Example: US versus EU internet privacy policy

This example clearing illustrates the nature of the conflict between efficiency and privacy over data. This section was created in Mar 99 after asking the question on the first exam of Informational Society.

Currently (1999) a major trade war is brewing between the European Union, EU, and the US over privacy over the internet. The EU has enacted tough privacy legislation for data collected through internet browsing and has prohibited data on EU citizens from leaving the EU to countries that do not have privacy standards for internet data equal to those of the EU.

We need to first define the difference in the approach taken to internet privacy by the US and the EU. Then we need to consider their social implications, and finally, we need to look to how far the US is likely to go to accommodate the Europeans.

EU internet privacy standards

Because of Hitler and his Gestapo, the Russians and the KGB, and the East Germans and their secret police, Europeans are very sensitive about the collection of vast data files on individuals. Also Europeans more the Americans looks towards government to provide solutions. In 1995 the EU enacted an internet privacy act to take effect in Oct 1998. This act gives individuals privacy rights on their personal data. Basically:

• Directive applies to any set of operations such as collection, storage, disclosure which is performed on personal data
  • Directive gives human persons rights over their data
  • Directive places obligations on data controllers (processors)
  • Member EU states allowed some variation in how they implement directive
• Data controllers:
  • Process data fairly and lawfully
  • Collected and processed for specific, explicit, legitimate purposes
  • Adequate and not excessive in relationship to purpose
  • Accurate and kept up to date. Must take reasonable steps
  • Identify individuals no longer than necessary
• Data can be processed if
  • Subject has unambiguously given consent
  • Legitimate interest for processing data such as contract
• Told what data will be collected and how it will be used.
• Data subjects have the right to view data in firms and to correct it if incorrect.
• Before any data can be given to 3rd parties, the individual must consent and has the right to opt out.
• In addition that data collection must be relevant to stated goal, there are tight rules on sensitive data such as medical, religious and political beliefs.
• Data may not flow to countries without proper privacy safeguards
• Each government will create an agency to police these data standards.

The EU privacy standard place a great deal of emphasis on individual privacy. How much this might affect the development of e-commerce in Europe is hard to estimate. Certainly, it will develop along different lines than in the US. For example, in the EU an internet firm such as Amazon.com could not personalize the site for each customer without first asking for the express permission of each customer.

US internet privacy policy

US privacy policy is not comprehensive as the US targets specific areas when considered needed. For example, there is no general privacy of medical records, but there is privacy about renting raunchy videos. ( I believe this came about because renting videos became an issue in the confirmation hearings of Lawyer Bork for the Supreme Court). Legislation has been enacted to deal with the following specific situations:

• 1970 Fair Credit Reporting Act regulating databases containing credit reports
• 1974 Privacy Act concerning government records on individuals
• 1984 Cable Act contains privacy provisions for subscribers records
• 1986 privacy protection of federal wiretap statute extended to new forms of communication including electronic mail and digital communication
• 1988 Video Privacy Protection Act to protect the privacy of video rental records
• 1991 Telephone consumer Protection Act to deal with autodialers and junk faxes

Although there are numerous bills become Congress and various state legislatures, currently (1999) the US internet privacy policy is market oriented. Firms can buy and sell data collected from cookies and recording mouse clicks to other firms. Privacy policy is a matter of each firm on the internet. One survey in Jun 98 reported that only 14% of 1400 firms surveyed even had a stated internet privacy policy.

It might seem that the market provides no mechanism promoting privacy. However, if the reader thinks about it firms who want repeat customers frequently need to be very discrete about personal information concerning their customers. So whether a firm will sell customer lists or be discrete varies greatly depending on the business in question. TRUSTe, an organization promoting privacy on the WEB, did a survey of potential E-commerce customers.

• 70% expressed concern over monitoring
• 70% worry about making purchases online
• 63% reluctant to divulge personal info unless the site make clear the use
• Expansion of e-commerce depends on addressing customers privacy concerns.

Let us look at the positive aspect of collecting information about customers online. Sites such as Amazon.com can personalize the site to the interests of the user. This is much more efficient in helping the customer to focus his or her search. Also, ads can be focused on the interests of the viewer. The Nirvana of advertisers to be able to present each individual with ads must likely to stir his or her interest. Why waste money giving a single adult a pampers ad; unless, of course, the single adult is taking care of an infant.

