Chapter 8. Privacy Policies, Legislation, And Government Regulation
At a Glance
This chapter provides an overview of public policies that are directly related to business, non-profit, and governmental operations in a networked world. There are some examples of legislation that has been designed to protect citizens, customers, and children from identity theft, fraud, and obscene content. Part 4 contains a deeper discussion of regulatory issues in “cyberspace”; here we are focusing on organizational responsibility for interactions with the public. This chapter will focus, in brief, on issues that are relevant in the e-commerce and e-finance contexts.
The Business-Customer Relationship in a Digital World
Online businesses know a lot about their customers. An online merchant knows every product that you look at, every product that you put in your “shopping cart” but later take out, and anything that you’ve ever purchased from them online. Online merchants also know when you shop, if you shop from home or from work, and—if they care—what your credit rating is. Furthermore, unlike the offline world, an online merchant can correlate your shopping profile with your web browsing habits.
Potentially Internet service providers could learn even more about their customers because all information that an Internet user sees must first pass through the provider’s computers. ISPs could also determine the web sites that their users frequent—and even the individual articles that have been viewed. They could analyze e-mail messages for keywords. By tracking this information, an Internet provider could tell if its users are interested in boats or cars, whether they care about fashion, or even if they are interested in particular medical diseases.
Policies That Protect Privacy and Privacy Policies
What standards should online businesses and organizations follow with regard to the personally identifiable information that they gather?
In the United States, consumer rights were first addressed clearly through the passage of the Fair Credit Reporting Act in 1970. This law gave consumers fundamental rights, including the right to see their credit reports; the right to know the third-parties to whom their reports had been disclosed; the right to force credit reporting agencies to re-investigate “errors” detected by consumers; the right to force the agencies to include a statement from the consumer on reports that were in dispute; and a sunset provision requiring credit reporting agencies to purge information on a consumer’s report that was more than seven years old (ten years for information regarding bankruptcies). In 1973, the Code of Fair Information Practices was produced to supplement the discussion of consumer rights in an age when computers were beginning to hold more personal data.
The Code of Fair Information Practices [62]
The Code of Fair Information Practices is based on five principles:
• There must be no personal data record-keeping systems whose very existence is secret.
• There must be a way for a person to find out what information about the person is in a record and how it is used.
• There must be a way for a person to prevent information about the person that was obtained for one purpose from being used or made available for other purposes without the person’s consent.
• There must be a way for a person to correct or amend a record of identifiable information about the person.
• Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for its intended use and must take precautions to prevent misuses of the data.
In the United States, Congress continued to pass legislation regulating the use of personal information. Over time, banking records, telephone, Internet, and cable subscriber records, medical records, educational records, and even video-tape rental records all came under protection by U.S. Congressional action. However, each of these pieces of legislation offered different protections and was enforced by a different part of the federal government. Some acts, like the anti-junk-fax Telephone Consumer Privacy Act, did not have any enforcement mechanism at all other than private lawsuits. Things were different in Europe. Building on the experience of World War II, during which personal records were misused by the Nazis, most European governments created an institutional framework for regulating the collection and use of personal information. The Europeans extended the ideas expressed in the Code of Fair Information Practices into an overall system that was termed data protection.
[62] Source: U.S. Department of Health, Education, and Welfare, 1973.
OECD Guidelines
In 1980, the Organization for Economic Development and Cooperation (OECD) adopted an expanded set of privacy guidelines. These guidelines were designed, in part, to harmonize the growing number of privacy regulations throughout the industrialized world. The guidelines were also specifically designed to deal with the growing problem of transborder data flows—the movement of personal information from one country, where that data might be highly protected, to another country that might have lesser protections. The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data consist of eight principles:
Collection Limitation Principle
There should be limits to the collection of personal data, and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
Data Quality Principle
Personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete, and kept up to date.
Purpose Specification Principle
The purposes for which personal data is collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
Use Limitation Principle
Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified in accordance with the previous principle except:
• With the consent of the data subject, or
• By the authority of law.
Security Safeguards Principle
Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data.
Openness Principle
There should be a general policy of openness about developments, practices, and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
Individual Participation Principle
An individual should have the right:
• To obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
• To have communicated to him, data relating to him:
o Within a reasonable time;
o At a charge, if any, that is not excessive;
o In a reasonable manner; and
o In a form that is readily intelligible to him;
• To be given reasons if a request made as specified above is denied, and to be able to challenge such denial; and
• To challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed, or amended.
Accountability Principle
A data controller should be accountable for complying with measures that give effect to the principles stated above.
The OECD Guidelines do not have the force of law, but are instead used as guidelines for each OECD member country when passing its own laws.
See Part 3, Chapter 11 for a simple checklist on data protection measures that may be taken if you gather information about potential customers on your web site.