Internet Privacy Law: A Comparison between the United States and the European Union

David L. Baumer, Julia B. Earp and J.C. Poindexter
College of Management, North Carolina State University, Raleigh, NC 27695-7229
David_Baumer@ncsu.edu, Julia_Earp@ncsu.edu, JC_Poindexter@ncsu.edu

Abstract

The increasing use of personal information in web-based applications has created privacy concerns worldwide. This has led to awareness among policy makers in several countries of the desirability of harmonizing privacy laws. The challenge with privacy legislation from an international perspective is that the Internet is virtually borderless, but legislative approaches differ between countries. This paper presents a functional comparison between current privacy law in the European Union and in the United States, as such laws relate to the regulation of websites and online service providers. In addition, we articulate the similarities and differences between EU Directive 2002/58/EC, the Directive on Privacy and Electronic Communications, which has been adopted by the EU but not yet implemented by the member states, and the proposed U.S. Online Privacy Protection Act. Using a qualitative approach, we organize the comparison of U.S. and EU privacy laws around the Fair Information Practices. Our investigation leads us to conclude that the right of privacy is more heavily protected in the EU than in the U.S. The Online Privacy Protection Act, recently introduced as a bill in Congress, has the potential to significantly affect commercial practices in the U.S. and to move the U.S. closer to current EU privacy protection law. This analysis benefits managers as well as security professionals, since the results can be used to ensure that an organization's website practices are consistent with the laws of the countries with which it exchanges information.

Keywords: information privacy, e-commerce, legislation, international law.
1 Introduction

Managers striving to gain competitive advantage through the use of Internet-based systems can easily find themselves frustrated by the differing, and often conflicting, expectations regarding privacy in different countries around the world. From a technology perspective, the inherent nature of the Internet radically reduces the importance of geography and allows international business transactions to be accomplished with ease. From a legal perspective, geography continues to exert a significant influence. Balancing local differences in privacy protection with the increasingly interconnected nature of Internet-based transactions, which often rely on sharing customers' personally identifiable information (PII), is a massive challenge to managers and legislators today. Differences between countries must be considered when developing and implementing global Internet-based applications [1]. Understanding the differences in regulatory approaches may be a key to successfully managing information privacy in a global marketplace that depends on transborder information flows, especially when the regulatory approaches of other nations are more restrictive.

The international privacy challenge can be attributed to several factors, including legislative threats, cultural values and privacy perceptions [2]. Milberg et al. [3] contend that cultural values and privacy perceptions differ among countries and that those values and perceptions become intertwined with, and exert a significant influence over, differing legal environments. According to [4], it is impossible to understand privacy concerns in the EU without understanding how history has influenced European values, for example how the Nazis used centralized collections of PII to round up and dispose of "undesirables." Unlike in the U.S., where the courts have only recently recognized a constitutional right of privacy for a narrow range of conduct, as the U.S.
Supreme Court articulated in striking down the Texas anti-sodomy law in June 2003, the EU Information Directive of 1995 and the more recent 2002 EU Directive repeatedly, and emphatically, state that EU residents are entitled to a right of privacy. In this paper, we show just how different Internet privacy protection is in the U.S. relative to the EU and examine a significant proposed change in U.S. privacy law.

Every society values privacy in some respect, but the expressions of privacy differ significantly across cultures [5]. A recent survey of over 1000 Internet users from 30 countries demonstrates this; in particular, the non-U.S. respondents were statistically more concerned about organizations using consumer data for customization and personalization purposes [6]. These differences are also apparent when comparing and contrasting privacy laws from differing cultures. The cultural values of a nation influence the development and maintenance of societal institutions such as legislative bodies [7]. Although there may be other factors to consider, a country's cultural values are closely associated with the privacy concerns exhibited by its people and with its regulatory approach [2]. The qualitative analysis we perform in this paper provides additional support for the proposition that different cultural experiences and histories shape a country's legal system, especially the legal protection it provides for individual privacy.

The initial consequences of the legal disparities between the U.S. and the EU in privacy protection were felt when the EU enacted and enforced the 1995 EU Information Directive. The 1995 Directive promptly forced non-EU countries either to consider adopting more stringent privacy laws or to face restrictions on the transfer of data from EU countries to countries with inadequate privacy laws [8].
In particular, the regulatory statutes in the United States lacked adequate privacy protection by the standards set forth in the EU Directive, and as a result U.S. businesses were adversely affected by its restrictions [2]. To prevent an imminent information embargo, on November 1, 2000 the U.S. Department of Commerce put into effect the Safe Harbor Principles, which address the EU's privacy concerns relative to U.S. law and commercial practice. The Safe Harbor Principles provide privacy procedures consistent with EU privacy law, but according to a recent study only 135 organizations in the U.S. had certified compliance with them [4]. As of August 2003, however, 369 organizations had taken the steps necessary to qualify under the Safe Harbor Principles (see the Department of Commerce website at http://web.ita.doc.gov/safeharbor), suggesting that the Safe Harbor program is working and is increasingly being used by industry.

