[Congressional Record Volume 145, Number 158 (Wednesday, November 10, 1999)]
[Senate]
[Pages S14547-S14551]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. SHELBY (for himself and Mr. Bryan):
  S. 1903. A bill to amend the privacy provisions of the Gramm-Leach-
Bliley Act; to the Committee on Banking, Housing, and Urban Affairs.


               consumer's right to financial privacy act

  Mr. SHELBY. Mr. President, I rise today to offer the ``Consumer's 
Right to Financial Privacy Act'' for myself and Senator Bryan. This 
bill would address the significant deficiencies in the Financial 
Services Modernization Act passed by this very body last week.

  Our bill would provide that consumers have (1) notice of the 
categories of nonpublic personal information that institutions collect, as well as 
the practices and policies of that institution with respect to 
disclosing nonpublic information; (2) access to the nonpublic personal 
information collected and shared; (3) affirmative consent, that is, that 
the financial institution must receive the affirmative consent of the 
consumer, also referred to as an opt-in, in order to share such 
information with third parties and affiliates. Lastly, my provision 
would require that this federal law not preempt stronger state privacy 
laws. This bill is drafted largely after the amendment Senator Bryan 
and I offered in the Conference on Financial Services Modernization, 
but failed to get adopted due to the Conference's rush to pass a 
financial modernization bill, no matter what the cost.
  I know some think that opt-in is extreme, but I have to tell you that 
is what the American people want. Over the past year I have learned a 
great deal about the activities of institutions sharing sensitive 
personal information. Many may not be aware, but it had become a common 
practice for state departments of motor vehicles to sell driver's 
license information, including name, height, weight, social security 
number, vehicle identification number, motor vehicle record and more. 
Some states even sold the digital photo image of each driver's license.
  I was not aware of this practice going on. When I learned about it 
and studied it a little closer, I found several groups who were 
outraged by this practice. One such group was Eagle Forum. Another such 
group was the ACLU. Still another group was the Free Congress 
Foundation. Before I knew it, there was an ad hoc coalition of groups 
not only supporting the issue of driver's license privacy, but 
demanding it.
  Thanks to the hard work of these groups, I was able to include an 
opt-in provision for people applying for driver's licenses at their 
state department of motor vehicles. That provision sailed through the 
Senate and then the House. That bill was signed into law by President 
Clinton. Despite significant lobbying by the direct marketing industry, 
not one member of the House or Senate took to the floor and said, ``I 
believe we should not allow consumers to choose whether or not their 
driver's license information, including their picture, should be sold or 
traded away like an old suit.'' No, no one objected to the opt-in. As a 
result, I believe very strongly that Congress has already set the bar 
on this issue. Opt-in is not just reasonable, it is the right thing to 
do.

  Meanwhile, the ad hoc coalition, which is continuing to grow and 
includes every ideology from conservative to liberal, has signed on to 
four basic principles with regard to financial privacy. The principles 
include notice, access and consent, but also a requirement that weak 
federal laws not preempt stronger state laws. Our amendment 
incorporates those four basic principles.
  Now my basic question is this, why would anyone oppose this bill? 
Only if you believe the financial services industry cannot make money 
by doing business above the table and on the level for everyone to see 
in the ``sunshine'' if you will. If you believe that financial 
institutions make money only by deceiving their customers or leaving 
those customers in the dark, then maybe you should oppose this bill. I 
do not subscribe to such a belief.
  Industry will tell you that if they are required to include an opt-
in, consumers will not, and therefore business will shut down. What 
does that tell you that consumers won't choose to opt-in? It means 
people don't want their information shared. If that is such a problem, 
it seems to me the business would spend more time educating the 
consumer as to the benefits of information sharing. That is where the 
burden to convince the consumer to buy the product should be--on the 
business.
  During the financial modernization debate, the financial industry, 
along with Citigroup communicated to Congress that they would not be 
able to operate or function appropriately with an opt-in requirement. I 
find that very difficult to comprehend, seeing as Citibank signed an 
agreement with their German affiliates in 1995 affording German 
citizens the opportunity to tell Citibank ``no,'' they did not want 
their personal data shared with third parties. I have a copy of the 
contract to prove it.
  Entitled, Agreement on ``Interterritorial Data Protection,'' one can 
see this is an agreement on the sharing of customer information between 
Citibank (South Dakota), referred to in the document as CNA, and its 
German affiliates. On page two, paragraph 4, entitled ``Use of 
Subcontractors, Transmission of Data to Third Parties,'' number 2 reads:

