v13_2002e - 4 ”CUSTOMIZABLE PRIVACY” A NEW APPROACH TO...


“CUSTOMIZABLE PRIVACY”: A NEW APPROACH TO INTERNATIONAL REGULATION OF THE INTERNET

Nathaniel Heller, School of Foreign Service, Georgetown University

This paper examines the growing divergences in the regulatory regimes governing e-commerce and electronic privacy in the major commercial markets — the United States, the European Union, and Japan — and suggests that the existing regulatory frameworks are not sustainable as a long-term international regime. The paper then suggests a new approach to governing international e-commerce and Internet privacy, known as “customizable privacy.”

INTRODUCTION

The explosive growth of the Internet and e-commerce in recent years has presented national regulators with the difficult task of devising regulatory regimes that balance the needs of consumer privacy against the needs of businesses to tap the inherent efficiencies of the Internet. One of the great strengths of the Internet and e-commerce is the ability of firms to make available to consumers personally tailored product sets and services based on the preferences of each individual user. Hence, each time a user logs on to Amazon.com, she is presented with a list of CDs that the site believes she would be interested in purchasing based on her previous purchases on the Web site.

But such customization presents extreme challenges to personal privacy, even in cases where the use of such personal data is seemingly innocuous. For instance, many hospitals have begun to equip certain wards with digitized “charts” to replace the traditional paper versions used by doctors to monitor patient progress. There are many private sector firms and not a few public health experts who argue for linking up hospitals to a nationwide data exchange network that would allow any doctor in the country, particularly in the emergency room, to instantaneously look up a patient’s medical history and allergies.
But how do governments and regulators ensure that those same hospitals do not sell such data to insurance companies, who could then proceed to adjust medical insurance premiums to reflect certain prognoses? What if this network became global, linking all hospitals around the world? Whose “rules” would a given hospital follow? The local country’s, those of the patient’s home country (as with a tourist who falls ill), or some supranational set of rules and regulations agreed to by all countries?

Clearly, the pace of Internet regulation has not kept up with the pace of international Internet-based business. Until the right approach is found for regulating the Internet across borders (its inherent nature anyway), users around the world will be stuck conducting commerce and communication in an environment that is poorly protected and ripe for abuse. Worse yet, the histories of Internet regulation in the major world markets are vastly different, providing national regulators with the challenge of developing regulatory frameworks that apply equally well to disparate users and markets.

Given the fact that widely different regulatory regimes govern the major commercial regions of the world and that those regimes are often at odds with each other, a new approach to governing privacy on the Internet must be found. The Internet is by nature a global, individual-empowering phenomenon. An effective regulatory regime for Internet privacy, therefore, should be applicable worldwide while also respecting individual consumer preferences. One such approach, developed below, is that of “customizable privacy.”

HISTORY OF PRIVACY PROTECTION IN THE UNITED STATES

The right of privacy, as a legal claim enforceable in law, is part of the historical tradition in the United States. In 1890, Samuel Warren and Louis Brandeis argued in a Harvard Law Review article that privacy was the most cherished of freedoms in a democracy.
These lawyers suggested that “recent inventions and business methods” and the pressures of modern society require the creation of a “right of privacy” which would protect “the right to be let alone” (Warren and Brandeis 1890, 193). This right of privacy outlined by Warren and Brandeis came to be known as the ‘American Tort.’

Historically, the United States has developed privacy rights, enforceable by law, to address public concerns. However, recent government administrations have been unable to adequately coordinate online privacy policies in the wake of the rapid changes that have occurred in technology. There are hundreds of privacy measures pending before Congress every single day. Some bills address the privacy rights related to medical records. Others extend privacy protection for financial data. There are even bills to protect the privacy of genetic information, as well as proposals that would preserve general consumer privacy.

DOMESTIC DEMAND FOR PRIVACY PROTECTION

Today, there is a growing demand for privacy protection in the United States. In a study at the beginning of the online boom, the respected Harris pollsters found that of people who were not online, 70 percent indicated they would be inclined to start using the Internet if “the privacy of [their] personal information and communications would be protected” (Privacy and American Business 1998, 6). In light of this statistic, it is not surprising that only a quarter of Internet users purchase items online (IntelliQuest 2000).
Another Louis Harris & Associates study found that 53 percent of Americans believe that the “government should pass laws now for how personal information can be collected and used on the Internet.” Of those polled, 23 percent said that the “government should recommend privacy standards for the Internet but not pass laws at this time.” A mere 19 percent believe that the government “should let groups develop privacy standards but not take any action now unless real problems arise” (Louis Harris & Associates, 1998).

Additional empirical evidence follows:

• In 1998, Alan Westin, a leading privacy scholar and professor of Public Law and Government at Columbia University, found that 81 percent of Internet users were apprehensive about the invasion of privacy online (Harris and Westin).

• In 1998, a seminal study by AT&T researchers sampling more than 350 people found 87 percent of experienced Internet users were somewhat or very concerned about threats to their privacy online (Cranor, Reagle, and Ackerman).

