[Federal Register Volume 65, Number 142 (Monday, July 24, 2000)]
[Notices]
[Pages 45666-45686]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 00-18489]



[[Page 45665]]

-----------------------------------------------------------------------

Part III





Department of Commerce





-----------------------------------------------------------------------



International Trade Administration



-----------------------------------------------------------------------



Issuance of Safe Harbor Principles and Transmission to European 
Commission; Notice

  Federal Register / Vol. 65, No. 142 / Monday, July 24, 2000 / 
Notices  

[[Page 45666]]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

International Trade Administration


Issuance of Safe Harbor Principles and Transmission to European 
Commission

AGENCY: International Trade Administration, Department of Commerce.

ACTION: Notice of publication.

-----------------------------------------------------------------------

SUMMARY: The U.S. Department of Commerce, under its authority to 
foster, promote, and develop international commerce, is formally 
issuing the Safe Harbor Privacy Principles and transmitting them to the 
European Commission. Upon receipt of the Principles, the Commission is 
expected to issue an ``adequacy determination'' for the safe harbor 
arrangement. In addition to being published in the Federal Register, 
these documents can be found on the International Trade 
Administration's website (www.ita.doc.gov/ecom).

Background

    The Principles, which include a set of Frequently Asked Questions 
(FAQs) that supplement the Safe Harbor Privacy Principles, are intended 
to serve as authoritative guidance to U.S. companies and other 
organizations receiving personal data from the European Union. Upon 
receipt of the Principles, the Commission is expected to issue an 
``adequacy determination'' for the safe harbor arrangement. 
Organizations receiving personal data transfers from the EU and 
complying with the Principles will be considered to meet the 
``adequacy'' requirements of the European Union's Directive on Data 
Protection.

Further Information: Further information will be provided about the 
effective dates of operation of the safe harbor, after the European 
Commission has provided its ``adequacy determination.''

    Dated: July 19, 2000.
Rebecca J. Richards,
International Trade Specialist, International Trade Administration/
Trade Development.
July 17, 2000.

Mr. John Mogg, Director DG Internal Market, European Commission, 
Office C 107-6/72, Rue de la Loi, 200, 1049 Brussels, BELGIUM

Dear Mr. Mogg:
    I am pleased to provide you with several documents: 1) the 
``Safe Harbor Privacy Principles,'' issued by the U.S. Department of 
Commerce on July 21, 2000; 2) Frequently Asked Questions (FAQs) that 
supplement the Safe Harbor Principles; 3) an overview on how 
organizations' safe harbor commitments will be enforced in the 
United States; 4) a memorandum on damages available to individuals; 
5) the July 14, 2000 letter from the Federal Trade Commission; and 
6) the July 14, 2000 letter from the U.S. Department of 
Transportation.
    The Department is providing these documents under its authority 
to foster, promote, and develop international commerce. Both the 
Safe Harbor Principles and the FAQs (``the Principles'') are 
intended to serve as authoritative guidance to U.S. companies and 
other organizations receiving personal data from the European Union 
and wishing to establish a predictable basis for the continuation of 
such transfers. The enforcement overview and other supporting 
documents are intended to explain how U.S. enforcement mechanisms, 
based either on law and regulation or self-regulation, will satisfy 
the requirements of the Enforcement Principle and ensure that an 
organization's commitment to adhere to the Principles will be 
effectively enforced. The safe harbor documents of course need to be 
read against the U.S. legal system and its well known features, such 
as class actions and contingency fees, which allow consumers even 
with novel claims relatively ready and inexpensive access to the 
courts and damages where justified.
    Organizations can be assured of the benefits of the safe harbor 
by self-certifying that they adhere to the Principles. The 
Department of Commerce will arrange for a list to be maintained of 
all organizations that self-certify their adherence to the 
Principles. Both the list and the notifications submitted by 
organizations containing information with regard to their 
implementation of the Principles will be made publicly available as 
will any proper and final adverse determination made by a U.S. 
enforcement body and notified to the Department of Commerce (or its 
designee) that a safe harbor organization has persistently failed to 
comply with the Principles. Where in complying with the Principles, 
an organization relies in whole or in part on self-regulation, its 
failure to comply with such self-regulation must also be actionable 
under Section 5 of the Federal Trade Commission Act prohibiting 
unfair and deceptive acts or another law or regulation prohibiting 
such acts.
    On the basis of these documents, our expectation is that the 
European Commission will determine that this safe harbor framework 
provides adequate protection for the purposes of Article 25.1 of the 
Data Protection Directive and data transfers from the European Union 
would continue to organizations that participate in the safe harbor. 
As a result, adherence to the Principles on these terms will reduce 
the uncertainty about the impact of the ``adequacy'' standard on 
personal data transfers to such organizations from EU Member States.
    On the basis of our dialogue, we understand that the Commission 
and Member States will use the flexibility of Article 26 and any 
discretion regarding enforcement to avoid disrupting data flows to 
U.S. organizations during the implementation phase of the safe 
harbor and that the situation will be reviewed in mid 2001. This 
will give U.S. organizations an opportunity to decide whether to 
enter the safe harbor and (if necessary) to update their information 
practices. We will encourage U.S. organizations to enter the safe 
harbor as soon as possible to enhance privacy protection and because 
participation in the safe harbor provides greater certainty that 
data flows will continue without interruption.
    During the dialogue, you sought assurances that where the United 
States enacted privacy legislation providing greater privacy 
protection than the safe harbor, such protection should be applied 
to safe harbor data too, in cases where the law applied with respect 
to U.S. citizens only, but was silent on its applicability with 
respect to non-U.S. citizens. You noted that the EU Directive on 
Data Protection applies to all personal information processed in 
Europe, regardless of the individuals' citizenship or residency. I 
would like to confirm that we agree that privacy legislation should 
not apply differently on the basis of nationality, as provided for 
in paragraph 19(e) of the OECD guidelines and paragraph 70 of the 
explanatory memorandum and to assure you that if such legislation 
were proposed in Congress, we would work within the legislative 
process to avoid any such effects. We will also continue our 
efforts, in line with our general commitment to regulatory co-
operation in the context of the Transatlantic Economic Partnership, 
to keep you informed of legislative and other developments in the 
United States in the field of privacy protection of which we are 
aware, with particular attention to any such developments that may 
create allowable exceptions to the Principles. Of course, you can 
raise any concerns about these issues under the review arrangements 
provided for.
    Similarly, on a number of occasions I raised with you the 
concerns of U.S. industry about the possible effects of the safe 
harbor as regards jurisdiction and applicable law. I would like to 
confirm that it is the U.S. intention that participation in the safe 
harbor does not change the status quo ante for any organization with 
respect to jurisdiction, applicable law and liability in the 
European Union. Moreover, our discussions with respect to the safe 
harbor have not resolved nor prejudged the questions of jurisdiction 
or applicable law with respect to websites. All existing rules, 
principles, conventions and treaties relating to international 
conflicts of law continue to apply and are not prejudiced in any way 
by the safe harbor arrangement.
    Finally, the Department of Commerce will notify the Commission 
in advance of any proposed FAQs or revisions to existing ones.

Sincerely,

Robert S. LaRussa, Acting

Safe Harbor Privacy Principles Issued by the U.S. Department of 
Commerce on July 21, 2000

    The European Union's comprehensive privacy legislation, the 
Directive on Data Protection (the Directive), became effective on 
October 25, 1998. It requires that transfers of personal data take 
place

[[Page 45667]]

only to non-EU countries that provide an ``adequate'' level of privacy 
protection. While the United States and the European Union share the 
goal of enhancing privacy protection for their citizens, the United 
States takes a different approach to privacy from that taken by the 
European Union. The United States uses a sectoral approach that relies 
on a mix of legislation, regulation, and self regulation. Given those 
differences, many U.S. organizations have expressed uncertainty about 
the impact of the EU-required ``adequacy standard'' on personal data 
transfers from the European Union to the United States.
    To diminish this uncertainty and provide a more predictable 
framework for such data transfers, the Department of Commerce is 
issuing this document and Frequently Asked Questions (``the 
Principles'') under its statutory authority to foster, promote, and 
develop international commerce. The Principles were developed in 
consultation with industry and the general public to facilitate trade 
and commerce between the United States and European Union. They are 
intended for use solely by U.S. organizations receiving personal data 
from the European Union for the purpose of qualifying for the safe 
harbor and the presumption of ``adequacy'' it creates. Because the 
Principles were solely designed to serve this specific purpose, their 
adoption for other purposes may be inappropriate. The Principles cannot 
be used as a substitute for national provisions implementing the 
Directive that apply to the processing of personal data in the Member 
States.
    Decisions by organizations to qualify for the safe harbor are 
entirely voluntary, and organizations may qualify for the safe harbor 
in different ways. Organizations that decide to adhere to the 
Principles must comply with the Principles in order to obtain and 
retain the benefits of the safe harbor and publicly declare that they 
do so. For example, if an organization joins a self-regulatory privacy 
program that adheres to the Principles, it qualifies for the safe 
harbor. Organizations may also qualify by developing their own self-
regulatory privacy policies provided that they conform with the 
Principles. Where in complying with the Principles, an organization 
relies in whole or in part on self-regulation, its failure to comply 
with such self-regulation must also be actionable under Section 5 of 
the Federal Trade Commission Act prohibiting unfair and deceptive acts 
or another law or regulation prohibiting such acts. (See the annex for 
the list of U.S. statutory bodies recognized by the EU.) In addition, 
organizations subject to a statutory, regulatory, administrative or 
other body of law (or of rules) that effectively protects personal 
privacy may also qualify for safe harbor benefits. In all instances, 
safe harbor benefits are assured from the date on which each 
organization wishing to qualify for the safe harbor self-certifies to 
the Department of Commerce (or its designee) its adherence to the 
Principles in accordance with the guidance set forth in the Frequently 
Asked Question on Self-Certification.
    Adherence to these Principles may be limited: (a) To the extent 
necessary to meet national security, public interest, or law 
enforcement requirements; (b) by statute, government regulation, or 
case law that create conflicting obligations or explicit 
authorizations, provided that, in exercising any such authorization, an 
organization can demonstrate that its non-compliance with the 
Principles is limited to the extent necessary to meet the overriding 
legitimate interests furthered by such authorization; or (c) if the 
effect of the Directive or Member State law is to allow exceptions or 
derogations, provided such exceptions or derogations are applied in 
comparable contexts. Consistent with the goal of enhancing privacy 
protection, organizations should strive to implement these Principles 
fully and transparently, including indicating in their privacy policies 
where exceptions to the Principles permitted by (b) above will apply on 
a regular basis. For the same reason, where the option is allowable 
under the Principles and/or U.S. law, organizations are expected to opt 
for the higher protection law where possible.
    Organizations may wish for practical or other reasons to apply the 
Principles to all their data processing operations, but they are only 
obligated to apply them to data transferred after they enter the safe 
harbor. To qualify for the safe harbor, organizations are not obligated 
to apply these Principles to personal information in manually processed 
filing systems. Organizations wishing to benefit from the safe harbor 
for receiving information in manually processed filing systems from the 
EU must apply the Principles to any such information transferred after 
they enter the safe harbor. An organization that wishes to extend safe 
harbor benefits to human resources personal information transferred 
from the EU for use in the context of an employment relationship must 
indicate this when it self-certifies to the Department of Commerce (or 
its designee) and conform to the requirements set forth in the 
Frequently Asked Question on Self-Certification. Organizations will 
also be able to provide the safeguards necessary under Article 26 of 
the Directive if they include the Principles in written agreements with 
parties transferring data from the EU for the substantive privacy 
provisions, once the other provisions for such model contracts are 
authorized by the Commission and the Member States.
    U.S. law will apply to questions of interpretation and compliance 
with the Safe Harbor Principles (including the Frequently Asked 
Questions) and relevant privacy policies by safe harbor organizations, 
except where organizations have committed to cooperate with European 
Data Protection Authorities. Unless otherwise stated, all provisions of 
the Safe Harbor Principles and Frequently Asked Questions apply where 
they are relevant.
    Personal data'' and ``personal information'' are data about an 
identified or identifiable individual that are within the scope of the 
Directive, received by a U.S. organization from the European Union, and 
recorded in any form.
    Notice: An organization must inform individuals about the purposes 
for which it collects and uses information about them, how to contact 
the organization with any inquiries or complaints, the types of third 
parties to which it discloses the information, and the choices and 
means the organization offers individuals for limiting its use and 
disclosure. This notice must be provided in clear and conspicuous 
language when individuals are first asked to provide personal 
information to the organization or as soon thereafter as is 
practicable, but in any event before the organization uses such 
information for a purpose other than that for which it was originally 
collected or processed by the transferring organization or discloses it 
for the first time to a third party.\1\
---------------------------------------------------------------------------

    \1\ It is not necessary to provide notice or choice when 
disclosure is made to a third party that is acting as an agent to 
perform task(s) on behalf of and under the instructions of the 
organization. The Onward Transfer Principle, on the other hand, does 
apply to such disclosures.
---------------------------------------------------------------------------

    Choice: An organization must offer individuals the opportunity to 
choose (opt out) whether their personal information is (a) to be 
disclosed to a third party \1\ or (b) to be used for a purpose that is 
incompatible with the purpose(s) for which it was originally collected 
or subsequently authorized by the individual. Individuals must be 
provided with clear and conspicuous, readily available, and affordable 
mechanisms to exercise choice.

[[Page 45668]]

    For sensitive information (i.e. personal information specifying 
medical or health conditions, racial or ethnic origin, political 
opinions, religious or philosophical beliefs, trade union membership or 
information specifying the sex life of the individual), they must be 
given affirmative or explicit (opt in) choice if the information is to 
be disclosed to a third party or used for a purpose other than those 
for which it was originally collected or subsequently authorized by the 
individual through the exercise of opt in choice. In any case, an 
organization should treat as sensitive any information received from a 
third party where the third party treats and identifies it as 
sensitive.
    Onward Transfer: To disclose information to a third party, 
organizations must apply the Notice and Choice Principles. Where an 
organization wishes to transfer information to a third party that is 
acting as an agent, as described in the endnote, it may do so if it 
first either ascertains that the third party subscribes to the 
Principles or is subject to the Directive or another adequacy finding 
or enters into a written agreement with such third party requiring that 
the third party provide at least the same level of privacy protection 
as is required by the relevant Principles. If the organization complies 
with these requirements, it shall not be held responsible (unless the 
organization agrees otherwise) when a third party to which it transfers 
such information processes it in a way contrary to any restrictions or 
representations, unless the organization knew or should have known the 
third party would process it in such a contrary way and the 
organization has not taken reasonable steps to prevent or stop such 
processing.
    Security: Organizations creating, maintaining, using or 
disseminating personal information must take reasonable precautions to 
protect it from loss, misuse and unauthorized access, disclosure, 
alteration and destruction.
    Data Integrity: Consistent with the Principles, personal 
information must be relevant for the purposes for which it is to be 
used. An organization may not process personal information in a way 
that is incompatible with the purposes for which it has been collected 
or subsequently authorized by the individual. To the extent necessary 
for those purposes, an organization should take reasonable steps to 
ensure that data is reliable for its intended use, accurate, complete, 
and current.
    Access: Individuals must have access to personal information about 
them that an organization holds and be able to correct, amend, or 
delete that information where it is inaccurate, except where the burden 
or expense of providing access would be disproportionate to the risks 
to the individual's privacy in the case in question, or where the 
rights of persons other than the individual would be violated.
    Enforcement: Effective privacy protection must include mechanisms 
for assuring compliance with the Principles, recourse for individuals 
to whom the data relate affected by non-compliance with the Principles, 
and consequences for the organization when the Principles are not 
followed. At a minimum, such mechanisms must include (a) readily 
available and affordable independent recourse mechanisms by which each 
individual's complaints and disputes are investigated and resolved by 
reference to the Principles and damages awarded where the applicable 
law or private sector initiatives so provide; (b) follow up procedures 
for verifying that the attestations and assertions businesses make 
about their privacy practices are true and that privacy practices have 
been implemented as presented; and (c) obligations to remedy problems 
arising out of failure to comply with the Principles by organizations 
announcing their adherence to them and consequences for such 
organizations. Sanctions must be sufficiently rigorous to ensure 
compliance by organizations.

Annex

List of U.S. Statutory Bodies Recognized by the European Union

    The European Union recognizes the following U.S. government bodies 
as being empowered to investigate complaints and to obtain relief 
against unfair or deceptive practices as well as rederess for 
individuals in case of non-compliance with the Principles implemented 
in accordance with the FAQs:

--The Federal Trade Commission on the basis of its authority under 
Section 5 of the Federal Trade Commission Act
--The Department of Transportation on the basis of its authority under 
Title 49 U.S.C. 41712.