       For marketing purposes, the transfer of personal data to 
     third parties provided by the Card Service Companies (that is 
     Citicorp of Germany and Citicorp Card Operations of Germany) 
     is prohibited, except in those cases where such personal data 
     is transferred to affiliated companies engaged in banking 
     business in order to market financial services; the transfer 
     of such data beyond the aforementioned scope to third 
     parties, shall require the Card Service Companies' express 
     approval. Such approval is limited to the scope of the Card 
     Customers' consent as obtained on the application form.

  That, ladies and gentlemen, is an opt-in to operate in Germany, by 
none other than Citigroup, the number one proponent of financial 
modernization. Now if they can offer financial privacy to individuals 
in Germany, why on God's green earth can't they agree to an opt-in here 
in America? Do Germans have special rights over Americans? I should 
hope not.
  Mr. President, simply put, this bill is what Americans want. This 
bill is workable as proven in the Citicorp agreement. The truth is that 
the American people do not understand the intricacies of banking law or 
securities regulation. They probably do not know or care much about 
affiliates or operating subsidiaries. What I do know is that if you 
walked outside and polled people from New York City to Los Angeles, CA, 
and everywhere in between, they would not only understand financial 
privacy, 90 percent of them would demand financial privacy and the 
ability to tell an institution ``no.''
  Mr. President, in passing the financial modernization bill, Congress 
gave mammoth financial services companies significant expanded powers 
and unprecedented ability to collect, share, buy and sell a consumer's 
nonpublic personal financial information. During the debate, many 
members promised they would address privacy, but only in a separate 
bill at a later time. Well, Mr. President, the time is now and the bill 
is the ``Consumer's Right to Financial Privacy Act.''
  The financial industry may have won the battle by keeping stronger 
financial privacy provisions out of the financial modernization bill. 
But I assure you they have not won the war. They cannot win the war on 
financial privacy because the American people just won't allow it.
  Mr. President, I ask unanimous consent that the agreement on 
``International Data Protection'' be printed in the Record.
  There being no objection, the material was ordered to be printed in 
the Record, as follows:

             Agreement on Interterritorial Data Protection


                             by and between

     1. Citicorp Kartenservice GmbH, Wilhelm-Leuschner-Str. 32, 
           60329 Frankfurt/M, Germany (CKS)
     2. Citicorp Card Operations GmbH, Bentheimer Straße 
           118, 48529 Nordhorn, Germany (CCO)

       (CKS and CCO hereinafter collectively referred to as: Card 
     Service Companies)

     3. Citibank (South Dakota), N.A., Attn.: Office of the 
           President, 701 E. 60th Street North, Sioux Falls, South 
           Dakota 57117 (CNA)
     4. Citibank Privatkunden AG, Kasernenstraße 10, 40213 
           Düsseldorf, Germany (CIP)


