® BuscaLegis.ccj.ufsc.br

Data privacy approaches from US and EU perspectives

Gerhard Steinke *

Seattle Pacific University, Seattle, WA 98119, USA

Abstract

Consumers using the Internet often indicate that the privacy of their personal data is their foremost concern with the new technology. Di.erent approaches to data privacy and protection are found in the United States and the European Union – an emphasis on self-regulation in the former versus strict legal requirements in the latter. The implications of the recent ‘‘safe harbor’’ agreement may have a signi.cant impact on privacy expectations in the US.

1. Introduction

Internet and Web access is continuing to grow at phenomenal rates around the world. Individuals are using the Web for communication, as a resource for information, as well as a way to buy products and services. At the same time technological advances have made it possible for organizations to track consumer movements on the Web. Web site owners can collect, store, transfer and analyze vast amounts of data from and about individuals who visit their Web sites. Since the Internet transcends geographical boundaries, individuals sur.ng or buying products via the Web have little idea where the Web sites they are visiting are hosted. Web site owners, on the other hand, are trying to determine the impact of political boundaries and di.erent legal requirements.

The issue of the privacy of one’s personal data is often found to be the number one fear facing consumers using the Internet. In this paper, we examine the di.erent approaches to data privacy and protection found in the United States (US) and the European Union (EU) – particularly the implications of the recent ‘‘safe harbor’’ agreement. Consumers and legislators around the world must have con.dence that their personal data and the data of their fellow citizens is being adequately protected.

Only then will Web usage and electronic commerce continue to expand around the world.

2. Privacy concerns

Increasing sophistication in Web technology allows the collection of a variety of Web users’ personal information. Some of the information is being collected when users complete forms and .ll in the blanks – though they often do not know what the organization is going to do with the information. On the other hand, much information is gathered without the knowledge of the user – perhaps via cookies or other examination of their computer while visiting a Web site. In both cases, users have di.culty in controlling the collection, storage and the use – even the selling of their personal information.

Fear about privacy and the lack of trust continue to be the biggest barriers to the growth of online commerce. The Internet industry is built on trust between businesses and their customers – and privacy is the number one ingredient in trust.

Unless organizations using the Web e.ectively address the issue of privacy, they will lose the trust, and the business, of their customers. According to a review of recent surveys (TRUSTe, 2000):

• Loss of personal privacy was a top concern of Americans for the new century (selected by 29% of those surveyed).

• Among Internet users, 37% would be ‘‘a lot’’ more inclined to purchase on a site that had a privacy policy.

• Privacy/security is the foremost factor – selected by 68% of those surveyed – that would convert casual Internet users into buyers.

• For the most part, people are not yet willing to sacri.ce their online privacy for the sake of price or personalization.

• 68% of Web users are ‘‘not at all’’ comfortable with Web sites that merge their browsing habits and shopping patterns into a pro.le that was linked to their real name and identity.

• Among Internet users who do not shop, 63% are very concerned about the use of personal information.

• Among Internet shoppers, 41% are very concerned about the use of personal information.

• Amazon.com recently changed its privacy policy and informed customers about this change via email. Amazon’s new policy includes language that states that the company views data gathered about their customers as an asset, and as such could be bought or sold like any other company asset. Some customers and partners severed their ties with Amazon.

Web users want to be able to readily determine what privacy policy a company has and what happens to the information they provide on a Web site. Governments have been and are getting more involved in addressing privacy concerns brought by

consumers regarding the Web.

3. Privacy laws in the EU

Many European countries, particularly since the end of World War II, have created stringent privacy laws. Germany, France and the United Kingdom are known for their particularly rigorous privacy laws. One of the more recent laws related to privacy passed by the German Bundestag was the Information and Communication Services Act in 1997 (IuKDG, 1997). It contains the Teleservices Data Protection Act (TDDSG, 1997) that deals with the protection of personal data used in telecommunications.

The British government enacted the Data Protection Act in 1988 (DPA, 1998) that went into force in March 2000. It strengthened a 1984 act by adding protection for manual as well as electronic data records and created the position of Data Protection Commissioner with strong powers to oversee the implementation of the law. Another component of this law was the strengthening of individuals rights, e.g., to prevent personal data being used for direct marketing without the permission of the owner of the data.

To standardize the protection of data privacy, the European Union in 1995 enacted the EU Data Protection Directive (DPP, 1995) that took e.ect in 1998. The following are some of the requirements of the directive:

• An organization must inform individuals about the purposes for which it collects and uses information about them, how to contact the organization and the types of third parties to which it discloses the information.

• An organization must o.er individuals the opportunity to opt out whether their information can be used for a purpose besides the one for which it was originally gathered. For sensitive information such as medical conditions, racial or ethnic origin, political opinions, etc., consumers must be given a speci.c opt in choice before the information is disclosed to a third party.

• Each organization handling personal data must take reasonable steps to ensure its security and integrity.