Frequently Asked Questions (FAQs)

FAQ 1--Sensitive Data

    Q: Must an organization always provide explicit (opt in) choice 
with respect to sensitive data?
    A: No, such choice is not required where the processing is: (1) In 
the vital interests of the data subject or another person; (2) 
necessary for the establishment of legal claims or defenses; (3) 
required to provide medical care or diagnosis; (4) carried out in the 
course of legitimate activities by a foundation, association or any 
other non-profit body with a political, philosophical, religious or 
trade-union aim and on condition that the processing relates solely to 
the members of the body or to the persons who have regular contact with 
it in connection with its purposes and that the data are not disclosed 
to a third party without the consent of the data subjects; (5) 
necessary to carry out the organization's obligations in the field of 
employment law; or (6) related to data that are manifestly made public 
by the individual.

FAQ 2--Journalistic Exceptions

    Q: Given U.S. constitutional protections for freedom of the press 
and the Directive's exemption for journalistic material, do the Safe 
Harbor Principles apply to personal information gathered, maintained, 
or disseminated for journalistic purposes?
    A: Where the rights of a free press embodied in the First Amendment 
of the U.S. Constitution intersect with privacy protection interests, 
the First Amendment must govern the balancing of these interests with 
regard to the activities of U.S. persons or organizations. Personal 
information that is gathered for publication, broadcast, or other forms 
of public communication of journalistic material, whether used or not, 
as well as information found in previously published material 
disseminated from media archives, is not subject to the requirements of 
the Safe Harbor Principles.

FAQ 3--Secondary Liability

    Q: Are Internet service providers (ISPs), telecommunications 
carriers, or other organizations liable under the Safe Harbor 
Principles when on behalf of another organization they merely transmit, 
route, switch or cache information that may violate their terms?
    A: No. As is the case with the Directive itself, the safe harbor 
does not create secondary liability. To the extent that an organization 
is acting as a mere conduit for data transmitted by third parties and 
does not determine the purposes and means of processing those personal 
data, it would not be liable.

FAQ 4--Investment Banking and Audits

    Q: The activities of auditors and investment bankers may involve 
processing personal data without the consent or knowledge of the 
individual. Under what circumstances is this permitted by the Notice, 
Choice, and Access Principles?

[[Page 45669]]

    A: Investment bankers or auditors may process information without 
knowledge of the individual only to the extent and for the period 
necessary to meet statutory or public interest requirements and in 
other circumstances in which the application of these Principles would 
prejudice the legitimate interests of the organization. These 
legitimate interests include the monitoring of companies' compliance 
with their legal obligations and legitimate accounting activities, and 
the need for confidentiality connected with possible acquisitions, 
mergers, joint ventures, or other similar transactions carried out by 
investment bankers or auditors.

FAQ 5--The Role of the Data Protection Authorities

    Q: How will companies that commit to cooperate with European Union 
Data Protection Authorities (DPAs) make those commitments and how will 
they be implemented?
    A: Under the safe harbor, U.S. organizations receiving personal 
data from the EU must commit to employ effective mechanisms for 
assuring compliance with the Safe Harbor Principles. More specifically 
as set out in the Enforcement Principle, they must provide (a) recourse 
for individuals to whom the data relate, (b) follow up procedures for 
verifying that the attestations and assertions they have made about 
their privacy practices are true, and (c) obligations to remedy 
problems arising out of failure to comply with the Principles and 
consequences for such organizations. An organization may satisfy points 
(a) and (c) of the Enforcement Principle if it adheres to the 
requirements of this FAQ for cooperating with the DPAs.
    An organization may commit to cooperate with the DPAs by declaring 
in its safe harbor certification to the Department of Commerce (see FAQ 
6 on self-certification) that the organization:
    1. Elects to satisfy the requirement in points (a) and (c) of the 
Safe Harbor Enforcement Principle by committing to cooperate with the 
DPAs;
    2. Will cooperate with the DPAs in the investigation and resolution 
of complaints brought under the safe harbor; and
    3. Will comply with any advice given by the DPAs where the DPAs 
take the view that the organization needs to take specific action to 
comply with the Safe Harbor Principles, including remedial or 
compensatory measures for the benefit of individuals affected by any 
non-compliance with the Principles, and will provide the DPAs with 
written confirmation that such action has been taken.
    The cooperation of the DPAs will be provided in the form of 
information and advice in the following way:

--The advice of the DPAs will be delivered through an informal panel of 
DPAs established at the European Union level, which will inter alia 
help ensure a harmonised and coherent approach.
--The panel will provide advice to the U.S. organizations concerned on 
unresolved complaints from individuals about the handling of personal 
information that has been transferred from the EU under the safe 
harbor. This advice will be designed to ensure that the Safe Harbor 
Principles are being correctly applied and will include any remedies 
for the individual(s) concerned that the DPAs consider appropriate.
--The panel will provide such advice in response to referrals from the 
organizations concerned and/or to complaints received directly from 
individuals against organizations which have committed to cooperate 
with DPAs for safe harbor purposes, while encouraging and if necessary 
helping such individuals in the first instance to use the in-house 
complaint handling arrangements that the organization may offer.
--Advice will be issued only after both sides in a dispute have had a 
reasonable opportunity to comment and to provide any evidence they 
wish. The panel will seek to deliver advice as quickly as this 
requirement for due process allows. As a general rule, the panel will 
aim to provide advice within 60 days after receiving a complaint or 
referral and more quickly where possible.
--The panel will make public the results of its consideration of 
complaints submitted to it, if it sees fit.
--The delivery of advice through the panel will not give rise to any 
liability for the panel or for individual DPAs.

    As noted above, organizations choosing this option for dispute 
resolution must undertake to comply with the advice of the DPAs. If an 
organization fails to comply within 25 days of the delivery of the 
advice and has offered no satisfactory explanation for the delay, the 
panel will give notice of its intention either to submit the matter to 
the Federal Trade Commission or other U.S. federal or state body with 
statutory powers to take enforcement action in cases of deception or 
misrepresentation, or to conclude that the agreement to cooperate has 
been seriously breached and must therefore be considered null and void. 
In the latter case, the panel will inform the Department of Commerce 
(or its designee) so that the list of safe harbor participants can be 
duly amended. Any failure to fulfill the undertaking to cooperate with 
the DPAs, as well as failures to comply with the Safe Harbor 
Principles, will be actionable as a deceptive practice under section 5 
of the FTC Act or other similar statute.
    Organizations choosing this option will be required to pay an 
annual fee which will be designed to cover the operating costs of the 
panel, and they may additionally be asked to meet any necessary 
translation expenses arising out of the panel's consideration of 
referrals or complaints against them. The annual fee will not exceed 
$500 and will be less for smaller companies.
    The option of co-operating with the DPAs will be available to 
organizations joining the safe harbor during a three-year period. The 
DPAs will reconsider this arrangement before the end of that period if 
the number of U.S. organizations choosing this option proves to be 
excessive.

FAQ 6--Self-Certification

    Q: How does an organization self-certify that it adheres to the 
Safe Harbor Principles?
    A: Safe harbor benefits are assured from the date on which an 
organization self-certifies to the Department of Commerce (or its 
designee) its adherence to the Principles in accordance with the 
guidance set forth below.
    To self-certify for the safe harbor, organizations can provide to 
the Department of Commerce (or its designee) a letter, signed by a 
corporate officer on behalf of the organization that is joining the 
safe harbor, that contains at least the following information:
    1. Name of organization, mailing address, email address, telephone 
and fax numbers;
    2. Description of the activities of the organization with respect 
to personal information received from the EU; and
    3. Description of the organization's privacy policy for such 
personal information, including:
    a. Where the privacy policy is available for viewing by the public,
    b. Its effective date of implementation,
    c. A contact office for the handling of complaints, access 
requests, and any other issues arising under the safe harbor,
    d. The specific statutory body that has jurisdiction to hear any 
claims against the organization regarding possible unfair or deceptive 
practices and

[[Page 45670]]

violations of laws or regulations governing privacy (and that is listed 
in the annex to the Principles),
    e. Name of any privacy programs in which the organization is a 
member,
    f. Method of verification (e.g. in-house, third party) *, and
---------------------------------------------------------------------------

    * See FAQ 7 on verification.
---------------------------------------------------------------------------

    g. The independent recourse mechanism that is available to 
investigate unresolved complaints.
    Where the organization wishes its safe harbor benefits to cover 
human resources information transferred from the EU for use in the 
context of the employment relationship, it may do so where there is a 
statutory body with jurisdiction to hear claims against the 
organization arising out of human resources information that is listed 
in the annex to the Principles. In addition the organization must 
indicate this in its letter and declare its commitment to cooperate 
with the EU authority or authorities concerned in conformity with FAQ 9 
and FAQ 5 as applicable and that it will comply with the advice given 
by such authorities.
    The Department (or its designee) will maintain a list of all 
organizations that file such letters, thereby assuring the availability 
of safe harbor benefits, and will update such list on the basis of 
annual letters and notifications received pursuant to FAQ 11. Such 
self-certification letters should be provided not less than annually. 
Otherwise the organization will be removed from the list and safe 
harbor benefits will no longer be assured. Both the list and the self-
certification letters submitted by the organizations will be made 
publicly available. All organizations that self-certify for the safe 
harbor must also state in their relevant published privacy policy 
statements that they adhere to the Safe Harbor Principles.
    The undertaking to adhere to the Safe Harbor Principles is not 
time-limited in respect of data received during the period in which the 
organization enjoys the benefits of the safe harbor. Its undertaking 
means that it will continue to apply the Principles to such data for as 
long as the organization stores, uses or discloses them, even if it 
subsequently leaves the safe harbor for any reason.
    An organization that will cease to exist as a separate legal entity 
as a result of a merger or a takeover must notify the Department of 
Commerce (or its designee) of this in advance. The notification should 
also indicate whether the acquiring entity or the entity resulting from 
the merger will (1) continue to be bound by the Safe Harbor Principles 
by the operation of law governing the takeover or merger or (2) elect 
to self-certify its adherence to the Safe Harbor Principles or put in 
place other safeguards, such as a written agreement that will ensure 
adherence to the Safe Harbor Principles. Where neither (1) nor (2) 
applies, any data that has been acquired under the safe harbor must be 
promptly deleted.
    An organization does not need to subject all personal information 
to the Safe Harbor Principles, but it must subject to the Safe Harbor 
Principles all personal data received from the EU after it joins the 
safe harbor.
    Any misrepresentation to the general public concerning an 
organization's adherence to the Safe Harbor Principles may be 
actionable by the Federal Trade Commission or other relevant government 
body. Misrepresentations to the Department of Commerce (or its 
designee) may be actionable under the False Statements Act (18 U.S.C. 
1001).

FAQ 7--Verification

    Q: How do organizations provide follow up procedures for verifying 
that the attestations and assertions they make about their safe harbor 
privacy practices are true and those privacy practices have been 
implemented as represented and in accordance with the Safe Harbor 
Principles?
    A: To meet the verification requirements of the Enforcement 
Principle, an organization may verify such attestations and assertions 
either through self-assessment or outside compliance reviews.
    Under the self-assessment approach, such verification would have to 
indicate that an organization's published privacy policy regarding 
personal information received from the EU is accurate, comprehensive, 
prominently displayed, completely implemented and accessible. It would 
also need to indicate that its privacy policy conforms to the Safe 
Harbor Principles; that individuals are informed of any in-house 
arrangements for handling complaints and of the independent mechanisms 
through which they may pursue complaints; that it has in place 
procedures for training employees in its implementation, and 
disciplining them for failure to follow it; and that it has in place 
internal procedures for periodically conducting objective reviews of 
compliance with the above. A statement verifying the self-assessment 
should be signed by a corporate officer or other authorized 
representative of the organization at least once a year and made 
available upon request by individuals or in the context of an 
investigation or a complaint about non-compliance.
    Organizations should retain their records on the implementation of 
their safe harbor privacy practices and make them available upon 
request in the context of an investigation or a complaint about non-
compliance to the independent body responsible for investigating 
complaints or to the agency with unfair and deceptive practices 
jurisdiction.
    Where the organization has chosen outside compliance review, such a 
review needs to demonstrate that its privacy policy regarding personal 
information received from the EU conforms to the Safe Harbor 
Principles, that it is being complied with and that individuals are 
informed of the mechanisms through which they may pursue complaints. 
The methods of review may include without limitation auditing, random 
reviews, use of ``decoys,'' or use of technology tools as appropriate. 
A statement verifying that an outside compliance review has been 
successfully completed should be signed either by the reviewer or by 
the corporate officer or other authorized representative of the 
organization at least once a year and made available upon request by 
individuals or in the context of an investigation or a complaint about 
compliance.

FAQ 8: Access

Access Principle
    Individuals must have access to personal information about them 
that an organization holds and be able to correct, amend or delete that 
information where it is inaccurate, except where the burden or expense 
of providing access would be disproportionate to the risks to the 
individual's privacy in the case in question, or where the legitimate 
rights of persons other than the individual would be violated.
    1. Q: Is the right of access absolute?
    1. A: No. Under the Safe Harbor Principles, the right of access is 
fundamental to privacy protection. In particular, it allows individuals 
to verify the accuracy of information held about them. Nonetheless, the 
obligation of an organization to provide access to the personal 
information it holds about an individual is subject to the principle of 
proportionality or reasonableness and has to be tempered in certain 
instances. Indeed, the Explanatory Memorandum to the 1980 OECD Privacy 
Guidelines makes clear that an organization's access obligation is not 
absolute. It does not require the exceedingly thorough search mandated, 
for example, by a subpoena, nor does it require access to all the 
different forms in which the

[[Page 45671]]

information may be maintained by the organization.
    Rather, experience has shown that in responding to individuals' 
access requests, organizations should first be guided by the concern(s) 
that led to the requests in the first place. For example, if an access 
request is vague or broad in scope, an organization may engage the 
individual in a dialogue so as to better understand the motivation for 
the request and to locate responsive information. The organization 
might inquire about which part(s) of the organization the individual 
interacted with and/or about the nature of the information (or its use) 
that is the subject of the access request. Individuals do not, however, 
have to justify requests for access to their own data.
    Expense and burden are important factors and should be taken into 
account but they are not controlling in determining whether providing 
access is reasonable. For example, if the information is used for 
decisions that will significantly affect the individual (e.g., the 
denial or grant of important benefits, such as insurance, a mortgage, 
or a job), then consistent with the other provisions of these FAQs, the 
organization would have to disclose that information even if it is 
relatively difficult or expensive to provide.
    If the information requested is not sensitive or not used for 
decisions that will significantly affect the individual (e.g., non-
sensitive marketing data that is used to determine whether or not to 
send the individual a catalog), but is readily available and 
inexpensive to provide, an organization would have to provide access to 
factual information that the organization stores about the individual. 
The information concerned could include facts obtained from the 
individual, facts gathered in the course of a transaction, or facts 
obtained from others that pertain to the individual.
    Consistent with the fundamental nature of access, organizations 
should always make good faith efforts to provide access. For example, 
where certain information needs to be protected and can be readily 
separated from other information subject to an access request, the 
organization should redact the protected information and make available 
the other information. If an organization determines that access should 
be denied in any particular instance, it should provide the individual 
requesting access with an explanation of why it has made that 
determination and a contact point for any further inquiries.
    2. Q: What is confidential commercial information and may 
organizations deny access in order to safeguard it?
    2. A: Confidential commercial information (as that term is used in 
the Federal Rules of Civil Procedure on discovery) is information which 
an organization has taken steps to protect from disclosure, where 
disclosure would help a competitor in the market. The particular 
computer program an organization uses, such as a modeling program, or 
the details of that program may be confidential commercial information. 
Where confidential commercial information can be readily separated from 
other information subject to an access request, the organization should 
redact the confidential commercial information and make available the 
non-confidential information. Organizations may deny or limit access to 
the extent that granting it would reveal its own confidential 
commercial information as defined above, such as marketing inferences 
or classifications generated by the organization, or the confidential 
commercial information of another where such information is subject to 
a contractual obligation of confidentiality in circumstances where such 
an obligation of confidentiality would normally be undertaken or 
imposed.
    3. Q: In providing access, may an organization disclose to 
individuals personal information about them derived from its data bases 
or is access to the data base itself required?
    3. A: Access can be provided in the form of disclosure by an 
organization to the individual and does not require access by the 
individual to an organization's data base.
    4. Q: Does an organization have to restructure its data bases to be 
able to provide access?
    4. A: Access needs to be provided only to the extent that an 
organization stores the information. The access principle does not 
itself create any obligation to retain, maintain, reorganize, or 
restructure personal information files.
    5. Q: These replies make clear that access may be denied in certain 
circumstances. In what other circumstances may an organization deny 
individuals access to their personal information?
    5. A: Such circumstances are limited, and any reasons for denying 
access must be specific. An organization can refuse to provide access 
to information to the extent that disclosure is likely to interfere 
with the safeguarding of important countervailing public interests, 
such as national security; defense; or public security. In addition, 
where personal information is processed solely for research or 
statistical purposes, access may be denied. Other reasons for denying 
or limiting access are:
    a. Interference with execution or enforcement of the law, including 
the prevention, investigation or detection of offenses or the right to 
a fair trial;
    b. Interference with private causes of action, including the 
prevention, investigation or detection of legal claims or the right to 
a fair trial;
    c. Disclosure of personal information pertaining to other 
individual(s) where such references cannot be redacted;
    d. Breaching a legal or other professional privilege or obligation;
    e. Breaching the necessary confidentiality of future or ongoing 
negotiations, such as those involving the acquisition of publicly 
quoted companies;
    f. Prejudicing employee security investigations or grievance 
proceedings;
    g. Prejudicing the confidentiality that may be necessary for 
limited periods in connection with employee succession planning and 
corporate re-organizations; or
    h. Prejudicing the confidentiality that may be necessary in 
connection with monitoring, inspection or regulatory functions 
connected with sound economic or financial management; or
    i. Other circumstances in which the burden or cost of providing 
access would be disproportionate or the legitimate rights or interests 
of others would be violated.
    An organization which claims an exception has the burden of 
demonstrating its applicability (as is normally the case). As noted 
above, the reasons for denying or limiting access and a contact point 
for further inquires should be given to individuals.
    6. Q: Can an organization charge a fee to cover the cost of 
providing access?
    6. A: Yes. The OECD Guidelines recognize that organizations may 
charge a fee, provided that it is not excessive. Thus organizations may 
charge a reasonable fee for access. Charging a fee may be useful in 
discouraging repetitive and vexatious requests.
    Organizations that are in the business of selling publicly 
available information may thus charge the organization's customary fee 
in responding to requests for access. Individuals may alternatively 
seek access to their information from the organization that originally 
compiled the data.
    Access may not be refused on cost grounds if the individual offers 
to pay the costs.

