354 O’Connor
Considered as a whole, these requirements both encompass and expand the fair information practice guidelines by placing severe restrictions both on what personal data can be collected and how it can be processed. And while one could claim that these requirements do not apply to data processed on computers outside European Union countries, the Directive preempts such an argument by stipulating that personal data collected within the European Union can only be exported if the recipient country has similar levels of data protection (Lee Larson, Larson, & Greenlee, 2003). In giving the requirements of the Directive global reach, this clause has proved particularly problematic with regard to the United States, where, as will be discussed below, privacy protection is based around a right to privacy rather than any specific piece of data protection legislation (Camp, 1999).
The American Approach: Self-Regulation
In contrast to the European approach, in the United States the protection of personal data is based on a constitutional right to privacy, rather than on any specific data protection legislation. While the latter offers blanket guidelines for all data with an identifiable subject, the U.S. approach views each subject area as separate and requires each one to be addressed independently (Camp, 1999). Thus, a patchwork of federal and state laws has developed which regulate privacy in certain circumstances (such as credit records, driver’s license information, family and educational privacy, telephone records, and video rental records) (Turinas & Showalter, 2002). However, these have been developed in an ad hoc piecemeal fashion usually in response to public outcry over topical events (Cain, 2002).
In general, the overriding philosophy in the United States has been to resist the introduction of comprehensive legislative protection in anticipation that the market will self-regulate through adherence to voluntary codes. This approach was enshrined in the Clinton administration’s Framework for Global Electronic Commerce (Blanchette & Johnson, 2002). “The Administration considers data protection critically important. We believe that private efforts of industry working in cooperation with consumer groups are preferable to government regulation . . .” (Clinton & Gore, 1997). As a result, within the United States there is no comprehensive set of laws or regulations (at either the federal or state level) that address the collection, storage, use, or sale of personal information by the private sector (Finkel & McCrady, 2000).
The self-regulation approach entails the setting of standards by an industry group and the voluntary adherence to such standards by those within the sector (Zwick & Dholakia, 2001). For example, U.S. companies are encouraged (but not legally obliged) to comply with guidelines such as those drafted by the Federal Trade Commission (FTC), the U.S. government’s primary consumer protection organization, which are in turn based on the OECD fair information principles discussed earlier, and to post appropriate privacy policies on their Web sites (Metz, 2001). Enforcement is based on contract law where if a company does not comply with the promises and guarantees made in its privacy policy, it can be sued by either the consumer directly or by a consumer group or government agency acting on his/her behalf. The FTC has been particularly active in taking legal action against companies whose practices are at variance with their published privacy policies for engaging in deceptive trade practices (Culnan, 2000).
Copyright © 2006, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
International Approaches to the Protection of Online Privacy 355
Strong arguments can be made for letting market forces take care of data protection. As discussed above, research has shown that people are sometimes willing to disclose personal information in exchange for some economic or social benefit subject to their own “privacy calculus”—a personal assessment of whether their information will subsequently be used fairly and whether they will suffer negative consequences in the future (Milne & Gordon, 1993). As a result, it is argued that ethical norms will emerge naturally as the market evolves, with consumers only doing business with sites they trust (Culnan & Bies, 1999). Proponents argue that consumers will migrate toward sites that provide strong privacy protection and will avoid sites that have breached privacy, thus eventually forcing all companies to provide greater protection, or at least the kind of protection that consumers want, in order to stay in business (Rust et al., 2002).
Unfortunately, research has shown that this is not happening in practice and that the self-regulation approach has to a large extent failed (FTC Report, 2000). Since Web sites are not legally required to display a privacy policy, many choose not to, making it impossible to prosecute them for deceptive business practices. Even where privacy policies are displayed, the majority are limited in that they fail to address many key issues. In a study of major U.S. consumer Web sites, over 90% failed to comply with one or more of the suggested guidelines, indicating that stronger measures may be necessary to ensure adequate levels of protection (Ryker et al., 2002).
Last, since there are no commonly agreed-upon standards or legal requirements to have one in the first place, privacy policies can be abandoned or changed at will, without notification to the customer (Cain, 2002). As evidence mounts of more and more companies abusing their power to collect consumer information, the belief is growing that the desire to make profits inherently contradicts consumers’ privacy interest (Zwick & Dholakia, 2001). As a result, industry watchdogs claim that comprehensive privacy legislation should be introduced to protect the privacy of consumers online (Hinde, 1999). Even the FTC, reacting to a glaring case of privacy policy violation by Geocities in May 2000, moderated its heretofore unfettered support for self-regulation and recommended that Congress enact legislation to protect the public’s private data on the Internet.
The requirements of the European Directive on the Protection of Personal Data discussed earlier have also increased the pressure on the U.S. government to introduce legislation (Blanchette & Johnson, 2002). In particular, the stipulation that personal data can only be exported from the European Union if the recipient country has similar levels of legislative protection (unless individuals expressly consent to the transfer) leads theoretically to a situation where data cannot be transferred from European-based companies to divisions or parent companies in the United States (Hinde, 1998). To overcome this, in the summer of 2000 the U.S. Department of Commerce and the European Commission formulated the Safe Harbor Agreement. While not emulating the European Union rules, the agreement establishes a “mechanism which, through an exchange of documents, enables the EU to certify that participating US companies meet the EU requirements for privacy protection” (Lee Larson et al., 2003, p. 38).
