May 22, 1998
Via Facsimile Transmission
J. Beckwith Burr
Associate Administrator
National Telecommunications and Information Administration
Office of International Affairs
U.S. Department of Commerce
Room 1473
Washington, D.C. 20230
Dear Becky:
The U.S. Council for International Business (USCIB) appreciates the opportunity to provide you with our initial views on the Discussion Draft "Elements of Effective Self-Regulation for Protection of Privacy." The USCIB welcomes the Discussion Draft as a valuable contribution to the current discussions on effective self-regulation. The USCIB is committed to helping promote a viable model for privacy protection, a model that will be recognized by both the U.S. Government and foreign governments, ultimately leading to mutual recognition for various models of privacy protection.
As you know, the USCIB, representing 300 global corporations, professional firms and business associations, advances the global interests of American business both in the United States and abroad. It is the American affiliate of the International Chamber of Commerce (ICC), the Business and Industry Advisory Committee to the Organization for Economic Cooperation and Development (BIAC), and the International Organisation of Employers. As such, it officially represents U.S. business positions both in the main intergovernmental bodies and vis-a-vis foreign business communities and their governments.
The USCIB has been very active in promoting the OECD Guidelines on Privacy and Transborder Data Flows as the guiding principles for self-regulatory privacy initiatives. We continue to espouse a sectoral approach to privacy based on these broad principles. Implementation of principles of fair information practices and enforcement mechanisms will not and should not be uniform across all industry sectors: a one-size-fits-all approach is neither advisable nor appropriate. A sectoral approach recognizes that various industries handle different types of consumer information that require different approaches to protection, including different levels of enforcement. Effective sectoral self-regulation, augmented by privacy enhancing technologies, will provide the privacy protection consumers are calling for.
The USCIB supports the Principles of Fair Information Practices as set forth in the Discussion Draft. As stated in the document, the principles are consistent with those advanced by the OECD Guidelines on Privacy and Transborder Data Flows, to which USCIB members are committed. The USCIB also recognizes and appreciates the need for redress mechanisms in self-regulatory policies. We think that it is important to distinguish between the concepts of enforcement, indicating an external authority, and redress, indicating internal mechanisms designed to address consumer concerns and complaints. Development of effective redress mechanisms is an essential part of effective self-regulation that may obviate the need for recourse to other enforcement mechanisms and may be the most tailored solution to the problem.
The potential cost of such mechanisms is of concern to U.S. industry. Self-regulatory enforcement mechanisms must also be tailored according to the type of information, sector, and/or size of the company at issue. The USCIB also wants to highlight the need to focus on enforcement mechanisms which address harmful use of customer information. Our members welcome continued discussions with the U.S. Government on devising redress/enforcement mechanisms that are effective and commercially viable.
The USCIB is mindful of the public concerns related to privacy on the Internet and the Government’s call for substantial progress towards the development of more effective self-regulation with greater potential for redress/enforcement. We agree that consumers need to be better informed of what personal information companies are collecting and for what purposes. Consumers must also be provided with mechanisms to decline the collection of information and reasonable mechanisms to correct information. Lastly, consumers must have confidence that these practices, as set forth by the company or sector, will be adhered to and that mechanisms exist to address non-compliance.
In spurring business on to achieve the goals set forth above, some caution is advisable. While consumers are quick to highlight the concern for privacy in response to survey questions, it is very difficult to provide sufficient context surrounding these questions to get truly informed responses. The USCIB will work with our membership and U.S. business to increase education related to the beneficial results of collecting personally identifiable information. This might have an effect on public opinion survey responses. In addition, it is undeniable that consumers are increasingly expecting a personalized, customized web experience. This can only be provided by collecting personally identifiable information through the use of technologies such as cookies. Thus, business needs to inform consumers about the trade-offs.
It is also clear that business needs to more effectively refute the image of the Internet painted by some observers as a "Wild West" for privacy. The undeniable fact is that there have been very few cases of harmful privacy incursions as a result of information collected by companies on the Internet. It must be acknowledged that consumers need time to become comfortable with this new technology and its business practices. For example, it is only fairly recently that consumers have become comfortable with the concept of providing credit card numbers over the telephone. Consumer confidence will grow over time once consumers are more familiar with the Internet and industry efforts to protect individually identifiable information.
We support the need for business to develop and post credible and informative privacy practices, and to adhere to them, ultimately empowering consumers to make more informed decisions. Once consumers are better informed of their privacy options, business must provide consumers with the mechanisms to enable them to act on their decisions. There is no single approach or solution. Much of what needs to be accomplished may be achieved through the deployment of privacy enhancing technologies in conjunction with disclosure of corporate practices. In sectors that handle the most sensitive information, greater assurance and redress/enforcement mechanisms will need to be provided. The end that must be achieved is the empowerment of the consumer to exert reasonable controls over the collection and use of personally identifiable information by third parties.
Through our role as the U.S. member to BIAC, we have promoted the continued viability of the OECD Guidelines, while opposing the extraterritorial nature of the E.U. Directive which, to date, provides insufficient recognition of the validity of divergent legal and regulatory approaches to privacy. The USCIB has also been a leader in developing privacy solutions at the ICC. The following work is either underway or under consideration in these arenas: the drafting of model privacy contract clauses; the development of Net-based alternative dispute resolution mechanisms; the drafting of effective and credible Internet Service Provider privacy codes based on the OECD Guidelines; and the exploration of sealing or other identifying systems cross-referenced to secure on-line repositories.
The USCIB is also actively working to advance the dialogue and increase the understanding of the privacy issue within U.S. and international business. To that end, we sponsored an inter-industry association meeting to promote awareness of the issue, share information, and discuss the utility and parameters of joint efforts, concluding with a call to action to U.S. business to develop effective self-regulation mechanisms. Twenty-seven associations from a variety of industry sectors actively participated in the meeting and heard a call-to-action from Ira Magaziner and reports from several leading associations, namely, the Online Privacy Alliance, the Direct Marketing Association, the Information Reference Services Group, the Information Technology Policy Council, and Privacy & American Business. The USCIB will continue to work with other industry associations in this effort and has agreed to serve as a clearinghouse for self-regulatory mechanisms and to engage international business associations and their members in our efforts.
In addition, the USCIB has prepared a privacy "diagnostic," to be used by companies in developing effective privacy guidelines. The USCIB is currently in the process of widely disseminating the diagnostic to U.S. industry with the hopes of increasing the awareness of the need for U.S. industry to address this issue. The diagnostic is available on our website (www.uscib.org) and we will mail the diagnostic as a hardcopy attachment to this letter. We will also attach a list of questions that USCIB members would like to have answered by the E.U. regarding the implementation of the E.U. Data Protection Directive that we submitted to Barbara Wellbery, Special Counsel for Electronic Commerce, U.S. Department of Commerce, on April 13, 1998.
The USCIB looks forward to continuing our dialogue with the U.S. Government and working with it to promote the development of effective self-regulation of the protection of personally identifiable information in response to the legitimate concerns of consumers. We would be happy to discuss these comments in greater detail at your convenience.
Sincerely,
Edward J. Regan
Chair, Information Policy Committee
Charles Prescott
Chair, Working Group on Privacy and Transborder Data Flows
Enc.
Cc: Ira Magaziner
Barbara Wellbery
Paula Bruening