[[Page 45672]]

    7. Q: Is an organization required to provide access to personal 
information derived from public records?
    7. A: To clarify first, public records are those records kept by 
government agencies or entities at any level that are open to 
consultation by the public in general. It is not necessary to apply the 
Access Principle to such information as long as it is not combined with 
other personal information, apart from when small amounts of non-public 
record information are used for indexing or organizing public record 
information. However, any conditions for consultation established by 
the relevant jurisdiction are to be respected. Where public record 
information is combined with other non-public record information (other 
than as specifically noted above), however, an organization must 
provide access to all such information, assuming it is not subject to 
other permitted exceptions.
    8. Q: Does the Access Principle have to be applied to publicly 
available personal information?
    8. A: As with public record information (see Q7), it is not 
necessary to provide access to information that is already publicly 
available to the public at large, as long as it is not combined with 
non-publicly available information.
    9. Q: How can an organization protect itself against repetitious or 
vexatious requests for access?
    9. A: An organization does not have to respond to such requests for 
access. For these reasons, organizations may charge a reasonable fee 
and may set reasonable limits on the number of times within a given 
period that access requests from a particular individual will be met. 
In setting such limitations, an organization should consider such 
factors as the frequency with which information is updated, the purpose 
for which the data are used, and the nature of the information.
    10. Q: How can an organization protect itself against fraudulent 
requests for access?
    10. A: An organization is not required to provide access unless it 
is supplied with sufficient information to allow it to confirm the 
identity of the person making the request.
    11. Q: Is there a time within which responses must be provided to 
access requests?
    11. A: Yes, organizations should respond without excessive delay 
and within a reasonable time period. This requirement may be satisfied 
in different ways as the explanatory memorandum to the 1980 OECD 
Privacy Guidelines states. For example, a data controller who provides 
information to data subjects at regular intervals may be exempted from 
obligations to respond at once to individual requests.

FAQ 9--Human Resources

    1.Q. Is the transfer from the EU to the United States of personal 
information collected in the context of the employment relationship 
covered by the safe harbor?
    1. A: Yes, where a company in the EU transfers personal information 
about its employees (past or present) collected in the context of the 
employment relationship, to a parent, affiliate, or unaffiliated 
service provider in the United States participating in the safe harbor, 
the transfer enjoys the benefits of the safe harbor. In such cases, the 
collection of the information and its processing prior to transfer will 
have been subject to the national laws of the EU country where it was 
collected, and any conditions for or restrictions on its transfer 
according to those laws will have to be respected.
    The Safe Harbor Principles are relevant only when individually 
identified records are transferred or accessed. Statistical reporting 
relying on aggregate employment data and/or the use of anonymized or 
pseudonymized data does not raise privacy concerns.
    2. Q: How do the Notice and Choice Principles apply to such 
information?
    2. A: A U.S. organization that has received employee information 
from the EU under the safe harbor may disclose it to third parties and/
or use it for different purposes only in accordance with the Notice and 
Choice Principles. For example, where an organization intends to use 
personal information collected through the employment relationship for 
non-employment-related purposes, such as marketing communications, the 
U.S. organization must provide the affected individuals with choice 
before doing so, unless they have already authorized the use of the 
information for such purposes. Moreover, such choices must not be used 
to restrict employment opportunities or take any punitive action 
against such employees.
    It should be noted that certain generally applicable conditions for 
transfer from some Member States may preclude other uses of such 
information even after transfer outside the EU and such conditions will 
have to be respected.
    In addition, employers should make reasonable efforts to 
accommodate employee privacy preferences. This could include, for 
example, restricting access to the data, anonymizing certain data, or 
assigning codes or pseudonyms when the actual names are not required 
for the management purpose at hand.
    To the extent and for the period necessary to avoid prejudicing the 
legitimate interests of the organization in making promotions, 
appointments, or other similar employment decisions, an organization 
does not need to offer notice and choice.
    3. Q: How does the Access Principle apply?
    3. A: The FAQs on access provide guidance on reasons which may 
justify denying or limiting access on request in the human resources 
context. Of course, employers in the European Union must comply with 
local regulations and ensure that European Union employees have access 
to such information as is required by law in their home countries, 
regardless of the location of data processing and storage. The safe 
harbor requires that an organization processing such data in the United 
States will cooperate in providing such access either directly or 
through the EU employer.
    4. Q: How will enforcement be handled for employee data under the 
Safe Harbor Principles?
    4. A: In so far as information is used only in the context of the 
employment relationship, primary responsibility for the data vis-a-vis 
the employee remains with the company in the EU. It follows that, where 
European employees make complaints about violations of their data 
protection rights and are not satisfied with the results of internal 
review, complaint, and appeal procedures (or any applicable grievance 
procedures under a contract with a trade union), they should be 
directed to the state or national data protection or labor authority in 
the jurisdiction where the employee works. This also includes cases 
where the alleged mishandling of their personal information has taken 
place in the United States, is the responsibility of the U.S. 
organization that has received the information from the employer and 
not of the employer and thus involves an alleged breach of the Safe 
Harbor Principles, rather than of national laws implementing the 
Directive. This will be the most efficient way to address the often 
overlapping rights and obligations imposed by local labor law and labor 
agreements as well as data protection law.
    A U.S. organization participating in the safe harbor that uses EU 
human resources data transferred from the Europe Union in the context 
of the employment relationship and that wishes such transfers to be 
covered by the safe harbor must therefore commit to cooperate in 
investigations by and to comply with the advice of competent

[[Page 45673]]

EU authorities in such cases. The DPAs that have agreed to cooperate in 
this way will notify the European Commission and the Department of 
Commerce. If a U.S. organization participating in the safe harbor 
wishes to transfer human resources data from a Member State where the 
DPA has not so agreed, the provisions of FAQ 5 will apply.

FAQ 10--Article 17 Contracts

    Q: When data is transferred from the EU to the United States only 
for processing purposes, will a contract be required, regardless of 
participation by the processor in the safe harbor?
    A: Yes. Data controllers in the European Union are always required 
to enter into a contract when a transfer for mere processing is made, 
whether the processing operation is carried out inside or outside the 
EU. The purpose of the contract is to protect the interests of the data 
controller, i.e. the person or body who determines the purposes and 
means of processing, who retains full responsibility for the data vis-
a-vis the individual(s) concerned. The contract thus specifies the 
processing to be carried out and any measures necessary to ensure that 
the data are kept secure.
    A U.S. organization participating in the safe harbor and receiving 
personal information from the EU merely for processing thus does not 
have to apply the Principles to this information, because the 
controller in the EU remains responsible for it vis-a-vis the 
individual in accordance with the relevant EU provisions (which may be 
more stringent than the equivalent Safe Harbor Principles).
    Because adequate protection is provided by safe harbor 
participants, contracts with safe harbor participants for mere 
processing do not require prior authorization (or such authorization 
will be granted automatically by the Member States) as would be 
required for contracts with recipients not participating in the safe 
harbor or otherwise not providing adequate protection.

FAQ No 11: Dispute Resolution and Enforcement

    Q: How should the dispute resolution requirements of the 
Enforcement Principle be implemented, and how will an organization's 
persistent failure to comply with the Principles be handled?
    A: The Enforcement Principle sets out the requirements for safe 
harbor enforcement. How to meet the requirements of point (b) of the 
Principle is set out in the FAQ on verification (FAQ 7). This FAQ 11 
addresses points (a) and (c), both of which require independent 
recourse mechanisms. These mechanisms may take different forms, but 
they must meet the Enforcement Principle's requirements. Organizations 
may satisfy the requirements through the following: (1) Compliance with 
private sector developed privacy programs that incorporate the Safe 
Harbor Principles into their rules and that include effective 
enforcement mechanisms of the type described in the Enforcement 
Principle; (2) compliance with legal or regulatory supervisory 
authorities that provide for handling of individual complaints and 
dispute resolution; or (3) commitment to cooperate with data protection 
authorities located in the European Union or their authorized 
representatives. This list is intended to be illustrative and not 
limiting. The private sector may design other mechanisms to provide 
enforcement, so long as they meet the requirements of the Enforcement 
Principle and the FAQs. Please note that the Enforcement Principle's 
requirements are additional to the requirement set forth in paragraph 3 
of the introduction to the Principles that self-regulatory efforts must 
be enforceable under Article 5 of the Federal Trade Commission Act or 
similar statute.
    Recourse Mechanisms. Consumers should be encouraged to raise any 
complaints they may have with the relevant organization before 
proceeding to independent recourse mechanisms. Whether a recourse 
mechanism is independent is a factual question that can be demonstrated 
in a number of ways, for example, by transparent composition and 
financing or a proven track record. As required by the enforcement 
principle, the recourse available to individuals must be readily 
available and affordable. Dispute resolution bodies should look into 
each complaint received from individuals unless they are obviously 
unfounded or frivolous. This does not preclude the establishment of 
eligibility requirements by the organization operating the recourse 
mechanism, but such requirements should be transparent and justified 
(for example to exclude complaints that fall outside the scope of the 
program or are for consideration in another forum), and should not have 
the effect of undermining the commitment to look into legitimate 
complaints. In addition, recourse mechanisms should provide individuals 
with full and readily available information about how the dispute 
resolution procedure works when they file a complaint. Such information 
should include notice about the mechanism's privacy practices, in 
conformity with the Safe Harbor Principles.\1\ They should also co-
operate in the development of tools such as standard complaint forms to 
facilitate the complaint resolution process.
---------------------------------------------------------------------------

    \1\ Dispute resolution bodies are not required to conform with 
the enforcement principle. They may also derogate from the 
Principles where they encounter conflicting obligations or explicit 
authorizations in the performance of their specific tasks.
---------------------------------------------------------------------------

    Remedies and Sanctions. The result of any remedies provided by the 
dispute resolution body should be that the effects of noncompliance are 
reversed or corrected by the organization, in so far as feasible, and 
that future processing by the organization will be in conformity with 
the Principles and, where appropriate, that processing of the personal 
data of the individual who has brought the complaint will cease. 
Sanctions need to be rigorous enough to ensure compliance by the 
organization with the Principles. A range of sanctions of varying 
degrees of severity will allow dispute resolution bodies to respond 
appropriately to varying degrees of non-compliance. Sanctions should 
include both publicity for findings of non-compliance and the 
requirement to delete data in certain circumstances.\2\ Other sanctions 
could include suspension and removal of a seal, compensation for 
individuals for losses incurred as a result of non-compliance and 
injunctive orders. Private sector dispute resolution bodies and self-
regulatory bodies must notify failures of safe harbor organizations to 
comply with their rulings to the governmental body with applicable 
jurisdiction or to the courts, as appropriate, and to notify the 
Department of Commerce (or its designee).
---------------------------------------------------------------------------

    \2\ Dispute resolutions bodies have discretion about the 
circumstances in which they use these sanctions. The sensitivity of 
the data concerned is one factor to be taken into consideration in 
deciding whether deletion of data should be required, as is whether 
an organization has collected, used or disclosed information in 
blatant contravention of the Principles.
---------------------------------------------------------------------------

    FTC Action. The FTC has committed to reviewing on a priority basis 
referrals received from privacy self-regulatory organizations, such as 
BBBOnline and TRUSTe, and EU Member States alleging non-compliance with 
the Safe Harbor Principles to determine whether Section 5 of the FTC 
Act prohibiting unfair or deceptive acts or practices in commerce has 
been violated. If the FTC concludes that it has reason[s] to believe 
Section 5 has been violated, it may resolve the matter by seeking an 
administrative cease and desist order prohibiting the challenged 
practices or by filing a complaint in a federal district court, which 
if successful could result

[[Page 45674]]

in a federal court order to same effect. The FTC may obtain civil 
penalties for violations of an administrative cease and desist order 
and may pursue civil or criminal contempt for violation of a federal 
court order. The FTC will notify the Department of Commerce of any such 
actions it takes. The Department of Commerce encourages other 
government bodies to notify it of the final disposition of any such 
referrals or other rulings determining adherence to the Safe Harbor 
Principles.
    Persistent Failure to Comply. If an organization persistently fails 
to comply with the Principles, it is no longer entitled to benefit from 
the safe harbor. Persistent failure to comply arises where an 
organization that has self-certified to the Department of Commerce (or 
its designee) refuses to comply with a final determination by any self-
regulatory or government body or where such a body determines that an 
organization frequently fails to comply with the Principles to the 
point where its claim to comply is no longer credible. In these cases, 
the organization must promptly notify the Department of Commerce (or 
its designee) of such facts. Failure to do so may be actionable under 
the False Statements Act (18 U.S.C. 1001).
    The Department (or its designee) will indicate on the public list 
it maintains of organizations self-certifying adherence to the Safe 
Harbor Principles any notification it receives of persistent failure to 
comply, whether it is received from the organization itself, from a 
self-regulatory body, or from a government body, but only after first 
providing thirty (30) days' notice and an opportunity to respond to the 
organization that has failed to comply. Accordingly, the public list 
maintained by the Department of Commerce (or its designee) will make 
clear which organizations are assured and which organizations are no 
longer assured of safe harbor benefits.
    An organization applying to participate in a self-regulatory body 
for the purposes of re-qualifying for the safe harbor must provide that 
body with full information about its prior participation in the safe 
harbor.

FAQ 12--Choice--Timing of Opt Out

    Q: Does the Choice Principle permit an individual to exercise 
choice only at the beginning of a relationship or at any time?
    A: Generally, the purpose of the Choice Principle is to ensure that 
personal information is used and disclosed in ways that are consistent 
with the individual's expectations and choices. Accordingly, an 
individual should be able to exercise ``opt out'' (or choice) of having 
personal information used for direct marketing at any time subject to 
reasonable limits established by the organization, such as giving the 
organization time to make the opt out effective. An organization may 
also require sufficient information to confirm the identity of the 
individual requesting the ``opt out.'' In the United States, 
individuals may be able to exercise this option through the use of a 
central ``opt out'' program such as the Direct Marketing Association's 
Mail Preference Service. Organizations that participate in the Direct 
Marketing Association's Mail Preference Service should promote its 
availability to consumers who do not wish to receive commercial 
information. In any event, an individual should be given a readily 
available and affordable mechanism to exercise this option.
    Similarly, an organization may use information for certain direct 
marketing purposes when it is impracticable to provide the individual 
with an opportunity to opt out before using the information, if the 
organization promptly gives the individual such opportunity at the same 
time (and upon request at any time) to decline (at no cost to the 
individual) to receive any further direct marketing communications and 
the organization complies with the individual's wishes.

FAQ 13--Travel Information

    Q: When can airline passenger reservation and other travel 
information, such as frequent flyer or hotel reservation information 
and special handling needs, such as meals to meet religious 
requirements or physical assistance, be transferred to organizations 
located outside the EU?
    A: Such information may be transferred in several different 
circumstances. Under Article 26 of the Directive, personal data may be 
transferred ``to a third country which does not ensure an adequate 
level of protection within the meaning of Article 25(2)'' on the 
condition that it (1) is necessary to provide the services requested by 
the consumer or to fulfill the terms of an agreement, such as a 
``frequent flyer'' agreement; or (2) has been unambiguously consented 
to by the consumer. U.S. organizations subscribing to the safe harbor 
provide adequate protection for personal data and may therefore receive 
data transfers from the EU without meeting those conditions or other 
conditions set out in Article 26 of the Directive. Since the safe 
harbor includes specific rules for sensitive information, such 
information (which may need to be collected, for example, in connection 
with customers' needs for physical assistance) may be included in 
transfers to safe harbor participants. In all cases, however, the 
organization transferring the information has to respect the law in the 
EU Member State in which it is operating, which may inter alia impose 
special conditions for the handling of sensitive data.