                                recital

       1. CIP has unrestricted authority to engage in banking 
     transactions. As a license of VISA International, CIP issues 
     the ``Citibank Visa Card''. Additionally, since July 1st, 1995, 
     CIP has been cooperating with the Deutsche Bahn AG in issuing 
     the ``DB/Citibank BahnCard'' with a cash-free payment 
     function--hereinafter referred to as ``DB/Citibank-
     BahnCard''--on the basis of a Co-Branding Agreement concluded 
     between Deutsche Bahn AG and CIP on November 18th, 1994. 
     After the conclusion of the Agreement, the co-branding 
     business was extended to include the issuance of the DB/
     Citibank BahnCard without a cash-free payment function, known 
     as BahnCard ``pure''.
       2. CIP transferred to CKS the operations of the Citibank 
     Visa credit card business, including accounting and 
     electronic data processing, on the basis of the terms of a 
     Service Agreement (non-gratuitous contract for services) 
     dated March 24, 1998, supplemented as of June 1, 1989 and 
     November 30, 1989. Details are contained in the ``CKS Service 
     Agreement'', according to which CKS performs for CIP all 
     services pertaining to the Citibank Visa card business. 
     Concurrent with the application for a Citibank Visa Card, the 
     Citibank Visa Card customers agree to the transfer of their 
     personal data to CKS and to those companies entrusted by CKS 
     with such data processing.
       3. In the Co-Branding Agreement with the Deutsche Bahn AG 
     dated November 18, 1994, CIP assumed responsibility for the 
     issuance of the DB/Citibank BahnCard as well as for the 
     entire management and operations associated with this 
     business.
       4. On the basis of a Service Agreement dated April 1, 1995, 
     CIP transferred the entire operations of the DB/Citibank-
     BahnCard business, including data processing and accounting, 
     to the Card Service Companies. Details are contained in the 
     ``BahnCard Service Agreement''. Concurrent with the 
     application for issuing a DB/Citibank BahnCard, the BahnCard 
     customers agree to the transfer of their personal data to CCO 
     and to those companies entrusted by CCO with such data 
     processing.
       5. Due to reasons of efficiency, service and 
     centralization, the Card Service Companies have entrusted CNA 
     with the processing of the Citibank Visa card business and of 
     the DB/Citibank BahnCard business as of July 1, 1995. In 
     light of such considerations, the Card Service Companies--as 
     principals--and CNA--as contractors--concluded the ``CNA 
     Service Agreement'', to which CIP expressly consented.
       6. The performance of the CNA Service Agreement requires 
     the Card Service Companies to transfer the personal data of 
     the Citibank Visa card customers and the DB/Citibank BahnCard 
     customers--hereinafter collectively referred to as ``Card 
     Customers''--to CNA and further requires CNA to process and 
     use these data.
       In order to protect the Card Customers' rights with respect 
     to both the data protection law, as well as the banking 
     secrecy, and in order to comply with the banking supervisory 
     and data protection requirements,
       The contractual parties agree and covenant as follows:


                        Sec. 1  Basic Principles

       The parties hereto undertake to safeguard the Card 
     Customers' right to protection against unauthorized capture, 
     storage and use of their personal data and their right to 
     informational self-determination. The scope of such 
     protection shall be governed by the standards as laid down in 
     the German Federal Data Protection Law 
     (Bundesdatenschutzgesetz, abbreviated to ``BDSG''). The 
     parties hereto additionally agree to comply with the banking 
     secrecy regulations.


            Sec. 2  Instructions of the Card Service Companies

       1. CNA shall process the data provided by the Card Service 
     Companies solely in accordance with the Card Service 
     Companies' instructions and rules, and the provisions 
     contained in this Agreement. CNA undertakes to process and 
     use the data only for the purpose for which the data have 
     been provided by the Card Service Companies to CNA, said 
     purposes including those as described in the CNA Service 
     Agreement. The use of such data for purposes other than 
     described above requires the Card Service Companies' express 
     written consent.
       2. At any time, the Card Service Companies may make 
     inquiries to CNA about the personal data transferred by the 
     Card Service Companies and stored at CNA, and the Card 
     Service Companies may require CNA to perform corrections, 
     deletions or blockings of such personal data transferred by 
     the Card Service Companies to CNA.


         Sec. 3  Inspection Rights of the Card Service Companies

       At regular intervals, a (joint) agent appointed by the 
     Card Service Companies shall verify whether CNA complies with 
     the terms and conditions of this Agreement, and in particular 
     with the data protection law as well as the banking secrecy 
     regulations. CNA shall grant the Card Service Companies' 
     agent supervised unimpeded access to the extent necessary to 
     accomplish the inspection and review of all data processing 
     facilities, data files and other documentation needed for 
     processing and utilizing the personal data transferred by the 
     Card Service Companies in a fashion which is consistent with 
     the CNA Operational Policies. CNA shall provide the agent 
     with all such information as deemed necessary to perform this 
     inspection function.


