Privacy in Electronic Commerce - Research Paper Example


Extract of sample "Privacy in Electronic Commerce"

Cyber Law

Contents
I. Introduction
II. Discussion and Analysis
2.1. Data protection and right to privacy
2.2. Regulatory environment: An overview
2.3. The EU data protection directives
2.3.1. The 95/46/EC Directive
2.3.2. The 02/58/EC Directive
III. Discussion & Analysis
IV. Conclusion
References

I. Introduction

The technological revolution spearheaded by the invention of the internet, and the subsequent development of electronic commerce, has posed a significant threat to the conventional methods of business, transforming the manner in which consumers behave in the process. There has been a steady rise in the scope and use of ecommerce over the years, leading to significant changes in various spheres of our day-to-day lives. This in turn has led to a sea change in the manner in which legal policies are drafted and implemented, at the local as well as global levels, in order to impose legal obligations on the use and regulation of the internet. Ever since its invention, the internet has been largely controlled and governed by the common consensus of its users, and the regulatory structure has evolved and co-existed naturally, as opposed to being developed deliberately in a structured manner (Acquisti, 2004). Recently, however, there has been a considerable transformation in the manner in which ecommerce is managed and governed. Due to widespread public concerns, the bodies governing its use, at the national as well as international levels, have been forced to adopt stringent laws from time to time for its healthy development. It is quite evident by now, though, that controlling or regulating the internet environment is not within the scope of any government, local or international. It can only be developed through healthy co-operation between all states.
In the present-day world, regulation of the internet assumes a position of immense significance and is inevitable for the smooth operation of all activities, particularly those related to business practices. The internet has facilitated the foray of even the smallest of firms into a larger public domain, granting them an opportunity to access a wider customer base. In the process, the competitive advantage available to firms and individuals has widened drastically, completely transforming conventional business practices and giving rise to various issues related to data protection and security. In order for individuals and firms to operate smoothly and safely in such a high-tech environment, it is inevitable for those at the helm of affairs to provide simple yet effective laws which ensure the protection of their data and maintain their privacy in this highly vulnerable virtual world. This paper discusses the various aspects of the European data protection directive, with special reference to directives 95/46/EC and 02/58/EC, as amended, in the context of its implications for and relevance to the information society in present times.

II. Discussion and Analysis

The current knowledge regarding informational privacy is largely derived from observations of individual behaviour, and more particularly from the manner in which individuals relate to and access information about themselves. Regulations and legislation governing an individual’s right to uphold their private information have been historically debated, and the right was described by Judge Samuel Warren and Louis Brandeis, as far back as 1890, as an individual’s right to ‘be let alone’ (Warren, Brandeis, 1890). Although technology, and especially information and communications technology, has undergone a massive makeover since then, the fundamental principles of an individual’s privacy continue to hold the same degree of validity and relevance.
Ideally, the right to privacy of data belonging to an individual is based on the principle that the right to share or restrict access to one’s private information / data lies solely with the individuals concerned, and that they have the right to access it in ‘solitude’ and ‘anonymity’, and reserve the right to withhold it from public access (Dumortier, Robben, 2001). The concept of data privacy, and ‘privacy’ in general, has also received credible recognition as an individual’s fundamental human right from international organizations such as the UN (Universal Declaration of Human Rights, 1948) (UN Org, 2010) as well as the Council of Europe (European Convention on Human Rights, ECHR, 1950). It is owing to such policies and perceptions towards individuals’ right to privacy that legal regulations governing its protection have been developed and implemented ever since the 1970s and 80s. The European data protection directive, however, was only introduced in the year 1995. The basic principles around which these laws were framed include:
  • Ensuring the individuals’ right to be informed in cases where their personal information is being collected for various purposes.
  • Informing them whenever any personal data is being collected for whatever reasons, and seeking their permission to deal with the data so collected, i.e. whether to withhold or share it with others for various purposes.
  • Educating them about the manner in which their personal data can be accessed and guiding them in verifying the information displayed, as well as enabling them to request that changes be made in case of inaccurate data.
  • Informing them about the steps taken to protect the privacy of their data (Hübner, 2001).
The application of the above-mentioned principles or rules, with respect to protecting the privacy of data belonging to individuals, is a herculean task and cannot be accomplished easily, especially in the present-day environment, where data theft is a common occurrence and an ever-increasing menace. The private information / data belonging to individuals needs to be processed, stored and / or transferred, as the case may be, for the benefit of either the individuals or the organizations, or both, for various purposes such as protection of their security, enhancing public service delivery, or a range of other commercial purposes. Thus it is imperative for the government to develop and implement laws seeking protection of individuals’ privacy rights with regard to data protection. The following section discusses the regulatory structure and laws relating to data protection and privacy in a comprehensive manner.

