© Springer-Verlag Berlin Heidelberg 2015Yimeei Guo (ed.)Research on Selected China’s Legal Issues of E-Business10.1007/978-3-662-44542-6_8
8. E-privacy Protection—Centering on Global Main Legal Instruments and Prospects
Management Science Department, Xiamen University, Xiamen, 361005, China
The Internet also creates many threats to our personal privacy. Unless we know the “rules of the road,” our online activity may lead to significant privacy problems. For convenience, this article uses the term “e-privacy” to stand for our personal privacy in the Internet. To avoid an off-limit discussion, after discussing the definition of privacy and e-privacy, this paper analyzes the e-privacy issue and some legal instruments at international and national level with the concern on the collection of personally identifiable information (PII) by Web site operators from visitors to government and commercial Web sites, or by software that is surreptitiously installed on a user’s computer (“spyware”) and transmits the information to someone else, then discusses the captioned problems including a case study in China. Finally, as there is not any complete e-privacy rule for the Internet in China, this paper wants to make some suggestions to Chinese legislature for further specific regulations based on the analysis of the e-privacy in the conclusion.
Published by “Proceedings of 9th Academic Research Conference on Cross-Straits Chinese Culture and Operation Management”, July 8, 2006. pp. 300–308.
The Internet has created an entirely new legal dynamic as well as a new social and business one. From advertising to intellectual property to privacy and electronic-commerce (e-commerce), the online environment has generated novel legal issues and challenges. At the forefront is the subject of privacy.
Generally speaking, the Internet offers many benefits to netizens. Web sites provide a vast world of information, entertainment, and shopping at our fingertips. E-mail, instant message (IE), chat rooms, and ICQ enable us to communicate with friends, family, and strangers in ways we never dreamed of a decade ago.
But the Internet also creates many threats to our personal privacy. Unless we know the “rules of the road,” our online activity may lead to significant privacy problems. For convenience, this article uses the term “e-privacy” to stand for our personal privacy in the Internet.
E-privacy issues generally encompass two types of concerns. One is the collection of personally identifiable information (PII) by Web site operators from visitors to government and commercial Web sites, or by software that is surreptitiously installed on a user’s computer (“spyware”1) and transmits the information to someone else. The other is the monitoring of electronic mail and Web usage by the government or law enforcement officials, employers, or internet service providers (ISPs).
To avoid an off-limit discussion, after discussing the definition of privacy and e-privacy, this paper analyzes the e-privacy issue and some legal instruments at international and national level with the former type concern and discusses the captioned problems including a case study in China. Finally, as there is not any complete e-privacy rule for the Internet in China, this paper wants to makes some suggestions to Chinese legislature for further specific regulations based on the analysis of the e-privacy in the conclusion.
8.2 What is Privacy/E-privacy?
8.2.1 The Right of Privacy
The notion of privacy was first postulated in a Harvard Law Review article by Louis D. Brandeis, later to become a Justice of the Supreme Court of the USA, and Samuel D. Warren of the Harvard Law School, in 1890.2 They described privacy as “the right to be let alone”3 when they were offended by press coverage of their families, and by “recent inventions and business methods.”4 It took almost 20 years before the American courts issued judgments which adopted that principle.5
Later on, in another article by William Prosser, four different types of invasions of privacy were pointed out, including:
appropriating an individual’s name or likeness for commercial benefit;
unreasonable intrusion or interference with an individual’s interest in solitude or seclusion;
publicly disclosing private facts;
publicly placing an individual in a false light.6
8.2.2 E-privacy and “Fair Information Practices”
From an information technology (IT) perspective, a much better definition of privacy has been that of Alan Westin, where he described privacy as:
the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.7
This definition embodies the concept of “fair information practices” which forms the basis for many of the regulatory and voluntary data-protection schemes.8
In short, “privacy” is not just a matter of what is kept secret. In the context of e-commerce and e-government, the right to privacy, i.e., e-privacy is really “the right to control the use of personal information” that is disclosed to others.9
Throughout the world, the privacy of information about individuals is guided by the principles of “fair information practices.” These principles, which were authoritatively detailed by the Organization for Economic Co-Operation and Development (OECD),10 represent basic guidelines for responsible information practices that respect the interests of individuals. They form the foundation of many national and local privacy laws, international agreements on data protection, and various industry codes of best practices.11 It is these principles that provide the framework for privacy impact assessments and the reference point for the work of privacy commissioners.
As expressed by the OECD and other international bodies, fair information practices include:
Collection limitation: No more information should be collected than is necessary to complete the transaction, and any such data collected should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
Data quality: Personal data should be relevant to the purposes for which they are to be used, should be accurate and complete, and should be kept up-to-date.
Purpose specification: When personal data are collected, the purpose for the collection should be specified and the subsequent use limited to the fulfillment of that purpose or such others as are not incompatible with the original purpose.
Use limitation: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with the “purpose specification” except: (a) with the consent of the data subject; or (b) by the authority of law.
Security: Personal data should be protected by reasonable security safeguards against loss or unauthorized access, destruction, use, modification or disclosure.
Openness: In general, there should be no secret collections of data. As a matter of general policy, there should be openness about data practices and policies. Means should be readily available to individuals to establish the existence and nature of databases, the main purposes of their use, and the identity of the entity responsible for the database.
Individual participation: An individual should have the right to obtain access to any data about him held by a data controller. This includes: (a) confirmation of whether or not an entity has data relating to him; (b) to obtain copies of data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible; (c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and (d) to challenge data relating to him and, if the challenge is successful, to have the data erased, or corrected or completed.
Accountability: Entities collecting data should be subject to enforcement measures that give effect to the principles stated above.
There are obvious exceptions to some of these principles in specific applications. For example, in the context of law enforcement investigations, it is not always possible to give notice to a suspect or to give him access to the information that the police are collecting. Nevertheless, these principles provide a framework for thinking through the privacy issues raised by any government collection of personal information.12
8.3 Main Legal Instruments Dealing with Data Privacy
8.3.1 International Instruments
220.127.116.11 The 1980 OECD Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data
The Guidelines contain a set of data privacy principles similar to those stipulated in “the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.”13 The Guidelines have been very influential on the drafting of data privacy laws and standards in non-European jurisdictions, such as Australia, New Zealand, and Canada.14 They have also been formally endorsed—though not necessarily implemented—by numerous companies and trade associations in the USA.15 Further, they constitute an important point of departure for ongoing efforts by the Asia-Pacific Economic Cooperation (APEC) to draft a set of common data privacy principles for jurisdictions in the Asia-Pacific region.16
18.104.22.168 The Montreux Declaration
In terms of other international legal instruments, there does not exist a truly global convention or treaty dealing specifically with data privacy. The call to the United Nation (UN) was made in a declaration adopted at the 27th International Conference of Data Protection and Privacy Commissioners in Montreux in early September of 2005.
In what they have called “the Montreux Declaration,” the commissioners also call for governments to encourage the adoption of legislation in line with recognized data protection principles and to extend it to their mutual relations; and for the Council of Europe to invite non-member states of the organization to ratify the Convention for the protection of individuals with regard to automatic processing of personal data and its additional protocol.
International organizations have been asked to commit themselves to complying with data protection rules; international non-governmental organizations (NGOs) have been asked to draw up data protection standards; and hardware and software manufacturers have been asked to develop products and systems that integrate privacy-enhancing technologies.
The nature of the legally binding instrument to be adopted by the UN is not prescribed; but Swiss data-protection commissioner Hanspeter Thür told SwissInfo.org that it could be a text adopted by the UN in the same way as human-rights provisions.
Progress in implementing the objectives will be subject to a regular assessment. The first such assessment will be carried out at the 28th International Conference, due to take place in September 2006 in Argentina.
The commissioners also adopted a resolution presented by Germany on the use of biometric data in passports, ID cards, and travel documents. In it, the commissioners call for effective safeguards to be built in so as to limit the risks inherent in biometrics. They also adopted a resolution from Italy on the use of personal data for political communication purposes.17
22.214.171.124 The European Union
Within the European Union (EU), several Directives on data privacy have been adopted, the first and most important of which is “Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of such Data” (hereinafter “EU Directive”).18 This instrument is binding on EU member states. It is also binding on non-member states (Norway, Iceland and Liechtenstein) that are party to the 1992 Agreement on the European Economic Area (EEA). While the Directive is primarily a European instrument for European states, it exercises considerable influence over other countries not least because it prohibits (with some qualifications) transfer of personal data to those countries unless they provide “adequate” levels of data privacy (see Articles 25–26).19 Many non-European countries are passing legislation in order, at least partly, to meet this adequacy criterion.20
Furthermore, the Directive stipulates that the data privacy law of an EU state may apply outside the EU in certain circumstances, most notably if a data controller,21 based outside the EU, utilizes “equipment” located in the state to process personal data for purposes other than merely transmitting the data through that state (see Article 4 <1> <c>).22 All of these provisions give an impression that the EU, in effect, is legislating for the world.23
Although the Directive establishes what a company can and cannot do with the data they hold, yet it does not make any specific provisions with regard to e-mail or more specifically, e-mail marketing. Unsolicited e-mail, i.e., “spam” is becoming a growing problem that is costing business worldwide a staggering £6bn per year in online connection costs.24 As the European Parliament and the Council of the European Union conceive: the Internet is overturning traditional market structures by providing a common, global infrastructure for the delivery of a wide range of electronic communications services, publicly available electronic communications services over the Internet open new possibilities for users but also new risks for their personal data and privacy. So-called spyware, Web bugs, hidden identifiers, and other similar devices can enter the user’s terminal without their knowledge in order to gain access to information, to store hidden information or to trace the activities of the user and may seriously intrude upon the privacy of these users. The use of such devices should be allowed only for legitimate purposes, with the knowledge of the users concerned.25
Therefore, a new EU anti-spam law—Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) 26 came into force on December 11, 2003, and is already having a dramatic effect on the amount of spam sent to computer users. Under the Directive, spyware becomes illegal software.27 This Directive’s implementation glorifies the formal stepping in the global anti-spam war of EU and is an important weapon to enhance the consumer’s confidence on Internet and e-communication as well.28
8.3.2 National Instruments
126.96.36.199 The USA
By contrast, the US legal regime for data privacy is much more atomized. While there is fairly comprehensive legislation dealing with federal government agencies,29 omnibus legislative solutions are eschewed with respect to the private sector. Legal protection of data privacy in relation to the latter takes the form of ad hoc, narrowly circumscribed, sector-specific legislation, combined with recourse to litigation based on the tort of invasion of privacy and/or breach of trade practices legislation.30 European-style data privacy agencies do not exist.
At the same time, though, a “safe harbor” agreement has been concluded between the USA and EU allowing for the flow of personal data from the EU- to US-based companies that voluntarily agree to abide by a set of “fair information” principles based loosely on the EU Directive. The scheme, which so far has attracted over 500 companies,31 has been held by the European Commission to satisfy the Directive’s adequacy test in Article 25.32
Today, much of the privacy regulation in the USA occurs at the state level, where many of the 50 states have enacted privacy laws that govern specific industries, issues, or practices. Often, these laws are inconsistent, so that a set of business practices that is legal and commonplace in one state may be prohibited just across the state line. In addition, the number of state privacy laws is increasing quickly—for example, more than 20 states have passed separate financial privacy laws just since the beginning of 2004.
At the same time, Congress has enacted federal privacy legislation specific to certain industries. For instance:
The Gramm–Leach–Bliley Act applies to financial institutions;
The Health Insurance Portability and Accountability Act (HIPAA)of 199633 applies to health care providers;
The privacy provisions of the Cable Act apply to cable operators;
The privacy provisions of the Communications Act apply to telecommunications carriers34;
The Identity Theft Penalty Enhancement Act (ITPEA) increases criminal penalties for phishing and other forms of identity fraud. This measure, signed by the President in July 2004, establishes punishment guidelines for anyone who possesses someone else’s personal information with intent to commit a crime.37
And concerns over spyware are now prompting an array of federal legislative proposals.38
Finally, a bill announced on February 8, 2006, in Congress would require every Web site operator to delete information about visitors, including e-mail addresses, if the data is no longer required for a “legitimate” business purpose.39