Protection of privacy online is one of the most important issues facing the global information society. Given the invisibility of new technology in the collection of personal information, consent is necessary to adequately establish control over personal information. Privacy is a human right not subject to commercial concern.
Market forces alone do not provide privacy protection. Indeed, the early history of electronic commerce indicates that it is the unbridled market that is the primary threat to privacy protection. For this reason, it is the general view of consumer organizations around the world that privacy should be protected by means of a legal framework that ensures the observance and enforcement of Fair Information Practices.
On 16-17 February 1998 the OECD Workshop entitled "Privacy Protection in a Global Networked Society" provided a forum for dialogue among government, the private sector, the user and consumer communities, and data protection authorities of the OECD Member countries to focus on privacy protection online. Participants in the Workshop affirmed a commitment to protect individual privacy in the increasingly networked environment both to uphold human rights and to prevent interruptions in the international flow of data.
In March 2000 the European Union and the US Department of Commerce reached an agreement that will determine how American companies may collect personal information from European consumers. The agreement addresses the issues raised by the 1995 EU Data Protection Directive, a law allowing EU nations the right to prevent the transfer of information about European consumers to countries without adequate data protection. The new agreement will require American companies that gather personal information from Europeans to join "safe-harbor" programmes. US companies must agree to abide by certain privacy principles, which will be enforced by the third party safe-harbor programmes.
While the US proposed "Safe Harbor Principles" were drafted with the sole purpose "to foster, promote, and develop international commerce", the EU Data Protection Directive also takes into account the human rights dimension of privacy protection. Chapter 1, Article 1 of the Directive ("Object of the Directive") notes that "Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy, with respect to the processing of personal data." The drafting of "Safe Harbor" principles by a US agency solely concerned with the international trade implications of privacy protections will not give due weight to the importance of such protections for individuals as right-bearing citizens. Documents produced by agencies with broader social considerations have given privacy its due as a fundamental human right. Both Article 12 of the United Nations Universal Declaration of Human Rights and Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms directly address the need for privacy protection.
Chapter IV of the European Directive Transfer of Personal Data to Third Countries merely requires an "adequate" rather than equivalent level of protections in non EU-member countries, the Directive should not be construed as an upper limit for privacy protections but as a baseline standard. The Directive states that national laws which will approximate the principles in the Directive "must not result in any lessening of the protection they afford, but must, on the contrary, seek to ensure a high level of protection.
Notice of privacy practices should always take place before the collection of personal information without exception.
The collection of personal information requires opt-in consent from the individual not opt-out choice. Opt-out choice unfairly places the burden of preventing the collection of personal information on the individual.
The purposes for which personal information is collected should be revealed before data collection and limited to such use.
To maintain control over personal information, the individual must be aware of all purposes and use of that information. Information collected should be relevant, not excessive, and stored only as long as necessary for the purposes for which it is collected.
The Americans have a constitutional problem with data protection and are unable to introduce national laws comparable or compatible with those brought in in Europe. They cannot change their legal infrastructure to reflect the impact of globalization because it is derived from an 18th century Constitution designed to resist such changes. This legislative inflexibility is in marked contrast to their economic and business flexibility and innovation, where they lead.
The 'safe harbour' proposal is an inadequate effort by US business to pretend that a (European) human right to privacy can be protected by an (American) commercial contract. In particular, it does not protect foreigners against invasion of their privacy by the US government and courts. American courts will not, for example, accept that information about the activities of non-Americans outside the US but stored in US databases cannot be the subject of a sub-poena from a civil or criminal court in the US. So a Frenchman in France buying Havana cigars from a Cuban in Cuba over the Internet could find his personal transaction details disclosed in Miami. The US claims extraterritorial application of its domestic law and defines some kinds of business activities as crimes.
The US "Safe Harbor Principles" undercut data protection for European citizens in order to make the entry of US companies into foreign markets as painless as possible.
Under the US "Safe Harbor Principles", European citizens will enjoy greater privacy protections from US companies than any US citizen. While US companies may view the acceptance of "Safe Harbor Principles" as an obstacle to developing European markets, US citizens should be alarmed that principles drafted by a US agency for US companies would give greater protections to citizens of another country.
Current standards of opt-in for "sensitive information" give undue deference to commercial interests since it applies only to information "specifying" rather than "revealing" subjects such as medical conditions, race, or political beliefs.