2.1. Data protection and right to privacy

The directives listed under the European Data Protection law serve as a primary regulatory means of securing the individual’s right to privacy of their data, for all European citizens. These directives in all comprise 34 Articles, which include various provisions spanning a wide variety of issues, such as protection of quality of data; laws regarding processing of data collected; the rights of individuals whose data is sought for various reasons; issues relating to confidentiality of data collected as well as of the individuals to whom such data belong; security of data collected; and sanctions and liabilities, among others.

Table 1: Core features of Bennett and Raab’s Privacy Regimes

Although the data protection directive of the EU can hardly be described as a highly innovative concept, it has played a major role in empowering the rights of its citizens, especially with regard to the protection of their privacy, and has had a significant impact on the EU.
It has fostered the establishment of a harmonised framework of data protection and security between all member states within the EU. However, it must be noted that the protection of individuals’ data is not solely reliant on state-initiated regulations; there are various self-regulatory practices as well, which operate alongside the national regulations. The common goal, regardless of government laws or self-regulatory practices adopted by organizations, remains the same: protection of individuals’ basic human right to privacy of their personal data. Such a set-up proves particularly helpful in dealing with various critical challenges faced in today’s high-tech world, such as issues related to ownership of data, data broking and stewardship, at regulatory as well as non-regulatory levels. The directive laid down by the EU only furthers the primary cause by encouraging the implementation of such practices at various levels across the state.

2.2. Regulatory environment: An overview

The European Union has taken giant strides in ensuring the protection of individuals’ data through the establishment and implementation of various directives which tend to affect the technological environment. These directives are aimed at addressing various issues within the EU, and include: the E-commerce Directive (Dir. 2000/31/EC); the Distance Selling Directive (Dir. 1997/7/EC); the “Electronic Signatures Directive” (Dir. 1999/93/EC); the Data Protection Directives (Dir. 95/46/EC & Dir. 02/58/EC); and Council Regulation No. 44/2001. The key objective of these initiatives is to encourage and endorse the development of effective e-commerce within the EU states. E-commerce is a relatively new phenomenon and is likely to grow further. It is highly reliant on data collected from individuals, and hence, in the absence of adequate and effective laws or a regulatory environment governing it, the development of this sector cannot be achieved.
This may lead to a negative impact on the European economy, affecting its competitive positioning in the global marketplace.

2.3. The EU Data Protection Directives

The data protection directives developed by the EU are aimed at protecting individuals’ right to privacy of their data and assume immense significance in view of the present-day technological environment, owing to the rise in cases of data theft and subsequent concerns regarding data security. These directives are transnational, EU-wide policy regulations, which are aimed at guiding the individual member states regarding their implementation and use. They have been developed to counter the various regulatory policies which were previously in effect, in order to afford greater data protection to individuals in this highly intensive information age, and to enable the government as well as other organizations in charge of holding and processing a large amount of data to exchange and process the information at their disposal wisely and safely over the internet (EUR Lex, 2010). The following table describes the various tenets of the 1995 EU data protection directive.