FAQ 14--Pharmaceutical and Medical Products

    1. Q: If personal data are collected in the EU and transferred to 
the United States for pharmaceutical research and/or other purposes, do 
Member State laws or the Safe Harbor Principles apply?
    1. A: Member State law applies to the collection of the personal 
data and to any processing that takes place prior to the transfer to 
the United States. The Safe Harbor Principles apply to the data once 
they have been transferred to the United States. Data used for 
pharmaceutical research and other purposes should be anonymized when 
appropriate.
    2. Q: Personal data developed in specific medical or pharmaceutical 
research studies often play a valuable role in future scientific 
research. Where personal data collected for one research study are 
transferred to a U.S. organization in the safe harbor, may the 
organization use the data for a new scientific research activity?
    2. A: Yes, if appropriate notice and choice have been provided in 
the first instance. Such a notice should provide information about any 
future specific uses of the data, such as periodic follow-up, related 
studies, or marketing. It is understood that not all future uses of the 
data can be specified, since a new research use could arise from new 
insights on the original data, new medical discoveries and advances, 
and public health and regulatory developments. Where appropriate, the 
notice should therefore include an explanation that personal data may 
be used in future medical and pharmaceutical research activities that 
are unanticipated. If the use is not consistent with the general 
research purpose(s) for which the data were originally collected, or to 
which the individual has consented subsequently, new consent must be 
obtained.
    3. Q: What happens to an individual's data if a participant decides 
voluntarily or at the request of the sponsor to withdraw from the 
clinical trial?
    3. A: Participants may decide or be asked to withdraw from a 
clinical trial at any time. Any data collected previous to withdrawal 
may still be processed along with other data collected as part of the 
clinical trial, however, if this was

[[Page 45675]]

made clear to the participant in the notice at the time he or she 
agreed to participate.
    4. Q: Pharmaceutical and medical device companies are allowed to 
provide personal data from clinical trials conducted in the EU to 
regulators in the United States for regulatory and supervision 
purposes. Are similar transfers allowed to parties other than 
regulators, such as company locations and other researchers?
    4. A: Yes, consistent with the Principles of Notice and Choice.
    5. Q: To ensure objectivity in many clinical trials, participants, 
and often investigators, as well, cannot be given access to information 
about which treatment each participant may be receiving. Doing so would 
jeopardize the validity of the research study and results. Will 
participants in such clinical trials (referred to as ``blinded'' 
studies) have access to the data on their treatment during the trial?
    5. A: No, such access does not have to be provided to a participant 
if this restriction has been explained when the participant entered the 
trial and the disclosure of such information would jeopardize the 
integrity of the research effort. Agreement to participate in the trial 
under these conditions is a reasonable forgoing of the right of access. 
Following the conclusion of the trial and analysis of the results, 
participants should have access to their data if they request it. They 
should seek it primarily from the physician or other health care 
provider from whom they received treatment within the clinical trial, 
or secondarily from the sponsoring company.
    6. Q: Does a pharmaceutical or medical device firm have to apply 
the Safe Harbor Principles with respect to notice, choice, onward 
transfer, and access in its product safety and efficacy monitoring 
activities, including the reporting of adverse events and the tracking 
of patients/subjects using certain medicines or medical devices (e.g. a 
pacemaker)?
    6. A: No, to the extent that adherence to the Principles interferes 
with compliance with regulatory requirements. This is true both with 
respect to reports by, for example, health care providers, to 
pharmaceutical and medical device companies, and with respect to 
reports by pharmaceutical and medical device companies to government 
agencies like the Food and Drug Administration.
    7. Q: Invariably, research data are uniquely key-coded at their 
origin by the principal investigator so as not to reveal the identity 
of individual data subjects. Pharmaceutical companies sponsoring such 
research do not receive the key. The unique key code is held only by 
the researcher, so that he/she can identify the research subject under 
special circumstances (e.g. if follow-up medical attention is 
required). Does a transfer from the EU to the United States of data 
coded in this way constitute a transfer of personal data that is 
subject to the Safe Harbor Principles?
    7. A: No. This would not constitute a transfer of personal data 
that would be subject to the Principles.

FAQ 15--Public Record and Publicly Available Information

    Q: Is it necessary to apply the Notice, Choice and Onward Transfer 
Principles to public record information or publicly available 
information?
    A. It is not necessary to apply the Notice, Choice or Onward 
Transfer Principles to public record information, as long as it is not 
combined with non-public record information and as long as any 
conditions for consultation established by the relevant jurisdiction 
are respected.
    Also, it is generally not necessary to apply the Notice, Choice or 
Onward Transfer Principles to publicly available information unless the 
European transferor indicates that such information is subject to 
restrictions that require application of those Principles by the 
organization for the uses it intends. Organizations will have no 
liability for how such information is used by those obtaining such 
information from published materials.
    Where an organization is found to have intentionally made personal 
information public in contravention of the Principles so that it or 
others may benefit from these exceptions, it will cease to qualify for 
the benefits of the safe harbor.

Safe Harbor Enforcement Overview

Federal and State ``Unfair and Deceptive Practices'' Authority and 
Privacy

July 19, 2000.

    This memorandum outlines the authority of the Federal Trade 
Commission (FTC) under Section 5 of the Federal Trade Commission Act 
(15 U.S.C. 41-58, as amended) to take action against those who fail to 
protect the privacy of personal information in accordance with their 
representations and/or commitments to do so. It also addresses the 
exceptions to that authority and the ability of other federal and state 
agencies to take action where the FTC does not have authority.\3\
---------------------------------------------------------------------------

    \3\ We do not discusss here all the various Federal statutes 
that address privacy in specific contexts or state statutes and 
common law that might apply. Statutes at the federal level that 
regulate the commercial collection and use of personal information 
include the Cable Communications Policy Act (47 U.S.C. 551), the 
Driver's Privacy Protection Act (18 U.S.C. 2721), the Electronic 
Communications Privacy Act (18 U.S.C. 2701 et seq.), the Electronic 
Funds Transfer Act (15 U.S.C. 1693, 1693m), the Fair Credit 
Reporting Act (15 U.S.C. 1681 et seq.), the Right to Financial 
Privacy Act (12 U.S.C. 3401 et seq.), the Telephone Consumer 
Protection Act (47 U.S.C. 227), and the Video Privacy Protection Act 
(18 U.S.C. 2710), among others. Many states have analogous 
legislation in these areas. See, e.g., Mass. Gen. Laws ch. 167B, 16 
(prohibiting financial institutions from disclosing customer's 
financial records to a third party without either the customer's 
consent or legal process), N.Y. Pub. Health Law Sec. 17 (limiting 
use and disclosure of medical or mental health records and giving 
patients the right of access thereto).
---------------------------------------------------------------------------

FTC Authority Over Unfair or Deceptive Practices

    Section 5 of the Federal Trade Commission Act declares ``unfair or 
deceptive acts or practices in or affecting commerce'' to be illegal. 
15 U.S.C. 45(a)(1). Section 5 confers on the FTC the plenary power to 
prevent such acts and practices. 15 U.S.C. 45(a)(2). Accordingly, the 
FTC may, upon conducting a formal hearing, issue a ``cease and desist'' 
order to stop the offending conduct. 15 U.S.C. 45(b). If it would be in 
the public interest to do so, the FTC can also seek a temporary 
restraining order or temporary or permanent injunction in U.S. district 
court. 15 U.S.C. 53(b). In cases where there is a widespread pattern of 
unfair or deceptive acts or practices, or where it has already issued 
cease and desist orders on the matter, the FTC may promulgate an 
administrative rule prescribing the acts or practices involved. 15 
U.S.C. 57a.
    Anyone who does not comply with an FTC order is subject to a civil 
penalty of up to $11,000, with each day of a continuing violation 
constituting a separate violation.\4\ 15 U.S.C. 45(l). Likewise, anyone 
who knowingly violates an FTC rule is liable for $11,000 for each 
violation. 15 U.S.C. 45(m). Enforcement actions can be brought by 
either the Department of Justice, or if it declines by the FTC. 15 
U.S.C. 56.
---------------------------------------------------------------------------

    \4\ In such an action, the United States district court can also 
order injunctive and equitable relief appropriate to enforcing the 
FTC order. 15 U.S.C. 45(l).
---------------------------------------------------------------------------

FTC Authority and Privacy

    In exercising its section 5 authority, the FTC takes the position 
that misrepresenting why information is being collected from consumers 
or how the information will be used constitutes a deceptive 
practice.\5\ For example, in 1998, the FTC filed a complaint against

[[Page 45676]]

GeoCities for disclosing information it had collected on its Web site 
to third parties for purposes of solicitation, and without prior 
permission, despite its representations to the contrary.\6\ The FTC 
staff has also asserted that the collection of personal information 
from children, and sale and disclosure of that information, without the 
parents' consent is likely to be an unfair practice.\7\
---------------------------------------------------------------------------

    \5\ ``Deceptive practice'' is defined as a representation, 
omission or practice that is likely to mislead reasonable consumers 
in a material fashion.
    \6\ See www.ftc.gov/opa/1998/9808/geocitie.htm.
    \7\ See staff letter to Center for Media Education, www.ftc.gov/os/1997/9707/cenmed.htm. In addition, the Children's Online Privacy 
Protection Act of 1998 confers on the FTC specific legal authority 
to regulate the collection of personal information from children by 
website and online service operators. See 15 U.S.C. 6501-6506. In 
particular, the act requires online operators to give notice and to 
obtain verifiable parental consent before collecting, using, or 
disclosing personal information from children. Id., Sec. 6502(b). 
The act also gives parents a right of access and to refuse 
permission for the continued use of the information. Id.
---------------------------------------------------------------------------

    In a letter to Director General John Mogg of the European 
Commission, FTC Chairman Pitofsky noted the limitations on the FTC's 
authority to protect privacy where there has not been a 
misrepresentation (or no representation at all) as to how the 
information collected will be used. FTC Chairman Pitofsky letter to 
John Mogg (September 23, 1998). However, companies that want to avail 
themselves of the proposed ``safe harbor'' will have to certify that 
they will protect the information they collect in accordance with 
prescribed guidelines. Consequently, where a company certifies that it 
will safeguard the privacy of information and then fails to do so, such 
action would be a misrepresentation and a ``deceptive practice'' within 
the meaning of section 5.
    As the FTC's jurisdiction extends to unfair or deceptive acts or 
practices ``in or affecting commerce,'' the FTC will not have 
jurisdiction over the collection and use of personal information for 
noncommercial purposes, charitable fund-raising for example. See 
Pitofsky letter, p. 3. However, the use of personal information in any 
commercial transaction will satisfy this jurisdictional predicate. 
Thus, for example, the sale by an employer of personal information on 
its employees to a direct marketer would bring the transaction within 
the purview of Section 5.

Section 5  Exceptions

    Section 5 establishes exceptions to the FTC's authority over unfair 
or deceptive acts or practices with respect to:
     Financial institutions, including banks, savings and 
loans, and credit unions;
     Telecommunications and interstate transportation common 
carriers;
     Air carriers; and
     Packers and stockyard operators.
    See 15 U.S.C. 45(a)(2). We discuss each exception, and the 
regulatory authority that takes its place, below.
Financial Institutions \8\
---------------------------------------------------------------------------

    \8\ On November 12, 1999, President Clinton signed the Gramm-
Leach-Bliley Act (Pub. L. 106-102, codified at 15 U.S.C. 6801 et 
seq.) into law. The Act limits the disclosure by financial 
institutions of personal information about their customers. The Act 
requires financial institutions to, inter alia, notify all customers 
of their privacy policies and practices with respect to the sharing 
of personal information with affiliates and non-affiliates. The Act 
authorizes the FTC, the Federal banking authorities and other 
authorities to promulgate regulations to implement the privacy 
protections required by the statute. The agencies have issued 
proposed regulations for this purpose.
---------------------------------------------------------------------------

    The first exception applies to ``banks, savings and loan 
institutions described in section 18(f)(3) [15 U.S.C. 57a(f)(3)]'' and 
``Federal credit unions described in section 18(f)(4) [15 U.S.C. 
57a(f)(4)].'' \9\ These financial institutions are instead subject to 
regulations issued by the Federal Reserve Board, the Office of Thrift 
Supervision,\10\ and the National Credit Union Administration Board, 
respectively. See 15 U.S.C. 57a(f). These regulatory agencies are 
directed to prescribe the regulations necessary to prevent unfair and 
deceptive practices by these financial institutions \11\ and to 
establish a separate division to handle consumer complaints. 15 U.S.C. 
57a(f)(1). Finally, authority for enforcement derives from section 8 of 
the Federal Deposit Insurance Act (12 U.S.C. 1818), for banks and 
savings and loans, and sections 120 and 206 of the Federal Credit Union 
Act, for Federal credit unions. 15 U.S.C. 57a(f)(2)-(4).
---------------------------------------------------------------------------

    \9\ By its terms, this exception does not apply to the 
securities sector. Therefore, brokers, dealers and others in the 
securities industry are subject to the concurrent jurisdiction of 
the Securities and Exchange Commission and the FTC with respect to 
unfair or deceptive acts and practices.
    \10\ The exception in section 5 originally referred to the 
Federal Home Loan Bank Board which was abolished in August 1989 by 
the Financial Institutions Reform, Recovery and Enforcement Act of 
1989. Its functions were transferred to the Office of Thrift 
Supervision and to the Resolution Trust Corporation, the Federal 
Deposit Insurance Corporation, and the Housing Finance Board.
    \11\ While removing financial institutions from the FTC's 
jurisdiction, Section 5 also stipulates that whenever the FTC issues 
a rule on unfair or deceptive acts and practices, the financial 
regulatory Boards should adopt parallel regulations within 60 days. 
See 15 U.S.C. 57a(f)(1).
---------------------------------------------------------------------------

    Although the insurance industry is not specifically included in the 
list of exceptions in Section 5, the McCarran-Ferguson Act (15 U.S.C. 
1011 et seq.) generally leaves the regulation of the business of 
insurance to the individual states.\12\ Furthermore, pursuant to 
section 2(b) of the McCarran-Ferguson Act, no federal law will 
invalidate, impair, or supersede state regulation ``unless such Act 
specifically relates to the business of insurance.'' 15 U.S.C. 1012(b). 
However, the provisions of the FTC Act apply to the insurance industry 
``to the extent that such business is not regulated by State law.'' Id. 
It should also be noted that McCarran-Ferguson defers to the states 
only with respect to ``the business of insurance.'' Therefore, the FTC 
retains residual authority over unfair or deceptive practices by 
insurance companies when they are not engaged in the business of 
insurance. This could include, for example, when insurers sell personal 
information about their policy holders to direct marketers of non-
insurance products.\13\
---------------------------------------------------------------------------

    \12\ ``The business of insurance, and every person engaged 
therein, shall be subject to the laws of the several States which 
relate to the regulation or taxation of such business.'' 15 U.S.C. 
1012(a).
    \13\ The FTC has exercised jurisdiction over insurance companies 
in different contexts. In one case, the FTC took action against a 
firm for deceptive advertising in a state in which it was not 
licensed to do business. The FTC's jurisdiction was upheld on the 
basis that there was no effective state regulation because the firm 
was effectively beyond the reach of the state. See FTC v. Travelers 
Health Association, 362 U.S. 293 (1960).
    As for the states, seventeen have adopted the model ``Insurance 
Information and Privacy Protection Act'' prepared by the National 
Association of Insurance Commissioners (NAIC). The Act includes 
provisions for notice, use and disclosure, and access. Also, almost 
all states have adopted the NAIC's model ``Unfair Insurance 
Practices Act,'' which specifically targets unfair trade practices 
in the insurance industry.
---------------------------------------------------------------------------

Common Carriers

    The second section 5 exception extends to those common carriers 
that are ``subject to the Acts to regulate commerce.'' 15 U.S.C. 
45(a)(2). In this case, the ``Acts to regulate commerce'' refer to 
subtitle IV of Title 49 of the United States Code and to the 
Communications Act of 1934 (47 U.S.C. 151 et seq.) (the Communications 
Act). See 15 U.S.C. 44.
    49 U.S.C. subtitle IV (Interstate Transportation) covers rail 
carriers, motor carriers, water carriers, brokers, freight forwarders, 
and pipeline carriers. 49 U.S.C. 10101 et seq. These various common 
carriers are subject to regulation by the Surface Transportation Board, 
an independent agency within the Department of Transportation. 49 
U.S.C. 10501, 13501, and 15301. In each instance, the carrier is 
prohibited from disclosing information about the nature, destination, 
and other aspects of its cargo that might be used to the shipper's 
detriment. See 49 U.S.C. 11904, 14908,