• In 1999, 70 percent of respondents in a national survey conducted by the National Consumers League reported that they were uneasy about providing personal information to businesses online (Harris & Associates, 1999).

• In December of 1999, a Cyber Dialogue study found that more than one-third of Internet users believed that the online submission of personal data was an invasion of privacy (CyberDialogue).

• In a survey taken in September 1999, Americans were asked by a Wall Street Journal/NBC poll what they feared most in the 21st century. Options included terrorism, overpopulation, and global warming. It is remarkable that the loss of privacy received 29 percent of the vote, the largest share of responses (Swire 1999).

The now infamous example of DoubleClick further attests that Americans are concerned about privacy protection on the Internet.
DoubleClick, an online advertising firm that captures information on consumer behavior, purchased Abacus Direct, an offline company that maintains a large database of personally identifiable information. In early 2000, DoubleClick announced that it would cross-reference online customer information with Abacus Direct’s offline database. Within weeks, it faced four lawsuits due to alleged violation of privacy. Further, the Center for Democracy and Technology launched an e-mail campaign against some of the Web publishers that belonged to the DoubleClick network. These companies included The New York Times, Alta Vista, and Comedy Central. Over 4000 e-mails were sent to publishers asking them to refrain from providing DoubleClick with personally identifiable information (Parker 2000). Ultimately, DoubleClick renounced its intention to cross-reference information, and the Federal Trade Commission, which had launched an investigation, did not pursue further action.

INTERNATIONAL PRESSURE FOR PRIVACY PROTECTION

Privacy is a fundamental human right recognized in all major international treaties and agreements on human rights. The United Nations Declaration on Human Rights acknowledges privacy as a basic right internationally. It states, “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” Similarly, the right to privacy is recognized in the International Covenant on Civil and Political Rights, where Article 17 states, “No one shall be subjected to arbitrary or unlawful interference with his privacy... everyone has the right to protection of the law against such interference or attacks.”

Empirical evidence suggests that citizens around the globe are calling for more robust privacy protection measures.
A survey from the Graphic, Visualization, and Usability Center (GVU) reveals that 72 percent of Internet users worldwide believe there should be new laws to protect privacy on the Internet. The poll also found that 82 percent of users object to the sale of personal information. The survey suggests a sharp increase in privacy concerns since the last GVU poll and that privacy in the United States is the highest priority concern for Internet users (GVU 2000). In addition, the October 1999 IBM Multi-National Consumer Privacy study conducted by Louis Harris & Associates reveals that most Internet users (63 percent worldwide average) have refused to furnish information to Web sites when privacy policies are unclear or misuse of private information is perceived (IBM 2000).

EUROPEAN DIMENSIONS

The European Union (EU) has been well ahead of U.S. efforts to develop a unified Internet regulatory regime. On October 24, 1995, the European Commission (EC) published the Directive on Data Protection (95/46/EC), an attempt to unify the data privacy regimes of the separate European Union countries and enact a comprehensive set of regulations. The European approach differs markedly from the American system, where the regime consists of unrelated laws ranging from financial data protection to health records to laws governing the rights of children on the Internet. The European approach to regulation of the Internet provides many more rights for the user than does the ad hoc American regime or the emerging Japanese one (see below).

After the Data Directive went into effect in October of 1998, any company in any country using personal data of an EU citizen had to comply with various conditions. These stipulated that personal data could only be used if it was collected for identifiable purposes, was not used for purposes other than the originally stated intentions, and if the user gave consent.
Furthermore, the subject of the data can demand to know at any time what data has been collected and what it is being used for. He or she can also demand that the data not be used for direct marketing purposes (European Commission 2000, Sections II, IV, V, VII, and IX).

The most important and severe implication of these requirements came in Chapter IV, Article 25 of the Directive, which spelled out the consequences of a violation of the new data privacy standards. In the event that a non-EU country is deemed by European authorities to not meet the new levels of privacy protection, the Directive requires EU member states to take action to stop the flow of information to the third-party country. This draconian response was what led to the immediate start of negotiations between United States and European authorities to prevent a European data embargo on the United States. Were the Directive’s mandates implemented literally, all Internet traffic involving any private data would have ceased on October 1, 1998 between the United States and the European Union. Obviously, both sides had a vested interest in avoiding such an embargo and worked to find a solution.

Eventually, the United States and European Union reached a middle ground known as the Safe Harbor Principles. This was a self-regulatory mechanism managed by the U.S. Department of Commerce. Via Safe Harbor, American companies can self-certify that they have implemented privacy protections to the satisfaction of the European standards. The list of Safe Harbor companies currently in compliance is small but continues to grow and includes many large American technology and Internet companies (United States Department of Commerce 2002). The Safe Harbor negotiations were often acrimonious and took almost two years to complete by the time they were settled in July 2000. Furthermore, the solution provides little more than window dressing in the form of American self-certification.
There are no provisions in the agreement for oversight agencies, enforcement procedures, or dispute settlement mechanisms. In short, the Safe Harbor negotiations are an excellent example of how differing regulatory regimes can create substantial problems in international e-commerce.

THE JAPANESE EXAMPLE

Though Japan boasts some of the most cutting-edge Internet technology, its Internet regulatory regime is far less robust than those of the United States and the European Union. Japan’s approach to Internet privacy has historically centered on guidelines issued by the Organization of Economic Cooperation and Development (OECD) in 1980. These guidelines have formed the basis for a variety of other international data protection regimes, including the ad hoc U.S. regime. Among other principles, the OECD rules dictated that all data be collected in a fair and lawful manner with the consent of the user; that the data be relevant to the purposes for which it is used; and that it not be disclosed except with the consent of the user or by authority of law (United States 1998). The Japanese government released its own version of privacy protection based on the OECD Guidelines in 1989 entitled “Concerning the Protection of Computer Processed Personal Data in the Private Sector” (United States 1998).

The expansion of Internet use in the 1990s gave rise to new fears about personal data infringement and led to many new efforts from developed nations to strengthen personal data protection (MITI). As noted above, the EU’s Directive banned the transfer of personal data to third countries if they did not offer an adequate level of protection. In light of these developments, Japan’s Ministry of International Trade and Industry (MITI) organized a “Working Group on Privacy Issues” that was charged with revising the 1989 guidelines (MITI, 2).
The revised guidelines, released in March 1997, allowed for increased consumer access to their information, auditing mechanisms, and measures to improve consumer education (United States 1998).

The Japanese government promoted a self-regulatory approach towards implementation of the new rules (MITI). MITI intended for the private sector to develop voluntary measures to regulate itself based on MITI’s guidelines. In keeping with this policy, Japan’s Cyber Business Association created the “Guidelines for Protecting Personal Information in Cyber Business” in December 1997, concerning the handling of personal information in Internet-related commercial transactions (Cyber Business Association 1997). These guidelines closely mirrored MITI’s. There were, however, some key differences. The Cyber Business Association’s guidelines stressed that although browser numbers and access logs could not be used to directly identify an individual (and thus are not defined in MITI’s rules as “personal information”), they could be cross-referenced with other data to identify individuals. Hence, the guidelines emphasized the need to make clear to users that this type of information can be collected and used, and that this information could be indirectly used to identify individuals (Cyber Business Association 1997). Moreover, these guidelines encouraged member companies to inform users about how this personal information was collected and used (Cyber Business Association 1997).

Another example of Japan’s self-regulatory approach is embodied in the Japanese Direct Marketing Association’s (JADMA) guidelines. While following the basic structure of MITI’s restrictions, JADMA inserted some important additions. According to JADMA’s rules, personal data containing information about a user’s race, family lineage, religious beliefs, health records, and sexual habits should never be collected (JADMA 1998).
Member companies are also required to obtain consent from data subjects when they collect personal data by furnishing a written notice. Furthermore, the JADMA rules stress responsibility when lending personal data to a third party, a common occurrence in e-commerce when two firms partner to provide a single product or service to a customer.

In recent years, however, the Japanese government has taken a more active role in privacy protection. In February 1998, MITI established a Supervisory Authority for the Protection of Personal Data to monitor a new system granting “privacy marks” to businesses committed to the protection of personal data in accordance with the MITI guidelines (Privacy International, 1). The agency responsible for administering the privacy marks, the Japan Information Processing Development Center (JIPDEC), is a joint public/private agency. Companies that do not comply with industry guidelines will be excluded from relevant industry organizations and will not be given the privacy mark. The assumption is that market forces will punish the negligent firm. The role of the Supervisory Authority is to actively investigate violations and make suggestions to industry authorities. Some observers view this approach as government-directed co-regulation rather than voluntary self-regulation (Greenleaf 1998).

Following the trend in Japan moving away from industry self-regulation and toward government intervention, the Japanese government passed legislation in 2001 that holds corporations accountable for information gathered over the Internet. The law, known as the Personal Data Protection Bill, is the first piece of Japanese legislation to regulate the unlimited use and unauthorized sale of personal information on the Internet (Nikkei Weekly 2000). Companies that fail to improve data management practices would face prosecution. The key concept of the bill is to place responsibility on companies for protecting data.
Previously, only individuals who mishandled personal information were prosecuted. Now, however, the companies that employ such violators will also be held liable for failing to prevent abuse of data.

The law follows the basic framework of the original OECD Guidelines of 1980, especially with regard to limitations on data collection and use. It makes provisions for the fair and lawful collection of data and limitations on the purpose and use of the information. It also calls for proper management of personal data. This means that companies must keep the information up-to-date and must supervise employees who come into contact with this data (Japanese Embassy, Washington 2000). Further, it includes a restriction on the transfer of personal data to a third party unless the user consents or ownership of the company is transferred. The law also calls for a degree of openness in transactions using personal data. Comp...