This paper presents a functional comparison of current online privacy law in the European Union (EU) and in the United States. In addition, we discuss a recent proposal for comprehensive online privacy reform in the U.S. and compare it to the recently enacted, but not yet implemented, 2002 EU Directive on Privacy and Electronic Communications. In particular, we articulate the similarities and differences between the 2002 EU Directive and the proposed Online Privacy Protection Act (OPPA), which was introduced in the U.S. Congress as a bill in January 2003 (see H.R. 69). Even though OPPA is only proposed legislation at this point, it encompasses most of the components of comprehensive online privacy protection called for by privacy advocates and entities such as the Federal Trade Commission (FTC). It is also consistent with the Fair Information Practices (FIPs) [9], which have served as a guide for policy makers in the U.S. If the U.S.
does indeed enact comprehensive online privacy legislation, it will most likely continue to use the FIPs as a guide, and the legislation will therefore closely resemble OPPA. The results presented herein will benefit managers and website designers of companies involved in international business, as well as policy makers. This paper is organized as follows: Section 2 reviews privacy legislation in the EU and the U.S., Section 3 presents the comparative analysis between EU and U.S. privacy laws, and Section 4 draws conclusions and provides recommendations to managers and website designers.

2 Privacy Protection in the EU and in the U.S.

In 1980, the Organization for Economic Cooperation and Development (OECD) issued the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Commonly known as the OECD Guidelines, they established eight data protection principles for balancing data protection and the free flow of information. Although the OECD Guidelines are recognized by all OECD member nations, including the EU member states and the U.S., they are not legally binding and are thus implemented differently in different nations. The OECD Guidelines address the following aspects of data protection: Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation, and Accountability [10]. The five FIPs are: Notice/Awareness, Choice/Consent, Access/Participation, Integrity/Security, and Enforcement/Redress. The FIPs represent a subset of the internationally recognized OECD Guidelines, but they have been the focus of U.S. industry and government guidelines and ideals for the protection of personal data and privacy. To date, there is no comprehensive privacy protection law in the U.S. for Internet transactions, although there are some major exceptions.
The major exceptions are healthcare data (the Health Insurance Portability and Accountability Act, HIPAA), financial data (the Gramm-Leach-Bliley Act, GLB) and information obtained from children (the Children's Online Privacy Protection Act, COPPA). There is no requirement in the U.S. for commercial websites or online service providers to maintain privacy policies, but if they do, they are potentially subject to enforcement action by the Federal Trade Commission if they do not adhere to their stated privacy practices. The FTC considers it an unfair and deceptive trade practice for a website or online service provider to violate the terms of its own privacy policy and has brought actions against several firms for doing just that (see, e.g., Federal Trade Commission [File No. 982-3015] GeoCities; Analysis to Aid Public Comment, August 20, 1998). Although some privacy protection is required, as noted above, Internet privacy is largely unregulated in the U.S. As a result, users in the U.S. protect themselves by being selective about the kinds of information they reveal and the websites to which they reveal it [11, 12, 13]. In addition, private parties (firms and privacy groups) in the U.S. have experimented with nongovernmental mechanisms for ensuring privacy, such as third-party seals, P3P, private lawsuits and adverse publicity, the last of which has thwarted what some regard as invasions of privacy by hardware and software producers.

The legal foundation for much EU data protection is the 1995 EU Information Directive (Directive 95/46/EC). On 12 July 2002, the European Parliament and the Council adopted the Directive on Privacy and Electronic Communications (2002/58/EC). This Directive requires EU member states to implement it by October 31, 2003 by passing appropriate national legislation. The 2002 Directive makes frequent reference to Directive 95/46/EC.
The 2002 EU Directive on Privacy and Electronic Communications is directed mainly towards online privacy, while the 1995 Information Directive addresses privacy issues that are not limited to the Internet. The 2002 Directive creates additional privacy protections for Internet users on the foundation laid by the 1995 Directive.

2.1 U.S. Definition of Personal Information

What constitutes personal information is a question about which there is no unanimity. The latest U.S. approach is indicated by Section 8(8) of the 2003 version of OPPA, which defines personal information as including: "first and last name; home and other physical address; e-mail address; social security number; telephone number; and any other identifier that the Commission [FTC] determines identifies an individual; or information that is maintained with, or can be searched or retrieved by means of, data described immediately above." If the 2003 version of OPPA were enacted into law, the information listed above would be legally protected in the ways provided for by the Act, which provides for notice, choice, access, security and enforcement, as discussed in Section 3. Previous versions of OPPA, introduced in earlier sessions of Congress, categorized certain personal information as "sensitive," including: individually identifiable health information; race or ethnicity; political party affiliation; religious beliefs; sexual orientation; social security numbers; and sensitive financial information. Most of the information in the "sensitive" category is not only personal but also "private." Many people willingly disclose their names to strangers, but few are willing to disclose health information, religious orientation or sexual orientation to people they do not know unless there are guarantees that such information will be kept confidential and not used for other purposes.
The definition in the 2003 version of OPPA does not contain a category of personal information labeled "sensitive." If the 2003 version of OPPA were enacted into law, its protections would be directed towards users' names and addresses and the other categories listed in Section 8(8), but there would be no special legal protection for "sensitive" PII.

2.2 EU Definition of Personal Information

As mentioned above, the 2002 EU Directive builds on the privacy protections contained in the 1995 EU Information Directive. Article 2(a) of the 1995 Directive defines "personal data" as "any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity..." The EU definition is consistent with the 2003 version of OPPA, but is more comprehensive. Protection of PII based on physiological, mental, cultural or social identity is similar to the "sensitive" categories of information labeled in previous versions of OPPA, but not in the 2003 version. The 1995 Directive also defines "special categories of data" that closely correspond to the categories of "sensitive" personal information defined in previous versions of OPPA.
In particular, Article 8 of the 1995 Directive identifies several "special categories of data" and addresses their handling by stating that "Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life." Article 8 also provides a number of exceptions to this prohibition: where the data subject has given explicit consent; where processing is required under member state employment law; where processing is necessary to protect the vital interests of the data subject; where processing is carried out by political, philosophical, religious or trade-union bodies in respect of their members; and where the data have been made public by the data subject or are necessary for the establishment, exercise or defense of legal claims.