[[Page 45677]]

and 16103. We note that these provisions refer to information regarding 
the shipper's cargo and thus do not appear to extend to personal 
information about the shipper that is unrelated to the shipment in 
question.
    As for the Communications Act, it provides for the regulation of 
``interstate and foreign commerce in communication by wire and radio'' 
by the Federal Communications Commission (FCC). See 47 U.S.C. 151 and 
152. In addition to common carrier telecommunications companies, the 
Communications Act also applies to companies such as television and 
radio broadcasters and cable service providers which are not common 
carriers. As such, these latter companies do not qualify for the 
exception under section 5 of the FTC Act. Thus, the FTC has 
jurisdiction to investigate these companies for unfair and deceptive 
practices, while the FCC has concurrent jurisdiction to enforce its 
independent authority in this area as described below.
    Under the Communications Act, ``every telecommunications carrier,'' 
including local exchange carriers, has a duty to protect the privacy of 
customer proprietary information.\14\ 47 U.S.C. 222(a). In addition to 
this general privacy-protection authority, the Communications Act was 
amended by the Cable Communications Policy Act of 1984 (the Cable Act), 
47 U.S.C. 521 et seq., to mandate specifically that cable operators 
protect the privacy of ``personally identifiable information'' on cable 
subscribers. 47 U.S.C. 551.\15\ The Cable Act restricts the collection 
of personal information by cable operators and requires the cable 
operator to notify the subscriber of the nature of the information 
collected and how that information will be used. The Cable Act gives 
subscribers the right of access to the information about them and 
requires cable operators to destroy that information when it's no 
longer needed.
---------------------------------------------------------------------------

    \14\ The term ``customer proprietary network information'' means 
information that relates to ``the quantity, technical configuration, 
type, destination, and amount of use of a telecommunications 
service'' by a customer and telephone billing information. 47 U.S.C. 
222(f)(1). However, the term does not include subscriber list 
information. Id.
    \15\ The legislation does not expressly define ``personally 
identifiable information.''
---------------------------------------------------------------------------

    The Communications Act empowers the FCC to enforce these two 
privacy provisions, either at its own initiation or in response to an 
outside complaint.\16\ 47 U.S.C. 205, 403; id. 208. If the FCC 
determines that a telecommunications carrier (including a cable 
operator) has violated the privacy provisions of section 222 or section 
551, there are three basic actions it may take. First, after a hearing 
and determination of violation, the Commission may order the carrier to 
pay monetary damages.\17\ 47 U.S.C. 209. Alternatively, the FCC may 
order the carrier to cease and desist from the offending practice or 
omission. 47 U.S.C. 205(a). Finally, the Commission may also order an 
offending carrier to ``conform to and observe [any] regulation or 
practice'' that the FCC may prescribe. Id.
---------------------------------------------------------------------------

    \16\ This authority encompasses the right to redress for privacy 
violations under both section 222 of the Communications Act or, with 
respect to cable subscribers, under section 551 of the Cable Act 
amendment to the Act. See also 47 U.S.C. 551(f)(3) (civil action in 
federal district court is a nonexclusive remedy, offered ``in 
addition to any other lawful remedy available to a cable 
subscriber.'')
    \17\ However, the absence of direct damage to a complainant is 
not grounds to dismiss a complaint. 47 U.S.C. 208(a).
---------------------------------------------------------------------------

    Private persons who believe a telecommunications carrier or cable 
operator has violated the relevant provisions of the Communications Act 
or the Cable Act may either file a complaint with the FCC or take their 
claims to a federal district court. 47 U.S.C. 207. A complainant who 
prevails in a federal court action against a telecommunications carrier 
for failure to protect customer proprietary information under the 
broader section 222 of the Communications Act may be awarded actual 
damages and attorneys' fees. 47 U.S.C. 206. A complainant who files 
suit claiming a privacy violation under the cable-specific section 551 
of the Cable Act may, in addition to actual damages and attorneys' 
fees, also be awarded punitive damages and reasonable litigation costs. 
47 U.S.C. 551(f).
    The FCC has adopted detailed rules to implement section 222. See 47 
CFR 64.2001-2009. The rules set out specific safeguards to protect 
against unauthorized access to customer proprietary network 
information. The regulations require telecommunications carriers to:
     Develop and implement software systems that ``flag'' a 
customer's notice/approval status when the customer's service record 
first comes on-screen;
     Maintain an electronic ``audit trail'' to track access to 
a customer's account, including when a customer's record is opened, by 
whom, and for what purpose;
     Train their personnel on the authorized use of customer 
proprietary network information, with appropriate disciplinary 
processes in place;
     Establish a supervisory review process to ensure 
compliance when conducting outbound marketing; and
     Certify to the FCC, on an annual basis, how they are 
complying with these regulations.
Air Carriers
    U.S. and foreign air carriers that are subject to Federal Aviation 
Act of 1958 are also exempt from section 5 of the FTC Act. See 15 
U.S.C. 45(a)(2). This includes anyone who provides interstate or 
foreign transportation of goods or passengers, or who transports mail, 
by aircraft. See 49 U.S.C. 40102. Air carriers are subject to the 
authority of the Department of Transportation. In this regard, the 
Secretary of Transportation is authorized to take action ``preventing 
unfair, deceptive, predatory, or anticompetitive practices in air 
transportation.'' 49 U.S.C. 40101(a)(9). The Secretary of 
Transportation can investigate whether a U.S. or foreign air carrier, 
or a ticket agent, has engaged in an unfair or deceptive practice if it 
is in the public interest. 49 U.S.C. 41712. After a hearing, the 
Secretary of Transportation can issue an order to stop the illegal 
practice. Id. To our knowledge, the Secretary of Transportation has not 
exercised this authority to address the issue of protecting the privacy 
of personal information about airline customers.\18\
---------------------------------------------------------------------------

    \18\ We understand there are efforts underway within the 
industry to address the privacy issue. Industry representatives have 
discussed the proposed safe harbor principles and their possible 
application to air carriers. The discussion has included a proposal 
to adopt an industry privacy policy with participating firms 
expressly subjecting themselves to DOT authority.
---------------------------------------------------------------------------

    There are two provisions protecting the privacy of personal 
information that apply to air carriers in specific contexts. First, the 
Federal Aviation Act protects the privacy of pilot applicants. See 49 
U.S.C. 44936(f). While allowing air carriers to obtain an applicant's 
employment records, the Act gives the applicant the right to notice 
that the records have been requested, to give consent to the request, 
to correct inaccuracies, and to have the records divulged only to those 
involved in the hiring decision. Second, DOT regulations require 
passenger manifest information collected for government use in the 
event of an aviation disaster to ``be kept confidential and released 
only to the U.S. Department of State, the National Transportation Board 
(upon the NTSB's request), and the U.S. Department of Transportation.'' 
14 CFR part 243, 243.9(c) (as added by 63 FR 8258).

[[Page 45678]]

Packers and Stockyards
    With regard to the Packers and Stockyards Act of 1921 (7 U.S.C. 181 
et seq.), the Act makes it unlawful for ``any packer with respect to 
livestock, meats, meat food products, or livestock products in 
unmanufactured form, or for any live poultry dealer with respect to 
live poultry, to engage in or use any unfair, unjustly discriminatory, 
or deceptive practice or device.'' 7 U.S.C. 192(a); see also 7 U.S.C. 
213(a) (prohibiting ``any unfair, unjustly discriminatory, or deceptive 
practice or device'' in connection with livestock). The Secretary of 
Agriculture has the primary responsibility to enforce these provisions, 
while the FTC retains jurisdiction over retail transactions and those 
involving the poultry industry. 7 U.S.C. 227(b)(2).
    It is not clear whether the Secretary of Agriculture will interpret 
the failure by a packer or stockyard operator to protect personal 
privacy in accordance with stated policy to be a ``deceptive'' practice 
under the Packers and Stockyards Act. However, the Section 5 exception 
applies to persons, partnerships, or corporations only ``insofar as 
they are subject to the Packers and Stockyards Act,'' Therefore, if 
personal privacy is not an issue within the purview of the Packers and 
Stockyards Act, then the exception in Section 5 may very well not apply 
and packers and stockyard operators would be subject to the authority 
of the FTC in that regard.

State ``Unfair and Deceptive Practices'' Authority

    According to an analysis prepared by FTC staff, ``All fifty states 
plus the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin 
Islands have enacted laws more or less like the Federal Trade 
Commission Act (``FTCA'') to prevent unfair or deceptive trade 
practices.'' FTC fact sheet, reprinted in Comment, Consumer Protection: 
The Practical Effectiveness of State Deceptive Trade Practices 
Legislation, 59 Tul. L. Rev. 427 (1984). In all cases, an enforcement 
agency has the authority ``to conduct investigations through the use of 
subpoenas or civil investigative demands, obtain assurances of 
voluntary compliance, to issue cease and desist orders or obtain court 
injunctions preventing the use of unfair, unconscionable or deceptive 
trade practices.'' Id. In 46 jurisdictions, the law allows private 
actions for actual, double, treble, or punitive damages and, in some 
cases, recovery of costs and attorney's fees. Id.
    Florida's Deceptive and Unfair Trade Practices Act, for example, 
authorizes the attorney general to investigate and file civil actions 
against ``unfair methods of competition, unfair, unconscionable or 
deceptive trade practices,'' including false or misleading advertising, 
misleading franchise or business opportunities, fraudulent 
telemarketing, and pyramid schemes. See also N.Y. General Business Law 
349 (prohibiting unfair acts and deceptive practices carried out in the 
course of business).
    A survey conducted this year by the National Association of 
Attorneys General (NAAG) confirms these findings. Of forty-three states 
that responded, all have ``mini-FTC'' statutes or other statutes that 
provide comparable protection. Also according to the NAAG survey, 39 
states indicated they would have the authority to hear complaints by 
non-residents. With respect to consumer privacy, in particular, 37 out 
of forty-one states that responded indicated that they would respond to 
complaints alleging that a company within their jurisdiction was not 
adhering to its self-declared privacy policy.

Damages for Breaches of Privacy, Legal Authorizations and Mergers 
and Takeovers in U.S. Law

July 19, 2000.

    This responds to the request by the European Commission for 
clarification of U.S. law with respect to (a) claims for damages for 
breaches of privacy, (b) ``explicit authorizations'' in U.S. law for 
the use of personal information in a manner inconsistent with the safe 
harbor principles, and (c) the effect of mergers and takeovers on 
obligations undertaken pursuant to the safe harbor principles.

A. Damages for Breaches of Privacy

    Failure to comply with the safe harbor principles could give rise 
to a number of private claims depending on the relevant circumstances. 
In particular, safe harbor organizations could be held liable for 
misrepresentation for failing to adhere to their stated privacy 
policies. Private causes of action for damages for breaches of privacy 
are also available under common law. Many federal and state statutes on 
privacy also provide for the recovery of damages by private individuals 
for violations.
The Right To Recover Damages for Invasion of Personal Privacy is Well 
Established Under U.S. Common Law
    Use of personal information in a manner inconsistent with the safe 
harbor principles can give rise to legal liability under a number of 
different legal theories. For example, both the transferring data 
controller and the individuals affected could sue the safe harbor 
organization which fails to honor its safe harbor commitments for 
misrepresentation. According to the Restatement of the Law, Second, 
Torts \19\:
---------------------------------------------------------------------------

    \19\ Second Restatement of the Law--Torts; American Law 
Institute (1997).

    One who fraudulently makes a misrepresentation of fact, opinion, 
intention or law for the purpose of inducing another to act or to 
refrain from action in reliance upon it, is subject to liability to 
the other in deceit for pecuniary loss caused to him by his 
---------------------------------------------------------------------------
justifiable reliance upon the misrepresentation.

    Restatement, Sec. 525. A misrepresentation is ``fraudulent'' if it 
is made with the knowledge or in the belief that it is false. Id., 
Sec. 526. As a general rule, the maker of a fraudulent 
misrepresentation is potentially liable to everyone who he intends or 
expects to rely on that misrepresentation for any pecuniary loss they 
might suffer as a result. Id., Sec. 531. Furthermore, a party who makes 
a fraudulent misrepresentation to another could be liable to a third-
party if the tortfeasor intends or expects that his misrepresentation 
would be repeated to and acted upon by the third-party. Id., Sec. 533.
    In the context of the safe harbor, the relevant representation is 
the organization's public declaration that it will adhere to the safe 
harbor principles. Having made such a commitment, a conscious failure 
to abide by the principles could be grounds for a cause of action for 
misrepresentation by those who relied on the misrepresentation. Because 
the commitment to adhere to the principles is made to the public at 
large, the individuals who are the subjects of that information as well 
as the data controller in Europe that transfers personal information to 
the U.S. organization could all have causes of action against the U.S. 
organization for misrepresentation.\20\ Moreover, the U.S. organization 
remains liable to them for the ``continuing misrepresentation'' for as 
long as they rely on the misrepresentation to their detriment. 
Restatement, Sec. 535.
---------------------------------------------------------------------------

    \20\ This might be the case, for example, where the individuals 
relied on the U.S. organization's safe harbor commitments in giving 
their consent to the data controller to transfer their personal 
information to the United States.
---------------------------------------------------------------------------

    Those who rely on a fraudulent misrepresentation have a right to 
recover damages. According to the Restatement:


[[Page 45679]]


    The recipient of a fraudulent misrepresentation is entitled to 
recover as damages in an action of deceit against the maker the 
pecuniary loss to him of which the misrepresentation is a legal 
cause.

    Restatement, Sec. 549. Allowable damages include actual out-of-
pocket loss as well as the lost ``benefit of the bargain'' in a 
commercial transaction. Id.; see, e.g., Boling v. Tennessee State Bank, 
890 S.W.2d 32 (1994) (bank liable to borrowers for $14,825 in 
compensatory damages for disclosing borrowers' personal information and 
business plans to bank president who had a conflicting interest).
    Whereas fraudulent misrepresentation requires either actual 
knowledge or at least the belief that the representation is false, 
liability can also attach for negligent misrepresentation. According to 
the Restatement, whoever makes a false statement in the course of his 
business, profession, or employment, or in any pecuniary transaction 
can be held liable ``if he fails to exercise reasonable care or 
competence in obtaining or communicating the information.'' 
Restatement, Sec. 552(1). In contrast with fraudulent 
misrepresentations, damages for negligent misrepresentation are limited 
to out-of-pocket loss. Id., Sec. 552B(1).
    In a recent case, for example, the Superior Court of Connecticut 
held that a failure by an electric utility to disclose its reporting of 
customer payment information to national credit agencies sustained a 
cause of action for misrepresentation. See Brouillard v. United 
Illuminating Co., 1999 Conn. Super. LEXIS 1754. In that case, the 
plaintiff was denied credit because the defendant reported payments not 
received within thirty days of the billing date as ``late''. The 
plaintiff alleged that he had not been informed of this policy when he 
opened a residential electric service account with the defendant. The 
court specifically held that ``a claim for negligent misrepresentation 
may be based on the defendant's failure to speak when he has a duty to 
do so.'' This case also shows that ``scienter'' or fraudulent intent is 
not a necessary element in a cause of action for negligent 
misrepresentation. Thus, a U.S. organization which negligently fails to 
fully disclose how it will use personal information received under the 
safe harbor could be held liable for misrepresentation.
    Insofar as a violation of the safe harbor principles entailed a 
misuse of personal information, it could also support a claim by the 
data subject for the common law tort of invasion of privacy. American 
law has long recognized causes of action relating to invasions of 
privacy. In a 1905 case,\21\ the Georgia Supreme Court found a right to 
privacy rooted in natural law and common law precepts in holding for a 
private citizen whose photograph had been used by a life insurance 
company, without his consent or knowledge, to illustrate a commercial 
advertisement. Articulating now-familiar themes in American privacy 
jurisprudence, the court found that the usage of the photograph was 
``malicious,'' ``false,'' and tended to ``bring plaintiff into ridicule 
before the world.'' \22\ The foundations of the Pavesich decision have 
prevailed with minor variations to become the bedrock of American law 
on this topic. State courts have consistently upheld causes of action 
in the realm of invasion of privacy, and at least 48 states now 
judicially recognize some such cause of action.\23\ Moreover, at least 
twelve states have constitutional provisions safeguarding their 
citizens' right to be free from intrusive actions,\24\ which in some 
cases could extend to protect against intrusion by non-governmental 
entities. See, e.g., Hill v. NCAA, 865 P.2d 633 (Ca. 1994); see also S. 
Ginder, Lost and Found in Cyberspace: Informational Privacy in the Age 
of the Internet, 34 S.D. L. Rev. 1153 (1997) (``Some state 
constitutions include privacy protections which surpass privacy 
protections in the U.S. Constitution. Alaska, Arizona, California, 
Florida, Hawaii, Illinois, Louisiana, Montana, South Carolina, and 
Washington have broader privacy protection.'')
---------------------------------------------------------------------------