In short, the agreement states that consumers must be notified about the purposes for which the company collects and uses data and must be given the opportunity to choose whether and how the data are used by or disclosed to third parties. Third parties that receive personal information must provide the same level of protection as that provided by the collecting company. In addition, companies must protect data from loss, misuse, unauthorized access, disclosure, alteration, or destruction; must ensure that data are reliable for their intended use, are accurate, complete, and current; and must give individuals the right to view, correct, amend, or delete personal data. Last, firms need to provide mechanisms for ensuring compliance with these privacy principles and the company’s privacy policy. U.S. organizations that decide to participate in the Safe Harbor Agreement must both comply with its requirements and publicly declare that they do so by registering with the U.S. Department of Commerce (Zwick & Dholakia, 2001). As of October 2003, over 250 organizations had completed this registration process.
Approaches to Privacy Protection in Other Regions
The two conflicting approaches discussed above—the self-regulation philosophy embraced by the United States and the legislative approach used by the European Union—have to a large extent become the norms throughout the world. Table 1 summarizes the findings of the 2003 report on Privacy & Human Rights, produced by EPIC and Privacy International in respect of non-European countries.
As can be seen from Table 1, approaches to privacy protection differ greatly throughout the world. In many countries there is a constitutional right to privacy that also provides basic safeguards with regard to the protection of personal data. Other countries also specifically guarantee the privacy of such data with a separate clause in their constitution. However, in the majority of cases this constitutional protection has been supplemented by comprehensive data protection legislation. In particular, analysis of the data shows how many countries have recently adopted comprehensive data protection legislation in order to comply with the requirements of the aforementioned European Union Directive on the Protection of Personal Data. While for certain countries (Poland, Latvia, Lithuania, Romania, Slovenia, and the Slovak Republic) the introduction of such legislation was a prerequisite for consideration for entry into the European Union,
Table 1. Findings of the 2003 report on Privacy & Human Rights

| Country | Explicit Constitutional Right to Privacy | Explicit Constitutional Right to Data Protection | Base Legislation Governing Data Protection | Compliance with requirements of European Union Directive on Protection of Personal Data |
|---|---|---|---|---|
| Argentina | Article 43 | No | Law for Protection of Personal Data 2000 | Yes |
| Australia | No | No | Privacy Act 1988 as amended by the Privacy Amendment (Private Sector) Act 2000 | Pending |
| Brazil | Article 5 | Article 5 | Consumer Protection Law 1990 | No |
| Bulgaria | Article 32 | No | Personal Data Protection Act 2001 | Yes |
| Canada | No | No | Personal Information Protection and Electronic Documents Act (PIPEDA) 2001 | Yes |
| Chile | Article 19 | No | Law for the Protection of Private Life 1999 | No |
| China | Article 38 | No | None | No |
| Colombia | Article 15 | No | None (various bills pending) | No |
| Czech Republic | No | No | On Personal Data Protection 2000 | Yes |
| Estonia | Article 43 | Article 44(3) | Personal Data Protection Act 1996, Databases Act 1997 as amended 2002 | Yes |
| Hong Kong | Article 29 | No | Personal Data (Privacy) Ordinance 1996 | Pending |
| Hungary | Article 59 | No | Protection of Personal Data and Disclosure of Data of Public Interest 1992 | Yes |
| India | No | No | No (various bills pending) | No |
| Israel | Section 7 | No | Protection of Privacy Law 5741-1981 as amended 1996 | No |
| Japan | Articles 21 and 35 | No | Personal Data Protection Act 2003 | No |
| Jordan | Articles 10 and 18 | No | None (announced intention to comply with EU Directive) | No |
| Latvia | Article 96 | No | Law on Personal Data Protection 2000 | Yes |
| Lithuania | Article 22 | No | Law on Legal Protection of Personal Data 1996, 1998, 2000, 2002 | Yes |
Table 1. (cont.)

| Country | Explicit Constitutional Right to Privacy | Explicit Constitutional Right to Data Protection | Base Legislation Governing Data Protection | Compliance with requirements of European Union Directive on Protection of Personal Data |
|---|---|---|---|---|
| Malaysia | No | No | None (various bills pending) | No |
| Malta | Article 38 | No | Data Protection Act 2001 | Yes |
| Mexico | Article 16 | No | Mexican E-Commerce Act | No |
| New Zealand | Article 21 | No | Privacy Act 1993 | (Pending) |
| Peru | Article 2 | Article 2 | None (various bills pending) | No |
| Philippines | Articles 1, 2, and 3 | No | None (various bills pending) | No |
| Poland | Article 47 | Article 51 | Protection of Personal Data Act 1997 | Yes |
| Romania | Articles 26 and 27 | No | Processing of Personal Data and the Protection of Privacy in the Telecommunications Sector 2001 | Yes |
| Russian Federation | Article 23 | Article 24 | None (various bills pending) | No |
| Singapore | No | No | None | No |
| Slovak Republic | Article 16 | Article 19 | Protection of Personal Data 2001 | Pending |
| Slovenia | Article 36 | No | Personal Data Protection Act 1999, 2001 | Yes |
| South Africa | Article 14 | Article 32 | None | No |
| South Korea | Articles 16, 17, and 18 | No | None | No |
| Switzerland | Article 13 | Article 13 | Federal Act of Data Protection 1992 | Yes |
| Taiwan | Articles 12, 13, and 14 | No | Computer-Processed Personal Data Protection Law 1995 | No |
| Thailand | Article 34 | Article 58 | None (various bills pending) | … |
| Turkey | Articles 20 and 22 | No | None | … |
| Ukraine | Article 31 | Article 32 | None (various bills pending) | … |
...