The negative aspect of collecting such data is that the individual has no control of such data and because firms buy and sell such data, interested parties can create giant databases filled with very extensive profiles on individuals. The potential for political and personal abuse is enormous.

Impact of EU privacy policy on the US

The absolute worst case scenario is that the EU denies US firms the right to do business in Europe where there is any possible human data transfer back to the US. Some examples include:

• Bar all e-commerce unless data about Europeans is processed in European and follows the new rules.
• Airline and Hotel firms could not transfer any data about European customers preferences such as eating and seating.
• Medical research data could not combine European and American data sets.
• Firms that need data about individuals such as accountant, insurers and investment bankers would be severely curtailed.

Some firms have made individual efforts to comply with the new European privacy directive. Citibank in collaboration with the German National Railway made an agreement to collectively launch the largest German credit card offering. In order to get approval the two firms had to negotiate for six months to institute numerous privacy protections to satisfy the new privacy directive. Another example is that Anitha Bondestam, the Swedish privacy watchdog instructed American Airlines to delete all health and medical details on Swedish passengers after each flight unless 'explicit consent' was given.

The US will probably do the minimum to improve internet privacy in order to be able to do business in Europe. One US idea is the concept of safe harbors, or corporations that satisfy the European directives being able to do business in Europe.

US firms realize that to greatly expand business on the internet they must provide customers with better security about personal data and a data environment where the customer clearly knows the privacy policy of the firm. To avoid stricter government regulations, firms will move to adopting some form of privacy standards. Two standards being considered by the World Wide Web Consortium are:

• Platform for Privacy Preferences : User sets privacy preferences in browser and the browser examines machine proposals sent by services. If agreement is reached personal data is transferred.
• Open Profiling Standard: Sixty companies support this standard. Mechanics are similar to the above in that user would maintain a file on his or her harddrive that he or she would release rather than filling in registration forms.

My forecast (Mar 99) as to the evolution of privacy on the internet is as follows:

• US will push hard for safe harbor firms in the US. Firms wishing to do business with Europeans will create these safe harbors that satisfy the new EU privacy standards. Citibank has already done this.
• In the US privacy will evolve in a compromise that tends to favor firm's interests in efficiency rather than individuals interests in privacy. An unregulated market provides a wide range of behavior some of which is very objectionable. After firms decide on some basic standards for regulating the flow of personal information they will have their lobbyists create a federal law to supersede all state laws.
  • This will allow the elimination of rouge firms that cause bad public relations for the firms that follow the weak privacy standard. The FTC will become the watch dog for privacy by expanding its current operations in this area.
    • This standard will probably require greater security for sensitive information such as medical, political or religious. Special restrictions about collecting info from children will probably be included.
  • Individuals will negotiate with firms the condition of privacy of their data. To simplify the process, pop up menus will appear to negotiate the conditions.
  • Firms will be able to sell data to other firms. Business lobbyists are likely to be able to fund more elections than privacy advocates.
  • Provided their are not a rash of horror stories, the privacy law in the US will emphasis efficiency over privacy. With a rash of horror stories, privacy advocates can marshal public opinion.

An interesting possible solution to internet privacy is the fact that since privacy is a service then entrepreneurs have incentives to create firms that provide customers privacy at a price. One such effort is anonymous surfing. The problem is whether such anonymous surfing is really anonymous. These firms do not solve the problem of firms selling your data to third parties. You might argue that if the individuals had better control over their data that they could care less. Zero-Knowledge Systems Inc. has taken an encryption approach to providing surfers complete privacy. This puts them at odds with the US government policy agencies who fear privacy promotes illegal activities. Zero-Knowledge Systems is based in Montreal to avoid the strict US encryption sales laws. They shut down their best service.

Surf the Net

I have selected sites that will have stories on privacy and the internet. News stories will also cover the topic, but they have a short life on the internet.

• EU Data Directive
• Actual Directive
• Safe Harbour: Method for US firms to do business in EU without violating EU Data Directive
• US Internet Privacy Law
• TRUSTe: Truste is the site for US self regulation by business.
• Online Privacy Alliance
• Privacy Online: A Report to Congress An FTC report
• Electronic Privacy Information Center
• Electronic Frontier Foundation
• Center for Democracy and Technology
• Privacy Exchange
• Electronic Communications Privacy Act

Fred Norman

Fri: 9 Jan 09