- Email: [email protected]
Personal privacy — transatlantic perspectives
CLSR 1902.qxd
07/03/2003
12:16
Page 92
Personal privacy – transatlantic perspectives European and American privacy: commerce, rights and justice – part II Carter H. Manny, University of Southern Maine USA
In a commercial context, there are strong moral arguments in favor of personal privacy using either a rights-based analysis or a justice-based analysis. The gap between European and American thinking about legal protection for personal privacy is partially explained by the emphasis that Europeans place on a rights-based approach, and the different way in which that approach is interpreted in the United States. This article suggests that the philosophical gap could be narrowed by placing greater emphasis on moral principles of justice in the European - US privacy dialogue. Part I of this article appeared in the last issue.
4. Privacy under a justice-based analysis Moral principles of justice are not often mentioned in connection with privacy. Justice focuses on fairness and tends to be associated with group and societal interests as opposed to the emphasis on individual interests under a rights analysis. Of course, when human interests are at stake, rights-based and justice-based arguments can become intertwined. With respect to privacy, justice principles can help answer the question of what is a fair system of collection and distribution of personal data connected with commercial activities. Three principles will be considered: distributive justice, exchange justice and egalitarian justice. These principles have been the foundation of some of the major reform legislation enacted in the US during the twentieth century. First, legislation promoting product safety is partially based on principles of distributive justice, i.e. the fair distribution of the benefits and burdens of producing and using consumer products. The principle of distributive justice also played a part in environmental legislation. This has been especially true when the legislation is not motivated by a desire to promote human health but to protect animal and plant species, and to
92
preserve wilderness areas. The benefits and burdens of economic development and conservation are distributed not only among different groups of people but between humanity and wildlife. Second, the principle of exchange justice, i.e. that fair value be transferred by both parties to a transaction, provides the foundation for laws prohibiting unfair trade practices. Finally, the principle of egalitarian justice is the basis for legislation prohibiting discrimination based on race, gender and disabilities.
(a) Distributive justice What is a fair system for collecting and using personal information? The earlier example of a distance sale of a consumer good can be subjected to a distributive justice analysis. We already saw that the merchant must collect personal data and forward the consumer’s name and address to the carrier who will be delivering the goods. Is it fair for the merchant to retain the information? In a small business, particularly one run by people with good memories, only a lobotomy could guarantee the effective deletion of the consumer’s personal information, at least for the first few weeks after the sale takes place. In a larger business with a high volume of orders, personal information would quickly be forgotten unless stored on paper or in electronic records. Certainly it is fair to allow storage at least until the goods arrive at the consumer’s residence and there has been a reasonable opportunity for the consumer to discover any defects. Retention of records of the transaction would benefit both consumer and seller because the records would be needed to deal with possible rejection of the goods or an allegation that the merchant has breached the contract by delivering nonconforming goods. Retention of records for a longer period could be justified on the basis that the merchant may need to contact the consumer in the future if the merchant learns of defects in the product. But under this scenario, the only relevant information
Computer Law & Security Report Vol. 19 no. 2 2003 ISSN 0267 3649/03 © 2003 Elsevier Science Ltd. All rights reserved
CLSR 1902.qxd
07/03/2003
12:16
Page 93
Personal privacy – transatlantic perspectives would be the type of product purchased and information sufficient to contact the consumer. Retention of this information would benefit not only the merchant and the consumer but society as well, because it would tend to reduce risks of harm and avoid many of the burdens imposed on others whenever a person is physically injured. Assuming that it is fair to allow the merchant to retain information about individual customers, is it fair to allow the merchant to use that information to market its own products to the customer? This is a difficult question and could be answered in a variety of logical ways depending upon whether the focus is limited to this merchant and this consumer, or is an analysis of all merchants and all customers. At the merchant/consumer level, fairness depends on the circumstances. Is the product a once-in-a-lifetime purchase or something that will be fully consumed and need replacement soon? What method of communication will the merchant use to contact the consumer? At the societal level, are there any benefits if merchants have the ability to contact their prior customers with information about new products and services? Again, this depends upon nature of the product or service. Is society harmed if the merchant has this information about its prior customers? There could be some harm associated with