  Sec. 4  Use of Subcontractors, Transmission of Data to Third Parties

       1. CNA may not appoint non-affiliated third parties, in 
     particular subcontractors, to perform and fulfill CNA's 
     commitments and obligations under this Agreement.
       2. For marketing purposes, the transfer of personal data to 
     third parties provided by the Card Service Companies is 
     prohibited, except in those cases where such personal data is 
     transferred to affiliated companies engaged in the banking 
     business in order to market financial services; the transfer 
     of such data beyond the aforementioned scope to third parties 
     shall require the Card Service Companies' express approval. 
     Such approval is limited to the scope of the Card Customers' 
     consent as obtained on the application form. The personal 
     data of customers having obtained a BahnCard ``pure'' may 
     only be used or transferred for BahnCard marketing purposes.
       CNA and the Card Service Companies undertake to institute 
     and maintain the following data protection measures:
     1. Access control of persons
       CNA shall implement suitable measures in order to prevent 
     unauthorized persons from gaining access to the data 
     processing equipment where the data transferred by the Card 
     Service Companies are processed.
       This shall be accomplished by:
       a. Establishing security areas;
       b. Protection and restriction of access paths;
       c. Securing the decentralized data processing equipment and 
     personal computers;
       d. Establishing access authorizations for employees and 
     third parties, including the respective documentation;
       e. Identification of the persons having access authority;
       f. Regulations on key-codes;
       g. Restriction on keys;
       h. Code card passes;
       i. Visitors books;
       j. Time recording equipment;
       k. Security alarm system or other appropriate security 
     measures.
     2. Data media control
       CNA undertakes to implement suitable measures to prevent the 
     unauthorized reading, copying, alteration or removal of the 
     data media used by CNA and containing personal data of the 
     Card Customers.
       This shall be accomplished by:
       a. Designating the areas in which data media may/must be 
     located;
       b. Designating the persons in such areas who are authorized 
     to remove data media;
       c. Controlling the removal of data media;
       d. Securing the areas in which data media are located;
       e. Release of data media to only authorized persons;
       f. Control of files, controlled and documented destruction 
     of data media;
       g. Policies controlling the production of back-up copies.
     3. Data memory control
       CNA undertakes to implement suitable measures to prevent 
     unauthorized input into the data memory and the unauthorized 
     reading, alteration or deletion of the stored data on Card 
     Customers.
       This shall be accomplished by:
       a. An authorization policy for the input of data into 
     memory, as well as for the reading, alteration and deletion 
     of stored data;
       b. Authentication of the authorized personnel;
       c. Protective measures for the data input into memory, as 
     well as for the reading, alteration and deletion of stored 
     data;
       d. Utilization of user codes (passwords);
       e. Use of encryption for critical security files;
       f. Specific access rules for procedures, control cards, 
     process control methods, program cataloging authorization;
       g. Guidelines for data file organization;
       h. Keeping records of data file use;
       i. Separation of production and test environment for 
     libraries and data files;
       j. Providing that entries to data processing facilities 
     (the rooms housing the computer hardware and related 
     equipment) are capable of being locked;
       k. Automatic log-off of user ID's that have not been used 
     for a substantial period of time.
     4. User control
       CNA shall implement suitable measures to prevent its data 
     processing systems from being used by unauthorized persons by 
     means of data transmission equipment.