    \21\ Pavesich v. New England Life Ins. Co., 50 S.E. 68 (Ga. 
1905)
    \22\ Id., at 69.
    \23\ An electronic search of the Westlaw database found 2703 
reported cases of civil actions in state courts that pertained to 
``privacy'' since 1995. We have previously provided the results of 
this search to the Commission.
    \24\ See, e.g., Alaska Constitution, Art. 1 Sec. 22; Arizona, 
Art. 2, Sec. 8; California, Art. 1, Sec. 1; Florida, Art. 1, Sec. 
23; Hawaii, Art. 1, Sec. 5; Illinois, Art. 1, Sec. 6; Louisiana, 
Art. 1, Sec. 5; Montana, Art. 2, Sec. 10; New York, Art. 1, Sec. 12; 
Pennsylvania, Art. 1, Sec. 1; South Carolina, Art. 1, Sec. 10; and 
Washington, Art. 1, Sec 7.
---------------------------------------------------------------------------

    The Second Restatement of Torts provides an authoritative overview 
of the law in this area. Reflecting common judicial practice, the 
Restatement explains that the ``right to privacy'' encompasses four 
distinct causes of action in tort under that umbrella. See Restatement, 
Sec. 652A. First, a cause of action for ``intrusion upon seclusion'' 
may lie against a defendant who intentionally intrudes, physically or 
otherwise, upon the solitude or seclusion of another or his private 
affairs or concerns.\25\ Second, an ``appropriation'' case may exist 
when one takes the name or likeness of another for his own use or 
benefit.\26\ Third, the ``publication of private facts'' is actionable 
when the matter publicized is of a kind that would be highly offensive 
to a reasonable person and is not of legitimate concern to the 
public.\27\ Lastly, an action for ``false light publicity'' is 
appropriate when the defendant knowingly or recklessly places another 
before the public in a false light that would be highly offensive to a 
reasonable person.\28\
---------------------------------------------------------------------------

    \25\ Id., at Chapter 28, Section 652B.
    \26\ Id., at Chapter 28, Section 652C.
    \27\ Id., at Chapter 28, Section 652D.
    \28\ Id., at Chapter 28, Section 652E.
---------------------------------------------------------------------------

    In the context of the safe harbor framework, ``intrusion upon 
seclusion'' could encompass the unauthorized collection of personal 
information whereas the unauthorized use of personal information for 
commercial purposes could give rise to a claim of appropriation. 
Similarly, the disclosure of personal information that is inaccurate 
would give rise to a tort of ``false light publicity'' if the 
information meets the standard of being highly offensive to a 
reasonable person. Finally, the invasion of privacy that results from 
the publication or disclosure of sensitive personal information could 
give rise to a cause of action for ``publication of private facts.'' 
(See examples of illustrative cases below.)
    On the issue of damages, invasions of privacy give the injured 
party the right to recover damages for:
    (a) The harm to his interest in privacy resulting from the 
invasion;
    (b) His mental distress proved to have been suffered if it is of a 
kind that normally results from such an invasion; and
    (c) Special damage of which the invasion is a legal cause.
    Restatement, Sec. 652H. Given the general applicability of tort law 
and the multiplicity of causes of action covering different aspects of 
privacy interests, monetary damages are likely to be available to those 
who suffer invasion of their privacy interests as a result of a failure 
to adhere to the safe harbor principles.
    Indeed, state courts are replete with cases alleging invasion of 
privacy in analogous situations. Ex Parte AmSouth Bancorporation et 
al., 717 So. 2d 357, for example, involved a class action that alleged 
the defendant ``exploited the trust depositors placed in the Bank, by 
sharing confidential information regarding Bank depositors and their 
accounts' to enable a bank affiliate to sell mutual funds and other

[[Page 45680]]

investments. Damages are often awarded in such cases. In Vassiliades v. 
Garfinckel's, Brooks Bros., 492 A.2d 580 (D.C.App. 1985), an appellate 
court reversed a lower court judgement to hold that the use of 
photographs of the plaintiff ``before'' and ``after'' plastic surgery 
in a presentation in a department store constituted an invasion of 
privacy through the publication of private facts. In Candebat v. 
Flanagan, 487 So.2d 207 (Miss. 1986), the defendant insurance company 
used an accident in which plaintiff's wife was seriously injured in an 
advertising campaign. Plaintiff sued for invasion of privacy. The court 
held that plaintiff could recover damages for emotional distress and 
appropriation of identity. Actions for misappropriation can be 
maintained even if the plaintiff is not personally famous. See, e.g., 
Staruski v. Continental Telephone Co., 154 Vt. 568 (1990) (defendant 
derived commercial benefit in using employee's name and photograph in 
newspaper advertisement). In Pulla v. Amoco Oil Co., 882 F.Supp. 836 
(S.D Iowa 1995), an employer intruded on plaintiff employee's seclusion 
by having another employee investigate his credit card records in order 
to verify his sick day absences. The court upheld a jury award of $2 in 
actual damages and $500,000 in punitive damages. Another employer was 
held liable for publishing a story in the company newspaper about an 
employee who was terminated for allegedly falsifying his employment 
records. See Zinda v. Louisiana-Pacific Corp., 140 Wis.2d 277 (Wis.App. 
1987). The story invaded the plaintiff's privacy by publication of a 
private matter because the newspaper circulated in the community. 
Finally, a college which tested students for HIV after telling them the 
blood test was for rubella only was held liable for intrusion upon 
seclusion. See Doe v. High-Tech Institute, Inc., 972 P.2d 1060 
(Colo.App. 1998). (For other reported cases, see Restatement, 
Sec. 652H, Appendix.)
    The United States is often criticized for being overly litigious, 
but this also means that individuals actually can, and do, pursue legal 
recourse when they believe they have been wronged. Many aspects of the 
U.S. judicial system make it easy for plaintiffs to bring suit, either 
individually or as a class. The legal bar, comparatively larger than in 
most other countries, makes professional representation readily 
available. Plaintiffs' counsel representing individuals in private 
claims will typically work on a contingency fee basis, allowing even 
poor or indigent plaintiffs to seek redress. This brings up an 
important factor--in the United States, each side typically bears its 
own lawyers' fees and other costs. This contrasts with the prevailing 
rule in Europe wherein the losing party has to reimburse the other side 
for costs. Without debating the relative merits of the two systems, the 
U.S. rule is less likely to deter legitimate claims by individuals who 
would not be able to pay the costs on both sides if they should lose.
    Individuals can sue for redress even if their claims are relatively 
small. Most, if not all U.S. jurisdictions, have small claims courts 
which provide simplified and less costly procedures for disputes below 
the statutory limits.\29\ The potential for punitive damages also 
offers a financial reward for individuals who might have suffered 
little direct injury to bring suit against reprehensible misconduct. 
Finally, individuals who have been injured in the same way can marshal 
their resources as well as their claims to bring a class-action 
lawsuit.
---------------------------------------------------------------------------

    \29\ We had previously provided the Commission with information 
on small-claims actions.
---------------------------------------------------------------------------

    A good example of the ability of individuals to bring suit to 
obtain redress is the pending litigation against Amazon.com for 
invasion of privacy. Amazon.com, the large online retailer, is the 
target of a class action, in which the plaintiffs allege that they were 
not told about, and did not consent to, the collection of personal 
information about them when they used a software program owned by 
Amazon called ``Alexa.'' In that case, plaintiffs have alleged 
violations of the Computer Fraud and Abuse Act in unlawful access to 
their stored communications and of the Electronic Communications 
Privacy Act for unlawful interception of their electronic and wire 
communications. They also claim an invasion of privacy under common 
law. This stems from a complaint filed by an Internet security expert 
in December. The suit seeks damages of $1,000 per class member, plus 
attorneys' fees and profits earned as a result of violations of laws. 
Given that the number of class members could be in the millions, 
damages could total billions of dollars. The FTC is also investigating 
the charges.
Federal and State Privacy Legislation Often Provides Private Causes of 
Action for Money Damages
    In addition to giving rise to civil liability under tort law, 
noncompliance with the safe harbor principles could also violate one or 
another of the hundreds of federal and state privacy laws. Many of 
these laws, which address both government and private-sector handling 
of personal information, allow individuals to sue for damages when 
violations occur. For example:
    Electronic Communications Privacy Act of 1986. The ECPA prohibits 
the unauthorized interception of cellular telephone calls and computer-
to-computer transmissions. Violations can result in civil liability of 
not less than $100 for each day of violation. The protection of the 
ECPA also extends to unauthorized access or disclosure of stored 
electronic communications. Violators are liable for damages suffered or 
forfeiture of profits generated by a violation.
    Telecommunications Act of 1996. Under section 702, customer 
proprietary network information (CPNI) may not be used for any purpose 
other than to provide telecommunications services. Service subscribers 
can either submit a complaint to the Federal Communications Commission 
or file suit in federal district court to recover damages and 
attorneys' fees.
    Consumer Credit Reporting Reform Act of 1996. The 1996 Act amended 
the Fair Credit Reporting Act of 1970 (FCRA) to require improved notice 
and right of access for credit reporting subjects. The Reform Act also 
imposed new restrictions on resellers of consumer credit reports. 
Consumers can recover damages and attorneys' fees for violations.
    State laws also protect personal privacy in a broad range of 
situations. Areas where the states have taken action include bank 
records, cable television subscriptions, credit reports, employment 
records, government records, genetic information and medical records, 
insurance records, school records, electronic communications, and video 
rentals.\30\
---------------------------------------------------------------------------

    \30\ A recent electronic search of the Westlaw database yielded 
994 reported states cases that related to damages and invasion of 
privacy.
---------------------------------------------------------------------------

B. Explicit Legal Authorizations

    The safe harbor principles contain an exception where statute, 
regulation or case law create ``conflicting obligations or explicit 
authorizations, provided that, in exercising any such authorization, an 
organization can demonstrate that its non-compliance with the 
principles is limited to the extent necessary to meet the overriding 
legitimate interests further by such authorization.'' Clearly, where 
U.S. law imposes a conflicting obligation, U.S. organizations whether 
in the safe harbor or not must comply with the law. As for explicit 
authorizations, while the safe harbor principles are intended to bridge 
the differences between the U.S. and European regimes for privacy 
protection, we owe deference to the legislative prerogatives of our 
elected

[[Page 45681]]

lawmakers. The limited exception from strict adherence to the safe 
harbor principles seeks to strike a balance to accommodate the 
legitimate interests on each side.
    The exception is limited to cases where there is an explicit 
authorization. Therefore, as a threshold matter, the relevant statute, 
regulation or court decision must affirmatively authorize the 
particular conduct by safe harbor organizations.\31\ In other words, 
the exception would not apply where the law is silent. In addition, the 
exception would apply only if the explicit authorization conflicts with 
adherence to the safe harbor principles. Even then, the exception ``is 
limited to the extent necessary to meet the overriding legitimate 
interests furthered by such authorization.'' By way of illustration, 
where the law simply authorizes a company to provide personal 
information to government authorities, the exception would not apply. 
Conversely, where the law specifically authorizes the company to 
provide personal information to government agencies without the 
individual's consent, this would constitute an ``explicit 
authorization'' to act in a manner that conflicts with the safe harbor 
principles. Alternatively, specific exceptions from affirmative 
requirements to provide notice and consent would fall within the 
exception (since it would be the equivalent of a specific authorization 
to disclose the information without notice and consent). For example, a 
statute which authorizes doctors to provide their patients' medical 
records to health officials without the patients' prior consent might 
permit an exception from the notice and choice principles. This 
authorization would not permit a doctor to provide the same medical 
records to health maintenance organizations or commercial 
pharmaceutical research laboratories, which would be beyond the scope 
of the purposes authorized by the law and therefore beyond the scope of 
the exception.\32\ The legal authority in question can be a ``stand 
alone'' authorization to do specific things with personal information, 
but, as the examples below illustrate, it is likely to be an exception 
to a broader law which proscribes the collection, use, or disclosure of 
personal information.
---------------------------------------------------------------------------

    \31\ As a point of clarification, the relevant legal authority 
will not have to specifically reference the safe harbor principles.
    \32\ Similarly, the doctor in this example could not rely on the 
statutory authority to override the individual's exercise of the 
opt-out from direct marketing provided by FAQ 12. The scope of any 
exception for ``explicit authorizations'' is necessarily limited to 
the scope of the authorization under relevant law.
---------------------------------------------------------------------------

Telecommunications Act of 1996
    In most cases, the authorized uses are either consistent with the 
requirements of the Directive and the principles, or would be permitted 
by one of the other allowed exceptions. For example, section 702 of the 
Telecommunications Act (codified at 47 U.S.C. Sec. 222) imposes a duty 
on telecommunications carriers to maintain the confidentiality of 
personal information that they obtain in the course of providing their 
services to their customers. This provision specifically allows 
telecommunications carriers to:

--Use customer information to provide telecommunications service, 
including the publication of subscriber directories;
--Provide customer information to others at the written request of the 
customer; and
--Provide customer information in aggregate form.

    See 47 U.S.C. Sec. 222(c)(1)-(3). The Act also allows 
telecommunications carriers an exception to use customer information:

--To initiate, render, bill, and collect for their services;
--To protect against fraudulent, abusive or illegal conduct; and
--To provide telemarketing, referral or administrative services during 
a call initiated by the customer.\33\
---------------------------------------------------------------------------

    \33\ The scope of this exception is very limited. By its terms, 
the telecommunications carrier can use CPNI only during a 
call initiated by the customer. Furthermore, we have been advised by 
the FCC that the telecommunications carrier may not use CPNI to 
market services beyond the scope of the customer's inquiry. Finally, 
since the customer must approve the use of CPNI for this purpose, 
this provision is not really an ``exception'' at all.
---------------------------------------------------------------------------

    Id., Sec. 222(d)(1)-(3). Finally, telecommunications carriers are 
required to provide subscriber list information, which can only include 
the names, addresses, telephone numbers and line of business for 
commercial customers to publishers of telephone directories. Id., 
Sec. 222(e).
    The exception for ``explicit authorizations'' might come into play 
when telecommunications carriers use CPNI to prevent fraud or other 
unlawful conduct. Even here, such actions could qualify as being in the 
``public interest'' and allowed by the principles for that reason.
Department of Health and Human Services Proposed Rules
    The Department of Health and Human Services (HHS) has proposed 
rules regarding standards for the privacy of individually identifiable 
health information. See 64 FR 59,918 (Nov. 3, 1999) (to be codified at 
45 CFR parts 160-164). The rules would implement the privacy 
requirements of the Health Insurance Portability and Accountability Act 
of 1996, Pub. L. 104-191. The proposed rules generally would prohibit 
covered entities (i.e. health plans, health care clearinghouses, and 
health providers that transmit health information in electronic format) 
from using or disclosing protected health information without 
individual authorization. See proposed 45 CFR Sec. 164.506. The 
proposed rules would require disclosure of protected health information 
for only two purposes: (1) To permit individuals to inspect and copy 
health information about themselves, see id. at Sec. 164.514; and (2) 
to enforce the rules, see id. at Sec. 164.522.
    The proposed rules would permit use or disclosure of protected 
health information, without specific authorization by the individual, 
in limited circumstances. These include for example oversight of the 
health care system, law enforcement, and emergencies. See id. at 
Sec. 164.510. The proposed rules set out in detail the limits on these 
uses and disclosures. Moreover, permitted uses and disclosures of 
protected health information would be limited to the minimum amount of 
information necessary. See id. at Sec. 164.506.
    The permissive uses explicitly authorized by the proposed 
regulations are generally consistent with the safe harbor principles or 
are otherwise allowed by another exception. For example, law 
enforcement and judicial administration are permitted, as is medical 
research. Other uses, such as oversight of the health care system, 
public health function, and government health data systems, serve the 
public interest. Disclosures to process health care payments and 
premiums are necessary to the provision of health care. Uses in 
emergencies, to consult with next-of-kin regarding treatment where the 
patient's consent ``cannot practicably or reasonably be obtained,'' or 
to determine the identity or cause of death of the deceased protect the 
vital interests of the data subject and others. Uses for the management 
of active duty military and other special classes of individuals aid 
the proper execution of the military mission or similar exigent 
situations; and in any event, such uses will have little if any 
application to consumers in general.
    This leaves only the use of personal information by health care 
facilities to produce patient directories. While such use might not 
rise to the level of a

[[Page 45682]]

``vital'' interest, the directories do benefit patients and their 
friends and relations. Also, the scope of this authorized use is 
inherently limited. Therefore, reliance on the exception in the 
principles for uses ``explicitly authorized'' by law for this purpose 
presents minimal risk to the privacy of patients.
Fair Credit Reporting Act
    The European Commission has expressed the concern that the 
``explicit authorizations'' exception would ``effectively create an 
adequacy finding'' for the Fair Credit Reporting Act (FCRA). This would 
not be the case. In the absence of a specific adequacy finding for the 
FCRA, those U.S. organizations that would otherwise rely on such a 
finding, would have to promise to adhere to the safe harbor principles 
in all respects. This means that where FCRA requirements exceed the 
level of protection embodied in the principles, the U.S. organizations 
need only to obey the FCRA. Conversely, where the FCRA might fall 
short, then those organizations would need to bring their information 
practices into conformity with the principles. The exception would not 
alter this basic assessment. By its terms, the exception applies only 
where the relevant law explicitly authorizes conduct that would be 
inconsistent with the safe harbor principles. The exception would not 
extend to where FCRA requirements merely do not meet the safe harbor 
principles.\34\
---------------------------------------------------------------------------