• Individuals must have access to their personal information and be able to correct it. There must also be mechanisms to assure compliance with the directive, recourse for individuals who are a.ected by non-compliance and consequences for the organization when the directive is not followed.

• Corporations and governments are forbidden from using virtually any personal records for any purpose other than the original one, without explicit permission. (This is probably a major reason that European companies do not do as much database marketing or targeting individuals based on their demographic pro.les as US companies.)

• The directive also requires the creation of government data protection agencies, registration of databases with those agencies, and sometimes even prior approval before certain data may be processed.

• Personal data on EU citizens may only be transferred to countries outside the 15-nation block that adopt these rules or are deemed to provide ‘‘adequate protection’’ for the data.

This act forbids the transmission of some consumer data to companies in countries that do not live up to the same stringent data protection laws. In particular, this directive would prevent data about EU citizens being sent to the US, because the US

does not have the necessary data protection laws.

Companies such as Amazon.com, eBay, America Online, Lycos, Yahoo and Lands’ End have set up Web sites in European countries that are distinct from their American businesses – probably a main reason is to keep the data completely separate.

DoubleClick tracks the movements of Web users online; though they use cookies to track users in the US, they do not do so in Europe.

Living up to the European privacy requirements is costly – whether for a European or US organization. For example, if a company wants to outsource the handling of some of its personal data to an organization in another country or do a marketing campaign with such data, it must .rst notify the individuals concerned and give them the option of opting out.

The EU has determined that Switzerland and Hungary provide adequate protection so that personal data can be transferred from the EU to those countries (Emarketer, 2000). The EU is in the process of determining whether Canada’s new privacy law provides adequate protection.

4. US privacy position

The US, with few data protection laws, relies mostly on self-regulation and limited legislation. For example, in the US there is no federal protection for bank account, medical and personnel .les, credit card bills and telephone records. While the Fair Credit Reporting Act gives consumers the right to access and correct inaccurate .-nancial records, this information can be used and transferred among companies freely – without notifying the individuals concerned. The only federal privacy laws that exist for the commercial sector involve cable TV and video store records.

The Federal Trade Commission (FTC) has looked into privacy and electronic commerce in the US since 1995. The FTC expects that commercial Web sites that collect personal identifying information from or about consumers should be required to comply with the following four fair information practices (FTC, 1998):

• Notice: Web sites should provide clear notice of their information practices, what information they collect, how they collect it, how they use it and whether they disclose it to others.

• Choice: Web sites should o.er consumers choices as to whether their personal information can be used beyond the purpose for which it was provided.

• Access: Web sites should o.er consumers access to their information that a Web site has collected about them so the consumers could correct or even delete information.

• Security: Web sites should take reasonable steps to protect the security of the information they collect.

In its 1998 report, ‘‘Privacy Online’’, the FTC presented the results of a online privacy survey of commercial Web sites. The Commission found that 92% of the sample Web sites were collecting great amounts of personal information from consumers, yet only 14% disclosed anything about their information practices. Yet the FTC supported industry self-regulation above legislation, indicating that some means of sanctions for non-compliance with self-regulatory programs was probably necessary.

In a 1999 report to Congress, ‘‘Self regulation and privacy online’’, the FTC still supported self-regulation and asked that industry be given more time to achieve better data privacy. It reported that while all of the top 100 Web sites collected personal data, only 10% posted an easily accessible and detailed statement of their privacy management practices (FTC, 1999).

Early in 2000 the FTC conducted another survey of commercial Web sites and their privacy practices. They again found that most Web sites (97%) collect personal information about consumers; 88% of the randomly selected Web sites posted at least one privacy disclosure statement, yet only 20% of the Web sites followed some part of all four fair information practices (notice, choice, access and security; FTC, 2000). Only 41% of the sites of their random sample met the basic notice and choice standards.

Because of the slow progress of self-regulation, the FTC’s 2000 report to Congress recommended that Congress enact legislation that, in conjunction with continuing self-regulatory programs, will ensure adequate protection of consumer privacy online. It concluded that ‘‘without such protections, electronic commerce will not reach its full potential and consumers will not gain the con.dence they need in order to participate fully in the electronic marketplace’’.

While there have been some e.orts to initiate privacy legislation, US companies continue to .ght against these e.orts, proclaiming that self-regulation will work. A number of third party organizations such as TRUSTe and BBBOnline require companies to implement fair information practices and then monitor their compliance. In return these third party organizations will place their seal on the organization’s Web site, thereby providing the consumer with some assurance as to the privacy policy of the Web site. In the 2000 FTC survey, only 8% of the Web sites in their random sample displayed a privacy seal.

5. Safe harbor agreement

   The enactment of the EU Data Protection Directive has threatened to stop the transfer of personal data from EU countries to the US, since the US, with its limited privacy legislation, does not meet the adequacy standard. After many months of negotiations the EU and the US arrived at an agreement known as the safe harbor agreement which o.ers a convenient way of complying with the adequacy requirements of the EU Directive.