       This shall be accomplished by:
       a. Identification of the terminal and/or the terminal user 
     to the DP system;
       b. Automatic turn-off of the user ID when several erroneous 
     passwords are entered, log file of events, (monitoring of 
     break-in-attempts);
       c. Issuing and safeguarding of identification codes;
       d. Dedication of individual terminals and/or terminal 
     users, identification characteristics exclusive to specific 
     functions;
       e. Evaluation of records.
     5. Personnel control
       Upon request, CNA shall provide the Card Service Companies 
     with a list of the CNA employees entrusted with processing 
     the personal data transferred by the Card Service Companies, 
     together with a description of their access rights.
     6. Access control to data
       CNA commits that the persons entitled to use CNA's data 
     processing system are only able to access the data within the 
     scope and to the extent covered by their respective access 
     permission (authorization).
       This shall be accomplished by:
       a. Allocation of individual terminals and/or terminal user, 
     and identification characteristics exclusive to specific 
     functions;
       b. Functional and/or time-restricted use of terminals and/
     or terminal users, and identification characteristics;
       c. Persons with function authorization codes (direct 
     access, batch processing) access to work areas;
       d. Electronic verification of authorization;
       e. Evaluation of records.
     7. Transmission control
       CNA shall be obligated to enable the verification and 
     tracing of the locations/destinations to which the Card 
     Customers' data are transferred by utilization of CNA's data 
     communication equipment/devices.
       This shall be accomplished by:
       a. Documentation of the retrieval and transmission 
     programs;
       b. Documentation of the remote locations/destinations to 
     which a transmission paths (logical paths).
     8. Input control
       CNA shall provide for the retrospective ability to review 
     and determine the time and the point of the Card Customers' 
     data entry into CNA's data processing system.
       This shall be accomplished by:
       a. Proof established within CNA's organization of the input 
     authorization;
       b. Electronic recording of entries.
     9. Instructional control
       The Card Customers' data transferred by the Card Service 
     Companies to CNA may only be processed in accordance with 
     instructions of the Card Service Companies.
       This shall be accomplished by:
       a. Binding policies and procedures for CNA employees, 
     subject to the Card Service Companies' prior approval of such 
     procedures and policies,
       b. Upon request, access will be granted to those Card 
     Service Companies' employees and agents who are responsible 
     for monitoring CNA's compliance with this Agreement (cf. 
     Sec. 3 hereof).
     10. Transport control
       CNA and the Card Service Companies shall implement suitable 
     measures to prevent the Card Customers' personal data from 
     being read, copied, altered or deleted by unauthorized 
     parties during the transmission thereof or during the 
     transport of the data media.
       This shall be accomplished by:
       a. Encryption of the data for on-line transmission, or 
     transport by means of data carriers, (tapes and cartridges);
       b. Monitoring of the completeness and correctness of the 
     transfer of data (end-to-end check).
     11. Organization control
       CNA shall maintain its internal organization in a manner 
     that meets the requirements of this Agreement.
       This shall be accomplished by:
       a. Internal CNA policies and procedures, guidelines, work 
     instructions, process descriptions, and regulations for 
     programming, testing, and release, insofar as they relate to 
     data transferred by Card Service Companies;
       b. Formulation of a data security concept whose content has 
     been reconciled with the Card Service Companies;
       c. Industry standard system and program examination;
       d. Formulation of an emergency plan (back-up contingency 
     plan).