the method of communication chosen by the merchant. Telephone calls can be highly disruptive to home life and can occupy a phone line needed for more important communication. Fax transmissions use the consumer’s paper and may also interfere with communication over the fax machine’s phone line. Email messages can take time to read and delete. In Europe there is an additional burden arising out of fees that many telephone companies impose on local calls, so the time a computer user who is connected to the Internet through a dial-up modem spends reading and deleting an unsolicited email message increases his or her telephone bill. Conventional postal mail avoids interfering with the consumer’s communication equipment but can add to the societal problem of disposal of solid waste. Although what is a fair balancing of these competing interests is highly dependent upon the facts involved, an analysis under distributive justice tends to consider these competing interests on a societal rather than individual basis. Is it fair for the merchant to transfer personal information about consumers to other merchants? Do such transfers provide benefits to society? The
answers to these questions are also dependent upon the facts. An application of distributive justice to the following example seems, at first, to justify such transfers. Some goods require accessories. Communication of personal information about a buyer to a seller of those accessories may not only promote efficiency but provide other benefits, particularly if the accessory is in society’s interest. For example, a boat dealer might sell information about recent boat buyers to a marine supply store that sells life jackets. The subsequent direct marketing efforts of the marine supply store might result in novice boat owners learning more quickly that life jackets are legally required safety equipment on boats in the US This might result in a higher percentage of life jacket usage by boaters. Of course, the same societal benefit could be produced by a different sort of collaboration between the two merchants without any transfer of the consumer’s personal information. The boat dealer could distribute product information literature about the marine supply store’s life jackets as part of the sale of the boat. This example illustrates that the desired societal benefit, increased ownership and use of life jackets by novice boaters, is independent of the sharing of personal information. Instead, it appears that the societal benefit, increased ownership and use of life jackets, is dependent upon distribution of product information about life jackets. Thus, a distributive justice analysis can point out weaknesses in arguments favoring the free flow of personal information. Moreover, it seems that rather than sharing personal data about consumers, merchants could in many instances achieve the same result by sharing information about their products and providing this information to consumers at the time of sale.
Does sharing between businesses of personal information about consumers harm society?
Does sharing between businesses of personal information about consumers harm society? If consumers have not been informed in advance of this practice, but later discover it is taking place, that realization may reduce their level of trust in the businesses involved in the sharing. This could lead to lower overall sales and be harmful to the economy. But if this occurs, won’t the market discourage this practice by punishing businesses who share consumer information? If a consumer could detect exactly which merchants were engaged in transferring the consumer’s personal information, market forces might well reduce or eliminate information sharing, but because the sharing is done in secret, the consumer does not
93
CLSR 1902.qxd
07/03/2003
12:16
Page 94
Personal privacy – transatlantic perspectives
a lack of
know exactly who is sharing what. Hence, consumers who object to information sharing are not likely to be able to punish the merchants who pass along their personal information. Moreover, the problem of detection increases the likelihood that information sharers will be able to ride free to some extent on the enhanced reputations of the businesses who do not share personal information without consumer consent.
understanding leads most consumers to underestimate the economic value of their personal data to businesses
(b) Exchange justice Exchange justice examines the fairness of a transaction. It is a principle underlying US consumer and investor protection laws administered by the Federal Trade Commission, the Securities and Exchange Commission and state governments. Exchange justice can be analyzed in two respects: procedural fairness and substantive fairness. Procedural fairness concerns methods of transferring information about the transaction. Substantive fairness examines the relative values of the things being traded. When a consumer transfers his or her personal information to a business, there is a type of exchange. Sometimes this is done consciously, as in the distance contract examples discussed earlier. Sometimes it can be inferred from the circumstances, as when a consumer registers online to gain access to a web site. Sometimes is it invisible, as when a web site or online advertising company uses cookies to track online consumer behavior. (i) Fairness in the procedures of the exchange Procedural fairness concerns methods of exchanging information and is closely related to a rights analysis. Both sides to the transaction should have an equal opportunity to discover the material facts. This principle is also supported by the moral right of free consent mentioned earlier. When personal information is being provided as part of the transaction, procedural fairness requires that the consumer have an opportunity to discover the purposes to which the information will be put. Without the opportunity to discover these purposes, the consumer is unlikely to realize that the personal information is part of the value which he or she is providing. Although a sophisticated consumer could ask the business about its proposed uses of the consumer’s personal information at the time the transaction is proposed, the average individual probably would not think to ask. So in most instances, the opportunity to discover those uses would need to