2.2.1 PII: Personal versus Private

PII typically does not refer to private information, even though it is personal and identifying. A person's name or phone number may be personally identifying, but it is not generally private information. A weakness of many prior studies of online privacy is that public and private categories of PII were combined. Compiling all the names and phone numbers of residents of a town in a single book is not viewed as particularly threatening by most people, whereas compiling lists of Jews, socialists and hemophiliacs would be viewed with alarm, not only by the data subjects but also by the public at large. Internet users' willingness to provide PII to websites depends on the nature of the information (private or public) as well as the kind of website (retail, health care, financial) collecting the information [12].
Although many Internet users are not reluctant to reveal their name, age or even home address to commercial websites, most of those same users are strongly opposed to revealing health and financial information, as well as their social security numbers, to websites [12]. Relative to current U.S. law, the legal protection provided by the EU is much more directed towards protecting what is traditionally considered "private" information: ethnicity, religion, sexual orientation, political affiliation, and medical and financial records. In the U.S., medical and financial records are protected by separate legislation, while most other private information acquired online currently has no legal protection. It seems clear that passage of the 2003 version of OPPA would not protect against online misuse of the special or sensitive PII that is currently protected from processing by the 1995 EU Information Directive.

3 A Comparison Based upon the Fair Information Practices

The FIPs do not distinguish among categories of PII such as "sensitive" or "special," as discussed immediately above. The discussion in the rest of this paper should therefore be regarded as a "generic" privacy analysis, because it does not deal separately with sensitive or special PII as defined in previous versions of OPPA or in the 1995 EU Information Directive. The discussion below refers to legal protection against misuse of non-private PII, such as name and address, rather than misuse of sensitive PII.

3.1 The Notice Requirement of the Fair Information Practices

Under the FIPs, any party who is the subject of data collection is entitled to be notified of that fact and of the identity of the party or organization collecting the information. According to FTC Commissioner Sheila F. Anthony, in testimony before the U.S.
Senate Committee on Commerce, Science, and Transportation in 2000 [14], providing proper notice requires that "data collectors must disclose their information practices before collecting personal information from consumers." Furthermore, the notice principle is considered the most fundamental of the FIPs because it is a precondition for implementing the others, such as choice and access [15].

3.1.1 Notice Requirements under U.S. Law

U.S. law currently does not require organizations with websites, or online service providers, to notify end-users about the collection of PII (other than as required by HIPAA, GLB and COPPA). In fact, online service providers and commercial websites are not required to have or publish a privacy policy. The Progress and Freedom Foundation (PFF) recently surveyed a random sample of highly-visited websites and found that 90% of those sampled collected PII. Furthermore, only 33% of those collecting PII implemented the notice, choice and security principles [16]. If OPPA were enacted, it would require websites and service providers to notify users before PII is collected. Section 2(b)(1)(A)(i) of the 2003 version of OPPA "require[s] the operator of any Web site or online service— to provide notice on its Web site, in a clear and conspicuous manner, of the identity of the operator, what personal information is collected by the operator, and how the operator uses such information, and what information may be shared with other companies;" We contend that compliance with Section 2(b)(1)(A)(i) of the 2003 version of OPPA could be achieved by a hyperlink on the home page of the company's website to its privacy policy, provided that the policy clearly describes what personal information is collected, the uses made of that information, and what information is shared with other companies. Although current U.S.
law does not require websites or online service providers to provide notice before collecting PII, virtually all major commercial websites have privacy policies that are available online to users. In particular, 83% of the websites surveyed in the PFF study posted a privacy policy [16], so complying with the notice requirement of OPPA would not require a change in commercial practice for most highly-visited websites or online service providers.

3.1.2 Use of Cookies in the U.S.

While there are many uses for cookies and web bugs, most do not involve the collection or use of PII. However, cookies are sometimes used to collect and store PII, and this has led to a number of recent legal challenges. Several federal statutes address such practices, including the Wiretap Act and the Stored Communications Act, both of which provide civil remedies to users whose communications are intercepted or accessed in violation of those acts. In a recent case, Pharmatrak provided a monitoring service called NETcompare that allowed pharmaceutical companies to track how visitors used their websites. Pharmatrak's service made use of web bugs, but the practice was invisible to users and presumably unknown to them. The plaintiffs in In re Pharmatrak, Inc., No. 02-2138, 2003 WL 21038761 (1st Cir. May 9, 2003) contended that this capture of PII constituted an illegal interception of electronic communications under the Wiretap Act. The district court granted summary judgment for the defendants, but the First Circuit reversed, based in part on the assurance Pharmatrak had given the pharmaceutical companies that it would collect only clickstream data and not PII: because the pharmaceutical clients had not consented to the collection of PII, the Wiretap Act's consent exception did not apply. Pharmatrak had in fact collected PII in addition to clickstream data. There have been other legal challenges to data collection through cookies, mainly where cookie data were combined with PII. The California state constitution protects the right of privacy. In Judnick v. Doubleclick, No. 000421 (Cal. Super. Ct. filed Jan.
27, 2000), the plaintiff, Helen Judnick, claimed that Doubleclick, an Internet advertiser, violated her privacy rights when it combined her PII with cookie data. Shortly after the suit was filed, Doubleclick announced that it would discontinue its practice of combining PII with cookie data. However, the use of cookies by U.S. websites and online service providers that do not combine cookie data with PII is routine and apparently legal, even though users are neither notified nor asked for consent.