Table 2: Source: Lofgren, Webster, 2009

Laws governing the protection of individual data are essentially European in nature; although various other countries, such as Canada and Australia, also have such laws in place, the depth, intensity and breadth of the European laws are largely missing there. The two key instruments which deal with data protection in the EU with regard to the right to privacy are Directive 95/46/EC and Directive 02/58/EC. Directive 95/46/EC basically seeks to establish the meaning and scope of the concept of personal data, and establishes various ways in which such data can be protected (Bennett, 1997).

2.3.1. Directive 95/46/EC

This directive seeks to protect the rights of individuals with reference to their personal data, and also advocates the cause of free movement / transfer of data within a comprehensive framework aimed at securing the privacy of data of all its citizens. In order to strengthen this directive, a secondary piece of legislation (the ePrivacy directive), passed in 2002, was added to the existing framework with a view to covering other, wider aspects of data protection, such as processing of personal data irrespective of the technology involved. The ePrivacy directive was intended to strengthen the current laws and regulations governing data protection and to enforce protection of the basic rights of digital users. It now seeks to cover issues such as informed consent and transparency, in order to broaden its scope and outreach.

The 95/46/EC Directive

It is often argued and debated that the key elements of data protection laws must include a precise definition of the conditions under which personal information belonging to individuals can be made available to third parties, and a framework which prevents collection, processing and use of such data beyond the purview of the conditions stated in the definition. The 95/46/EC directive essentially deals with the aspect which prevents others from accessing private information for use by third parties, unless the conditions specified in the definition are satisfied.
The basic purpose of this directive is to:
  • Ensure that the member states take adequate steps to protect the basic rights and freedoms of their citizens, especially with regard to protection of their privacy with respect to their personal data; and
  • Ensure that they neither prevent nor curb the free flow of personal data among the member states.

The principle of ‘fair and legal’ mentioned under this directive suggests that any type of personal data collected from individuals cannot be treated as legal unless at least one of the conditions mentioned in Schedule 2 is duly satisfied. If the personal data is sensitive in nature, then the condition mentioned in Schedule 3 must also be met. In the UK, the lawlessness with regard to data protection occurs mainly on the following grounds:
  • When there is a breach of confidence or trust;
  • When there is a breach of the ultra vires doctrine; and
  • When there is a breach of a legitimate expectation.

The directive also states that the personal data collected can only be used for specified and legitimate purposes, and that any breach of law in which the data is used for purposes incompatible with the provisions of law shall attract legal action as specified under the law. Furthermore, this directive states that the data collected must be adequate and sufficient for the purpose for which it was collected, must not be in excess of what is required, and must be processed in a proper manner. The principle also holds that the personal data collected must be accurate and kept up to date; it must not be outdated or irrelevant in a way that may mislead the organization or government concerned (CDT Org, 2010). The accuracy of the data collected must be checked and ensured by the controller of the data, i.e. by the authorities responsible for governing and assessing the data, although the maintenance and updating of the same is discretionary.
It further entails that personal data must not be kept or retained longer than required, and must be disposed of in a proper manner once the objective for which it was collected is duly achieved. It must be used only for the purpose for which it was collected, and it must be promptly deleted or removed once that purpose is successfully achieved. Where the data was collected for a specific purpose owing to the relationship between the data controller and the provider of data, it must be removed / deleted once the relationship ceases to exist. For instance, in the case of the relationship between employee and employer, the employer may seek certain personal information from the employee for the purpose of the job, but the law requires the employer to delete or remove the personal information of the employee when the service is terminated or when the relationship between the employer and employee ceases to exist. In case of any breach of law, such as use of personal data for unauthorised or unlawful purposes, this directive includes a provision which ensures that appropriate technical and legal measures are initiated against those involved in the crime. The law also includes a provision to protect individuals in case of accidental loss of information. The directive also affords the establishment of a national supervisory authority in the UK, whereby the responsibility of applying the national regulations and providing assistance is not only made available but also rendered inevitable under the law. The directive has also proposed the creation of a “working party”, which will be entrusted with the responsibility of ensuring that the rules and regulations are observed and that the application of data protection laws is monitored from time to time. Furthermore, suggestions are also sought to modify or renew existing laws, for better protection of individuals’ personal data.
The 1995 data protection directive has enabled the EU to strengthen its laws and has created a sense of security among the human rights supporters who have been advocating and promoting this cause within the EU. It has ensured the protection of wider human rights, most essentially the right to privacy of personal information, and has helped various sections of society in various ways. For instance, it has helped in providing adequate protection to employees from excessive and intrusive questioning by employers which requires them to reveal / disclose their private information. It must also be taken into consideration, however, that the data protection directives established and implemented by the EU are in no way restricted only to employees, but were meant to be applied to a larger audience.

