Internet Drives Privacy Debate

Suddenly our entire lives are open books online, fueling concerns about who's using all that information.

by / October 31, 1998
The Internet is history's biggest data-collection machine. Web sites ask for a visitor's name, e-mail address and even income. Small programs called 'cookies' slipped on the hard disk can also trace a surfer's path through the Net. Quite apart from the ethics of such things, experts fear that consumers will buy less online if they are being watched. Nearly one in four Americans would use the Internet more if their privacy were protected, according to a recent poll, and 60 percent think legislation is needed."

From "You are Being Tailed," The Economist (June 27,1998)

Privacy is coming to the forefront of people's awareness and emerging as a major political issue. Some members of Congress and the Clinton administration are now beginning to demand placement of proper protections for the privacy of individuals. The question is whether such measures are to be voluntary or mandated by law. One of the concerns legislators have is the collection and use of personal information from children. Many Web sites collect this, either openly or secretly, through extracting personal information every time a user comes to a site. The Federal Trade Communication, in its June 4 "Report to Congress on Privacy Online," at , expressed deep concern about the violation of privacy on the Internet and, in particular, on the abuse of information collected from children. The FTC first voiced its concerns 12 months earlier. High-tech companies such as Microsoft, Netscape, IBM and many others had promised voluntary privacy codes would be put in place using policy and technological solutions. A year later, a survey by the FTC found that these voluntary practices were woefully inadequate.

Too Much Information?

The Internet has been a driving factor in raising people's concerns about privacy. The tens of millions of us around the world who use the Internet every day are well-aware of how much information is out there.

Our personal information is bandied around the technological and communication networks of the world. At any given time, highly computer-literate people, in government and segments of the private sector, can, within seconds, gather startling amounts of information about us. The issue now is what information we stick onto the World Wide Web, if any, is actually protected?

International Concerns

The transition from paper to the Digital Age has brought with it new issues for the collection, management and dissemination of information.

In the past, especially prior to the rise of the personal computer, seamless international information networks and the Internet, getting at almost any kind of information was a laborious process. Now, Internet browsers and search engines put information from around the globe at one's fingertips. Our personal information is spread out along the corridors of the world's integrated networks. It is the international availability of our personal information that is driving the call not only for national laws, but for international agreement on many Internet issues, including privacy.

As nations join together in global electronic commerce, as more countries become connected to the Internet, and as electronic commerce and electronic delivery of services become reality, it is important to look at the central question of privacy. It is also necessary to assess the differences of approach to the issues in Europe and North America. Privacy is important when dealing with electronic commerce and electronic transactions. When an individual comes online to access a service or benefit, he or she wants to know the transaction is protected from third-party observation.

Assurances are needed that the personal information is not passed on to a multitude of other divisions in the organization or to other departments in government, unless specified by law and the citizen is notified. Clear rules are needed.

The European Solution

Europeans have developed laws to handle the problem within indiv- idual nations.
All 15 members of the European Community have data-protection laws. The European Commission has a Directive on Data Protection outlining all the basic privacy principles. All member states have harmonized their laws, or created them, to fit the directive, which came into force in October. There is one clause in the directive, also found in each of the national laws, that statesthat thetransferof data to another country canbe prohibited if thatcountry does not have adequate privacy protections. Thishas serious implicationsfor North America.

Europeans are now seeking to expand their influence by demanding "adequate" levels of protection in any jurisdiction to which personal information on a European citizen is sent. They have particularly targeted the United States, because this is where the largest amount of European personal data is sent.

Enforcing such principles of protection might prove difficult, because it is questionable whether Europe wants to get into some form of trade war with the United States over privacy. It is clear that some solution is going to be needed. The Europeans will make an issue out of the transfer of personal data on a case-by-case basis.

One solution might be the development of contracts between data-protection authorities in Europe and companies in North America. Such contracts, between a company doing business in Europe, for example, and sending personal data back to its U.S.-based offices, would set out ground rules on how the personal information is treated. It would ensure that the privacy rights of Europeans would travel with the personal information. In other words, this would ensure "adequate" protection of the personal information.

Canadian Action Expected

Canada is moving closer to private-sector privacy protection with a bill pending in its Parliament. It is expected to meet the European "adequacy" standard and allow business to freely trade with Europe with no restrictions due to a lack

of privacy standards. In Quebec, there is a law regulating the use of personal information in the private sector. While many in the United States want some form of privacy regulation, it is certain this will not happen in the immediate future. Canada's law will likely be based on the Canadian Standards Association's Model Code for the Protection of Personal Information. This code was developed in conjunction with industry and government representatives from across Canada. Many companies are now adopting the code.

One likely problem for Canada is that the proposed legislation will only cover the federally regulated agencies -- banking, telecommunications, insurance and transportation. The other sectors are regulated by the provinces, many of which do not want privacy legislation for the private sector. However, these companies could adopt the Canadian Standards Model Code, thus complying individually with the European requirements.

Is the Cat Out of the Bag?

Many today argue that technology is so pervasive in the industrialized nations that our privacy has been lost forever. Privacy advocates vociferously disagree, arguing that legislative standards will handle the problem. Many ordinary people not versed in the substantive issues surrounding privacy know that there is a problem. Surveys indicate that people increasingly want mechanisms to protect their privacy online. Certainly, Europe does not believe that technology has destroyed our privacy. However, the Europeans recognize that the Internet does represent a special problem for the protection of privacy. They see the need for international agreements to protect privacy on the Internet. This could be a long time in coming, given the resistance to regulation of the Internet.

Some members of Congress and the Clinton administration are increasingly frustrated with the lack of sufficient self-regulatory privacy policies on the part of companies doing business online. This is shaping up to be a war on privacy. One camp insists the only way to go is to have enforceable privacy statutes in place. The other argues that the
voluntary approach is sufficient. The FTC urged the administration to develop privacy law on the Internet to protect children, and Vice President Al Gore announced his plans for an Electronic Bill of Rights and stressed the importance of Internet privacy. The message is becoming clear: Either the private sector is going to have to do much more by the end of this year or face the possibility of legislation.

The protections afforded by those companies who do have a data-privacy policy have often been found to be lacking. These protections include allowing individuals to opt out of a service or not to have personal information collected by a data user and passed on to another. Internet sites almost universally do not allow individuals access to their own personal information. Such flaws in voluntary policies would be addressed in a statute.

However, the question is whether the administration and Congress are serious about omnibus legislation. The voices from the private sector calling for the self-regulatory approach are quite strong.

This tension between the voluntary and regulatory approaches to privacy protection is also evident in Canada. The private sector accepted the necessity for legislation but, in response to the government's call for legislation, has suggested that any law have only a light touch and not be too burdensome for business.

Many in the United States have said for years that legislation is going to be necessary for companies to comply with the European Commission's data-protection directive. However, it appears that the spreading of business on the Internet has raised consumers' concerns over intrusive uses of their personal information. This is driving policy and technology solutions for privacy. Omnibus legislation may not be immediately forthcoming, but political concern over public fear of online information abuse is creating Internet privacy policies. They are almost universally inadequate at the moment, but political pressure could result in improved practices. The European directive is a secondary pressure.

Thomas B. Riley is an international specialist on information management and the impact of Information Technology. He is the co-author of Privacy in the Information Age: A Handbook for Industry and Government Professionals. He can be contacted by calling 613 /236-7844, or online at .

November Table of Contents