for which the information was originally disclosed.
3 Proposed Rule 3121, NASDR Notice to Members 97-12 (March 1997).
4 In a letter dated May 5, 1998, the Institute urged the NASD to consider adopting a rule governing customer confidential financial information that appropriately addresses the Institute’s concerns with the NASD’s earlier proposal.
5 For example, unlike most other types of companies, investment companies are externally managed. They do not have their own employees and their operations are conducted by various affiliated organizations. Information flows among these organizations—the fund, investment adviser, principal underwriter, custodian, administrator, and transfer agent, among others—during the normal course of investment company operations. Some of these flows may implicate privacy concerns that should be addressed; others clearly do not.