
354 O’Connor

Considered as a whole, these requirements both encompass and expand the fair information practice guidelines by placing severe restrictions both on what personal data can be collected and how it can be processed. And while one could claim that these requirements do not apply to data processed on computers outside European Union countries, the Directive preempts such an argument by stipulating that personal data collected within the European Union can only be exported if the recipient country has similar levels of data protection (Lee Larson, Larson, & Greenlee, 2003). In giving the requirements of the Directive global reach, this clause has proved particularly problematic with regard to the United States, where, as will be discussed below, privacy protection is based around a right to privacy rather than any specific piece of data protection legislation (Camp, 1999).

The American Approach: Self-Regulation

In contrast to the European approach, in the United States the protection of personal data is based on a constitutional right to privacy, rather than on any specific data protection legislation. While the latter offers blanket guidelines for all data with an identifiable subject, the U.S. approach views each subject area as separate and requires each one to be addressed independently (Camp, 1999). Thus, a patchwork of federal and state laws has developed which regulate privacy in certain circumstances (such as credit records, driver’s license information, family and educational privacy, telephone records, and video rental records) (Turinas & Showalter, 2002). However, these have been developed in an ad hoc, piecemeal fashion, usually in response to public outcry over topical events (Cain, 2002). In general, the overriding philosophy in the United States has been to resist the introduction of comprehensive legislative protection in anticipation that the market will self-regulate through adherence to voluntary codes.
This approach was enshrined in the Clinton administration’s Framework for Global Electronic Commerce (Blanchette & Johnson, 2002). “The Administration considers data protection critically important. We believe that private efforts of industry working in cooperation with consumer groups are preferable to government regulation . . .” (Clinton & Gore, 1997). As a result, within the United States there is no comprehensive set of laws or regulations (at either the federal or state level) that address the collection, storage, use, or sale of personal information by the private sector (Finkel & McCrady, 2000). The self-regulation approach entails the setting of standards by an industry group and the voluntary adherence to such standards by those within the sector (Zwick & Dholakia, 2001). For example, U.S. companies are encouraged (but not legally obliged) to comply with guidelines such as those drafted by the Federal Trade Commission (FTC), the U.S. government’s primary consumer protection organization, which are in turn based on the OECD fair information principles discussed earlier, and to post appropriate privacy policies on their Web sites (Metz, 2001). Enforcement is based on contract law: if a company does not comply with the promises and guarantees made in its privacy policy, it can be sued either by the consumer directly or by a consumer group or government agency acting on his/her behalf. The FTC has been particularly active in taking legal action, on the grounds of deceptive trade practices, against companies whose practices are at variance with their published privacy policies (Culnan, 2000).

Copyright © 2006, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.

International Approaches to the Protection of Online Privacy 355

Strong arguments can be made for letting market forces take care of data protection.
As discussed above, research has shown that people are sometimes willing to disclose personal information in exchange for some economic or social benefit subject to their own “privacy calculus”—a personal assessment of whether their information will subsequently be used fairly and whether they will suffer negative consequences in the future (Milne & Gordon, 1993). As a result, it is argued that ethical norms will emerge naturally as the market evolves, with consumers only doing business with sites they trust (Culnan & Bies, 1999). Proponents argue that consumers will migrate toward sites that provide strong privacy protection and will avoid sites that have breached privacy, thus eventually forcing all companies to provide greater protection, or at least the kind of protection that consumers want, in order to stay in business (Rust et al., 2002).

Unfortunately, research has shown that this is not happening in practice and that the self-regulation approach has to a large extent failed (FTC Report, 2000). Since Web sites are not legally required to display a privacy policy, many choose not to, making it impossible to prosecute them for deceptive business practices. Even where privacy policies are displayed, the majority are limited in that they fail to address many key issues. In a study of major U.S. consumer Web sites, over 90% failed to comply with one or more of the suggested guidelines, indicating that stronger measures may be necessary to ensure adequate levels of protection (Ryker et al., 2002). Last, since there are no commonly agreed-upon standards or legal requirements to have one in the first place, privacy policies can be abandoned or changed at will, without notification to the customer (Cain, 2002). As evidence mounts of more and more companies abusing their power to collect consumer information, the belief is growing that the desire to make profits inherently contradicts consumers’ privacy interest (Zwick & Dholakia, 2001).
As a result, industry watchdogs claim that comprehensive privacy legislation should be introduced to protect the privacy of consumers online (Hinde, 1999). Even the FTC, reacting to a glaring case of privacy policy violation by Geocities in May 2000, moderated its heretofore unfettered support for self-regulation and recommended that Congress enact legislation to protect the public’s private data on the Internet.

The requirements of the European Directive on the Protection of Personal Data discussed earlier have also increased the pressure on the U.S. government to introduce legislation (Blanchette & Johnson, 2002). In particular, the stipulation that personal data can only be exported from the European Union if the recipient country has similar levels of legislative protection (unless individuals expressly consent to the transfer) leads theoretically to a situation where data cannot be transferred from European-based companies to divisions or parent companies in the United States (Hinde, 1998). To overcome this, in the summer of 2000 the U.S. Department of Commerce and the European Commission formulated the Safe Harbor Agreement. While not emulating the European Union rules, the agreement establishes a “mechanism which, through an exchange of documents, enables the EU to certify that participating US companies meet the EU requirements for privacy protection” (Lee Larson et al., 2003, p. 38). In short, the agreement states that consumers must be notified about the purposes for which the company collects and uses data and must be given the opportunity to choose whether and how the data are used by or disclosed to third parties. Third parties that receive personal information must provide the same level of protection as that provided by the collecting company.
In addition, companies must protect data from loss, misuse, unauthorized access, disclosure, alteration, or destruction; must ensure that data are reliable for their intended use, are accurate, complete, and current; and must give individuals the right to view, correct, amend, or delete personal data. Last, firms need to provide mechanisms for ensuring compliance with these privacy principles and the company’s privacy policy. U.S. organizations that decide to participate in the Safe Harbor Agreement must both comply with its requirements and publicly declare that they do so by registering with the U.S. Department of Commerce (Zwick & Dholakia, 2001). As of October 2003, over 250 organizations had completed this registration process.

Approaches to Privacy Protection in Other Regions

The two conflicting approaches discussed above—the self-regulation philosophy embraced by the United States and the legislative approach used by the European Union—have to a large extent become the norms throughout the world. Table 1 summarizes the findings of the 2003 report on Privacy & Human Rights, produced by EPIC and Privacy International in respect of non-European countries. As can be seen from Table 1, approaches to privacy protection differ greatly throughout the world. In many countries there is a constitutional right to privacy that also provides basic safeguards with regard to the protection of personal data. Other countries also specifically guarantee the privacy of such data with a separate clause in their constitution. However, in the majority of cases this constitutional protection has been supplemented by comprehensive data protection legislation.
In particular, analysis of the data shows how many countries have recently adopted comprehensive data protection legislation in order to comply with the requirements of the aforementioned European Union Directive on the Protection of Personal Data. While for certain countries (Poland, Latvia, Lithuania, Romania, Slovenia, and the Slovak Republic) the introduction of such legislation was a prerequisite for consideration for entry into the European Union,

Table 1. Findings of the 2003 report on Privacy & Human Rights

| Country | Explicit Constitutional Right to Privacy | Explicit Constitutional Right to Data Protection | Base Legislation Governing Data Protection | Compliance with Requirements of EU Directive on Protection of Personal Data |
| --- | --- | --- | --- | --- |
| Argentina | Article 43 | No | Law for Protection of Personal Data 2000 | Yes |
| Australia | No | No | Privacy Act 1988 as amended by the Privacy Amendment (Private Sector) Act 2000 | Pending |
| Brazil | Article 5 | Article 5 | Consumer Protection Law 1990 | No |
| Bulgaria | Article 32 | No | Personal Data Protection Act 2001 | Yes |
| Canada | No | No | Personal Information Protection and Electronic Documents Act (PIPEDA) 2001 | Yes |
| Chile | Article 19 | No | Law for the Protection of Private Life 1999 | No |
| China | Article 38 | No | None | No |
| Colombia | Article 15 | No | None (various bills pending) | No |
| Czech Republic | No | No | On Personal Data Protection 2000 | Yes |
| Estonia | Article 43 | Article 44(3) | Personal Data Protection Act 1996, Databases Act 1997 as amended 2002 | Yes |
| Hong Kong | Article 29 | No | Personal Data (Privacy) Ordinance 1996 | Pending |
| Hungary | Article 59 | No | Protection of Personal Data and Disclosure of Data of Public Interest 1992 | Yes |
| India | No | No | No (various bills pending) | No |
| Israel | Section 7 | No | Protection of Privacy Law 5741-1981 as amended 1996 | No |
| Japan | Articles 21 and 35 | No | Personal Data Protection Act 2003 | No |
| Jordan | Articles 10 and 18 | No | None (announced intention to comply with EU Directive) | No |
| Latvia | Article 96 | No | Law on Personal Data Protection 2000 | Yes |
| Lithuania | Article 22 | No | Law on Legal Protection of Personal Data 1996, 1998, 2000, 2002 | Yes |
| Malaysia | No | No | None (various bills pending) | No |
| Malta | Article 38 | No | Data Protection Act 2001 | Yes |
| Mexico | Article 16 | No | Mexican E-Commerce Act | No |
| New Zealand | Article 21 | No | Privacy Act 1993 | (Pending) |
| Peru | Article 2 | Article 2 | None (various bills pending) | No |
| Philippines | Articles 1, 2, and 3 | No | None (various bills pending) | No |
| Poland | Article 47 | Article 51 | Protection of Personal Data Act 1997 | Yes |
| Romania | Articles 26 and 27 | No | Processing of Personal Data and the Protection of Privacy in the Telecommunications Sector 2001 | Yes |
| Russian Federation | Article 23 | Article 24 | None (various bills pending) | No |
| Singapore | No | No | None | No |
| Slovak Republic | Article 16 | Article 19 | Protection of Personal Data 2001 | Pending |
| Slovenia | Article 36 | No | Personal Data Protection Act 1999, 2001 | Yes |
| South Africa | Article 14 | Article 32 | None | No |
| South Korea | Articles 16, 17, and 18 | No | None | No |
| Switzerland | Article 13 | Article 13 | Federal Act of Data Protection 1992 | Yes |
| Taiwan | Articles 12, 13, and 14 | No | Computer-Processed Personal Data Protection Law 1995 | No |
| Thailand | Article 34 | Article 58 | None (various bills pending) | ... |
| Turkey | Articles 20 and 22 | No | None | ... |
| Ukraine | Article 31 | Article 32 | None (various bills pending) | ... |