Reconstructing Consumer Privacy Protection On-Line – A Modest Proposal
Lilian Edwards
Co-Director, AHRB Centre in Intellectual Property and IT Law
Faculty of Law, University of Edinburgh
[email protected] www.law.ed.ac.uk/ahrb
Poland, September 2004

Why Do We Want To Protect On-Line Consumer Privacy? Engendering Trust
• UK consumers spent £10bn online in last twelve months
• Yet 85% think shopping on the High Street still safest (NCC figures for UK, 2000). And even 46% of experienced Internet users think the Net is riskiest place
• E-Commerce even in US is only 1.6% of consumer retail
• Meanwhile 84% of EC citizens never buy anything over the Internet (only 3% have in Greece, 25% in UK); of these 84%, 25% say they do not trust the Internet.
• Of the 16% of EC consumers who have bought on the Net 48% still report “security concerns” (Eurobarometer,

How to promote trust in e-commerce?
• Trust in buying on line and protection of privacy seem
• Eg 25% of consumers report avoiding any sites which collect personal information (Jupiter, Oct 03)
• Aim of regulation of consumer privacy on-line should be to promote confidence and trust in e commerce by consumers. Approaches: encryption, kitemarking, codes of practice, padlock symbols, awareness campaigns,
• Focus of this paper is on one issue: how to prevent or otherwise deal with privacy related harms

Potential privacy harms to consumers from data collection on line?
• Identity theft harms eg misuse of credit card info. Up 45% in UK last year (APACS, March 04). Over ½ million complaints re ID
• Disclosure harms eg Eli Lilly Prozac list,
• Invasion harms: eg spam (now up to 62% all email, Brightmail, Feb 04), pop-up ads,

Advantages of allowing data collection by on line businesses
• Personalised service on B2C e commerce sites
• Giving sites a “memory” eg Amazon shopping cart, combining orders, preference suggestions, wish lists,
• General convenience factor for consumers
• Gives e-commerce sites a valuable asset ie. database of customer info. Value enhanced on sale, eg, to advertisers, after liquidation; or after data mining.
• Creation of a trusted relationship?? Eg Yahoo! evidence on “permission based marketing”

Solutions 1 – the European/DP
• Strong legal regulation in form of data protection law
• Registration/notification by data controllers of purposes
  - No “primary purpose” restrictions, or checks on whether data collection necessary to core business goal
  - Use of data then restricted to notified purposes
• Consent by data subject to data collection required
  - But significant exceptions eg legitimate business purposes
• Data subject rights of access and integrity checking
• Data export rules of “adequacy” – but “safe harbor” for

DP regulation: problems
Historical origins: DP tailored for mainframe, non-Internet, data warehousing environment, when compliance by few “elephants” (Swire) as opposed to many “mice” was relatively easy to police. “Elephants” generally compliance-friendly, hence negotiation-based enforcement, low level sanctions worked. “Mice” - websites, on line businesses, spammers, fraudsters, most trading outside Europe - are numerous, hard to spot, run away, hide and lack resources and legal knowledge for compliance.
The sheer size of cyberspace and lack of resources for compliance: Post Internet, many 1,000,000s of “mice”. Data Protection Commissioners generally under-funded, under-staffed, reactive not pro-active. Poor DP compliance reported by website sector in UK (ICO/UMIST study, May 2002 - 40% of UK commercial websites don’t even know what personal data they hold.) 2003 study found that although 94% of large UK companies had notified only 4% could provide data subject access rights on request. “Lip
The global cyberspace environment: Most processing of personal info goes on outside EU (around 90% of spam from outwith EU, only UK in top 10 origin of spam countries list) yet no global harmonisation on DP law. Rapprochement exercises such as EU/US Art 25 DPD ”safe harbor” not outstanding successes (only 493 US companies signed up at April 04.)