3.1.3 EU Notice Requirements

Article 10 of the 1995 EU Information Directive states that member states shall require organizations collecting PII to provide the following information to data subjects: the identity of the controller and of his representative, if any; the purposes of the processing for which the data are intended; and any further information, such as the recipients or categories of recipients of the data, whether replies to the questions asked are obligatory or voluntary and the possible consequences of failure to reply, and the existence of the right of access to and the right to rectify the data concerning the data subject. Under the 1995 Directive, these disclosures are required whether the data are obtained directly from the data subject (Article 10) or from other sources (Article 11). For websites, compliance with the 1995 Directive means that a privacy policy addressing these points, reachable by a hyperlink, would be required at a minimum.
The 2002 Directive on Privacy and Electronic Communications affirms the protections provided in the 1995 EU Information Directive, stating that, "By supplementing Directive 95/46/EC, this Directive is aimed at protecting the fundamental rights of [end-users] and particularly their right to privacy, as well as the legitimate interests of [the organization]."

3.1.4 EU Cookie Law

According to the 2002 Directive, cookies can be "a legitimate and useful tool", but "their use should be allowed on the condition that users are provided with clear and precise information in accordance with Directive 95/46/EC about the purposes of cookies or similar devices…" These requirements are a clear departure from commercial practice at U.S.-based websites, which regularly set cookies without separately informing users, even though cookies are often discussed in privacy policies. The 2002 Directive also states that, "So-called spyware, web bugs, hidden identifiers and other similar devices can enter the user's terminal without their knowledge in order to gain access to information, to store hidden information or to trace the activities of the user and may seriously intrude upon the privacy of users. The use of such devices should be allowed only for legitimate purposes, with the knowledge of the users concerned."

3.2 Consent/Choice

The second FIP holds that before information is collected from data subjects, their consent should be obtained. In particular, compliance with the consent/choice principle requires that websites give consumers options regarding whether and how personal information may be used for purposes beyond those for which it was provided [15]. If the user supplies the information, the user is aware that it is being provided, and presumably notice/awareness has been satisfied. Of the 90% of commercial websites that collect PII from users, only 47% support choice or consent to some extent [16].
There are two aspects to the choice/consent element of the FIPs. In some cases, the data subject is unaware that data are being collected about him or her, in which case notice of data collection is imperative in order for the data subject to make informed decisions about uses of his or her PII. In other situations, the user supplies PII in order to complete a transaction, and therefore the user is clearly on notice (or aware) that the website or online service provider is collecting PII. Obviously, in order to fulfill an online book order, a website would have to obtain a customer's name, address, credit card number and possibly other data. The initial transfer of PII from user to website does not require notice, since it is the user that is supplying the information. The real issue is what happens to that PII after the transactional need is satisfied. Ideally, the user should be permitted to choose what happens to his or her PII. Under the 2003 version of OPPA, websites and online service providers would be required to obtain users' choice or consent. In particular, under Section 2(b)(1)(A)(ii) of OPPA, these organizations would have "(ii) to provide a meaningful and simple online process for individuals to consent to or limit disclosure of personal information for purposes unrelated to those for which such information was obtained or described in the notice under clause (i);…" [clause (i) is the OPPA notice requirement presented in Section 3.1.1 above]. Under OPPA, then, organizations collecting personal information online about website users would have to obtain their consent (opt-in) before using information collected for one purpose, such as processing a book order, for other purposes.
This OPPA requirement seems contrary to the commercial practices of many websites and online service providers, which collect PII and use it according to the terms stated in their privacy policies but often do not separately obtain the data subject's consent for secondary use of the information collected.

3.2.1 Current U.S. Law Regarding the Need to Obtain Consent to Use PII

As with notice, current U.S. law generally does not require that websites or online service providers offer users a choice as to whether they consent to the collection of PII. There are, of course, significant exceptions provided by several federal statutes. The Children's Online Privacy Protection Act (COPPA) requires that websites obtain verifiable parental consent before collecting any PII from children under 13. HIPAA regulations prohibit non-consensual secondary use of medical information, although there are numerous exceptions for public health, medical research, fraud detection and other purposes. The Gramm-Leach-Bliley Act requires banks and other financial institutions regulated by the Act to obtain consent from customers for some disclosures of financial data to third parties for marketing purposes.
3.2.2 Current EU Law Regarding the Need to Obtain Consent to Use PII

On the other hand, the 2002 EU Directive on Privacy and Electronic Communications is emphatic that websites and online service providers must obtain consent before using "information on the private life of natural persons…" According to the 2002 Directive,

"Any further processing of such data which the provider of the publicly available electronic communications services may want to perform, for marketing of electronic services or for the provision of added services, may only be allowed if the subscriber has agreed to this on the basis of accurate and full information given by the providers of the publicly available electronic communications services about the types of further processing it intends to perform and about the subscriber's right not to give or to withdraw his/her consent to such processing."