94
be provided through a disclosure by the business. In the US, some businesses have voluntarily adopted privacy policies purporting to make such disclosures and others are being required by law to do so.1 The notices, however, tend to be difficult for consumers to read and understand.2 In the EU, procedural fairness is protected by law. Any business wanting to depart from the permitted uses set forth in data protection legislation must provide notice of the proposed uses in the process of obtaining the consumer’s consent.3 If the notice is deficient, the consent would be invalid and the business would be in violation of the law. So procedural fairness is much more likely to exist in the EU than in the US. (ii) Fairness in the values exchanged Substantive fairness, while important in a moral sense, is often not protected by law, absent some major impediment in the formation of an agreement like fraud or duress. In a few extraordinary situations, consumers can also be protected from overreaching business behavior resulting from unequal bargaining power, known in the US as unconscionability. When each transaction is viewed in isolation, substantive fairness is difficult to determine because each person calculates the value of privacy in a way which is difficult to quantify. Free market economists argue that there should be no interference with this process because outsiders should not substitute their judgment for the judgment of the participants. But when there are significant imperfections in the market, for example when buyers as a group lack material information, the moral principle of exchange justice justifies interference to promote fairness. There is evidence that consumers lack material information about how their personal data is used, especially when businesses use the data to construct consumer profiles. In an article published in 2000, Professor Michael Froomkin has attempted to show how a lack of understanding leads most consumers to underestimate the economic value of their personal data to businesses,4 which means that consumers will typically be willing to provide or sell their personal information. According to his analysis, the marginal value to the consumer of data produced by each transaction is low. He assumes that when a business aggregates the data, the value increases to a level that is more than the sum of its parts. He also assumes that the value of each unit of additional data to a profiling business
CLSR 1902.qxd
07/03/2003
12:16
Page 95
Personal privacy – transatlantic perspectives remains linear and does not decline. Consumers, however, are unaware of the aggregated value to a profiling company, and will value a unit of personal data at its marginal value in terms of lost privacy. The business who is selling the data to a profiling company will value that same unit of personal data at approximately its average value in the profile. Because the consumer is not aware of how the merchant is valuing the data, he or she is likely to sell the information at a price the merchant is willing to pay. Except for sensitive data, Froomkin believes that European consumers will make the same sort of calculation when they are asked to consent to the use of their data under European data protection law.5 According to this analysis, even when consumers know that a business is transferring their personal information into a marketing database, many will be willing to provide the information in exchange for the “price” the business is offering to pay because consumers are unaware of the value of aggregated data to a profiling company. Froomkin calls this “privacy myopia.”6 He suggests that this phenomenon needs further study to determine how to measure the value of privacy, and to determine the difficulty of educating consumers on the need to value data at its average rather than marginal value.7 Froomkin’s analysis suggests that economic exchanges of personal information between consumers and businesses are likely to be unjust. Newspaper web sites in the US and UK Some examples of online transactions may be helpful to illustrate the application of exchange justice. The first set of examples examines the exchanges between consumers and two newspaper web sites, one in the US and one in the United Kingdom. The web sites are those of the New York Times and The Times (of London). Both companies are providing an information service which is offered in a traditional print format for a price paid by subscription or at a retail outlet. The online version in both cases is provided to the consumer without the exchange of money. Both the print and online versions contain advertising by third parties. For the purpose of this analysis, news stand sales will be disregarded. First, let’s examine the exchanges between the New York Times and a consumer who wants access to its online news stories. The online version is available without the payment of money, but only if the reader registers with the web site.