    \34\ Our discussion here should not be taken as an admission 
that the FCRA does not provide ``adequate'' protection. Any 
assessment of the FCRA must consider the protection provided by the 
statute in its entirety and not focus only on the exceptions as we 
do here.
---------------------------------------------------------------------------

    In other words, we do not intend the exception to mean that 
whatever is not required is therefore ``explicitly authorized.'' 
Furthermore, the exception applies only when what is explicitly 
authorized by U.S. law conflicts with the requirements of the safe 
harbor principles. The relevant law must meet both of these elements 
before non-adherence with the principles would be permitted.
    Section 604 of the FCRA, for example, explicitly authorizes 
consumer reporting agencies to issue consumer reports in various 
enumerated situations. See FCRA, Sec. 604. If in so doing, section 604 
authorizes credit reporting agencies to act in conflict with the safe 
harbor principles, then the credit reporting agencies would need to 
rely on the exception (unless, of course, some other exception 
applied). Credit reporting agencies must obey court orders and grand 
jury subpoenas, and use of credit reports by government licensing, 
social and child support enforcement agencies serves a public purpose. 
Id., Sec. 604(a)(1), (3)(D), and (4). Consequently, the credit 
reporting agency would not need to rely on the ``explicit 
authorization'' exception for these purposes. Where it acts in 
accordance with written instructions by the consumer, the consumer 
reporting agency would be fully in compliance with the safe harbor 
principles. Id., Sec. 604(a)(2). Likewise, consumer reports can be 
procured for employment purposes only with the consumer's written 
authorization (id., Secs. 604(a)(3)(B) and (b)(2)(A)(ii)) and for 
credit or insurance transactions that are not initiated by the consumer 
only if the consumer had not opted out from such solicitations (id., 
Sec. 604(c)(1)(B)). Also, FCRA prohibits credit reporting agencies from 
providing medical information for employment purposes without the 
consent of the consumer. Id., Sec. 604(g). Such uses comport with the 
notice and choice principles. Other purposes authorized by section 604 
entail transactions involving the consumer and would be permitted by 
the principles for that reason. See id., Sec. 604(a)(3)(A) and (F).
    The remaining use ``authorized'' by section 604 relates to 
secondary credit markets. Id., Sec. 604(a)(3)(E). There is no conflict 
between use of consumer reports for this purpose and the safe harbor 
principles per se. It is true that the FCRA does not require credit 
reporting agencies, for example, to give notice and consent to 
consumers when they issue reports for this purpose. However, we 
reiterate the point that the absence of a requirement does not connote 
an ``explicit authorization'' to act in a manner other than as 
required. Similarly, section 608 allows credit reporting agencies to 
provide some personal information to government agencies. This 
``authorization'' would not justify a credit reporting agency ignoring 
its commitments to adhere to the safe harbor principles. This contrasts 
with our other examples where exceptions from affirmative notice and 
choice requirements operate to explicitly authorize uses of personal 
information without notice and choice.
Conclusion
    A distinct pattern emerges even from our limited review of these 
statutes:
     The ``explicit authorization'' in the law generally 
permits the use or disclosure of personal information without the 
individual's prior consent; thus, the exception would be limited to the 
notice and choice principles.
     In most cases, the exceptions authorized by the law are 
narrowly drawn to apply in specific situations for specific purposes. 
In all cases, the law otherwise prohibits the unauthorized use or 
disclosure of personal information that does not fall within these 
limits.
     In most cases, reflecting their legislative character, the 
authorized use or disclosure serves a public interest.
     In almost all cases, the authorized uses are either fully 
consistent with the safe harbor principles or fall into one of the 
other allowed exceptions.
    In conclusion, the exception for ``explicit authorizations'' in the 
law will, by its nature, likely be rather limited in scope.

C. Mergers and Takeovers

    The Article 29 Working Party expressed concern over situations 
where an organization within the safe harbor is taken over by, or 
merged with, a firm which has not made a commitment to follow the safe 
harbor principles. The Working Party, however, appears to have assumed 
that the surviving firm would not be bound to apply the safe harbor 
principles to personal information held by the firm that is taken over, 
but that is not necessarily the case under U.S. law. The general rule 
in the United States as to mergers and takeovers is that a company 
which acquires the outstanding stock of another corporation generally 
assumes the obligations and liabilities of the acquired firm. See 15 
Fletcher Cyclopedia of the Law of Private Corporations Sec. 7117 
(1990); see also Model Bus. Corp. Act Sec. 11.06(3) (1979) (``the 
surviving corporation has all liabilities of each corporation party to 
the merger''). In other words, the surviving firm in a merger or 
takeover of a safe harbor organization by this method would be bound by 
the latter's safe harbor commitments.
    Moreover, even if the merger or takeover were effectuated through 
the acquisition of assets, the liabilities of the acquired enterprise 
could nevertheless bind the acquiring firm in certain circumstances. 15 
Fletcher, Sec. 7122. Even where liabilities did not survive the merger, 
however, it is worth noting that they also would not survive a merger 
where the data were transferred from Europe pursuant to a contract--the 
only viable alternative to the safe harbor for data transfers to the 
United States. In addition, the safe harbor documents as revised now 
require any safe harbor organization to notify the Department of 
Commerce of any takeover and permit data to continue to be transferred 
to the

[[Page 45683]]

successor organization only if the successor organization joins the 
safe harbor. See FAQ 6. Indeed, the United States has now revised the 
safe harbor framework to require U.S. organizations in this situation 
to delete information they have received under the safe harbor 
framework if their safe harbor commitments will not continue or other 
suitable safeguards are not put in place.

July 14, 2000.
John Mogg, Director, DG XV, European Commission, Office C 107-6/72, 
Rue de la Loi, 200, 1049 Brussels, BELGIUM

Dear Mr. Mogg:
    I understand a number of questions have arisen with regard to my 
letter to you of March 29, 2000. To clarify our authority on those 
areas where questions have arisen, I am sending this letter, which, 
for future ease of reference, adds to and recapitulates some of the 
text of previous correspondence.
    In your visits to our offices and in your correspondence, you 
have raised several questions about the United States Federal Trade 
Commission's authority in the online privacy area. I thought it 
would be useful to summarize my prior responses and to provide 
additional information about the agency's jurisdiction over consumer 
privacy issues raised in your most recent letter. Specifically, you 
ask whether: (1) The FTC has jurisdiction over transfers of 
employment-related data if done in violation of the U.S. safe harbor 
principles; (2) the FTC has jurisdiction over non-profit privacy 
``seal'' programs; (3) the FTC Act applies equally to the offline as 
well as online world; and (4) what happens when the FTC's 
jurisdiction overlaps with other law enforcement agencies.

FTC Act Application to Privacy

    The Federal Trade Commission's legal authority in this area is 
found in Section 5 of the Federal Trade Commission Act (``FTC 
Act''), which prohibits ``unfair or deceptive acts or practices'' in 
or affecting commerce.\35\ A deceptive practice is defined as a 
representation, omission or practice that is likely to mislead 
reasonable consumers in a material fashion. A practice is unfair if 
it causes, or is likely to cause, substantial injury to consumers 
which is not reasonably avoidable and is not outweighed by 
countervailing benefits to consumers or competition.\36\
---------------------------------------------------------------------------

    \35\ 15 U.S.C. 45. The Fair Credit Reporting Act would also 
apply to Internet data collection and sales that meet the statutory 
definitions of ``consumer report'' and ``consumer reporting 
agency.''
    \36\ 15 U.S.C. 45(n).
---------------------------------------------------------------------------

    Certain information collection practices are likely to violate 
the FTC Act. For example, if a web site falsely claims to comply 
with a stated privacy policy or a set of self-regulatory guidelines, 
Section 5 of the FTC Act provides a legal basis for challenging such 
a misrepresentation as deceptive. Indeed, we have successfully 
enforced the law to establish this principle.\37\ In addition, the 
Commission has taken the position it may challenge particularly 
egregious privacy practices as unfair under Section 5 if such 
practices involve children, or the use of highly sensitive 
information, such as financial records \38\ and medical records. The 
Federal Trade Commission has and will continue to pursue such law 
enforcement actions through our active monitoring and investigative 
efforts, and through referrals we receive from self-regulatory 
organizations and others, including European Union member states.
---------------------------------------------------------------------------

    \37\ See GeoCities, Docket No. C-3849 (Final Order Feb. 12, 
1999) (available at www.ftc.gov/os/1999/9902/9823015d%26o.htm); 
Liberty Financial Cos., Docket No. C-3891 (Final Order Aug. 12, 
1999) (available at www.ftc.gov/opa/1999/9905/younginvestor.htm). 
See also Children's Online Privacy Protection Act Rule (COPPA), 16 
C.F.R. Part 312 (available at www.ftc.gov/opa/1999/9910/childfinal.htm). The COPPA Rule, which became effective last month, 
requires operators of Web sites directed to children under 13, or 
who knowingly collect personal information from children under 13, 
to implement the fair information practice standards enunciated in 
the Rule.
    \38\ See FTC v. Touch Tone, Inc., Civil Action No. 99-WM-783 
(D.Co.) (filed April 21, 1999) at www.ftc.gov/opa/1999/9904/touchtone.htm>. Staff Opinion Letter, July 17, 1997, issued in 
response to a petition filed by the Center for Media Education, at 
www.ftc.gov/os/1997/9707/cenmed.htm>.
---------------------------------------------------------------------------

Backstop Self-Regulation

    The FTC will give priority to referrals of non-compliance with 
self-regulatory guidelines received from organizations such as 
BBBOnline and TRUSTe.\39\ This approach would be consistent with our 
longstanding relationship with the National Advertising Review Board 
(NARB) of the Better Business Bureau, which refers advertising 
complaints to the FTC. The National Advertising Division (NAD) of 
NARB resolves complaints, through an adjudicative process, 
concerning national advertising. When a party refuses to comply with 
an NAD decision, a referral is made to the FTC. FTC staff reviews 
the challenged advertising on a priority basis to determine if it 
violates the FTC Act, and often is successful in stopping the 
challenged conduct or convincing the party to return to the NARB 
process.
---------------------------------------------------------------------------

    \39\ Indeed, the FTC recently filed a complaint in federal 
district court against a TRUSTe sealholder, Toysmart.com, seeking 
injunctive and declaratory relief to prevent the sale of 
confidential, personal customer information collected on the company 
Web site in violation of its own privacy policy. The FTC learned of 
this possible law violation directly from TRUSTe. FTC v. 
Toysmart.com, LLC, Civil Action No. 00-11341-RGS (D.Ma.) (filed July 
11, 2000) (available at www.ftc.gov/opa/2000/07/toysmart.htm).
---------------------------------------------------------------------------

    Similarly, the FTC will give priority to referrals of non-
compliance with safe harbor principles from EU member states. As 
with referrals from U.S. self-regulatory organizations, our staff 
will consider any information bearing upon whether the conduct 
complained of violates Section 5 of the FTC Act. This commitment can 
also be found in the safe harbor principles under the Frequently 
Asked Question (FAQ 11) on enforcement.

GeoCities: The FTC's First Online Privacy Case

    The Federal Trade Commission's first Internet privacy case, 
GeoCities, was based on the Commission's authority under Section 
5.\40\ In that case, the FTC alleged that GeoCities misrepresented, 
both to adults and children, how their personal information would be 
used. The Federal Trade Commission's complaint alleged that 
GeoCities represented that certain personal identifying information 
it collected on its Web site was to be used only for internal 
purposes or to provide consumers with the specific advertising 
offers and products or services they requested, and that certain 
additional ``optional'' information would not be released to anyone 
without the consumer's permission. In fact, this information was 
disclosed to third parties who used it to target members for 
solicitations beyond those agreed to by the member. The complaint 
also charged that GeoCities engaged in deceptive practices relating 
to its collection of information from children. According to the 
FTC's complaint, GeoCities represented that it operated a children's 
area on its Web site and that the information collected there was 
maintained by GeoCities. In fact, those areas on the Web site were 
run by third-parties who collected and maintained the information.
---------------------------------------------------------------------------

    \40\ GeoCities, Docket No. C-3849 (Final Order Feb. 12, 1999) 
(available at www.ftc.gov/os/1999/9902/9823015d%26o.htm).
---------------------------------------------------------------------------

    The settlement prohibits GeoCities from misrepresenting the 
purpose for which it collects or uses personal identifying 
information from or about consumers, including children. The order 
requires the company to post on its Web site a clear and prominent 
Privacy Notice, telling consumers what information is being 
collected and for what purpose, to whom it will be disclosed, and 
how consumers can access and remove the information. To ensure 
parental control, the settlement also requires GeoCities to obtain 
parental consent before collecting personal identifying information 
from children 12 and under. Under the order, GeoCities is required 
to notify its members and provide them with an opportunity to have 
their information deleted from GeoCities' and any third parties' 
databases. The settlement specifically requires GeoCities to notify 
the parents of children 12 and under and to delete their 
information, unless a parent affirmatively consents to its retention 
and use. Finally, GeoCities also is required to contact third 
parties to whom it previously disclosed the information and request 
that those parties delete that information as well.\41\
---------------------------------------------------------------------------

    \41\ The Commission subsequently settled another matter 
involving the collection of personal information from children 
online. Liberty Financial Companies, Inc., operated the Young 
Investor website which was directed to children and teens, and 
focused on issues relating to money and investing. The Commission 
alleged that the site falsely represented that personal information 
collected from children in a survey would be maintained anonymously, 
and that participants would be sent an e-mail newsletter as well as 
prizes. In fact, the personal information about the child and the 
family's finances was maintained in an identifiable manner, and no 
newsletter or prizes were sent. The consent agreement prohibits such 
misrepresentations in the future and requires Liberty Financial to 
post a privacy notice on its children's sites and obtain verifiable 
parental consent before collecting personal identifying information 
from children. Liberty Financial Cos., Docket No. C-3891 (Final 
Order Aug. 12, 1999) (available at www.ftc.gov/opa/1999/9905/younginvestor.htm).

