Privacy

The International Legal Framework for Data Protection and Its Transposition to Developing and Transitional Countries (Dec. 2004) - Short paper summarizing the major international documents on data protection, with general observations for their transposition to developing and transitional countries.

Privacy protection is a critical element of consumer and user trust in the online environment and a necessary condition for the development of electronic commerce. Three international organizations have developed guidelines or rules that set forth basic consumer privacy protections:

Organisation for Economic Co-operation and Development -- Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (Privacy Guidelines) (1980) http://www.oecd.org/EN/document/0,,EN-document-0-nodirectorate-no-24-10255-0,00.html

• Privacy Guidance Report (2004) - produced by the OECD's Working Party on Information Security and Privacy
   
• Consumers in the Online Marketplace: the OECD Guidelines Three Years Later (4 February 2003) -- report by the Committee on Consumer Policy on the "Guidelines for Consumer Protection in the Context of Electronic Commerce" - summarises the results of implementation activities in OECD countries http://www.olis.oecd.org/olis/2002doc.nsf/LinkTo/dsti-cp(2002)4-final
   
• Privacy Online: Policy and Practical Guidance (20 January 2003) -- policy and practical guidance for implementing privacy protection online - addressed to OECD member countries, business and other organisations, individual users and consumers. http://www.olis.oecd.org/olis/2002doc.nsf/LinkTo/dsti-iccp-reg(2002)3-final

Council of Europe -- Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (1981) http://conventions.coe.int/treaty/EN/cadreprincipal.htm
Articles 4 - 10 set out the basic principles for data protection.

• Internet Privacy Guidelines (23 February 1999) -- practical, non-binding advice for Internet users and service providers http://www.coe.fr/dataprotection/rec/elignes.htm

• A good overview of the privacy rules and recommendations issued by the Council of Europe http://www.coe.fr/dataprotection/eintro.htm

European Union -- Data Protection Directive (1995) http://europa.eu.int/comm/internal_market/privacy/law_en.htm
Articles 5 - 17 spell out in somewhat more detail the basic privacy principles.

• Guide to the data privacy directive -- focuses on who is entitled to handle personal information and how such information can be processed. http://europa.eu.int/comm/internal_market/en/media/dataprot/news/guide_en.pdf
   
• Directive on privacy and electronic communications [pdf] - July 2002, translates the principles of the 1995 directive into specific rules for telecommunications and other electronic communications. GIPI memo analyzing the new directive [pdf].
   
• Resources on EU data protection law - overview, model contracts, links to other international instruments and national data protection commissioners http://europe.eu.int/comm/internal_market/en/dataprot/index.htm

Privacy and E-Government (May 2003) - report by CDT to the United Nations Department of Economic and Social Affairs as background for the World Public Sector Report on E-Government. Surveys privacy trends internationally with a focus on data in the hands of government. Describes "best practices," including privacy officers, privacy impact assessments, privacy enhancing technologies and privacy audits.

Privacy Overview

There are two aspects to the concept of privacy:

1. Consumer privacy - the right of individuals to control information about themselves generated or collected in the course of a commercial interaction. Referred to in Europe as "data protection."
2. Privacy rights of the individual against the government - the individual's protection against unreasonable government intrusions on privacy, such as searches of the home or interceptions of communications.

Internet law needs to address both sets of issues.

Consumer Privacy

Consumer privacy protection in the US and Europe, as well as under the guidelines of the OECD, is based on the following principles:

1. Notice and Consent - before the collection of data, the data subject should be provided: notice of what information is being collected and for what purpose and an opportunity to choose whether to accept the data collection and use.

   In Europe, data collection cannot proceed unless data subject has unambiguously given his consent (with exceptions).

2. Collection Limitation - data should be collected for specified, explicit and legitimate purposes. The data collected should be adequate, relevant and not excessive in relation to the purposes for which they are collected.
    
3. Use/Disclosure Limitation - data should be used only for the purpose for which it was collected and should not be used or disclosed in any way incompatible with those purposes.
    
4. Retention Limitation - data should be kept in a form that permits identification of the data subject no longer than is necessary for the purposes for which the data were collected.
    
5. Accuracy - the party collecting and storing data is obligated to ensure its accuracy and, where necessary, keep it up to date; every reasonable step must be taken to ensure that data which are inaccurate or incompleteare corrected or deleted
    
6. Access - a data subject should have access to data about himself, in order to verify its accuracy and to determine how it is being used
    
7. Security - those holding data about others must take steps to protect its confidentiality.

Privacy Protection Against The Government

The right to privacy is internationally recognized as a human right. However, most governments claim the authority to invade privacy through the following means:

• interception of communications in real-time
• interception of traffic data (routing information) in real-time
• access to data stored by service providers, including traffic data being stored for billing purposes
• access to data stored by users

These means of access to communications and stored data must be narrowly defined and subject to independent controls under strict standards. Real-time interception of communications should take place only with prior approval by a judge, issued under standards at least as strict as those for policy searches of private homes.

Resources

• Privacy and Human Rights 2003 (Sept. 2003) - an International survey of privacy laws and developments.
   
• International Working Group on Data Protection in Telecommunications (IWGDPT) - online archive of position papers.
   
• Organization of Central and Eastern Europe Data Protection Authorities - includes documents describing the legal basis and institutional responsibility for data privacy protection in 8 CEE countries.
   
• Victor Naumov, St.Petersburg Institute for Informatics, "Legal Issues in Personal Data Protection on the Russian Internet"