The registration requires the user to provide a user ID, password, email address, zip code, country, age and gender.8 A different set of information is required for a print subscription: name, address, home and business phone. In both instances, the company has the reader’s zip code and country. It has the email address, age, gender, user ID and password of online readers while it has the name and phone number(s) of print subscribers. Assuming that an email address and phone number are of roughly equivalent value, that the user ID and password are necessary controls for online access, and that the subscriber’s name should not be considered as being of separate value because it is a necessary part of the address for print subscribers, it seems that the net difference in the two sets of data is that the company obtains age and gender information only for online readers. Does this mean that the age and gender of each online subscriber is potentially worth hundreds of dollars a year to the New York Times as reflected in the different subscription prices it charges print9 and online subscribers? That is a difficult conclusion to justify because there are other possible explanations for the price differential. First, online subscribers may consist of people who would never buy a print subscription and thus would be considered to be a source of additional advertising revenue without significantly reducing subscription revenue or newsstand sales. Second, the marginal cost to the New York Times to produce the online version may be very small, so it is willing to provide the service without any cash payment. Third, the online version of the paper may attract advertisers who would never have considered advertising in the print version. So, based upon this relatively superficial analysis, it is difficult to use the difference in the prices of the online and print versions of the New York Times to determine the value of the personal information, namely age and gender, which only the online subscribers provide. What is the value to the New York Times of the personal information provided by subscribers? For its print subscriptions, the company can tell advertisers how many subscribers it has within each postal zip code. For online users, it has the same data plus information about age and gender. According to its privacy policy, the New York Times uses cookies to track site usage. Banner ads placed by third parties on New York Times web pages may contain third party cookies as well. With
95
CLSR 1902.qxd
07/03/2003
12:16
Page 96
Personal privacy – transatlantic perspectives respect to cookies placed by the New York Times, the privacy policy states that information about “individual usage” is never given out to others, but that the company does provide “aggregate information” to third parties who advertise on the web site.10 An example of “aggregate information” is given: “1000 subscribers saw your advertisement today, and 500 of them clicked on it.”11 While this example does not include personally identifiable information, the identity of a user might be revealed if zip code, age and gender were included and if few users clicked on the ad. If the New York Times told an advertiser, “1,000 subscribers saw your advertisement today and a 75 year old man living in zip code 04019 clicked on it,” it would be fairly easy to discover which resident of zip code 04019 (which consists of the tiny community of Cliff Island, Maine) clicked on the ad. While this admittedly is an unusual set of facts, the example demonstrates that “aggregate information” does not always guarantee anonymity. Nevertheless, the ability to track user behavior on the web site, and the type of information which the New York Times provides to advertisers, helps explain why the company charges such different prices for the online and print versions of the newspaper. Third party advertisers, including online advertising networks, also have the ability to track users by means of third party cookies. The data which the newspaper and third parties are able to gather, combined with the volume of online users viewing their ads, raises the potential that some advertisers will pay more to advertise online rather than in print. Based on this analysis, can we say there is a fair exchange between the New York Times and the users of its online web site? There is no clear answer. Users are getting a valuable service in exchange for some personal information, some monitoring activity and exposure to banner ads. Arguably, users are receiving access to information that is worth hundreds of dollars annually. But it is also arguable that many users are not aware of the tracking that is taking place, either because they have not read or understood the company’s posted policies, or because they are unaware of the monitoring that takes place on the world wide web. The privacy which online readers surrender is worth something, but it is difficult to quantify, much less compare, to the price of a print subscription. Let’s now turn to the other newspaper, The Times (of London). Its web site requires no registration of the user for access. Both the terms
96
and conditions of use of the web site and the posted privacy policy state that the company abides by UK data protection legislation. The privacy policy states that personal information of users may be used “in aggregate (and therefore anonymously) for market research purposes, to track activity on our web sites, to publish trends or to improve usefulness and content.”12 The privacy policy describes how cookies are used in connection with the company’s web site to compile “anonymous statistics” relating to browsing, how the online user is not individually identified and that data collected is only used “in aggregate.” Notice that there is an explicit representation that data collected online will be anonymous. The privacy policy then provides detailed instructions on how to modify two popular web browsers, Internet Explorer 5.0 and Netscape Communicator 4.7, to reject cookies. The instructions provide additional evidence that The Times (of London) does not intend to track behavior of individual users. How does the exchange between The Times (of London) and users of its online web site compare with the exchange between The New York Times and its users? Assuming that the value of the content provided is roughly the same, it appears that users of the English newspaper’s web site are “paying” less than users of the American newspaper’s online service because no registration is required for the former. Moreover, the users of the English web site have the protection of British data protection legislation and have been given access to instructions on how to set the browsers on many of their computers to reject cookies. Thus, it is likely that users of the web site of The Times (of London) are surrendering less personal information than users of the web site operated by the New York Times. Retail web sites in the US and UK The two web sites which will be examined are the US web site of Amazon.com which sells books, recorded music and other consumer goods, and the UK web site WildDay.com which sells camping gear and other outdoor recreational equipment. Both web sites collect from customers the usual personal information necessary to deliver goods (name and address) and payment information, which in many instances includes a credit or debit card number. Both web sites have privacy policies. The privacy notice for Amazon.com states that it uses cookies to track customers and that it
CLSR 1902.qxd
07/03/2003
12:16
Page 97
Personal privacy – transatlantic perspectives “might” receive personal information about each customer which can be added to its account information.13 There is language discouraging consumers from using utilities designed to visit the web site anonymously because they will prevent Amazon from providing the customer with a “personalized experience.” The company thus implies that it will provide a lower level of service to consumers who use privacy enhancing technology. Amazon reveals that it shares customer information with affiliated companies which it does not control, for example drugstore.com, and that consumers are aware when these other businesses are involved with a transaction. Amazon also shares personal information with agents who perform functions on its behalf including shipping, sending postal and electronic mail, removing repetitive information from customer lists, analyzing data, providing marketing assistance, processing credit card payments and providing customer service. The agents, however, may use the information only “to perform their functions” but may not use it for other purposes.14 It is unclear what the functions of some of the agents include. Do the agents who analyze data and provide marketing assistance act solely to provide services to Amazon, or do they use the personal data for their own purposes and transfer it to others? Some of the more controversial provisions of Amazon’s privacy statement are that it may sell customer personal information as part of a sale of assets, and a statement that in the event the privacy notice changes in the future, the use of information which the company gathers now will be governed by the privacy notice in effect at the time the personal information is used. A consumer doing business with Amazon therefore has relatively little assurance that his or her personal information will not be transferred. A customer who buys a book from Amazon provides payment in the form of money and payment in the form of personal information which Amazon is able to sell either as part of a sale of assets or under conditions set forth in a different privacy policy which it adopts in the future. The fairness of this exchange depends upon several factors. First, are Amazon’s prices for its products so low that the customer who is fully aware of the company’s privacy policy is getting fair value for his or her personal information? Second, are consumers aware of what the privacy
policy actually means so that they are making a fully informed trade? The answer to the first question involves a complicated analysis not only comparing Amazon’s prices with other retailers, but putting a valuation on each consumer’s privacy. The second question would be easier to answer and would require a survey of a sample of Amazon customers. But it would be surprising if such a survey revealed that consumers read and understand Amazon’s policy when that does not appear to be happening in connection with privacy policies of US financial services companies.15 Let’s now consider the UK website, WildDay.com.16 Like The Times (of London), WildDay’s web site states that the company complies with British data protection legislation. The web site also has a short privacy statement which states that cookies are used only when the customer places an order, and then only to track the order through its completion. The company does not share personal information with others, except when necessary to make sure that the goods are delivered. WildDay does contact its customers with information about its own products and about offers from third parties. Thus, when a customer purchases a product from WildDay, the customer knows that his or her personal information is protected by British data protection legislation, that it will not be transferred to other companies for marketing purposes, but that the consumer may be receiving offers from WildDay for products provided by WildDay and others. Notice that WildDay participates in the sharing of product information rather than personal information, a practice that was considered in the hypothetical example involving a boat dealer and marine supply store noted earlier. Because of the limitations in the uses to which the personal information can be put, the fairness of the exchange between WildDay and a consumer seems to be limited to the fairness of the price paid for the goods received. Personal information is not a source of value in the transaction. When compared to the exchange between Amazon and its customers, WildDay’s transaction is superior for consumers because they know the true price which is being paid. The Amazon exchange is clouded by uncertainty over what Amazon will do with the personal data it obtains. With Amazon there is a possibility that personal information will be sold to another company, the chances of which are difficult for the consumer to assess. Moreover, Amazon’s policy on use of cookies to track and
97
CLSR 1902.qxd
07/03/2003
12:16
Page 98
Personal privacy – transatlantic perspectives profile consumers is virtually unlimited, while WildDay tracks only for the purpose of filling an order. Put more simply, the exchange between WildDay and a customer is fairer because the consumer knows what is being traded. A transparent transaction is more likely to be a fair exchange than one where a party does not know what the other side is doing.
(c) Egalitarian justice
Should society be divided this way so that some people have the capacity to obtain privacy protection and others do not?
98
An egalitarian view of justice provides that people should be treated equally unless they differ in relevant ways. A corollary of this can be derived from the analysis known as disparate impact under US antidiscrimination law: a neutral practice which produces unequal results is justified only if the neutral practice is necessary to achieve a legitimate purpose. The legitimate purpose of a privacy policy is to inform customers of the company’s collection and use of personal information. A policy which is unclear to a significant percentage of customers does not advance the stated purpose of providing information. Because the policy divides consumers into groups of those who do and do not understand, the policy produces disparate impact and is unjust. This analysis reinforces the common sense notion that privacy policies should be understandable to most consumers. There is a separate problem with variations between privacy policies for different web sites. Egalitarian justice suggests that privacy policies should have similarities unless there are relevant differences between web sites. Because of British data protection legislation, it should not be surprising that the two UK web sites have some common elements, while the two US sites are very different. Another source of inequality is the different capacity which consumers have to understand the language used in a company’s privacy policy. This is demonstrated by a study which concluded that many of the written privacy notices provided by US financial services businesses to comply with the Gramm-Leach-Bliley Act are written in complicated language that few US consumers can understand.17 Most consumers are also likely to have difficulty understanding the technology used online for data collection. Both of these factors divide consumers according to their linguistic and technological skills. Moreover, when a business combines a poorly written privacy policy with a zero privacy default standard, the consumer is not
likely to opt out.18 Should such skills be “relevant differences” with respect to privacy? Should society be divided this way so that some people have the capacity to obtain privacy protection and others do not? Is it fair if people with advanced degrees and computer expertise are much more likely to have the ability to obtain information privacy than the vast majority of people who lack these skills? The answers to all these questions on both sides of the Atlantic should be a clear “no.” One way of reducing this problem is to adopt legislation requiring the use of standardized terminology similar to the Truth in Lending Act in the US.19 Although the Truth in Lending Act applies to standardized terminology for quantitative information with respect to consumer loans, the same principles of standardization could be applied to terms relating to personal data and privacy. This approach has also been used to a limited extent in the Magnuson Moss Warranty Act in the US with respect to the use of terminology in warranties for consumer goods 20 and in regulations adopted by the US Food and Drug Administration with respect to terms which manufacturers can use to describe low calorie food.21 The same standards could be adopted through self-regulation rather than legislation. Standardized terminology could be adopted through self-regulatory organizations like TRUSTe and BBBOnline’s privacy program. However, there could be a problem if businesses who are not members of these organizations use the same terminology but with a different meaning. This could create confusion among consumers and lead to a serious free rider problem with businesses outside the self regulatory framework getting the benefit of the standardized terminology without being bound by its meaning. Accordingly, the use of standardized terminology is likely to be beneficial only if its use is required by law. There may be a similar problem of unequal treatment with respect to privacy enhancing technologies. Computer experts disagree on the effectiveness of some of these technologies, including the Platform for Privacy Preferences, also known as P3P. Some suggest that it is unrealistic to rely on privacy enhancing technologies adopted at the user level. One expert has recommended the use of a privacy intermediary, or “infomediary,” to interpose privacy enhancing technology at the service provider level. This would have the advantage of freeing users from making individual judgments about the effectiveness of technology
CLSR 1902.qxd
07/03/2003
12:16
Page 99
Personal privacy – transatlantic perspectives that few of them are able to understand.22 If the services of infomediaries were widely available at modest prices, computer users would possibly have fair, if not equal, access to privacy enhancing technologies.
5. Conclusion When Europeans state that privacy is a fundamental human right, the effect among Americans is to frame questions of consumer information privacy in terms of privacy interests of individuals competing against organizational or societal interests. When privacy is characterized as a right of control of one’s personal information or as a right of non-intrusion, the American response is to allow many organizations to dominate the privacy adjustment process by setting the default at zero privacy. This means that each individual consumer has the burden of learning about the default setting and following the procedures set by the organization to elect a higher level of privacy. It is up to the individual to assert these rights. In Europe, the rights approach to privacy is much different. Privacy rights are protected by government which has set a high level of privacy protection as a default. The burden on changing the default is placed on the business, which must convince the consumer to consent to a lower level of privacy protection. Thus, the characterization of privacy as a right leads to very different approaches to privacy in the US and Europe. A characterization of privacy as an issue of justice, however, is more likely to support a higher level of privacy because justice focuses more on societal issues and is concerned with overall fairness. This is true under the three principles of justice applied in this paper. First, under the principle of distributive justice there is recognition of the harm that the secret sharing of personal information about consumers can have on economic activity. An analysis based on distributive justice also reveals that the sharing of product information can have the same societal benefits as the sharing of personal information, without the latter’s drawbacks. Second, under exchange justice it is clear that the superior transparency under the European data protection regime promotes fairness, even though it is very difficult to calculate the fairness of the exchanges in individual consumer transactions involving personal information. The European system gives its citizens a better understanding of what is, or is not, being done with their personal information.