2.3.2. The 02/58/EC Directive

This directive was implemented in place of the previous directive 97/66/EC in the year 1997. This directive helped in bringing about significant transformations in labour law as well as in other fields, and was implemented UK-wide, along with the 1995 directive. The 1995 directive was implemented under the Data Protection Act 1998, while the 02/58/EC directive was implemented under sec 2(2) of the European Communities Act. Although several debates centered on the adoption and implementation of proper data protection and privacy laws during the period 1995 – 1997, the complexity of the laws governing the protection of the individual human right to privacy delayed their effective implementation. The technological environment is also known to be highly volatile, and was subject to a wide variety of changes and transformations over a short duration of time, making it difficult for law enforcers to develop and implement adequate and effective laws which would ensure not only the protection of data but also the protection of individuals’ right to privacy.
The scope of the directives was sought to be wide enough to accommodate a wider segment of society and to ensure equal protection for all its citizens. This particular directive was mainly associated with labour law, and was frequently changed owing to the dynamic external environment. However, whether such changes and amendments had any positive impact on the information society as a whole remains to be seen (Hildebrandt, Gutwirth, 2008). The basic difference following the changes made in this directive applies to Article 5, which deals with the confidentiality of communications, whereby additional provisions were added to deal with the issue of protecting an individual’s confidentiality in the field of electronic communications. Since this law was brought in as a replacement for the old (1997) directive, the new, improved directive sought to include various changes which would prove effective in dealing with the rapidly changing external technological environment. The new directive extended its outreach to include protection of data for legal persons as well, whereby the broader market issues were addressed over and above the general labour law issues.

III. Analysis

One of the basic objectives of this directive was to enhance the harmonization of data security legislation across all the EU member states, with a view to ensuring that the right to privacy of all individuals is maintained and that there is a free flow and processing of information between all the member states. Such a framework would in turn ensure the development of a perfectly harmonized European legal framework, whereby data controllers can manage personal data in compliance with the rules and regulations laid down by any member state within the EU. This would also ensure that the same laws are applicable throughout the EU, affording ease of use to employers regardless of their location.
One of the key goals of this directive was to ensure that the broader legal implications of this law are available and applicable throughout the EU, and that the laws regarding data protection and privacy, especially with regard to certain critical issues, are uniform across all member states. These include, for instance, the issues related to protection of private data; the fulfilment of conditions regarding the legitimacy of the data so collected; the concerns and issues related to quality and security of data; the rights of the data subjects; and the probability of enforcing the rules, among others. The key strengths of this directive, as well as their national implications, are mentioned in the table below:

Table 2: Summary of Main Strengths. Source: RAND Europe & time-lex

Although the law sought to achieve the basic goal of protecting data and the privacy of individuals’ personal information, the ever-changing and highly vulnerable nature of the external environment has rendered various obligations under these directives relatively elusive to date. The sensitivities and needs of the member states differ, and hence grouping them under one law, and seeking application of uniform policies throughout all the states, tends to ignore the specific requirements of each state. Furthermore, it is also argued that there are problems in nationwide implementation of the law, which can be interpreted as a lack of co-ordination and harmonization among the member states with regard to the acceptability of the provisions mentioned under this directive. The observance of certain regulations in some member states, and their wilful or unintentional disregard in others, may also indicate the relative inability of the law to be interpreted uniformly across the EU. In order for the law to function effectively, its interpretation must be uniform throughout all states.
Furthermore, the relationship between the key concept of personal data and the risks associated with the privacy of individuals’ information is also relatively unclear. The directive has been widely criticized for the ambiguity which exists in defining key terms such as protection of privacy and protection of data. The act is quite vague and does not specify the boundaries within which the terms can be interpreted. Also, not all the acts listed under this directive have a clear focus on differentiating the two concepts, hence the ambiguity. The concept of personal data is quite broad in scope and is open to interpretation, further contributing to the dilemma faced by users in interpreting the law. It is argued that any data which can be associated with a certain individual can be interpreted and deemed as belonging to that individual, i.e. can be treated as his/her personal data. In accordance with this interpretation, IP (internet protocol) addresses too fall under the personal information category, irrespective of whether the organizations processing such data actually do or do not have the possibility of associating such information with every individual concerned.

IV. Conclusion

It can be safely concluded from the above discussion that ascertaining the precise significance and outreach of these directives, and comparing their advantages against their disadvantages, may prove to be a highly complicated activity. It cannot be denied, though, that the directive does have the potential to create awareness regarding critical issues such as data protection and protection of the privacy of individuals, and their implications while developing and implementing an effective legal framework, thus safely presuming its success and positive impact on the broader information society.
However, at the same time, it cannot be denied that there still exists substantial dissent among policy makers regarding several key issues which are required to be dealt with promptly in order for the law to assume greater significance and effectiveness. The directives discussed above have also played a major role in creating awareness among individuals regarding the pros and cons of preserving their data, and have enlightened them regarding their basic human rights. But at the same time, they have left a wide gap which needs to be bridged, such as clearing the existing ambiguities regarding the definition and scope of certain terms, which are acting as a roadblock and preventing the law from unleashing its full power in the better and wider interests of the individuals concerned.

References:

Acquisti, A. (2004). Privacy in Electronic Commerce and the Economics of Immediate Gratification. Proceedings of ACM Electronic Commerce Conference (EC 04), New York, USA: ACM Press, pp. 21-29.

Bennett, C. (1997). Convergence Re-visited: Towards a global policy for the protection of personal data. In Agre, P., and Rotenberg, M. (eds) Technology and privacy: The new landscape, Cambridge: MIT Press.

Bennett, C., Raab, C. (2006). The governance of privacy: Policy instruments in global perspective. Cambridge: MIT Press.

CDT Org (2010). Directive 95/46/EC [online] Accessed: 9th December, 2010 from: <http://www.cdt.org/privacy/eudirective/EU_Directive_.html>

Dumortier, J., Robben, F. (2001). A decade of research @ the crossroads of law and ICT, Larcier Publication, NY.

European Union (EU). (1995). Directive 95/46/EC of the European Parliament and of the Council on the Protection of Individuals with Regard to the processing of personal data and the free movement of such data. Brussels, OJ No. L281 (the EU Data protection directive), 9 December, 2010.

Hildebrandt, M., Gutwirth, S. (2008). Profiling the European citizen: cross disciplinary perspectives, Springer Publication.

Hübner, S. (2001). IT-security and privacy: design and use of privacy-enhancing security mechanisms, Springer Publication.

Lofgren, K., Webster, (2009). Political Studies Association Annual Conference, Manchester.

Warren, S. D., Brandeis, L. D. (1890). The Right to Privacy, Harvard Law Review, Boston, pp. 193 - 220.

UN Org (2010). The Universal Declaration of Human Rights [Online] Accessed: 9th December, 2010 from:

EUR Lex (2010). Directive 95/46/EC of the European Parliament [online] Accessed: 9th December 2010 from: