And while one couldclaim that these requirements do not apply to data processed on computersoutside European Union countries, the Directive preempts such an argument bystipulating that p
Trang 1Considered as a whole, these requirements both encompass and expand the fairinformation practice guidelines by placing severe restrictions both on whatpersonal data can be collected and how it can be processed And while one couldclaim that these requirements do not apply to data processed on computersoutside European Union countries, the Directive preempts such an argument bystipulating that personal data collected within the European Union can only beexported if the recipient country has similar levels of data protection (LeeLarson, Larson, & Greenlee, 2003) In giving the requirements of the Directiveglobal reach, this clause has proved particularly problematic with regard to theUnited States, where, as will be discussed below, privacy protection is basedaround a right to privacy rather than any specific piece of data protectionlegislation (Camp, 1999).
The American Approach: Self-Regulation
In contrast to the European approach, in the United States the protection ofpersonal data is based on a constitutional right to privacy, rather than on anyspecific data protection legislation While the latter offers blanket guidelines forall data with an identifiable subject, the U.S approach views each subject area
as separate and requires each one to be addressed independently (Camp, 1999).Thus, a patchwork of federal and state laws has developed which regulateprivacy in certain circumstances (such as credit records, driver’s licenseinformation, family and educational privacy, telephone records, and video rentalrecords) (Turinas & Showalter, 2002) However, these have been developed in
an ad hoc piecemeal fashion usually in response to public outcry over topicalevents (Cain, 2002)
In general, the overriding philosophy in the United States has been to resist theintroduction of comprehensive legislative protection in anticipation that themarket will self-regulate through adherence to voluntary codes This approach
was enshrined in the Clinton administration’s Framework for Global
Elec-tronic Commerce (Blanchette & Johnson, 2002) “The Administration considers
data protection critically important We believe that private efforts of industryworking in cooperation with consumer groups are preferable to governmentregulation ” (Clinton & Gore, 1997) As a result, within the United States there
is no comprehensive set of laws or regulations (at either the federal or state level)that address the collection, storage, use, or sale of personal information by theprivate sector (Finkel & McCrady, 2000)
The self-regulation approach entails the setting of standards by an industry groupand the voluntary adherence to such standards by those within the sector (Zwick
& Dholakia, 2001) For example, U.S companies are encouraged (but not legallyobliged) to comply with guidelines such as those drafted by the Federal Trade
Trang 2Commission (FTC), the U.S government’s primary consumer protection nization, which are in turn based on the OECD fair information principlesdiscussed earlier, and to post appropriate privacy policies on their Web sites(Metz, 2001) Enforcement is based on contract law where if a company doesnot comply with the promises and guarantees made in its privacy policy, it can besued by either the consumer directly or by a consumer group or government agencyacting on his/her behalf The FTC has been particularly active in taking legal actionagainst companies whose practices are at variance with their published privacypolicies for engaging in deceptive trade practices (Culnan, 2000).
orga-Strong arguments can be made for letting market forces take care of dataprotection As discussed above, research has shown that people are sometimeswilling to disclose personal information in exchange for some economic or socialbenefit subject to their own “privacy calculus”—a personal assessment ofwhether their information will subsequently be used fairly and whether they willsuffer negative consequences in the future (Milne & Gordon, 1993) As a result,
it is argued that ethical norms will emerge naturally as the market evolves, withconsumers only doing business with sites they trust (Culnan & Bies, 1999).Proponents argue that consumers will migrate toward sites that provide strongprivacy protection and will avoid sites that have breached privacy, thus eventu-ally forcing all companies to provide greater protection, or at least the kind ofprotection that consumers want, in order to stay in business (Rust et al., 2002).Unfortunately research has shown that this is not happening in practice and thatthe self-regulation approach has to a large extent failed (FTC Report, 2000).Since Web sites are not legally required to display a privacy policy, many choosenot to, making it impossible to prosecute them for deceptive business practices.Even where privacy policies are displayed, the majority are limited in that theyfail to address many key issues In a study of major U.S consumer Web sites,over 90% failed to comply with one or more of the suggested guidelines,indicating that stronger measures may be necessary to ensure adequate levels
of protection (Ryker et al., 2002)
Last, since there are no commonly agreed-upon standards or legal requirements
to have one in the first place, privacy policies can be abandoned or changed atwill, without notification to the customer (Cain, 2002) As evidence mounts ofmore and more companies abusing their power to collect consumer information,the belief is growing that the desire to make profits inherently contradictsconsumers’ privacy interest (Zwick & Dholakia, 2001) As a result, industrywatchdogs claim that comprehensive privacy legislation should be introduced toprotect the privacy of consumers online (Hinde, 1999) Even the FTC, reacting
to a glaring case of privacy policy violation by Geocities in May 2000, moderatedits heretofore unfettered support for self-regulation and recommended thatCongress enact legislation to protect the public’s private data on the Internet
Trang 3The requirements of the European Directive on the Protection of Personal Datadiscussed earlier have also increased the pressure on the U.S government tointroduce legislation (Blanchette & Johnson, 2002) In particular, the stipulationthat personal data can only be exported from the European Union if the recipientcountry has similar levels of legislative protection (unless individuals expresslyconsent to the transfer) leads theoretically to a situation where data cannot betransferred from European-based companies to divisions or parent companies inthe United States (Hinde, 1998) To overcome this, in summer of 2000 the U.S.Department of Commerce and the European Commission formulated the SafeHarbor Agreement While not emulating the European Union rules, the agree-ment establishes a “mechanism which, though an exchange of documents,enables the EU to certify that participating US companies meet the EUrequirements for privacy protection” (Lee Larson et al., 2003, p 38).
In short, the agreement states that consumers must be notified about thepurposes for which the company collects and uses data and must be given theopportunity to choose whether and how the data are used by or disclosed to thirdparties Third parties that receive personal information must provide the samelevel of protection as that provided by the collecting company In addition,companies must protect data from loss, misuse, unauthorized access, disclosure,alteration, or destruction; must ensure that data are reliable for their intended use,are accurate, complete, and current; and must give individuals the right to view,correct, amend, or delete personal data Last, firms need to provide mechanismsfor ensuring compliance with these privacy principles and the company’s privacypolicy U.S organizations that decide to participate in the Safe Harbor Agree-ment must both comply with its requirements and publicly declare that they do
so by registering with the U.S Department of Commerce (Zwick & Dholakia,2001) As of October 2003, over 250 organizations had completed this registra-tion process
Approaches to Privacy Protection in Other Regions
The two conflicting approaches discussed above—the self-regulation philosophyembraced by the United States and the legislative approach used by theEuropean Union—have to a large extent become the norms throughout theworld Table 1 summarizes the findings of the 2003 report on Privacy & HumanRights, produced by EPIC and Privacy International in respect of non-Europeancountries
As can be seen from Table 1, approaches to privacy protection differ greatlythroughout the world In many countries there is a constitutional right to privacythat also provides basic safeguards with regard to the protection of personal data.Other countries also specifically guarantee the privacy of such data with a
Trang 4separate clause in their constitution However, in the majority of cases thisconstitutional protection has been supplemented by comprehensive data protec-tion legislation In particular, analysis of the data shows how many countries haverecently adopted comprehensive data protection legislation in order to complywith the requirements of the aforementioned European Union Directive on theProtection of Personal Data While for certain countries (Poland, Latvia,Lithuania, Romania, Slovenia, and the Slovak Republic) the introduction of suchlegislation was a prerequisite for consideration for entry into the European Union,
Table 1 Findings of the 2003 report on Privacy & Human Rights
Constitutional Right to Privacy
Explicit Constitutional Right to Data Protection
Base Legislation Governing Data Protection
Compliance with requirements of European Union Directive on Protection of Personal Data
amended by the Privacy Amendment (Private Sector) Act 2000
Protection and Electronic Documents Act (PIPEDA)
2001
Yes
Czech
Estonia Article 43 Article 44(3) Personal Data Protection
Act 1996, Databases Act
1997 as amended 2002
Yes
and Disclosure of Data of Public Interest 1992
Yes
5741-1981 as amended 1996 No Japan Articles 21 and 35 No Personal Data Protection
Jordan Articles 10 and 18 No None (announced intension
to comply with EU Directive)
Trang 5in other regions (e.g., Cananda, New Zealand, Malaysia, and India) legislationhas recently been introduced or is currently being debated specifically so that thelegislative framework provides sufficient safeguards to allow personal data to betransferred from the European Union (Long & Quek, 2002).
A small minority of countries offer little privacy protection Protection isparticularly limited in Arab countries, where the concept is viewed as one offamily rather than one of individuality (EPIC, 2003) Certain countries, forexample, Japan and South Korea, have made a deliberate decision to resist theintroduction of comprehensive data protection legislation, preferring instead tofollow the U.S example of self-regulation of the private sector Last, in someregions (e.g., Russia, South Africa), recent political changes have resulted in asituation where although the desire has been expressed to provide EuropeanUnion-style protection for personal data, more pressing economic and politicalchanges have taken precedence and data protection legislation is still in earlydraft stages and is unlikely to be enacted in the near future
Constitutional Right to Privacy
Explicit Constitutional Right to Data Protection
Base Legislation Governing Data Protection Compliance with requirements of
European Union Directive on Protection of Personal Data
Philippines Articles 1, 2, and 3 No None (various bills pending) No
Poland Article 47 Article 51 Protection of Personal Data
Romania Articles 26 and 27 No Processing of Personal Data
and the Protection of Privacy
in the Telecommunications Sector 2001
South Korea Articles 16, 17,
Ukraine Article 31 Article 32 None (various bills pending) No
Table 1 (cont.)
Trang 6An Alternative Approach: The Use of Trust Marks
Somewhere in between the two approaches discussed above lies anotherpossibility—the certification that a company’s behavior with personal data isethical by an independent third party Known as “trust marks” or “privacy seals,”these programs encourage companies to follow privacy principles by providingspecific guidelines for privacy protection to ensure that certain minimal stan-dards are met, compelling companies to undergo a compliance review toestablish conformity of their practices to the requirements of the scheme,requiring approved companies to submit to periodic re-verification and to commit
to a dispute resolution mechanism Companies that comply with these ments are awarded a branded “seal” for display on their Web site (Endeshaw,2001)
require-Such trust marks have been shown to be quite effective at reassuring thecustomer as to the ethical behavior of the sites on which they are included(Grabner-Kraeuter, 2002) For example, a study by Miyazaki and Krishnamurthy(2002) provides evidence that displaying such a seal of approval of this typepositively influences consumers’ perceptions toward a Web site’s privacy policyand may encourage them to surrender their personal information There areseveral third-party certification programs currently available The two mostpopular are TRUSTe and BBBOnLine, with nearly 2,000 and over 700 certifiedsites, respectively, at the time of writing Other alternatives include having acompany’s information management practices audited by companies such asPricewaterhouseCoopers with its PWC Privacy program, or the WebTrustprogram administered by the American Institute of Certified Public Accountants(AICPA) and the Canadian Institute of Chartered Accountants (CICA)(Ragothaman, Davies, & DeVee, 2000)
Each of these schemes award privacy seals to companies that post sive privacy policies and are willing to comply with oversight and consumerresolution procedures Although the requirements of each scheme vary, ingeneral they conform to the fair information principles discussed earlier Forexample, TRUSTe requires licensees to disclose what personal information isbeing collected; how the information will be used; the choices available to usersregarding collection, use, and distribution of their information; the securityprocedures being used to protect their data from loss, misuse, or alteration; andhow users can update or correct inaccuracies (Miyazaki & Krishnamurthy,2002) For a useful analysis and comparison of the detailed requirements of eachscheme, see Jamal, Maier, and Sunder (2002)
comprehen-However, the use of trust marks as a way of supplementing self-regulation and
as an alternative to legislative protection faces a variety of challenges First, notall Web sites belong to such programs (the FTC study cited earlier found that only
Trang 78% of sites were participants in such programs) and thus they provide onlylimited protection for consumer privacy (Kelly, 2000) Second, there is confusionabout privacy seals and what they mean Lee Larson, Larson, and Greenlee(2003) point out that while the Better Business Bureau’s Online ReliabilityProgram might sound like a privacy seal, it is in fact designed to help consumersfind reputable businesses online and has little to do with privacy protection.However, most worrying is the lack of punishment when companies violate theterms of their seals Trust marks as a concept can only succeed if they remaincredible in the mind of the consumer To achieve this, certifying organizationsmust be strict about upholding their standards Unfortunately this does not appear
to have been the case In recent years, there have been a number of cases ofhigh-profile companies (including Microsoft, RealAudio, Yahoo!, Chase Man-hattan Bank, and Geocities) that have displayed privacy seals on their Web sites,subsequently engaged in practices that directly contradicted the terms of theirstated privacy policies, and yet were not disciplined by the certifying body.Several analysts have noted that the trust mark providers do not seem inclined
to discipline their members and sponsors (Endeshaw, 2001) If such practicescontinue, consumers are likely to lose confidence in privacy seals and the value
of the entire concept will be questionable in the future
Conclusions
The right to privacy has become a central issue in electronic commerce Camp(1999) summarizes the situation well: “What is the state of Web privacy? It isneither ideal nor improving” (p 250) Consumers have become more concernedabout how their personal data are being used, and there is growing evidence thatthese concerns are limiting the growth of electronic commerce
This chapter has outlined the three major approaches being used to address thisissue—self-regulation, legislative protection, and third-party certification throughtrust marks or privacy seals Although the concept of allowing markets to self-regulate is an attractive one, in practice the desire to make profits seems to beoverriding many company’s guarantees as to their use of personal data Theevidence shows that such an egalitarian concept simply does not work inpractice Although some studies (e.g., Jamal et al., 2002) have shown that thelevel of protection being given to personal information in the United States isgradually improving without legislation or regulations, it is clear that suchprogress has to a large extend resulted from the threat of sanctions Similarly,supplementing self-regulation with the certification of good privacy practices bythird-party organizations is also facing challenges, mainly because of a lack ofadoption and enforcement
Trang 8Furthermore, it is clear that the more restrictive comprehensive legislativeapproach is, the one that is gaining acceptance as the global norm Already, thecombination of the European Union countries, the portfolio of countries wishing
to join the European Union, and the large number of other countries that tradeextensively with European countries have adopted this approach, making it ineffect a de facto standard for the protection of data privacy throughout the world.Even the United States’ nearest neighbors, Canada and Mexico, have rejectedthe concept of self-regulation in this case and introduced highly specificlegislation designed to guarantee the rights of consumers as regards the personaluse of their data (Taylor, 2003) It can only be a matter of time before the UnitedStates follows suit Already dozens of bills concerning the protection of privacyhave been introduced at both the federal and state levels (Lee Lawson, 2003)
At the time of writing, the Online Privacy Protection Act of 2003 (H.R 69) isbeing considered by the U.S Congress Despite objections from industry groupsthat its provisions will make them uncompetitive, it is likely that this bill or a similarpiece of legislation will pass in the near future, bringing the United States into linewith the rest of the world in terms of the protection of consumers’ personalinformation
A major question remains as to whether the legislative approach will result inbetter privacy protection in the long run While legislation does help to ensure acertain minimum level of protection for everyone (assuming, of course, that suchstandards are adequately enforced), it may also result in poorer standards thanmight have existed in its absence Proponents of self-regulation argue thatcustomers will, in the long run, gravitate toward companies that provide adequatelevels of privacy protection, or at least the types and levels of guarantees that areimportant to them Legislative standards are unlikely to be as focused or flexible
as those set by the market, but the fact that they exist may result in consumersbecoming complacent about the issue and companies conforming with theminimum baseline but going no further In addition to stressing the need toconform with their legislative demands, governments must stress that suchguidelines are the necessary and encourage companies to provide higher levels
of protection
References
Bennett, C (1992) Regulating privacy: Data protection and public policy
in Europe and the United States Ithaca, NY: Cornell University Press.
Blanchette, J.-F., & Johnson, D G (2002) Data retention and the panoptic society:
The social benefits of forgetfulness The Information Society, 18, 33–45.
Trang 9Cain, R (2002) Global privacy concerns and regulation—Is the United States
a world apart? International Review of Law Computers and
Technol-ogy, 16(1), 23–34.
Camp, L J (1999) Web security and privacy: An American perspective The
Information Society, 15, 249–256.
Carroll, B (2002) Price of privacy: Selling consumer databases in bankruptcy
Journal of Interactive Marketing, 16(3), 47–58.
Clinton, W., & Gore, A (1997) Framework for global electronic commerce
Retrieved from www.ecommerce.gov
Culnan, M (2000) Protecting privacy online: Is self-regulation working?
Journal of Public Policy and Marketing, 19(1), 20–26.
Culnan, M., & Armstrong, P K (1999) Information privacy concerns,
proce-dural fairness and impersonal trust: An empirical investigation
Organiza-tion Science, 10, 104–115.
Culnan, M., & Bies, R (1999) Managing privacy concerns strategically: Theimplications of fair information practices for marketing in the twenty-first
century In C J Bennett & R Grant (Eds.), Visions of privacy (pp 149–
167) Toronto: University of Toronto Press
Electronic Privacy Information Center (EPIC) (2002) Privacy & human rights:
An international survey of privacy laws and developments Washington,DC: Author
Electronic Privacy Information Center (EPIC) Alert (2000, July 16) Privacy.
Washington, DC: Author
Endeshaw, A (2001) The legal significance of trademarks Information &
Communications Technology Law, 10(2), 203–230.
European Community (1995) Directive 95/46/EC of the European Parliamentand the Council on the protection of individuals with regard to theprocessing of personal data and on the free movement of such data
Official Journal of the European Community, 23, L 281.
Finkel, R., & McCrady, T (2000) Facing the Web’s phantom menace:
Under-standing online privacy fears and how e-business can respond Journal of
Internet Law, 3, 9–12.
Georgia Tech Research Corporation (1997) Seventh WWW user survey
Retrieved from www.cc.gatech.edu/gvu/user_surveys
Gilbert, J (2001, August) Privacy? Who needs privacy? Business 2.0, p 20 Godin, S (1999) Permission marketing: Turning strangers into friends, and
friends into customers New York: Simon & Schuster.
Trang 10Grabner-Kraeuter, S (2002) The role of consumers’ trust in online shopping.
Journal of Business Ethics, 39, 43–50.
Grove, A (1998) Only the paranoid survive New York: HarperCollins
Business
Grover, V., Hall L et al (1998) The Web of privacy: Business in the information
age Business Horizons, July–August, 5–11.
Head, M & Yuan, Y (2001) Privacy protection in electronic commerce—A
theoretical framework Human Systems Management, 20, 149–160.
Hinde, S (1998) Privacy and security—The drivers for growth of e-commerce
Computers and Security, 17, 475–478.
Hoffman, D., Novak, P et al (1999) Information privacy in the marketspace:
Implications for commercial uses of anonymity The Information Society,
Kelly, E (2000) Ethical apects of managing customer privacy in electronic
commerce Human Systems Management, 19, 237–244.
Krishnamurthy, S (2001) A comprehensive analysis of permission marketing
Journal of Computer-Mediated Communication, 6(2) Retrieved from www.ascusc.org/jcmc/vol6/issue2/krishnamurthy.html
Lee Larson, J., Larson, R., & Greenlee, J (2003) Privacy protection on the
Internet Strategic Finance, June, 49–53.
Long, W., & Quek, M (2002) Personal data privacy protection in an age of
globalization: The US–EU safe harbour compromise Journal of
Euro-pean Public Policy, 9(3), 325–344.
Lourosa-Ricardo, C (2001, ) New technologies aim to give Internet users more
privacy Wall Street Journal Europe, p 22.
Mayer-Schonberger, V (1998) The Internet and privacy legislation: Cookies
for a treat? Computer Law & Security Report, 14(3), 166–174.
Trang 11Metz, C (2001, November 13) What they know PC Magazine, pp 104–118.
Milne, G R., & Gordon, M E (1993) Direct mail privacy efficiency: Trade-offs
within an implied social contract framework Journal of Public Policy
and Marketing, 12, 206–215.
Miyazaki, A., & Krishnamurthy, S (2002) Internet seals of approval: Effects on
online privacy policies and consumer perceptions Journal of Consumer
Affairs, 36(1), 28–49.
Nunes, P., & Kambil, A (2001) Personalization? No thanks Harvard
Busi-ness Review, April, 32–34.
Opplinger, R (2000) Privacy protection and anonymity services for the World
Wide Web (WWW) Future Generation Computer Systems, 16, 379–
391
Phelps, J E., D’Souza, G et al (2001) Antecedents and consequences of
consumer privacy concerns: An empirical investigation Journal of
Inter-active Marketing, 15(4), 2–17.
Ragothaman, S., Davies, T., & DeVee, D (2000) Legal aspects of electronic
commerce and their implications for the accounting profession Human
Systems Management, 19, 245–254.
Rust, R., Kannan, P., & Peng, N (2002) The customer economics of Internet
privacy Journal of the Academy of Marketing Science, 30(4), 455–464.
Ryker, R., LaFleur, E et al (2002) Online privacy policies: An assessment of
the Fortune E-50 Journal of Computer Information Systems, Summer,
15–20
Taylor, S (2003) Protecting privacy in Canada’s private sector The
Informa-tion Management Journal, July/August, 33–39.
Turinas, A., & Showalter, B (2002) Privacy in the electronic age Managing
Intellectual Property, 124, 72–78.
Valentine, D (2000) Privacy on the Internet: The evolving legal landscape
Santa Clara Computer and High Tech Law Journal, (16), 407–408.
Weber, T (2000, ) On the Internet, everybody wants to be a nobody Wall Street
Journal Europe, p 26.
Westin, A F (1967) Privacy and freedom New York: Atheneum.
Zwick, D., & Dholakia, N (2001) Contrasting European and American proaches to privacy in electronic markets: Property right vs civil right
ap-Electronic Markets, 11(2), 116–120.
Trang 12About the Authors
Sandeep Krishnamurthy is an associate professor of e-commerce and
mar-keting in the business administration program at the University of Washington,Bothell He obtained his PhD from the University of Arizona in marketing andeconomics His research interests are in the area of e-marketing, e-commerce,and open source software Most recently, he published a 450-page MBA
textbook, E-Commerce Management: Text and Cases His scholarly work on
e-commerce and open source software has appeared in journals such as
Business Horizons, Journal of Consumer Affairs, Journal of Mediated Communication, Quarterly Journal of E-Commerce, Marketing Management, First Monday, Journal of Marketing Research, and Journal
Computer-of Service Marketing Krishnamurthy also works in the areas Computer-of generic
advertising and nonprofit marketing His work in generic advertising has
appeared in journals such as Organizational Behavior and Human Decision
Processes (OBHDP) and Marketing Letters His work in non-profit marketing
has appeared in the International Journal of Non-Profit Voluntary Sector
Marketing He currently serves as associate book review editor for the Journal
of Marketing Research and is a co-editor for a special issue of the tional Marketing Review He regularly reviews papers for a variety of journals
Interna-including Marketing Science and the Journal of Advertising His writings in the business press have appeared on Clickz.com, Digitrends.net, and
Marketingprofs.com His comments have been featured in press articles in
outlets such as Marketing Computers, Direct Magazine, Wired.com,
Medialifemagazine.com, Oracle’s Profit Magazine, and Washington Post.
He has developed and taught several innovative courses related to e-commerce
to both MBA and undergraduate students Most recently, he developed and