Institute Comments on EU Data Protection DirectiveWashington, DC, May 18, 1999 - The U.S. and the European Union have been engaged in ongoing negotiations over the terms of a safe harbor that would protect U.S. businesses from enforcement actions under the E.U. Data Protection Directive. On May 14, 1999, the Institute submitted a comment letter to the Department of Commerce on the draft documents that will comprise the safe harbor. These documents include the safe harbor privacy principles and nine sets of frequently asked questions (FAQs) that provide further explanation of those principles. The Institute's comments are summarized below. Specific privacy regulations adopted by securities regulators must be given appropriate deference. In its letter, the Institute argued that the Securities and Exchange Commission and the National Association of Securities Dealers understand the structure and organization of mutual fund organizations and, as a result, are in the best position to craft rules that would appropriately regulate the protection of individual privacy in the industry. Should one of these regulators promulgate a rule specifically relating to privacy, firms that are subject to and in compliance with it should qualify for the safe harbor, regardless of whether the rule precisely mirrors the safe harbor principles. The transition period must be long enough to allow U.S. firms to come into compliance with the safe harbor. The Institute commented that the transition period for compliance with the safe harbor must be long enough to allow regulators to act and companies to respond and must take into account the difficulties modifying systems during 1999 and 2000, particularly in light of the Y2K problem. We suggested that the transition period, at a minimum, should be eighteen months long. The principles of notice, choice, and onward transfer must allow for uses of information that are not incompatible with the relationship between an investment company and its shareholders. The Institute stressed that the principles of notice, choice, and onward transfer in the safe harbor must be interpreted to permit companies to efficiently provide customers with the service and the products that they have come to expect. The restrictions on choice and onward transfer should not hinder firms from using information to create benefits for shareholders, such as unified account statements. The FAQs should have the same force of law as the safe harbor principles. The Institute commented that the FAQs should be given significant weight relative to the safe harbor principles, similar to that between statutory provisions and regulations that expand upon them. Rights of access must be reasonable. The Institute strongly supported including explicit language in the safe harbor principle and the FAQ on access that a consumer's right of access to information about him or her should be tempered by reasonableness. The Institute also supported making clear that companies may deny access to the extent it would reveal confidential commercial information. The role of the Department of Commerce in the self-certification process should be limited to the maintenance of a list. The Institute strongly supported the concept that companies wishing to rely on the safe harbor can "self certify" their compliance with the safe harbor by notifying the Department of Commerce. However, the Institute's letter stated that the detailed reporting obligations outlined in the FAQ on self-certification are burdensome and unnecessary. The Institute argued that the Department of Commerce's role should be limited to maintaining a list of companies, and contact persons at those companies, that have self-certified their compliance with the safe harbor terms. The Department of Commerce and the European Commission intend to continue negotiations over the terms of the safe harbor, taking into account comments received by both sides, with the goal of announcing an agreement at the next EU-US summit in Germany on June 21, 1999.
|
