In the information age, sensitive and confidential data is routinely stored in or transmitted across computer networks. Online businesses often collect and use data to maximize consumers' online experience and options. For example, online booksellers can collect data to make reading recommendations, online advertisers can use data to offer consumers coupons for products they use and online media sites can collect data to allow visitors to customize the news they receive.
While all businesses must maintain consumer trust to succeed, Internet businesses that maintain virtual interaction with consumers are particularly dependant on consumer confidence. Absent trust in the integrity of electronic transactions, consumers will be hesitant to use online services and e-commerce and the benefits of online interactions may not be fully achieved. Businesses generally understand the need to maintain the integrity of consumer data and, therefore, consumer confidence. The issue is how best to balance the legitimate needs of consumers to maintain their privacy, the desire of consumers to have the best possible online experience and the ability to reap the benefits of online interactions. This must be achieved in the context of a global community of Internet businesses and users, each with unique cultural requirements and attitudes impacting their level of desired privacy.
As state, provincial and national governments seek to address the privacy issue, it is important to create frameworks that work well in a global economy. Overly burdensome privacy policies can become barriers to trade, preventing the free flow of information across borders. Further, stringent rules against cross-border data flows may hurt development of new technologies, hindering the full potential of online educational, commercial and entertainment applications.
The Organization for Economic Cooperation and Development (OECD) regularly examines the issue of privacy. They published their Guidelines on privacy in the 1980s. While somewhat broad, the Guidelines remain a basic standard underpinning most current international agreements, national laws and self-regulatory policies. In 2003, the OECD issued a report, "Privacy Online: Policy and Practical Guidance," which includes policy and practical guidance for implementing privacy protection online. It is addressed to OECD member countries, business and other organizations, individual users and consumers.
In 1995 the European Union (EU) issued a Privacy Directive banning the flow of personal data to third parties without "adequate privacy protections". In 2003, a Directive on privacy and electronic communications translated the principles of the Data Privacy Directive into specific rules for the telecommunications sector. A number of Member States still need to implement this Directive.
Following passage of the 1995 EU Directive, negotiators from the EU and US developed the Safe Harbor Agreement. The Agreement establishes a series of rules whereby private companies can be deemed in compliance with EU regulations. Once companies have achieved Safe Harbor status, they are eligible to receive EU data.
In the US, a number of state and federal bodies continue to consider privacy issues. The U.S. Federal Trade Commission (FTC) is satisfied that self-regulation is an effective means to protect consumer privacy. The FTC favored government regulation in 1998 unless industry could implement "broad-based and effective self-regulatory policies" by the end of the year. By 1999, the FTC was urging the U.S. Congress not to pass any new Internet privacy laws, finding self-regulation the least intrusive and most efficient means to ensure fair information practices. This success is due in part to business efforts to promote privacy and establish trust with consumers, as well as efforts of neutral watchdog groups such as the Better Business Bureau Online and TRUSTe.
In October 2001, the FTC announced an aggressive, pro-consumer privacy agenda to address a number of consumer privacy issues. The initiative most likely to impact the online community includes efforts to enforce voluntary privacy notices posted by companies and ensure compliance with the US-EU Safe Harbor Agreement.
In the Asia Pacific Economic Cooperation (APEC) Electronic Commerce Steering Group (ECSG), discussions are ongoing to develop a set of APEC principles for data protection and privacy.
We support a model of industry self-regulation (as opposed to government intervention) that is strengthened by innovative tools to give consumers greater choice in protecting their personal data and understanding how it may be collected and used.
A reasonable balance can be achieved between consumer protection and business requirements, as evidenced by several ambitious and successful industry-led initiatives over the recent past.
Consumer confidence in the Internet needs to be maintained by protecting citizens' privacy.
Disparate and multiple privacy rules place a heavy burden on global companies - including legal liability, administrative costs and lessening of the customer experience.
There are ample personal electronic tools available, as well as simple procedures to follow, that consumers could employ to better protect their data. Government could help in this regard by working with industry to provide consumer education in this area.
Privacy rules should be driven by industry-led initiatives.
Where legislation is necessary, we encourage standardization of rules across global jurisdictions.
For information on privacy legislation worldwide, visit http://www.bakernet.com/ecommerce/home-privacy.htm
Online Privacy Alliance
Center for Democracy & Technology
Electronic Privacy Information Center
Cisco Privacy Statement
As of January 2005