Legal and Regulatory Issues in the Information Economy/Consumer Privacy and Protection

Advances in information technology and data management offer the promise of a new and prosperous cyberspace-based economy. New communications and information systems allow organizations to gather, share and transmit growing quantities of information with unprecedented speed and efficiency. But this technology also poses a serious threat to privacy. Private individuals and organizations now have the access, means, methods and tools to encroach on the privacy of others, and to do so in a manner that is not so obtrusive.

What is information privacy?
Of utmost importance is information privacy, an “individual’s claim to control the terms under which personal information - information identifiable to the individual - is acquired, disclosed and used.”

Disclosural privacy is similarly defined as “the individual’s ability to choose for him/herself the time, circumstance, and extent to which his/her attitudes, beliefs, behavior and opinion are to be shared with or withheld from others.”

Why protect privacy?
The right to privacy is fundamental to any democratic society. The slightest apprehension on the part of a person using the Internet about who will see his personal information and how it will be used would by itself mean that he has lost a basic freedom. Moreover, the more others know about the details of a person’s life, the greater their opportunity to influence, interfere with, or judge the choices the person makes.

Having knowledge and control of how personal information is provided, transmitted and used is the key to protecting privacy.

Is there such a thing as protecting privacy too much?
Foremost among the arguments used against the adoption of a stringent information disclosure regime is that it would ultimately hinder commerce. To require an individual’s prior consent before personal data can be elicited may actually hamper the growth of commerce that is largely based on a “better information equals better markets” theory. If the markets can profile their consumers accurately, a better match between interested buyers and sellers can be made.

Another argument is the need for truthfulness. The ethical or legal duties of disclosure inherent in a relationship command an openness that information privacy prevents.

What challenge does the protection of privacy pose? How can proper use of information be assured?
Finding a balance between the legitimate need to collect information and the need to protect privacy has become a major challenge. The following OECD guidelines may be considered as fundamental requirements for the proper use or processing of information online:


 * Information Privacy Principle. Personal information should be acquired, disclosed, and used only in ways that respect an individual’s privacy.
 * Information Integrity Principle. Personal information should not be improperly altered or destroyed.
 * Information Quality Principle. Information should be accurate, timely, complete and relevant for the purpose for which it is provided or used.
 * Collection Limitation Principle. Personal data should be obtained by lawful and fair means, and where appropriate, with the knowledge and consent of the data subject.
 * Purpose Specification Principle. The purposes for which data are collected should be specified at the time of collection.
 * Security Safeguards Principle. Personal data should be protected by reasonable safeguards against risks like loss or unauthorized access, destruction, use, modification or disclosure of data.
 * Openness Principle. There should be a policy of openness about developments, practices and policies with respect to personal data.
 * Accountability Principle. A data controller has the responsibility to comply with measures based on the foregoing principles.

Are there other existing guidelines for data protection?
The European Union has issued Directive 95/46/EC, which establishes a regulatory framework to guarantee free movement of personal data, while giving individual EU countries room to maneuver with respect to how to implement the Directive. Free movement of data is particularly important for all services with a large customer base and dependent on processing personal data, such as distance selling and financial services. In practice, banks and insurance companies process large quantities of personal data, inter alia, on such highly sensitive issues as credit ratings and credit-worthiness. If each Member State had its own set of rules on data protection (for example on how data subjects could verify the information held on them), cross-border provision of services, notably over the information superhighways, would be virtually impossible and this extremely valuable new market opportunity would be lost.

The Directive also aims to narrow divergences between national data protection laws to the extent necessary to remove obstacles to the free movement of personal data within the EU. As a result, any person whose data are processed in the Community will be afforded an equivalent level of protection of his rights, in particular his right to privacy, irrespective of the Member State where the processing is carried out.

How can consumers be protected in electronic commerce transactions?
In December 1999, the OECD issued the Guidelines for Consumer Protection in the Context of Electronic Commerce to help ensure protection for consumers when shopping online and thereby encourage:


 * fair business, advertising and marketing practices;
 * clear information about the identity of an online business, the goods or services it offers and the terms and conditions of any transaction;
 * a transparent process for the confirmation of transactions;
 * secure payment mechanisms;
 * fair, timely and affordable dispute resolution and redress;
 * privacy protection; and
 * consumer and business education.


Box 1. OECD Guidelines on Consumer Protection

Source: Organisation for Economic Co-operation and Development, Guidelines for Consumer Protection in the Context of Electronic Commerce (2000); available from http://www1.oecd.org/publications/e-book/9300023E.PDF

How will the OECD guidelines be used?
The OECD Guidelines are designed to be a technology-neutral tool to help governments, business and consumer representatives by providing practical guidance to help build and maintain consumer confidence in electronic commerce. The Guidelines address the principal aspects of business-to-consumer electronic commerce and reflect existing legal protections available to consumers in more traditional forms of commerce. They stress the importance of transparency and information disclosure and the need for cooperation among governments, businesses and consumers at the national and international levels.

The Guidelines are intended to provide a set of principles to help:


 * Governments - as they review, and (if necessary) adapt, formulate and implement consumer policies and initiatives for electronic commerce.
 * Businesses, consumer groups and self-regulatory bodies - by providing guidance on the core characteristics of consumer protection that should be considered in the development and implementation of self-regulatory schemes.
 * Individual businesses and consumers - by outlining the basic information disclosures and fair business practices they should provide and expect online.

What about jurisdiction and consumer redress?
The OECD Guidelines discuss at length the issues related to jurisdiction, applicable law and access to redress. Because of the broad and horizontal nature of these issues, questions about how they might best be addressed within the context of electronic commerce are not unique to consumer protection. However, the Internet’s potential to increase the number of direct business-to-consumer cross-border transactions makes it important that consumer interests be fully taken into account.

The language on jurisdiction and applicable law within the Guidelines reflects the complexity and the current lack of international consensus on these issues. The Guidelines recognize that all business-to-consumer cross-border transactions are subject to the existing framework on jurisdiction and applicable law, but that electronic commerce poses certain challenges to that framework. The Guidelines call for further work in addressing these issues and ensuring that consumer interests are given appropriate consideration as the jurisdictional framework for electronic commerce evolves.

The Guidelines also focus particular attention on the importance of providing consumers with access to fair, timely and inexpensive means for redress, and encourage the development of effective alternative dispute resolution (ADR) mechanisms. Taking legal action to resolve a consumer dispute is generally an expensive, difficult and time-consuming process for everyone involved. These are problems that could be amplified in the event of cross-border disputes. As in other forms of commerce, the development and promotion of ADR can help to avoid more formal and costly legal options. Responding to consumer complaints quickly, easily and fairly, and establishing affordable and effective online dispute resolution mechanisms can go a long way toward building consumer confidence and trust.

Should the government be involved in consumer protection and privacy? What role can the private sector play?
In the end, the issue of consumer protection and privacy is a concern of both the government and the private sector. Government must ensure that there are adequate laws that offer protection to consumers; the private sector must implement meaningful, user-friendly, self-regulatory privacy regimes. Until users are confident that their communications and data are safe from interception and unauthorized use, they are unlikely to routinely use the Internet for commerce. Only with consumer trust can we make e-commerce work.