Essentially, the 2002 Directive requires that users [the EU term is "subscriber"] agree to such further processing after full information has been provided to them, and that they retain the right to refuse or withdraw that consent. Furthermore, the 2002 Directive requires that "Traffic data used for marketing communications or for the provision of value added services should also be erased or made anonymous after the provision of the service." The 2002 Directive does indicate that "the obligation to erase traffic data or to make such data anonymous when it is no longer needed for the purpose of the transmission of a communication does not conflict with such procedures on the Internet as the caching in the domain name system of IP addresses or the caching of IP addresses to physical address bindings or the use of log-in information to control the right of access to networks or services." When providing personal information to a website, the user is presumably aware that information is being collected. However, the user may be under the misapprehension that the information will be used only for the intended transaction, and this is often not the case.
Additionally, as previously mentioned, cookies are often used without the user's awareness, so the user is sometimes unable to exercise a choice to disallow the cookie. The 2002 EU Directive addresses this by stating that "[U]sers should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment." The 2002 Directive does indicate that "Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose." The bottom line is that EU law requires adherence to the consent/choice FIP, while U.S. law does not, except in the three areas discussed above relating to financial data, health data and information obtained from children. U.S.-based websites typically do not ask for permission to set cookies, and indeed refuse entry to various parts of their sites to browsers that are configured to reject cookies. Under EU law, conditioning access to certain services or parts of a website on acceptance of cookies is allowed, but users must be notified and have an informed opportunity to reject the cookie.

3.3 Access/Participation

The third FIP addresses the right of data subjects to access the information collected about them and the right to contest and correct the accuracy of that information.

3.3.1 Current U.S. Law

Although some websites do allow users access to the PII collected about them, this is not mandatory under current U.S. law. If a website voluntarily allows users access to information collected about them, this is generally explained in its privacy policy or terms of service. Some websites also provide an opportunity for users to correct inaccuracies in the information collected about them. It is clear, however, that users in the U.S.
have no legal right to review information collected about them by websites and online service providers, nor do they have the right to make corrections if they find inaccuracies in their data files. If websites and online service providers provide access and an opportunity to correct inaccuracies, it is a voluntary action that is not compelled by U.S. law. Most of the time, if such opportunities for users exist, they are buried in website privacy policies and terms of service statements, and users are frequently unaware of these options. If the 2003 version of OPPA were enacted, website operators and online service providers would be required, upon request of individual users, to provide [Section 2(b)(1)(B)(i and ii)]:

i. a description of the specific types of personal information collected by that operator [of a website or online service] that was sold or transferred to an external third party and

ii. notwithstanding any other provision of law, a means that is reasonable under the circumstances for the individual to obtain the personal information described in paragraph (i) from such individual [operator of a website or online service];

The language in this portion of OPPA suffers from an excess of “legalese,” but this section of OPPA provides user access to any file collected, sold or transferred to any external third party. Note that the 2003 version of OPPA only addresses part of the access/participation FIP principle, as it does not mention a right or procedure on the part of users to correct errors in the PII files collected about them. Nevertheless, if the 2003 OPPA were enacted into law, users would at least have access to the files of PII that are being compiled about them and a description of the PII that is collected about them. There are some markets and transactions in the U.S. where there is a legally recognized right on the part of data subjects to access personal information collected about them and recommend corrections for inaccuracies.
The Fair Credit Reporting Act does guarantee, with stiff penalties for noncompliance, that data subjects shall have access to the files collected about them and that there is a procedure for contesting the accuracy of the credit report. If a data subject contests the accuracy of the credit report about him or her, the credit bureau is required to reinvestigate and make changes if the reinvestigation reveals errors.

3.3.2 Current EU Law

Section V, Article V of the 1995/46/EU Information Directive is entitled, The Data Subject’s Right of Access to Data. According to the 1995 Directive, “Member States shall guarantee for every data subject the right to obtain from the controller:…confirmation as to whether or not data relating to him are processed and information at least as to the purposes of the processing, the categories concerned, and the recipients or categories of recipients to whom the data are disclosed;” Section V, Article 12 [paragraph 2] also requires that each data subject be entitled to obtain from the controller (of information collected about him or her), “as appropriate the rectification, erasure or blocking of data, the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data.” Finally, Article 12 of the 1995 Information Directive basically guarantees “notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with paragraph 2,…” Similar to the other FIPs, EU law requires that Member States pass laws that recognize access/participation. In particular, EU laws guarantee data subjects access to PII that has been collected about them and some rights with respect to corrections and erasures of incorrect PII. This is a more complete approach to access/participation than would be provided by OPPA.
3.4 Integrity and Security

Compliance with the integrity and security FIP principle requires data collectors to take reasonable measures to assure that information collected from consumers is accurate and secure from unauthorized use [15]. The implication of this FIP is that websites and online service providers are required to use commercially reasonable measures to protect PII from external threats posed by hackers and identity thieves and from inappropriate internal use. The threats from hackers are well known; some enjoy the challenge of penetrating firewalls and security systems, while others, motivated by profit, make fraudulent use of PII in the form of identity theft and credit card fraud. Although identity theft has received much recent attention, ineffective internal controls on access to PII collected by large institutions (e.g. hospitals and universities) are actually a more significant threat to the security and integrity of such data. In a study that reported the results of a survey of hospital employees who had access to the medical records of the hospital [17], respondents were asked their perceptions regarding the most important threats to the confidentiality of such records. Inappropriate and unauthorized access to medical records ranked second, behind unauthorized secondary use of medical records. Compliance with the security FIP requires organizations that acquire and store PII to implement protective measures against external as well as internal threats to the confidentiality of the data.

3.4.1 Current U.S. Law

In the U.S., most websites and online service providers are not required by law to have adequate security, though there are three exceptions for websites that store medical records, store financial data, or acquire information from children. For each of these three areas, there are statutory requirements that websites storing such information must ensure the integrity of the data by employing commercially reasonable security measures.
The Gramm-Leach-Bliley Act, for example, requires financial institutions to implement security technologies that can fend off anticipated threats. For websites that do not fall into any of these three categories, there is no statutory requirement under U.S. law to maintain adequate security for the confidentiality of PII that is acquired or stored, but there could be legal sanctions in the form of common law suits based on negligence. If websites and online service providers do store PII and do not use commercially reasonable security procedures, it could be argued that they are negligent, which is a common law tort. A defendant (a website storing PII sued by users) is liable for negligent behavior if the defendant owes a duty to the plaintiffs, breaches that duty by acting unreasonably, and the breach of that duty to the plaintiffs is the proximate cause of damages incurred by the plaintiffs. All of those elements are present if a website or online service provider collects, stores, or transmits PII; they have a duty to data subjects to act reasonably with their PII. If websites and online service providers do not use commercially reasonable security measures to deter foreseeable internal or external threats and security is compromised, they have breached a duty to data subjects and could be liable for the resulting consequences of security breakdowns. Although no federal statute requires websites and online service providers who store PII to use commercially reasonable measures, common law suits based on negligence are a potential consequence of not using commercially reasonable measures to protect the integrity of stored PII. There have only been a few lawsuits in which the plaintiffs (users whose records are stored) claim that defendants (websites that stored PII) were negligent in their handling of PII.
In order for these suits to be justified economically, many users must be joined together in a class action lawsuit, because the damages associated with unlawful disclosure of PII are normally not large on an individual basis. For attorneys who specialize in class action suits, the rate of return is higher where the defendants are charged with securities fraud or selling defective products. In some class action product liability cases, individual victims (plaintiffs) are entitled to several million dollars apiece, whereas the damages to individuals associated with failure to keep PII private are likely to be measured in the hundreds of dollars. The bottom line is that under current U.S. law there is only weak legal protection for PII stored by websites and online service providers unless the records stored are subject to HIPAA regulations, GLB, or COPPA. On the other hand, criminal sanctions in the U.S. against hackers have been dramatically increased in recent years. Hackers face severe criminal liability under the Computer Fraud and Abuse Act (CFAA), which makes it illegal to knowingly access a “protected” computer without authorization or to exceed authorized access. In the wake of the 9/11 attacks, hackers who violate the CFAA are subject to imprisonment for up to twenty years as well as substantial fines. Violations of the CFAA occur if (1) the hacker gains access to computer files that are forbidden to him or (2) the hacker exceeds the access that has been granted to him. Prosecution of a crime does not normally provide restitution to victims, especially in the case of hackers who are often bored teens, but the increased legal sanctions undoubtedly do have deterrence value.
The 2003 version of OPPA, Section 2(b)(1)(C), does “require the operator of such Web site or online service to establish and maintain reasonable procedures to protect the confidentiality, security and integrity of personal information it collects or maintains.” “Reasonable procedures” to protect confidentiality etc. are presumably defined with reference to the procedures typically used in industry, though in some cases the courts have found that industry standards lag behind what is reasonable (see footnote 3). Certainly, “reasonable procedures” would include use of encryption to scramble transmissions between websites and their customers, firewalls, internal management practices, and other measures that are commonly used by websites and online service providers to protect confidential PII that has been provided to them by customers or other firms.

3.4.2 EU Law

Article 4 of the 2002 EU Directive on Privacy and Electronic Communications requires that, “The provider of a publicly available electronic communications service must take appropriate technical and organizational measures to safeguard security of its services, if necessary in conjunction with the provider of the public communications network with respect to network security.” Article 4 of the 2002 EU Directive thus requires that an electronic communications service take appropriate technical and organizational measures; it also allows such a service to inform subscribers about risks when its security does not provide adequate protection.
Article 4(2) states that, “In case of a particular risk of a breach of the security of the network, the provider of a publicly available electronic communications service must inform the subscribers concerning such risk and, where the risk lies outside the scope of the measures to be taken by the service provider, of any possible remedies, including an indication of the likely costs involved.” The implication of this subsection is that those entities that store PII acquired online may absolve themselves of liability for certain contingencies if the costs of deterring the risk exceed the benefits and the electronic communications service informs subscribers in advance of its unwillingness to ensure against that risk. Article 5(3) of the EU 2002 Directive does require “Member States”…to “ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation.” If passed, OPPA would impose similar requirements on websites and online service providers in the U.S. that store PII. Current U.S. law provides protection to users, subscribers, and website visitors through the common law, which requires a showing that the website or online service provider was negligent. A problem with common law remedies not backed up by a statute is that individual lawsuits and class actions are not economically justified in terms of likely court-awarded damages.

3.5 Enforcement/Redress

If the 2003 version of OPPA is enacted into law, it is envisioned in the statute that enforcement will take place through actions by state attorneys general and by the FTC. Section 4 of OPPA allows states, through their attorneys general, to bring actions on behalf of state residents against conduct that they believe violates any regulation fashioned by the FTC.
Such actions include bringing a suit to enjoin unlawful actions of websites or online service providers, actions to enforce compliance with the regulation, actions for damages, restitution, or other compensation, and any other relief a court may deem appropriate. Before filing an action, the state attorney general shall provide to the FTC written notice of the action and a copy of the complaint. Upon notification, the FTC shall have the right to intervene, which means that the FTC will prosecute the case instead of the state. OPPA, if passed into law, would supersede “State law to the extent that it [OPPA] establishes a rule of law applicable to an online privacy action that is inconsistent with State law.” Importantly, “Nothing in this Act supercedes State law with respect to the prosecution of fraud.” The implication of this interaction between OPPA and State law is that individuals harmed by actions of websites and online service providers would still have the option to file a private civil suit based on common law fraud under State law. OPPA itself, however, does not provide for a private right of action by citizens, which is, perhaps, a recognition that class action lawsuits in this area are infeasible. If a website or an online service provider made a promise with respect to PII that it knew was false, the breach of such a promise may constitute both a violation of OPPA and common law fraud, but individuals harmed by such actions could only sue under common law fraud. Of course, the attorney general in the state could sue the defendants for violations of OPPA, or the FTC may intervene and sue under powers given to it by OPPA. EU Directives are basically commands to Member States to enact laws consistent with the Directive. There is nothing in the 2002 Directive that allows for private rights of action for violations of the Directive.
By passing laws that make certain actions of websites and online service providers illegal, the governments of Member States enforce the 2002 Directive through legislation and other law enforcement actions. As with most aspects of ensuring privacy, the EU places enforcement into the hands of governmental authorities, rather than private actions. As mentioned above, this is the same approach taken by OPPA, which does not contain a private right of action, though OPPA does not preclude private common law fraud suits.

Table 1: FIP Coverage Summary

FIP: Notice / Awareness
  Current U.S. Law: None in general, but there are requirements in the GLB Act and HIPAA regulations that require notice.
  OPPA: Hyperlink to privacy policy that notifies the user as to who is collecting PII, what PII is collected, how PII is used, and what information is transferred to third parties.
  EU Directives: Hyperlink to privacy policy that notifies the user as to who is collecting PII, the purpose for collecting PII, categories of third parties who receive the PII, and the right to access and the right to rectify PII.

FIP: Choice
  Current U.S. Law: Industry specific. Websites that fall under the provisions of COPPA, HIPAA or GLB.
  OPPA: Websites must provide a meaningful and simple online process for users to consent to (or limit) disclosure of PII for purposes unrelated to those for which the PII was obtained.
  EU Directives: EU law generally requires that users be given a choice before their PII is used for any purpose other than completing a transaction.

FIP: Access / Participation
  Current U.S. Law: None.
  OPPA: Websites must provide (upon request of user) i) a description of types of PII collected and transferred to a third party, ii) reasonable procedures for the user to obtain PII.
  EU Directives: Websites must provide users access to PII and conditional procedures to modify incorrect PII.

FIP: Security / Integrity
  Current U.S. Law: None; however, common law suits based on negligence are a potential consequence of not using commercially reasonable measures to protect the integrity of stored PII.
  OPPA: Requires websites to establish and maintain reasonable procedures to protect the confidentiality, security and integrity of personal information they collect or maintain.
  EU Directives: Must take appropriate technical and organizational measures to safeguard security of its services.

FIP: Enforcement / Redress
  Current U.S. Law: FTC and state attorneys general can file unfair trade practice suits against websites that do not adhere to promises made in their privacy policies.
  OPPA: For violations of OPPA, state attorneys general are empowered to file suits for injunctions and damages unless the FTC decides it wants to file a nationwide claim.
  EU Directives: There are no private rights of action, but enforcement takes place through information regulatory agencies in each member nation.

