Lilian Edwards Reconstructing Consumer Privacy Co-Director, AHRB Centre in Intellectual Protection On-Line – A Modest Property and IT Law Faculty of Law, University of Edinburgh Proposal [email protected] www.law.ed.ac.uk/ahrb Poland, September 2004 Why Do We Want To Protect On-Line How to promote trust in e- Consumer Privacy? Engendering Trust commerce?
z UK consumers spent £10bn online in last twelve months
z Trust in buying on line and protection of privacy seem
z Yet 85% think shopping on the High Street still safest
z Eg 25% of consumers report avoiding any sites which
(NCC figures for UK, 2000). And even 46% of
collect personal information (Jupiter, Oct 03)
experienced Internet users think the Net is riskiest place
z Aim of regulation of consumer privacy on-line should be
to promote confidence and trust in e commerce by
z E-Commerce even in US is only 1.6% of consumer retail
consumers. Approaches: encryption, kitemarking, codes of practice, padlock symbols, awareness campaigns,
z Meanwhile 84% of EC citizens never buy anything over
the Internet (only 3% have in Greece, 25% in UK); of
these 84%, 25% say they do not trust the Internet.
z Focus of this paper is on one issue: how to prevent
z Of the 16% of EC consumers who have bought on the
or otherwise deal with privacy related harms
Net 48% still report “security concerns” (Eurobarometer,
Potential privacy harms to consumers Advantages of allowing data from data collection on line? collection by on line businesses
z Identity theft harms eg misuse of credit
card info. Up 45% in UK last year (APACS,
z Personalised service on B2C e commerce sites
March 04). Over ½ million complaints re ID
z Giving sites a “memory” eg Amazon shopping cart,
combining orders, preference suggestions, wish lists,
z Disclosure harms eg Eli Lilly Prozac list,
z General convenience factor for consumers
z Invasion harms: eg spam (now up to 62%
z Gives e-commerce sites a valuable asset ie. database
all email, Brightmail, Feb 04), pop-up ads,
of customer info. Value enhanced on sale, eg, to
advertisers, after liquidation; or after data mining.
z Creation of a trusted relationship?? Eg Yahoo!
evidence on “permission based marketing”
Solutions 1 – the European/DP DP regulation: problems Historical origins: DP tailored for mainframe, non-Internet, data
warehousing environment, when compliance by few “elephants” (Swire) as
Strong legal regulation in form of data protection law
opposed to many “mice” was relatively easy to police. “Elephants” generally
compliance-friendly, hence negotiation-based enforcement, low level
sanctions worked. “Mice” - websites, on line businesses, spammers,
fraudsters, most trading outside Europe - are numerous, hard to spot, run
z Registration/notification by data controllers of purposes
away, hide and lack resources and legal knowledge for compliance.
No “primary purpose” restrictions, or checks on whether data
The sheer size of cyberspace and lack of resources for compliance:
collection necessary to core business goal
Post Internet, many 1,000,000 s of “mice”. Data Protection Commissioners
generally under-funded, under-staffed, reactive not pro-active. Poor DP
Use of data then restricted to notified purposes
compliance reported by website sector in UK (ICO/UMIST study , May
z Consent by data subject to data collection required
2002- 40 % of UK commercial websites don’t even know what personal data
they hold. ) 2003 study found that although 94% of large UK companies had
But significant exceptions eg legitimate business purposes
notified only 4% could provide data subject acces rights on request. “Lip
The global cyberspace environment: Most processing of personal info
z Data subject rights of access and integrity checking
goes on outside EU (around 90% of spam from outwith EU, only UK in top
10 origin of spam countries list) yet no global harmonisation on DP law.
z Data export rules of “adequacy” – but “safe harbor” for
Rapprochment exercises such as EU/US Art 25 DPD ”safe harbor” not
outstanding successes (only 493 US companies signed up at April 04.)
Solution 2 – the USA/self DP regulation: problems (2) regulation model
z Lack of customer pressure to enforce : as level of knowledge
and exercise of DP rights, and of dangers of giving away info
z Main approach is self regulation, some piecemeal
generally, very low. 44% of UK consumers think they have less
rights on line than offline. 71% of UK consumers were prepared
to give away passwords to strangers for chocolate (April 04).
z Key notions of consent, opt-in, opt-out, “personal data”,
z On line self regulatory bodies – trust marks or kite
“domestic purposes”, etc contested, vague and unharmonised
(see eg Durant v FSA, Lindqvist v Sweden.
marks – TrustE, Online Privacy Alliance etc,
z Some (increasing) FTC compliance action
z Does not fit US or EU corporate business models of data
z Generally seen as inadequate by EU model
sharing after mergers, take-overs, liquidations etc. Also costly &
fiddly. US business unwilling to regard daat as property of
z Industry hostility to costs of full DP regime
consumer; EU businesses regard it as compliance hurdle and
z Personal data seen as property of collector, not
annoying business cost and paperwork. US/Self regulation: Problems Solution 3 - Code
z No real “market” of choice for consumer as many privacy
z “Notice”? Do privacy statements get read, understood by
z In theory enables consumer to bargain as to when
and why they will allow their personal information to
z How effectively are privacy standards upheld after data
collection? Eg on liquidation, sale, merger?
be collected via pre-selections on security made in
z Sanctions by trust seals? TrustE etc have notably failed to
adequately punish serious breaches by prominet members
(Geocities, Microsoft) Egghead.com case.
z Pushed as solution for US consumer who lacks faith
FTC’s own verdict : “self regulatory initiatives to date fall far
in self regulation but does not want to resort to full
short. cannot ensure that the on line marketplace as a whole will emulate standards adopted by market leaders” (2000)
anonymisers, proxy servers, encrypted email etc.
z Industry not so willing now post dot.com implosion to pay to
belong to trust seals anyway – TrustE’s numbers have fallen.
z Reflects “propertisation” of personal data –
Code : Problems Assessment
z DP is most sophisticated global model for privacy harm
z Automation may get round “notice” problem but are there
prevention, but for reasons noted, in trans-national
real choices to be made between the privacy options
cyberspace, does not prevent privacy harms listed at start. In
offered by websites? P3P is essentially automated
terms of privacy rights, mainly provides little used data subject
bargaining which requires a marketplace of choices to
access/verification rights, not real privacy protection, nor
compensation for harms such as ID theft, spam.
z Even if US was likely to embrace EC DP regime in full
z And again, what about post-collection enforcement?
(implausible) increasingly ineffective even in Europe, even
after tweaks in Privacy Directive 2002.
z Disingenuous – not privacy “firewalls”
z Self regulation similarly does not effectively prevent privacy
z Can consumers bargain fairly when they don’t know the
value of their personal information in aggregate?
z P3P : encourages consumers to sell their privacy too cheaply
z Do consumers care enough to learn how to use P3P
as does not reflect aggregate value of data collected &
especially if little actual choice enabled? Favours “techies”.
Time overhead/technophobia. Even more true for full
z Do we need to look to a different model? Privacy harm
PETS. Only true privacy fundamentalists likely to spend
compensation rather than privacy harm prevention?Preventing or compensating privacy harms? Control vs Compensation. Justification for “privacy tax” on data Alternate model? – the “trust model” collectors/processors - the “trust model”
Inspired partly by Terry Fisher’s (Harvard) approach to P2P illegal file
Information wants to be free, data wants to flow?
Fisher advocates giving up futilely trying to control illegal copying of
copyright work by rights-holders – instead, give it away, abandon trying
to enforce copyright rules against downloaders.
BUT – still provide compensation to rights-holders via an appropriate tax
eg on broadband, computer hardware, blank CDs – re-distributed fairly
Transfer to privacy context – instead of trying to prevent privacy harms
by rigorous DP rules, consumers get compensated for privacy harms
In privacy context – who should pay? A. – the businesses who make
money out of collecting and processing data and currently get it (largely)
for free. Some kind of “privacy tax”. Clearly not ideal to only compensate breaches, not prevent them
BUT - If data collectors and processors are made to pay for privacy
harms, will they be incentivised to try harder to prevent privacy
Different from ordinary tort/delict model because enforcement will be by
independent body (as in DP) not left up to individual consumer
NB Human rights of those who care deeply about privacy still need
The trust model applied to on-line data Benefits - 1
Data subject as beneficiary has part interest in aggregate value of
“trust” assets ie data collected from all data subjects/consumers by
Focus is on external effects of data collecting/processing – not
“indoor management” of trust. Aim is to provide remedies for harms
= “abuse of trust”, not to require/enforce internal bureaucratic regime
-> perhaps more popular with, and practical for, industry?
Clear under model that data collector owes high duty of care & fiduciary obligations to data subject to care for info collected even if
(as in US ethos) collector regarded as owner of data and not data
Data subject has individual right of action against data collector for
abuse of trust – but backed up public enforcement (by FTC/Inf
Benefits of model - 2 Issues - 1
Does away with need for defining “consent” and associated nuances
z How should “beneficial interest” of consumer be
as personal data is given away (some privacy fundamentalists will
What is value of trust property? Value of dbase on actual sale?
On nominal sale? % of profits made by collecting sites?
Goes after “elephants” (visible data collecting businesses) not “mice”
Option 1: distribute “dividend” to consumer pro rata as per data
spammers, ID thieves etc) to get remedies for those harmed
collected from subject, or time subject spent at site, or money
spent? – problems: high transaction costs; privacy threat itself in
Harmonisation. “Trust” is well known common law model , yet
contains elements key to DP/civilian approach. Trust as an
As above, but simply per capita distribution?
institution is increasingly seen as useful solution for harminsing EC
Consumers get multiple “dividends” from multiple “trusts” for
property law systems. May be more acceptable in USA than detailed
each website visited – fiddly small change
z Answer: move to Fisher’s “tax” model and ask data collectors to
Perhaps “Trust” as a rhetorical notion may inspire confidence where
pay a “privacy tax” on their profits. Will go into single
compensation fund pot, to be applied to prevention of privacy
Compensating privacy harms Criticisms
Why should the “elephants” agree to pay for the sins of the “mice”?
z Uses for “privacy tax” compensation pot?
Natural justice - currently personal information is a “free gift” to
them they profit from (although query if the value is in the data or
Provide statutory compensation pay-outs for recognised privacy
harms, reported to and accredited by enforcement body. No
Pragmatic argument – taxpayers are those most closely
need to prove fault, causality, economic damage. No need for
connected to the data collection which leads to privacy harms,
therefore the tax will encourage them to improve in-house privacy
consumers to bring own actions. Data collectors who pay privacy
standards (cf ISPs improving access to member databases)
tax can retain common law rights to pursue actual wrong-doers
PR incentive – putting what is effectively an industry “no fault”
compensation scheme in place will reassure consumers
Improve enforcement. Create new watchdog body, or top up
enormously and engender trust? hence increase e-commerce
funding of existing national bodies such as FTC, national DPCs,
to aid in compliance with national laws/self regulation measures
Reduction of red tape incentive – quid pro quo of no longer
having to comply with DP notification, access requests and other
Provide PETS for free (and public education) to consumers who
refuse to give away personal info (privacy fundamentalists)
compliance fuss. No more interference with “indoor
Could be transitional device till technology/code and consumer
savvy catches up and provides better solutions – eg payment by
anonymous stored-value smart card, buying “anonymous
browser IDs” from a digital Post Office
z Attempts to break the impasse in global cyberspace between US
z Prioritises prevention of, and compensation for, privacy-related
harms to consumers, rather than industry compliance with
z Regards personal information collected as an aggregate good
z Doesn’t throw away the baby with the bath water – companies
still get to collect, process and mine data, and consumers still
z Abandons “one size fits all” omnibus privacy protection
NEVADA STATE BOARD OF OSTEOPATHIC MEDICINE WEDNESDAY, APRIL 19, 2000 NEVADA EYE AND EAR CONFERENCE ROOM 2598 WINDMILL PARKWAY HENDERSON, NV 89014 I Call to Order: Rudy R. Manthei, D.O., Chairman The chairman Dr. Manthei called the meeting to order at 9:05 AM. Present: Dr. Manthei - Chairman, Dr. Daitch - Member, Dr. Schreiber - Member, Dr. Bannister-Member, Sara Pr
TRAINING MANUAL - MINIPRESS P A machine to bore three holes to accommodate Blum hinges NOTE: PLEASE REFER TO THE LESSON PLAN “Installing Blum hinges” FOR INFORMATION ABOUT HOW TO SELECT, MEASURE, AND INSTALL HINGES. SAFETY Members are NOT permitted to operate this machine unless they are under the direction of an AUTHORIZED supervisor. Only AUTHORIZED supervisors are permitted to