                   Sec. 6  Data Protection Supervisor

       1. CNA undertakes to appoint a Data Protection Supervisor 
     and to notify the Card Service Companies of the appointee(s). 
     CNA shall only select an employee with adequate expertise and 
     reliability necessary to perform such a duty, and provide the 
     Card Service Companies with appropriate evidence thereof.
       2. The Data Protection Supervisor shall be directly 
     subordinate/accountable to CNA's General Management. He shall 
     not be bound by instructions which obstruct or hinder the 
     performance of his duty in the field of data protection. He 
     shall cooperate with the Card Service Companies' agent--as 
     indicated in Sec. 3 hereof--in monitoring the performance of 
     this Agreement and adhering to the data protection 
     requirements in conjunction with the data in question. In the 
     event that CNA chooses to change the person who serves as a 
     Data Protection Supervisor, CNA shall give timely notice to 
     the Card Service Companies of such change. The Data 
     Protection Supervisor shall be bound by confidentiality 
     obligations.
       3. The Data Protection Supervisor shall be available as the 
     on-site contact for the Card Service Companies.


                   Sec. 7  Confidentiality Obligation

       CNA shall impose a confidentiality obligation on those 
     employees entrusted with processing the personal data 
     transferred by the Card Service Companies. CNA shall 
     furthermore obligate its employees to adhere to the banking 
     and data secrecy regulations and document such employees' 
     obligation in writing. Upon request, CNA shall provide the 
     Card Service Companies with satisfactory evidence of 
     compliance with this provision.


                  Sec. 8  Rights of Concerned Persons

       1. At any time, Card Customers whose data are transferred 
     by CIP to the Card Service Companies, and thereafter further 
     transferred by the Card Service Companies to CNA, shall be 
     entitled to make inquiries to CNA (who are required to 
     respond) as to: the stored personal data, including the 
     origin and the recipient of the data; the purpose of storage; 
     and the persons and locations/destinations to which such data 
     are transferred on a regular basis.
       The requested information shall generally be provided in 
     writing.
       2. The Card Service Companies shall honour the concerned 
     person's request to correct his personal data at any time, 
     provided that the stored data are incorrect. The same shall 
     apply to data stored at CNA.
       3. The concerned person may claim from the responsible Card 
     Service Companies the deletion or blocking of any data stored 
     at the Card Service Companies or CNA, in the event that: such 
     storage is prohibited by law; the data in question relate to 
     information about health, criminal actions, violations of the 
     public order, or religious or political opinions, and its 
     truth/correctness cannot be proved by the Card Service 
     Companies; and such data are processed to serve Card Service 
     Companies' own purposes, and such data are no longer 
     necessary to serve the purpose of the data storage under the 
     agreement with the respective Card Customers.
       Notwithstanding the foregoing, the parties hereto submit to 
     the provisions of Sec. 35 of the German Federal Data 
     Protection Law (BDSG), and agree to be familiar with such 
     provisions.
       4. The concerned person may demand that the responsible 
     Card Service Companies block his or her personal data, if he 
     or she contests the correct nature thereof and if it is not 
     possible to determine whether such data is correct or 
     incorrect. This shall also apply to such data stored by CNA.
       5. If CIP, the Card Service Companies or CNA should violate 
     the data protection or banking secrecy regulations, the 
     person concerned shall be entitled to claim damages caused 
     and incurred thereby as provided in the German Federal Data 
     Protection Law (BDSG). CIP's and the Card Service Companies' 
     liability shall moreover extend to those claims arising from 
     breach of this Agreement and asserted against CNA and/or its 
     employees in performance of this Agreement.
       6. CNA acknowledges the obligation assumed by CIP and the 
     Card Service Companies towards the concerned person, and 
     undertakes to comply with all Card Service Companies' 
     instructions concerning such person. The concerned person may 
     also directly assert claims against CNA and file an action at 
     CNA's applicable place of jurisdiction.


              Sec. 9  Notification to the Concerned Person

       The Card Service Companies undertake to appropriately 
     notify the concerned Card Customers of the transfer of their 
     data to CNA.


                  Sec. 10  Data Protection Supervision

       1. According to the German Federal Data Protection Law 
     (BDSG), the Card Service Companies and CIP are subject to 
     public control exercised by the respective responsible 
     supervisory authorities.
       2. Upon request of CIP or either of the Card Service 
     Companies, CNA shall provide the respective supervisory 
     authorities with the desired information and grant them the 
     opportunity of auditing to the same extent as they would be 
     entitled to conduct audits at the Card Service Companies and 
     CIP; this includes the entitlement to inspections at CNA's 
     premises by the supervisory authorities or their nominated 
     agents, unless barred by binding instructions of the 
     appropriate U.S. authorities.