4 Conclusion and Implications

For most transactions that take place on the Internet, U.S. based websites are not regulated. If they collect PII, they are not required to provide notice. They are not required to give end-users a choice as to whether secondary use is made of PII collected to complete transactions. Users whose PII is collected by U.S. based websites have no right to access that information or to recommend corrections of inaccuracies. Websites that are negligent in their storage of PII are potentially liable under common law suits, but the amount of damages involved rarely justifies a suit by individual users even if joined together in a class action suit. The Federal Trade Commission and state attorneys general have filed legal claims against websites that violate the terms of their own privacy policies, but neither the FTC nor state attorneys general have the resources to seriously dent the vast bulk of fraud that occurs in cyberspace, let alone the misuse of PII according to the FIPs. On a piecemeal basis, U.S. legislators have provided some legal protection for the privacy of financial and medical records and for information obtained from children under 13.
Also, there are significant efforts by private parties in the U.S. to guarantee user privacy on the Internet, but analysis of these efforts is outside the scope of this paper. Compared with the EU, however, there is far less legal protection of online privacy in the U.S. Under EU law, data subjects must be notified when PII is collected about them, and the 2002 EU Directive extended the notice requirement to the attachment of cookies and other tracking mechanisms. In general, those attempting to use PII for purposes other than the transaction for which it was collected must obtain an affirmative opt-in from users according to EU law. Users living in EU member states are entitled to access to PII collected about them and have the right to participate in correcting mistakes. The EU does require that those that store and transmit PII use commercially reasonable means for maintaining confidentiality. Enforcement in the EU is accomplished through data protection commissions. The 2002 EU Directive builds on the protections provided for in the 1995 Information Directive. In the U.S. there have been several reform proposals tendered in Congress, but so far none has been enacted. The current comprehensive proposal for privacy, the Online Privacy Protection Act, if adopted would require U.S. based websites to incorporate most of the Fair Information Practices in their standard operating procedures. Many websites do have privacy policies that incorporate some of the FIPs, but for many other websites enactment of OPPA would cause substantial changes in current commercial practices. The differing privacy laws create a dilemma for executives, managers and security professionals. When managers or Chief Privacy Officers produce website privacy policies that conform to the most restrictive online privacy laws, the organization is expected to adhere to those laws.
However, it is expensive to comply with restrictive privacy laws, and similarly, valuable marketing data may be lost to business rivals. Some policy analysts emphasize the importance of “ethics,” but recent Internet history and basic economic theory suggest that if there is a profit to be made by acquiring, storing or transmitting PII, someone will take advantage of the opportunity. Given the vastness of cyberspace, misuse of PII is often undetected. When organizations do engage in surreptitious behavior with regard to PII, consumers typically must rely on voluntary actions by non-profit watchdog groups. It is the authors’ opinion that such reliance is not a viable safeguard against thousands of websites and online service providers, large and small, whose ethical commitments are attenuated because of profit considerations (i.e., if they do not do “it,” others will, and those others will become more profitable as a result). A topic for further research is an empirical investigation of whether the commercial practices of EU websites are significantly different from those of U.S. based websites. It is clear that there are substantially more guarantees for the privacy of PII in EU law, but whether those guarantees are evident in the practices of large and small websites is worthy of investigation. Once the 2002 Directive is implemented, we should see fewer EU based websites that do not have a hyperlink to their privacy policies on their home pages relative to U.S. based websites. Users dealing with websites subject to EU law should have more options with respect to the use of their PII, greater access and participation in correcting their files, and the other protections discussed above. Investigators in the legal/privacy field should have a keen interest in measuring the impact of the 2002 EU Directive on commercial practices of EU based websites. It could also be said that much of the difference between commercial practices in the U.S.
and EU is attributable to the impact of the 1995 EU Information Directive. There is no doubt that the 1995 EU Information Directive caused major changes in the commercial practices of EU based collectors and transmitters of information, including websites, and through the Safe Harbor Principles the commercial practices of U.S. firms have been impacted as well. Researchers in this area may have difficulty disentangling the effect of EU Directives because these directives have been foisted upon some U.S. firms through the Safe Harbor Principles. If OPPA is enacted into law, its effects should obliterate differences in the commercial practices of U.S. and EU websites and online service providers, so perhaps longitudinal studies are appropriate.

References (numbered by appearance)

[1] Ives, B. and Jarvenpaa, S.L. Applications of global information technology: Key issues for management. MIS Quarterly (Mar. 1991), 33-48.
[2] Milberg, S.J., H.J. Smith and S.J. Burke. Information Privacy: Corporate Management and National Regulation. Organization Science, Vol. 11, No. 1, January-February 2000, pp. 35-57.
[3] Milberg et al. 1995.
[4] Loring, T. An Analysis of the Informational Privacy Protection Afforded by the European Union and the United States. Texas International Law Journal, Spring 2002.
[5] Westin, A. Privacy and Freedom. Atheneum, New York, 1967.
[6] Earp, J.B., A.I. Anton, L. Aiman-Smith and W. Stufflebeam. “Crossed Signals: What Users Really Want from Internet Privacy Policies.” The Academy of Management, August 1-6, 2003.
[7] Hofstede, G. Cultures and Organizations. McGraw-Hill, Berkshire, England, 1991.
[8] Dresner, S. Data protection roundup. Privacy Laws Bus. (U.K.) (33), January 1996, pp. 2-8.
[9] The Code of Fair Information Practices, U.S. Department of Health, Education and Welfare, Secretary’s Advisory Committee on Automated Personal Data Systems, Records, Computers, and the Rights of Citizens, viii, http://www.epic.org/privacy/consumer/code_fair_info.html, 1973.
[10] [OECD00] CDT’s Guide to Online Privacy: Privacy Basics: The OECD Guidelines, accessed on August 6, 2002 at http://www.cdt.org/privacy/guide/basic/oecdguidelines.html, 2000.
[11] Baumer, D.L., J.B. Earp, and P.S. Evers. Tit for Tat in Cyberspace: Consumer and Web Site Responses to Anarchy in the Market for Personal Information. Journal of Law and Technology, Vol. 4(2), 2003, pp. 217-274.
[12] Earp, J.B. and D.L. Baumer. Innovative Web Use to Learn about Consumer Behavior and Online Privacy. Communications of the ACM, Vol. 46, No. 4, 2003, pp. 81-83.
[13] Volokh, 2000.
[14] Online Privacy Protection: Testimony of FTC Commissioner Sheila F. Anthony Before the U.S. Senate Committee on Commerce, Science, and Transportation, May 25, 2000, located at: http://www.senate.gov/~commerce/hearings/0525ant.pdf.
[15] Federal Trade Commission. Privacy Online: Fair Information Practices in the Electronic Marketplace, A Report to Congress, 2000.
[16] W.F. Adkinson, J.A. Eisenach and T.M. Lenard. Privacy Online: A Report on the Information Practices and Policies of Commercial Web Sites. Washington, DC: Progress & Freedom Foundation, 2002. Downloaded July 18, 2003: http://www.pff.org/publications/privacyonlinefinalael.pdf.
[17] Baumer, Earp and Payton. ACM Computers and Society.

Footnotes

1 S. 2201, 107th Cong., 2002.
2 Chapter 1, Article 2(d) defines a “controller” as “the natural or legal person, public authority, agency or any other body which alone or with others determines the purposes and means of the processing of personal data.”
3 Cite the AIDS blood case and the original Learned Hand case.