Solution 2 – the USA/self regulation model
• Main approach is self regulation, some piecemeal
• On line self regulatory bodies – trust marks or kite marks – TrustE, Online Privacy Alliance etc,
• Some (increasing) FTC compliance action
• Generally seen as inadequate by EU model
• Industry hostility to costs of full DP regime
• Personal data seen as property of collector, not

DP regulation: problems (2)
• Lack of customer pressure to enforce: as level of knowledge and exercise of DP rights, and of dangers of giving away info generally, very low. 44% of UK consumers think they have less rights on line than offline. 71% of UK consumers were prepared to give away passwords to strangers for chocolate (April 04).
• Key notions of consent, opt-in, opt-out, “personal data”, “domestic purposes”, etc contested, vague and unharmonised (see eg Durant v FSA, Lindqvist v Sweden).
• Does not fit US or EU corporate business models of data sharing after mergers, take-overs, liquidations etc. Also costly & fiddly. US business unwilling to regard data as property of consumer; EU businesses regard it as compliance hurdle and annoying business cost and paperwork.

US/Self regulation: Problems
• No real “market” of choice for consumer as many privacy
• “Notice”? Do privacy statements get read, understood by
• How effectively are privacy standards upheld after data collection? Eg on liquidation, sale, merger?
• Sanctions by trust seals? TrustE etc have notably failed to adequately punish serious breaches by prominent members (Geocities, Microsoft) Egghead.com case.
  FTC’s own verdict: “self regulatory initiatives to date fall far short. cannot ensure that the on line marketplace as a whole will emulate standards adopted by market leaders” (2000)
• Industry not so willing now post dot.com implosion to pay to belong to trust seals anyway – TrustE’s numbers have fallen.

Solution 3 - Code
• In theory enables consumer to bargain as to when and why they will allow their personal information to be collected via pre-selections on security made in
• Pushed as solution for US consumer who lacks faith in self regulation but does not want to resort to full
  anonymisers, proxy servers, encrypted email etc.
• Reflects “propertisation” of personal data –

Code: Problems
• Automation may get round “notice” problem but are there real choices to be made between the privacy options offered by websites? P3P is essentially automated bargaining which requires a marketplace of choices to
• And again, what about post-collection enforcement?
• Disingenuous – not privacy “firewalls”
• Can consumers bargain fairly when they don’t know the value of their personal information in aggregate?
• Do consumers care enough to learn how to use P3P especially if little actual choice enabled? Favours “techies”. Time overhead/technophobia. Even more true for full PETS. Only true privacy fundamentalists likely to spend

Assessment
• DP is most sophisticated global model for privacy harm prevention, but for reasons noted, in trans-national cyberspace, does not prevent privacy harms listed at start. In terms of privacy rights, mainly provides little used data subject access/verification rights, not real privacy protection, nor compensation for harms such as ID theft, spam.
• Even if US was likely to embrace EC DP regime in full (implausible) increasingly ineffective even in Europe, even after tweaks in Privacy Directive 2002.
• Self regulation similarly does not effectively prevent privacy
• P3P: encourages consumers to sell their privacy too cheaply as does not reflect aggregate value of data collected &
• Do we need to look to a different model? Privacy harm compensation rather than privacy harm prevention?

Preventing or compensating privacy harms? Control vs Compensation.
Alternate model? – the “trust model”
Inspired partly by Terry Fisher’s (Harvard) approach to P2P illegal file
Fisher advocates giving up futilely trying to control illegal copying of copyright work by rights-holders – instead, give it away, abandon trying to enforce copyright rules against downloaders.
BUT – still provide compensation to rights-holders via an appropriate tax eg on broadband, computer hardware, blank CDs – re-distributed fairly
Transfer to privacy context – instead of trying to prevent privacy harms by rigorous DP rules, consumers get compensated for privacy harms
In privacy context – who should pay? A. – the businesses who make money out of collecting and processing data and currently get it (largely) for free. Some kind of “privacy tax”.