Finally, under the principle of egalitarian justice, it is apparent that the current US system results in unequal access to privacy because poorly written privacy policies are difficult for most consumers to understand, and because online data collection practices are understood by only a small number of technophiles. The European system, however, reduces these inequalities through high privacy standards set forth in data protection law. Even though Europeans emphasize privacy as a fundamental human right, the European system of data protection contains many applications of moral principles of justice. By placing greater emphasis on justice in the transatlantic privacy dialogue, Europeans have the ability to connect their system of information privacy to moral principles that resonate with large numbers of Americans. Moral principles of justice appeal to an American sense of fairness and provide a foundation for American legislation regarding consumer protection, environmental protection and protection against discrimination based on race, gender and disabilities. If these principles were a greater part of the dialogue, Americans might realize that European methods for protecting privacy are consistent with the values underlying much of the American reform legislation of the past several decades.
the characterization of privacy as a right leads to very different approaches to
Carter Manny, Associate Professor of Business Law, University of Southern Maine, P.O. Box 9300, Portland, Maine, 04104-9300, USA; email: [email protected]; telephone: +1-207-7804129; fax: +1-207-780-4662. A version of this paper was presented at the annual meeting of the Academy of Legal Studies in Business in Albuquerque, New Mexico, USA, on 11 August 2001.
privacy in the US and Europe
FOOTNOTES 1 See Gramm-Leach-Bliley Act, § 503, 15 USC.A. § 6803 (West Supp. 2000). 2 See, e.g., Mark Hochhauser, Lost in the Fine Print: Readability of Financial Privacy Notices, at http://www.privacyrights.org/ar/GLB-Reading.htm (last visited Apr. 16, 2001). [Hereinafter Hockhauser, Lost in Fine Print]. Dr. Hochhauser concludes that consumers will have a hard time reading and understanding the 17 notices he reviewed. They were “poorly written with too many long sentences and too many uncommon words.” He stated that they averaged a third/fourth year college reading level. 3 Data Protection Directive, supra note 3, art. 7. 4 A. Michael Froomkin, The Death of Privacy?, 52 STAN. L. REV. 1461, 1503 (2000). 5 Id. at 1504 6 Id. at 1502
99
CLSR 1902.qxd
07/03/2003
12:16
Page 100
Personal privacy – transatlantic perspectives 7 Id. at 1505. 8 New York Times, Privacy Information, at http://www.nytimes.com/info/help/privacy.html (last visited June 6, 2001) [hereinafter New York Times Privacy Information]. 9 The price of a subscription to the New York Times for home delivery 7 days a week in Portland, Maine, is $9.60 per week or $492.20 per year. A 50% discount for the first 8 weeks is offered to new subscribers. New York Times, Subscription & Customer Care Services, at https://secure-homedelivery.nytimes.com/cgibin/gx.cgi/AppLogic+FTCont.../HomeDeliveryT1 (last visited June 15, 2001). 10 New York Times, Frequently Asked Questions About Cookies, at http://www.nytimes.com/info/help/cookies. html (last visited June 15, 2001). This page contains abbreviated instructions on how to find cookies on an Apple Macintosh computer and on computers using Windows and either Netscape or Internet Explorer browsers. It also states that cookies can be deleted. 11 Id. 12 New York Times Privacy Information, supra note 49. 13 Amazon.com, Amazon.com Privacy Notice, at http:// www.amazon.com/exed/obidos/tg/browse/-/468496/0028283718-6167252 (last visited June 5, 2001). 14 Id. 15 For example a survey by the American Bankers Association found that only 36% of bank customers had read the privacy notices which were sent to comply with the Gramm-Leach-Bliley Act. It was estimated that less than 1% of customers had notified their financial institutions that they were opting-out and directing that their personal information not be shared with other businesses. See, e.g., Americans Trashing Privacy Notices, PORTLAND PRESS HERALD, June, 30, 2001 at 4A. 16 WildDay.com, About WildDay, at http://www.wildday.co. uk/acatalog/AboutWildDay.html (last visited June 15, 2001). 17 See, e.g., Hockhauser, Lost in Fine Print, supra note 42. 18 See, e.g., Bellman, et al., supra note 27 and accompanying text; see also British DMers, supra note 28 and accompanying text. 19 See 15 USC. §§ 1604-1606 (1994). 20 See 15 USC. §§ 2303-2304 (1994). 21 See 21 C.F.R. § 101.56 (2000). 22 Interview with computer technology expert Jean-Marc Dinant of the Centre de Recherches Informatique et Droit, Facultés Universitaires Notre Dame de la Pais, Namur, Belgium, Oct. 11, 2000. See Jean-Marc Dinant, Law and Technology Convergence in the Data Protection Field?, at http://www.droit.fundp.ac.be/ Textes/privacy_law_tech_convergence.rtf (1999).