---------------------------------------------------------------------------

[[Page 45684]]

ReverseAuction.com

    In January 2000, the Commission approved a complaint against, 
and consent agreement with, ReverseAuction.com, an online auction 
site that allegedly obtained consumers' personally identifying 
information from a competitor site (eBay.com) and then sent 
deceptive, unsolicited e-mail messages to those consumers seeking 
their business.\42\ Our complaint alleged that ReverseAuction 
violated Section 5 of the FTC Act in obtaining the personally 
identifiable information, which included eBay users' e-mail 
addresses and personalized user identification names (``user IDs''), 
and in sending out the deceptive e-mail messages.
---------------------------------------------------------------------------

    \42\ See ReverseAuction.com, Inc., Civil Action No. 000032 
(D.D.C.) (filed January 6, 2000) (press release and pleadings at 
www.ftc.gov/opa/2000/01/reverse4.htm).
---------------------------------------------------------------------------

    As described in the complaint, before obtaining the information, 
ReverseAuction registered as an eBay user and agreed to comply with 
eBay's User Agreement and Privacy Policy. The agreement and policy 
protect consumers' privacy by prohibiting eBay users from gathering 
and using personal identifying information for unauthorized 
purposes, such as sending unsolicited commercial e-mail messages. 
Thus, our complaint first alleged that ReverseAuction misrepresented 
that it would comply with eBay's User Agreement and Privacy Policy, 
a deceptive practice under Section 5. In the alternative, the 
complaint alleged that ReverseAuction's use of the information to 
send the unsolicited commercial e-mail, in violation of the User 
Agreement and Privacy Policy, was an unfair trade practice under 
Section 5.
    Second, the complaint alleged that the e-mail messages to 
consumers contained a deceptive subject line informing each of them 
that his or her eBay user ID ``will expire soon.'' Finally, the 
complaint alleged that the e-mail messages falsely represented that 
eBay directly or indirectly provided ReverseAuction with eBay users' 
personally identifiable information, or otherwise participated in 
dissemination of the unsolicited e-mail.
    The settlement obtained by the FTC bars ReverseAuction from 
committing these violations in the future. It also requires 
ReverseAuction to provide notice to consumers who, as a result of 
receiving ReverseAuction's e-mail, registered or will register with 
ReverseAuction. The notice informs these consumers that their eBay 
users IDs were not about to expire on eBay, and that eBay did not 
know of, or authorize, ReverseAuction's dissemination of the 
unsolicited e-mail. The notice also provides these consumers with 
the opportunity to cancel registration with ReverseAuction and have 
their personal identifying information deleted from ReverseAuction's 
database. In addition, the order requires ReverseAuction to delete, 
and refrain from using or disclosing, the personal identifying 
information of eBay members who received ReverseAuction's e-mail but 
who have not registered with ReverseAuction. Finally, consistent 
with prior privacy orders obtained by this agency, the settlement 
requires ReverseAuction to disclose its own privacy policy on its 
Internet site, and contains comprehensive record keeping provisions 
to allow the FTC to monitor compliance.
    The ReverseAuction case demonstrates that the FTC is committed 
to using enforcement to buttress industry self-regulatory efforts in 
the area of online consumer privacy. Indeed, this case directly 
challenged conduct that undermined a Privacy Policy and User 
Agreement protecting consumers' privacy, and that could erode 
consumer confidence in privacy measures undertaken by online 
companies. Because this case involved the misappropriation by one 
company of consumer information protected by another company's 
privacy policy, it also may have particular relevance to the privacy 
concerns raised by the transfer of data between companies in 
different countries.
    Notwithstanding the Federal Trade Commission's law enforcement 
actions in GeoCities, Liberty Financial Cos., and ReverseAuction, 
the agency's authority in some areas of online privacy is more 
limited. As noted above, to be reachable under the FTC Act, the 
collection and use of personal information without consent must 
constitute either a deceptive or unfair trade practice. Thus, the 
FTC Act likely would not address the practices of a Web site that 
collected personally identifiable information from consumers, but 
neither misrepresented the purpose for which the information was 
collected, nor used or released the information in a way that was 
likely to cause substantial injury to consumers. Also, it currently 
may not be within the FTC's power to broadly require that entities 
collecting information on the Internet adhere to a privacy policy or 
to any particular privacy policy.\43\ As stated above, however, a 
company's failure to abide by a stated privacy policy is likely to 
be a deceptive practice.
---------------------------------------------------------------------------

    \43\ For this reason, the Federal Trade Commission stated in 
Congressional testimony that additional legislation probably would 
be required to mandate that all U.S. commercial Web sites directed 
toward consumers abide by specified fair information practices. 
``Consumer Privacy on the World Wide Web,'' Before the Subcommittee 
on Telecommunications, Trade and Consumer Protection of the House 
Committee on Commerce United States House of Representatives, July 
21, 1998 (the testimony can be found at www.ftc.gov/os/9807/privac98.htm). The FTC deferred calling for such legislation in 
order to give self-regulatory efforts the opportunity to demonstrate 
widespread adoption of fair information practices on Web sites. In 
the Federal Trade Commission's report to Congress on online privacy, 
``Privacy Online: A Report to Congress,'' June 1998 (the report can 
be found at www.ftc.gov/reports/privacy3/toc.htm), the FTC 
recommended legislation to require that commercial Web sites obtain 
parental consent before collecting personally identifiable 
information from children under 13 years old. See footnote 3 supra. 
Last year, the FTC's report, ``Self-Regulation and Privacy Online: A 
Federal Trade Commission Report to Congress,'' July 1999 (the report 
can be found at www.ftc.gov/os/1999/9907/index.htm#13,) found 
sufficient progress in self-regulation and, accordingly, chose not 
to recommend legislation at that time.
    In May 2000, the Commission issued a third report to Congress, 
``Privacy Online: Fair Information Practices in the Electronic 
Marketplace,'' (the report can be found at www.ftc.gov/os/2000/05/index.htm#22) which discusses the FTC's recent survey of commercial 
Web sites and their compliance with fair information practices. The 
report also recommended (by a majority of the Commission) that 
Congress enact legislation that would set forth a basic level of 
privacy protection for consumer-oriented commercial Web sites.
---------------------------------------------------------------------------

    Furthermore, the FTC's jurisdiction in this area covers unfair 
or deceptive acts or practices only if they are ``in or affecting 
commerce.'' Information collection by commercial entities that are 
promoting products or services, including collecting and using 
information for commercial purposes, would presumably meet the 
``commerce'' requirement. On the other hand, many individuals or 
entities may be collecting information online without any commercial 
purpose, and thereby may fall outside the Federal Trade Commission's 
jurisdiction. An example of this limitation involves ``chat rooms'' 
if operated by noncommercial entities, e.g., a charitable 
organization.
    Finally, there are a number of full or partial statutory 
exclusions from the FTC's basic jurisdiction over commercial 
practices that limit the FTC's ability to provide a comprehensive 
response to Internet privacy concerns. These include exemptions for 
many information intensive consumer businesses such as banks, 
insurance companies and airlines. As you are aware, other federal or 
state agencies would have jurisdiction over those entities, such as 
the federal banking agencies or the Department of Transportation.
    In cases where it does have jurisdiction, the FTC accepts and, 
resources permitting, acts on consumer complaints received by mail 
and telephone in its Consumer Response Center (``CRC'') and, more 
recently, on its Web site.\44\ The CRC accepts complaints from all 
consumers, including those residing in European Union member states. 
The FTC Act provides the Federal Trade Commission equitable power to 
obtain injunctive relief against future violations of the FTC Act, 
as well as redress for injured consumers. We would, however, look to 
see whether the company has engaged in a pattern of improper 
conduct, as we do not resolve individual consumer disputes. In the 
past, the Federal Trade Commission has provided redress for citizens 
of both the United States and other countries.\45\ The FTC will 
continue to assert its authority, in appropriate cases, to provide 
redress to citizens of other countries who have been injured by 
deceptive practices under its jurisdiction.
---------------------------------------------------------------------------

    \44\ See https://www.ftc.gov/ftc/complaint.htm for the Federal 
Trade Commission's online complaint form.
    \45\ For example, in a recent case involving an Internet pyramid 
scheme, the Commission obtained refunds for 15,622 consumers 
totaling approximately $5.5 million. The consumers resided in the 
United States and 70 foreign countries. See www.ftc.gov/opa/9807/fortunar.htm; www.ftc.gov/opa/9807/ftcrefund01.htm.

---------------------------------------------------------------------------

[[Page 45685]]

Employment Data

    Your most recent letter sought additional clarification 
concerning the FTC's jurisdiction in the area of employment data. 
First, you pose the question whether the FTC could take action under 
Section 5 against a company that represents it complies with U.S. 
safe harbor principles but transfers or uses employment-related data 
in a manner that violates these principles. We want to assure you 
that we have carefully reviewed the FTC authorizing legislation, 
related documents, and relevant case law and have concluded that the 
FTC has the same jurisdiction in the employment-related data 
situation as it would generally under Section 5 of the FTC Act.\46\ 
That is to say, assuming a case met our existing criteria 
(unfairness or deception) for a privacy-related enforcement action, 
we could take action in the employment-related data situation.
---------------------------------------------------------------------------

    \46\ Except as specifically excluded by the FTC's authorizing 
statute, the FTC's jurisdiction under the FTC Act over practices 
``in or affecting commerce'' is coextensive with the constitutional 
power of Congress under the Commerce Clause, United States v. 
American Building Maintenance Industries, 422 U.S. 271, 277 n. 6 
(1975). The FTC's jurisdiction would thus encompass employment-
related practices in firms and industries in international commerce.
---------------------------------------------------------------------------

    We also would like to dispel any view that the FTC's ability to 
take privacy-related enforcement action is limited to situations 
where a company has deceived individual consumers. In fact, as the 
Commission's recent action in the ReverseAuction \47\ matter makes 
clear, the FTC will bring privacy-related enforcement actions in 
situations involving data transfers between companies, where one 
company allegedly has acted unlawfully vis a vis another company, 
leading to possible injury to both consumers and companies. We 
expect this situation is the one in which the employment issue is 
most likely to arise, as employment data about Europeans is 
transferred from European companies to American companies that have 
pledged to abide by the safe harbor principles.
---------------------------------------------------------------------------

    \47\ See ``Online Auction Site Settles FTC Privacy Charges,'' 
FTC News Release (Jan. 6, 2000), available at http://www.ftc.gov/opa/2000/01/reverse4.htm.
---------------------------------------------------------------------------

    We do wish to note one circumstance in which FTC action would be 
circumscribed, however. This would occur in situations in which the 
matter is already being addressed in a traditional labor law dispute 
resolution context, most likely a grievance/arbitration claim or an 
unfair labor practice complaint at the National Labor Relations 
Board. This would occur, for example, if an employer had made a 
commitment in a collective bargaining agreement regarding the use of 
personal data and an employee or union claimed that the employer had 
breached that agreement. The Commission would likely defer to that 
proceeding.\48\
---------------------------------------------------------------------------

    \48\ The determination whether conduct is an ``unfair labor 
practice'' or a violation of a collective bargaining agreement is a 
technical one that is ordinarily reserved to the expert labor 
tribunals who will hear the complaints, such as arbitrators and the 
NRLB.
---------------------------------------------------------------------------

Jurisdiction Over ``Seal'' Programs

    Second, you ask whether the FTC would have jurisdiction over 
``seal'' programs administering dispute resolution mechanisms in the 
United States that misrepresented their role in enforcing the ``safe 
harbor'' principles and handling individual complaints, even if such 
entities were technically ``not for profit.'' In determining whether 
we have jurisdiction over an entity that holds itself out as a non-
profit, the Commission closely analyzes whether the entity, while 
not seeking a profit for itself, furthers the profit of its members. 
The Commission has successfully asserted jurisdiction over such 
entities and as recently as May 24, 1999, the United States Supreme 
Court, in California Dental Association v. Federal Trade Commission, 
unanimously affirmed the Commission's jurisdiction over a voluntary 
nonprofit association of local dental societies in an antitrust 
matter. The Court held:

The FTC Act is at pains to include not only an entity ``organized to 
carry on business for its own profit,'' 15 U. S. C. Sec. 44, but 
also one that carries on business for the profit ``of its members.'' 
* * *. It could, indeed, hardly be supposed that Congress intended 
such a restricted notion of covered supporting organizations, with 
the opportunity this would bring with it for avoiding jurisdiction 
where the purposes of the FTC Act would obviously call for asserting 
it.

    In sum, determining whether to assert jurisdiction over a 
particular ``non-profit'' entity administering a seal program would 
require a factual review of the extent to which the entity provided 
economic benefit to its for-profit members. If such an entity 
operated its seal program in a manner that provided an economic 
benefit to its members, the FTC likely would assert its 
jurisdiction. As a separate point, the FTC likely would have 
jurisdiction over a fraudulent seal program that misrepresents its 
status as a non-profit entity.

Privacy in the Offline World

    Third, you note that our prior correspondence has focused on 
privacy in the online world. While online privacy has been a major 
concern of the FTC as a critical component to the development of 
electronic commerce, the FTC Act dates back to 1914 and applies 
equally in the offline world. Thus, we can pursue offline firms that 
engage in unfair or deceptive trade practices with regard to 
consumers' privacy.\49\ In fact, in a case brought by the Commission 
last year, FTC v. TouchTone Information, Inc.,\50\ an ``information 
broker'' was charged with illegally obtaining and selling consumers' 
private financial information. The Commission alleged that Touch 
Tone obtained consumers' information by ``pretexting,'' a term of 
art coined by the private investigation industry to describe the 
practice of getting personal information about others under false 
pretenses, typically on the telephone. The case, filed April 21, 
1999, in federal court in Colorado, seeks an injunction and all 
illegally gained profits.
---------------------------------------------------------------------------

    \49\ As you know from earlier discussions, the Fair Credit 
Reporting Act also gives the FTC the authority to protect consumers' 
financial privacy within the purview of the Act and the Commission 
recently issued a decision pertaining to this issue. See In the 
Matter of Trans Union, Docket No. 9255 (March 1, 2000) (press 
release and opinion available at www.ftc.gov/os/2000/03/index.htm#1).
    \50\ Civil Action 99-WM-783 (D.Colo.) (available at http://www.ftc.gov/opa/1999/9904/touchtone.htm) (tentative consent decree 
pending).
---------------------------------------------------------------------------

    This law enforcement experience, as well as recent concerns 
about the merging of offline and online databases, the blurring of 
distinctions between online and offline merchants, and the fact that 
a vast amount of personal identifying information is collected and 
used offline, make clear that significant attention to offline 
privacy issues is warranted.

Overlapping Jurisdiction

    Finally, you pose the question of the interplay of the FTC's 
jurisdiction with that of other law enforcement agencies, 
particularly in cases where there is potentially overlapping 
jurisdiction. We have developed strong working relationships with 
numerous other law enforcement agencies, including the federal 
banking agencies and the state attorneys general. We very often 
coordinate investigations to maximize our resources in instances of 
overlapping jurisdiction. We also often refer matters to the 
appropriate federal or state agency for investigation.
    I hope this review is helpful. Please let me know if you need 
any further information.

    Sincerely,

Robert Pitofsky

July 14, 2000.

John Mogg, Director, DG XV, European Commission, Office C 107-6/72, 
Rue de la Loi, 200, 1049 Brussels, BELGIUM

Dear Director General Mogg:
    I am providing you this letter at the request of the U.S. 
Department of Commerce to explain the role of the Department of 
Transportation in protecting the privacy of consumers with respect 
to information provided by them to airlines.
    The Department of Transportation encourages self-regulation as 
the least intrusive and most efficient means of ensuring the privacy 
of information provided by consumers to airlines and accordingly 
supports the establishment of a ``safe harbor'' regime that would 
enable airlines to comply with the requirements of the European 
Union's privacy directive as regards transfers outside the EU. The 
Department recognizes, however, that for self-regulatory efforts to 
work, it is essential that the airlines that commit to the privacy 
principles set forth in the ``safe harbor'' regime in fact abide by 
them. In this regard, self-regulation should be backed by law 
enforcement. Therefore, using its existing consumer protection 
statutory authority, the Department will ensure airline compliance 
with privacy commitments made to the public, and pursue referrals of 
alleged non-compliance that we receive from self-regulatory 
organizations and others, including European Union member states.
    The Department's authority to take enforcement action in this 
area is found in 49 U.S.C. 41712 which prohibits a carrier

[[Page 45686]]

from engaging in ``an unfair or deceptive practice or an unfair 
method of competition'' in the sale of air transportation that 
results or is likely to result in consumer harm. Section 41712 is 
patterned after Section 5 of the Federal Trade Commission Act (15 
U.S.C. 45). However, air carriers are exempt from Section 5 
regulation by the Federal Trade Commission under 15 U.S.C. 45(a)(2).
    My office investigates and prosecutes cases under 49 U.S.C. 
41712. (See, e.g., DOT Orders 99-11-5, November 9, 1999; 99-8-23, 
August 26, 1999; 99-6-1, June 1, 1999; 98-6-24, June 22, 1998; 98-6-
21, June 19, 1998; 98-5-31, May 22, 1998; and 97-12-23, December 18, 
1997.) We institute such cases based on our own investigations, as 
well as on formal and informal complaints we receive from 
individuals, travel agents, airlines, and U.S. and foreign 
government agencies.
    I would point out that the failure by a carrier to maintain the 
privacy of information obtained from passengers would not be a per 
se violation of section 41712. However, once a carrier formally and 
publicly commits to the ``safe harbor'' principles of providing 
privacy to the consumer information it obtains, then the Department 
would be empowered to use the statutory powers of section 41712 to 
ensure compliance with those principles. Therefore, once a passenger 
provides information to a carrier that has committed to honoring the 
``safe harbor'' principles, any failure to do so would likely cause 
consumer harm and be a violation of section 41712. My office would 
give the investigation of any such alleged activity and the 
prosecution of any case evidencing such activity a high priority. We 
will also advise the Department of Commerce of the outcome of any 
such case.
    Violations of section 41712 can result in the issuance of cease 
and desist orders and the imposition of civil penalties for 
violations of those orders. Although we do not have the authority to 
award damages or provide pecuniary relief to individual 
complainants, we do have the authority to approve settlements 
resulting from investigations and cases brought by the Department 
that provide items of value to consumers either in mitigation or as 
an offset to monetary penalties otherwise payable. We have done so 
in the past, and we can and will do so in the context of the safe 
harbor principles when circumstances warrant. Repeated violations of 
section 41712 by any U.S. airline would also raise questions 
regarding the airline's compliance disposition which could, in 
egregious situations, result in an airline being found to be no 
longer fit to operate and, therefore, losing its economic operating 
authority. (See, DOT Orders 93-6-34, June 23, 1993, and 93-6-11, 
June 9, 1993. Although this proceeding did not involve section 
41712, it did result in the revocation of the operating authority of 
a carrier for a complete disregard for the provisions of the Federal 
Aviation Act, a bilateral agreement, and the Department's rules and 
regulations.)
    I hope that this information proves helpful. If you have any 
questions or need further information, please feel free to contact 
me.

    Sincerely,

Samuel Podberesky,
Assistant General Counsel for Aviation Enforcement and Proceeding.

[FR Doc. 00-18489 Filed 7-21-00; 8:45 am]
BILLING CODE 3510-DR-U