Justification for “privacy tax” on data collectors/processors - the “trust model”
Information wants to be free, data wants to flow?
Clearly not ideal to only compensate breaches, not prevent them
BUT - If data collectors and processors are made to pay for privacy harms, will they be incentivised to try harder to prevent privacy
Different from ordinary tort/delict model because enforcement will be by independent body (as in DP) not left up to individual consumer
NB Human rights of those who care deeply about privacy still need

The trust model applied to on-line data
Data subject as beneficiary has part interest in aggregate value of “trust” assets ie data collected from all data subjects/consumers by

Benefits - 1
Focus is on external effects of data collecting/processing – not “indoor management” of trust. Aim is to provide remedies for harms = “abuse of trust”, not to require/enforce internal bureaucratic regime -> perhaps more popular with, and practical for, industry?
Clear under model that data collector owes high duty of care & fiduciary obligations to data subject to care for info collected even if (as in US ethos) collector regarded as owner of data and not data
Data subject has individual right of action against data collector for abuse of trust – but backed up public enforcement (by FTC/Inf

Benefits of model - 2
Does away with need for defining “consent” and associated nuances as personal data is given away (some privacy fundamentalists will
Goes after “elephants” (visible data collecting businesses) not “mice” (spammers, ID thieves etc) to get remedies for those harmed
Harmonisation. “Trust” is well known common law model, yet contains elements key to DP/civilian approach. Trust as an institution is increasingly seen as useful solution for harmonising EC property law systems. May be more acceptable in USA than detailed
Perhaps “Trust” as a rhetorical notion may inspire confidence where

Issues - 1
• How should “beneficial interest” of consumer be
  - What is value of trust property? Value of dbase on actual sale? On nominal sale? % of profits made by collecting sites?
  - Option 1: distribute “dividend” to consumer pro rata as per data collected from subject, or time subject spent at site, or money spent? – problems: high transaction costs; privacy threat itself in
  - As above, but simply per capita distribution?
  - Consumers get multiple “dividends” from multiple “trusts” for each website visited – fiddly small change
• Answer: move to Fisher’s “tax” model and ask data collectors to pay a “privacy tax” on their profits. Will go into single compensation fund pot, to be applied to prevention of privacy

Compensating privacy harms
• Uses for “privacy tax” compensation pot?
  - Provide statutory compensation pay-outs for recognised privacy harms, reported to and accredited by enforcement body. No need to prove fault, causality, economic damage. No need for consumers to bring own actions. Data collectors who pay privacy tax can retain common law rights to pursue actual wrong-doers
  - Improve enforcement. Create new watchdog body, or top up funding of existing national bodies such as FTC, national DPCs, to aid in compliance with national laws/self regulation measures
  - Provide PETS for free (and public education) to consumers who refuse to give away personal info (privacy fundamentalists)
  - Could be transitional device till technology/code and consumer savvy catches up and provides better solutions – eg payment by anonymous stored-value smart card, buying “anonymous browser IDs” from a digital Post Office

Criticisms
Why should the “elephants” agree to pay for the sins of the “mice”?
Natural justice - currently personal information is a “free gift” to them they profit from (although query if the value is in the data or
Pragmatic argument – taxpayers are those most closely connected to the data collection which leads to privacy harms, therefore the tax will encourage them to improve in-house privacy standards (cf ISPs improving access to member databases)
PR incentive – putting what is effectively an industry “no fault” compensation scheme in place will reassure consumers enormously and engender trust? hence increase e-commerce
Reduction of red tape incentive – quid pro quo of no longer having to comply with DP notification, access requests and other compliance fuss. No more interference with “indoor

• Attempts to break the impasse in global cyberspace between US
• Prioritises prevention of, and compensation for, privacy-related harms to consumers, rather than industry compliance with
• Regards personal information collected as an aggregate good
• Doesn’t throw away the baby with the bath water – companies still get to collect, process and mine data, and consumers still
• Abandons “one size fits all” omnibus privacy protection