The safe harbor agreement allows US companies doing business in the EU to adhere to a code of business practices that allows them to conform to the EU Privacy Directive while continuing to follow industry self-regulation with the FTC rules as a backup. Companies must certify to the Commerce Department that they will follow the regulations of the EU directive. If a company does not live up to the agreement, they would be subject to prosecution by the FTC for deceptive business practices. Many see this safe harbor agreement as a victory for US self-regulation. Yet not everyone in the US supports the agreement. The National Business Coalition on ECommerce

and Privacy (NBCEP, 2000), a group led by GE and Fidelity Investments, complained that EU privacy principles are being e.ectively imposed on American businesses that far exceed any privacy requirements developed in the US.

This latter point of view may indeed be problematic in that American businesses operating under the safe harbor agreement will be providing Europeans more privacy rights than they currently accord US citizens.

6. Other e.orts for improvingdata privacy

The Platform for Privacy Preferences Project (P3P) is part of the World Wide Web Consortium’s (W3C) proposal for an international standard for online privacy and the e.ort to provide technology to support Web privacy (P3P, 2000). The P3P project aims to develop a variety of tools and services that give users greater control over personal information and enhance trust between Web services and individual users. P3P enables Web sites to express their privacy policy in a standardized scheme that can be parsed by the client computer. Speci.cally, P3P enables the owners of a Web site to translate their privacy practices into XML-based P3P statements that

can be retrieved automatically and easily interpreted by a P3P-enabled browser. This means that users can then easily .nd and understand the policies of a particular site, and make informed decisions on dealing with that site. The user then decides whether they would continue to visit the Web site under these conditions. P3P technology was created by representatives from organizations such as AT&T, HP, IBM, America Online, Microsoft and even the Direct Marketing Association, along with a strong international component including the representatives from the Privacy Commission in Ontario, Canada, and the Privacy Commissioner of Schleswig-

Holstein, Germany. P3P should soon be found in browsers. Further extensions of P3P will allow the software to store what information was provided to each Web site.

Recently chief executives of 72 corporations, participating in the Global Business Dialogue on E-commerce (GBDe, 2000) in Miami, called for global standards to safeguard personal information on the Internet. Their goal is for Internet vendors to clearly state their policies on the uses of personal data, give customers a chance to keep details private, as well as provide a contact for privacy complaints.

Third-party organizations have expanded their programs to provide safe harbor seals or self-certi.cation systems. TRUSTe claims to have over 2000 Web sites certi.ed under its existing programs. They also see themselves as providing an alternative dispute resolution process to the FTC. The self-certi.cation required by the safe harbor agreement with the EU can be accomplished via a third party such as the TRUSTe – and TRUSTe is advertising their self-certi.cation process.

7. Conclusion

   The worldwide use and impact of the Web has heightened sensitivity to other regions’ values and ideals. While privacy expectations and legal requirements di.er depending on culture and government, customers will prefer Web sites where a maximum of privacy protection is provided. If this privacy can be technically guaranteed, then consumers will be even more supportive of those Web sites and organizations.

References

DPP, 1995. EU Data Protection Directive. http://www.privacy.org/pi/intl_orgs/ec/eudp.html.

DPA, 1998. Data Protection Act. http://www.hmso.gov.uk/acts/acts1998/19980029.htm.

Emarketer, 2000. EUExecutive endorses data privacy pact with US. http://www.emarketer.com/etc/

404.htm.

FTC, 1998. FTC report: Privacy Online. http://www.ftc.gov/opa/1998/9807/privacyh.htm.

FTC, 1999. FTC report: Self-regulation and Privacy Online. http://www.ftc.gov/opa/1999/9907/report1999.

htm.

FTC, 2000. FTC report: Privacy Online – Fair Information Practices in the Electronic Marketplace. http://

www.ftc.gov/os/2000/05/testimonyprivacy.htm.

GBDe, 2000. Conference: CEOs Issue Web Privacy Standards. http://www.gbd.org/media/articles/

092600c.html.

IuKDG, 1997. Information and Communications Services Act (Informations-und Kommunikationsdienste-

Gesetz-IuKDG). http://www.iid.de/iukdg/iukdg_ke.html.

G. Steinke / Telematics and Informatics 19 (2002) 193–200 199

NBCEP, 2000. Letter from Susan D. Pinder, chair of the National Business Coalition on E-commerce and

Privacy, to the US. Commerce Department in response to the ‘‘safe-harbor’’ agreement under the

European Union Data Protection Directive: April 5, 2000. http://www.g2news.com/WebPostings/EUUSPrivacyDirective.

html.

P3P, 2000. P3P World Wide Web Consortium. http://www.w3.org.

TDDSG, 1997. Teleservices Data Protection Act, Teledienstedatenschutzgesetz, TDDSG. http://www.

iuscomp.org/gla/statutes/TDDSG.htm.

TRUSTe, 2000. How does online privacy impact your bottom line? http://www.truste.org/webpublishers/

pub_bottom.html.