                      Sec. 11  Banking Supervision

       1. Any vouchers, commercial books of accounting, and work 
     instructions needed for the comprehension of such documents, 
     as well as other organizational documents shall physically 
     remain at the Card Service Companies, unless electronically 
     archived by scanning devices in a legally permissible 
     fashion.
       2. The Card Service Companies and CNA undertake to adhere 
     to the principles of proper accounting practice applicable in 
     Germany for computer-aided processes and the auditing 
     thereof, in particular FAMA 1/1987.
       3. The Card Service Companies undertake to submit a data 
     processing concept and a data security concept to the German 
     Federal Authority for the Supervision of Banks 
     (Bundesaufsichtsamt für das Kreditwesen) prior to commencing 
     transfer of data to CNA.
       4. The remote processing of the data shall be subject to 
     the internal audit department of CIP and the Card Service 
     Companies. CNA agrees to cooperate with the internal auditors 
     of CIP and the Card Service Companies, who shall have the 
     right to inspect the files of CNA's internal auditors, 
     insofar as they relate to the data files transferred by the 
     Card Service Companies to CNA. The internal auditors of the 
     Card Service Companies and of CIP shall conduct audits of CNA 
     as required by due diligence.
       5. In a joint declaration to the Federal Banking 
     Supervisory Authority, CIP, the Card Service Companies and 
     CNA shall undertake to allow the inclusion of CNA in audits 
     in accordance with the provisions of Sec. 44 of the Banking 
     Law (Kreditwesengesetz abbreviated to KWG) at any time and 
     not to impede or obstruct such audits, provided that legal 
     requirements and/or instructions of U.S. authorities bind CNA 
     to the contrary.
       6. CNA shall request the US banking supervisory 
     authorities' confirmation in writing to the effect that no 
     objections will be raised against the intended remote data 
     processing concept. In the event that CNA cannot procure such 
     written confirmation upon the Card Service Companies' 
     request, the Card Service Companies and CIP may withdraw from 
     this Agreement and the underlying CNA Service Agreement.
       7. CIP, the Card Service Companies and CNA undertake to 
     abide by the requirements for interterritorial remote data 
     processing in bank accounting as set forth in the letter of 
     the Federal Authority for the Supervision of Banks dated 
     October 16, 1992. This letter is appended as a Schedule 
     hereto and forms an integral part of this Agreement.


                     Sec. 12  Indemnification Claim

       1. CNA shall indemnify the Card Service Companies within 
     the scope of their internal and contractual relationship from 
     any claims of damages asserted by the Card Customers, and 
     resulting from CNA's non-compliance with the terms and 
     conditions of this Agreement.
       2. The Card Service Companies shall indemnify CNA within 
     the scope of their internal and contractual relationship from 
     any claims of damages asserted by the Card Customer, and 
     resulting from one or both of the

[[Page S14551]]

     Card Service Companies' non-compliance with the terms and 
     conditions of this Agreement.


                     Sec. 13  Term of the Agreement

       1. This Agreement is effective as of July 1st, 1995, until 
     terminated. It may be terminated by any party hereto at the 
     end of each calendar year upon 12 months notice prior to the 
     expiration date, subject to each party's right of termination 
     of the Agreement for material, unremedied breach hereof. The 
     termination of this Agreement by any one of the parties shall 
     result in the termination of the entire Agreement with 
     respect to the other parties.
       2. CNA commits to return and delete all personal data 
     stored at the time of termination hereof in accordance with 
     the Card Service Companies' instructions.


                        Sec. 14  Confidentiality

       The parties hereto commit to treat strictly confidential 
     any trade, business and operating secrets or other sensitive 
     information of the other parties involved. This obligation 
     shall survive termination of this Agreement.


    Sec. 15  Data Protection Agreement with Deutsche Bahn AG (DB AG)

       1. The Deutsche Bahn AG captures personal data at its 
     counters and appears as a joint issuer of the DB/Citibank 
     BahnCard. The parties hereto agree that the Deutsche Bahn AG 
     therefore bears responsibility for such data.
       2. The Deutsche Bahn AG and CIP concluded a Data Protection 
     Agreement as of February 13, 1996, defining the scope of data 
     protection obligations and commitments between the parties. 
     The parties hereto are familiar with said Data Protection 
     Agreement and acknowledge the obligations arising for CIP 
     thereunder.
       3. The parties hereto authorize CIP to provide DB AG with 
     written notification of this Agreement on Interterritorial 
     Data Protection.


                      Sec. 16  General Provisions

       1. This Agreement sets forth the entire understanding 
     between the parties hereto in conjunction with the subject 
     matter as laid down herein and none of the parties hereto has 
     entered into this Agreement in reliance upon any 
     representation, warranty or undertaking of any other party 
     which is not contained in this Agreement or incorporated by 
     reference herein. Any subsequent amendments to this Agreement 
     shall be in writing duly signed by authorized representatives 
     of the parties hereto.
       2. If one or more provisions of this Agreement becomes 
     invalid, or the Agreement is proven to be incomplete, the 
     validity and legality of the remaining provisions hereof 
     shall not be affected or impaired thereby. The parties hereto 
     agree to substitute the invalid part of this Agreement by 
     such a legally valid provision which constitutes the closest 
     representation of the parties' intention and the economical 
     purpose of the invalid term, and the parties hereto further 
     agree to be bound by such a valid term. An incompleteness of 
     this Agreement shall be bridged in a similar fashion.
       3. The Parties hereto submit to the jurisdiction and venue 
     of the courts of Frankfurt/M.
       4. This Agreement shall be governed by, interpreted and 
     construed in accordance with German law.

       What are the main features of the International Agreement?

       1. The parties on both sides of the Atlantic agree to apply 
     German Data Protection Law to their handling of 
     cardholders' data (Sec. 1).
       2. Customer data may only be processed in the United States 
     for the purpose of producing the cards (Sec. 2).
       3. Citibank in the United States and in Europe is not 
     allowed to transfer personal data to third parties for 
     marketing purposes except in two cases:
       (a) Data of applicants for a RailwayCard with payment 
     function may be transferred to other Citibank companies in 
     order to market financial services; (b) Data of applicants 
     for a pure RailwayCard may only be used or transferred for 
     BahnCard marketing purposes, i.e., to try to convince the 
     cardholder that he should upgrade his RailwayCard to have a 
     ``better BahnCard'' with credit card function (Sec. 4 II).
       4. The technical requirements on data security according to 
     German law are spelt out in detail in Sec. 5.
       5. The American Citibank subsidiary has to appoint data 
     protection supervisors again following the German legal 
     requirements (Sec. 6).
       6. The German card customers have all individual rights 
     against the American Citibank subsidiary which they have 
     under German law. They can ask for inspection, claim 
     deletion, correction or blocking of their data and they can 
     bring an action for compensation under the strict liability 
     rules of German law either against German Railway, the German 
     Citibank subsidiary or directly against the American Citibank 
     subsidiary (Sec. 8).
       7. The Citibank subsidiaries in the United States accept 
     on-site audits by the German data protection supervisory 
     authority, i.e., the Berlin Data Protection Commissioner, or 
     his nominated agents, e.g. an American consulting or auditing 
     firm acting on his behalf (Sec. 10 II).
       This very important provision contains a restriction in 
     case US authorities instruct Citibank in their country not to 
     allow foreign auditors in. However, this restriction is not 
     very likely to become practical. On the contrary, US 
     authorities have already declared by way of a diplomatic note 
     sent to the German side that they will accept these audits. 
     This follows an agreement between German and United States 
     banking supervisory authorities on auditing the trans-border 
     processing of accounting data (cf. Sec. 11). Indeed this 
     previous agreement very much facilitated the acceptance of 
     German data protection audits by Citibank in the United 
     States. As far as data security concepts are concerned the 
     Federal Banking Supervisory Authority and the Berlin Data 
     Protection Commissioner will be working hand in glove.
       8. Finally--and this is not reproduced in the version of 
     the Agreement which you have received--German Railway has 
     been linked to this agreement between Citibank subsidiaries 
     in a specific provision.
                                 ______