One of the most controversial topics in our always-online, always-connected world is privacy. Even casual computer users have become aware of how much "they" know about our online activities, whether referring to the National Security Agency spying on U.S. citizens, or the constant barrage of ads related to something we once purchased.
Concerns over online privacy have brought different responses in different parts of the world. In the U.S., for example, many Web browsers let users enable a Do Not Track option that tells advertisers not to set the cookies through which those advertisers track their Web use. Compliance is voluntary, though, and many parties have declined to support it. On the other hand, European websites, since 2012, have been required by law to obtain visitors' "informed consent" before setting a cookie, which usually means there is a notice on the page saying something like "by continuing to use this site, you consent to the placing of a cookie on your computer." Why are these approaches so different?
As the use of computers to store, cross-reference, and share data among corporations and government agencies grew through the 1960s and 1970s, so did concern about proper use and protection of personal data. The first data privacy law in the world was passed in the German region of Hesse in 1970. That same year, the U.S. implemented its Fair Credit Reporting Act, which also contained some data privacy elements. Since that time, new laws have been passed in the U.S., Europe, Japan, and elsewhere to try and keep up with technology and citizens' concerns. Research by Graham Greenleaf of the University of New South Wales published in June 2013 (http://bit.ly/ZAygX7) found 99 countries with data privacy laws and another 21 countries with relevant bills under consideration.
There remain fundamental differences in the approaches taken by the U.S., Europe, and Japan, however. One big reason for this, according to Katitza Rodriguez, international rights director of the Electronic Frontier Foundation (EFF), is that most countries around the world regard data protection and privacy as a fundamental rightthat is written into the European Constitution, and is a part of the Japanese Act Concerning Protection of Personal Information. No such universal foundation exists in the U.S., although the Obama administration is trying to change that.
These differences create a compliance challenge for international companies, especially for U.S. companies doing business in regions with tighter privacy restrictions. Several major U.S. firmsmost famously Googlehave run afoul of EU regulators because of their data collection practices. In an acknowledgment of the issue's importance and of the difficulties U.S. businesses can face, the U.S. Department of Commerce has established "Safe Harbor" frameworks with the European Commission and with Switzerland to streamline efforts to comply with those regions' privacy laws. After making certain its data protection practices adhere to the frameworks' standards, a company can self-certify its compliance, which creates an "enforceable representation" that it is following recommended practices.
EFF's Rodriguez describes data protection in the U.S. as "sectorial." The 1996 Health Insurance Portability and Accountability Act (HIPAA), for example, applies to medical records and other health-related information, but nothing beyond that. "In Europe, they have general principles that apply to any sector," she says.
The U.S. relies more on a self-regulatory model, while Europe favors explicit laws. An example of the self-regulatory model is the Advertising Self-Regulatory Council (ASRC) administered by the Council of Better Business Bureaus. The ASRC suggests placing an icon near an ad on a Web page that would link to an explanation of what information is being collected and allow consumers to opt out; however, there is no force of law behind the suggestion. Oddly, Rodriguez points out, while the formal U.S. regulatory system is much less restrictive than the European approach, the fines handed down by the U.S. Federal Trade Commissionwhich is charged with overseeing what privacy regulations there areare much harsher than similar fines assessed in Europe.
The Obama administration, in a January 2012 white paper titled Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy, outlined seven privacy principles and proposed a Consumer Privacy Bill of Rights (CPBR). It stated that consumers have a right:
The CPBR itself takes a two-pronged approach to the problem: it establishes obligations for data collectors and holders, which should be in effect whether the consumer does anything or even knows about them, and "empowerments" for the consumer. The obligations address the first four principles in the list, while the empowerments address the last three.
Part of the impetus for the CPBR is to allay some EU concerns over U.S. data protection. The framework calls for working with "international partners" on making the multiple privacy schemes interoperable, which will make things simpler for consumers and easier to negotiate for international business.
The EU is concerned with anyone that collects and tracks data, while in the U.S. the larger concern is government surveillance.
There has been little progress on the CPBR since its introduction. Congress has shown little appetite for addressing online privacy, before or after the administration's proposal. Senators John Kerry (now U.S. Secretary of State, then D-MA) and John McCain (R-AZ) introduced the Commercial Privacy Bill of Rights Act of 2011, and Senator John D. Rockefeller IV (D-WV) introduced the Do-Not-Track Online Act of 2013; neither bill made it out of committee. At present, the online privacy situation in the U.S. remains a mix of self-regulation and specific laws addressing specific kinds of information.
As EFF's Rodriguez pointed out, the 2000 Charter of Fundamental Rights of the European Union has explicit provisions regarding data protection. Article 8 says,
"Everyone has the right to the protection of personal data concerning him or her. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified."
Even before the Charter's adoption, a 1995 directive of the European Parliament and the Council of the European Union read, "Whereas data-processing systems are designed to serve man; whereas they must, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms." These documents establish the EU-wide framework and foundation for online privacy rights.
The roots of the concern, says Rodriguez, lie in the countries' memory of what happened under Nazi rule. "They understand that state surveillance is not only a matter of what the government does, but that a private company that holds the data can give it to the government," she says. Consequently, the EU is concerned with anyone that collects and tracks data, while in the U.S. the larger concern is government surveillance rather than corporate surveillance, "though I think that's changing."
The EU's principles cover the entire Union, but it is up to individual countries to carry them out in practice. "Implementation and enforcement varies from country to country," explains Rodriguez. "In Spain, Google is suffering a lot, but it's not happening so much in Ireland. It's not uniform."
In December 2013, the Spanish Agency for Data Protection fined Google more than $1 million for mismanaging user data. In May 2014, the European Court of Justice upheld a decision by the same agency that Google had to remove a link to obsolete but damaging information about a user from its results; in response, Google set up a website to process requests for information removal, and by the end of that month claimed to have received thousands of requests.
The legal framework currently governing data privacy in Japan is the 2003 Act Concerning Protection of Personal Information. The Act requires businesses handling personal information to specify the reason and purpose for which they are collecting it. It forbids businesses from changing the information past the point where it still has a substantial relationship to the stated use and prohibits the data collector from using personal information more than is necessary for achieving the stated use without the user's consent. The Act stipulates exceptions for public health reasons, among others.
Takashi Omamyuda, a staff writer for Japanese Information Technology (IT) publication Nikkei Computer, says the Japanese government was expected to revise the 2003 law this year, "due to the fact that new technologies have weakened its protections." Changes probably will be influenced by both the European Commission's Data Protection Directive and the U.S. Consumer Privacy Bill of Rights (as outlined in the Obama administration white paper), as well as by the Organization for Economic Co-operation and Development (OECD) 2013 privacy framework.
In preparation for such revisions, the Japanese government established a Personal Information Review Working Group. "Some Japanese privacy experts advocate that the U.S. Consumer Privacy Bill of Rights and FTC (Federal Trade Commission) staff reports can be applied in the revision," says Omamyuda, "but for now these attempts have failed." Meanwhile, Japanese Internet companies are arguing for voluntary regulation rather than legal restrictions, asserting such an approach is necessary for them to be able to utilize big data and other innovative technologies and to support international data transfer.
As one step in this process, the Japanese government announced a "policy outline" for the amendment of these laws in June 2014. "The main issue up for revision," says Omamyuda, "is permitting the transfer of de-identified data to third parties under the new 'third-party authority.'" The third-party authority would be an independent body charged with data protection. "No one is sure whether this amendment would fill the gap between current policy and the regulatory approaches to online privacy in the EU and U.S."
The Japanese government gathered public comments, including a supportive white paper from the American Chamber of Commerce in Japan which, unsurprisingly, urged that any reforms "take the least restrictive approach, respect due process, [and] limit compliance costs."
With the world's data borders becoming ever more permeable even as companies and governments collect more and more data, it is increasingly important that different regions are on the same page about these issues. With the U.S. trying to satisfy EU requirements for data protection, and proposed reforms in Japan using the EU's principles and the proposed U.S. CPBR as models, policies appear to be moving in that direction.
2014 Japanese Privacy Law Revision Public Comments, Keio University International Project for the Internet & Society http://bit.ly/1E8X3kR
Act Concerning Protection of Personal Information (Japan Law No. 57, 2003) http://bit.ly/1rIjZ3M
Charter of Fundamental Rights of the European Union http://bit.ly/1oGRu37
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data http://bit.ly/1E8UxuT
Global Tables of Data Privacy Laws and Bills http://bit.ly/ZAygX7
Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy, Obama Administration White Paper, February 2012, http://1.usa.gov/1rRdMUw
The OECD Privacy Framework, Organization for Economic Co-operation and Development, http://bit.ly/1tnkiil
©2015 ACM 0001-0782/15/02
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and full citation on the first page. Copyright for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or fee. Request permission to publish from email@example.com or fax (212) 869-0481.
The Digital Library is published by the Association for Computing Machinery. Copyright © 2015 ACM, Inc.
No entries found