100
07/03/2003
12:16
Page 92
Personal privacy – transatlantic perspectives European and American privacy: commerce, rights and justice – part II Carter H. Manny, University of Southern Maine USA
In a commercial context, there are strong moral arguments in favor of personal privacy using either a rights-based analysis or a justice-based analysis. The gap between European and American thinking about legal protection for personal privacy is partially explained by the emphasis that Europeans place on a rights-based approach, and the different way in which that approach is interpreted in the United States. This article suggests that the philosophical gap could be narrowed by placing greater emphasis on moral principles of justice in the European - US privacy dialogue. Part I of this article appeared in the last issue.
4. Privacy under a justice-based analysis Moral principles of justice are not often mentioned in connection with privacy. Justice focuses on fairness and tends to be associated with group and societal interests as opposed to the emphasis on individual interests under a rights analysis. Of course, when human interests are at stake, rights-based and justice-based arguments can become intertwined. With respect to privacy, justice principles can help answer the question of what is a fair system of collection and distribution of personal data connected with commercial activities. Three principles will be considered: distributive justice, exchange justice and egalitarian justice. These principles have been the foundation of some of the major reform legislation enacted in the US during the twentieth century. First, legislation promoting product safety is partially based on principles of distributive justice, i.e. the fair distribution of the benefits and burdens of producing and using consumer products. The principle of distributive justice also played a part in environmental legislation. This has been especially true when the legislation is not motivated by a desire to promote human health but to protect animal and plant species, and to
92
preserve wilderness areas. The benefits and burdens of economic development and conservation are distributed not only among different groups of people but between humanity and wildlife. Second, the principle of exchange justice, i.e. that fair value be transferred by both parties to a transaction, provides the foundation for laws prohibiting unfair trade practices. Finally, the principle of egalitarian justice is the basis for legislation prohibiting discrimination based on race, gender and disabilities.
(a) Distributive justice What is a fair system for collecting and using personal information? The earlier example of a distance sale of a consumer good can be subjected to a distributive justice analysis. We already saw that the merchant must collect personal data and forward the consumer’s name and address to the carrier who will be delivering the goods. Is it fair for the merchant to retain the information? In a small business, particularly one run by people with good memories, only a lobotomy could guarantee the effective deletion of the consumer’s personal information, at least for the first few weeks after the sale takes place. In a larger business with a high volume of orders, personal information would quickly be forgotten unless stored on paper or in electronic records. Certainly it is fair to allow storage at least until the goods arrive at the consumer’s residence and there has been a reasonable opportunity for the consumer to discover any defects. Retention of records of the transaction would benefit both consumer and seller because the records would be needed to deal with possible rejection of the goods or an allegation that the merchant has breached the contract by delivering nonconforming goods. Retention of records for a longer period could be justified on the basis that the merchant may need to contact the consumer in the future if the merchant learns of defects in the product. But under this scenario, the only relevant information
Computer Law & Security Report Vol. 19 no. 2 2003 ISSN 0267 3649/03 © 2003 Elsevier Science Ltd. All rights reserved
CLSR 1902.qxd
07/03/2003
12:16
Page 93
Personal privacy – transatlantic perspectives would be the type of product purchased and information sufficient to contact the consumer. Retention of this information would benefit not only the merchant and the consumer but society as well, because it would tend to reduce risks of harm and avoid many of the burdens imposed on others whenever a person is physically injured. Assuming that it is fair to allow the merchant to retain information about individual customers, is it fair to allow the merchant to use that information to market its own products to the customer? This is a difficult question and could be answered in a variety of logical ways depending upon whether the focus is limited to this merchant and this consumer, or is an analysis of all merchants and all customers. At the merchant/consumer level, fairness depends on the circumstances. Is the product a once-in-a-lifetime purchase or something that will be fully consumed and need replacement soon? What method of communication will the merchant use to contact the consumer? At the societal level, are there any benefits if merchants have the ability to contact their prior customers with information about new products and services? Again, this depends upon nature of the product or service. Is society harmed if the merchant has this information about its prior customers? There could be some harm associated with the method of communication chosen by the merchant. Telephone calls can be highly disruptive to home life and can occupy a phone line needed for more important communication. Fax transmissions use the consumer’s paper and may also interfere with communication over the fax machine’s phone line. Email messages can take time to read and delete. In Europe there is an additional burden arising out of fees that many telephone companies impose on local calls, so the time a computer user who is connected to the Internet through a dial-up modem spends reading and deleting an unsolicited email message increases his or her telephone bill. Conventional postal mail avoids interfering with the consumer’s communication equipment but can add to the societal problem of disposal of solid waste. Although what is a fair balancing of these competing interests is highly dependent upon the facts involved, an analysis under distributive justice tends to consider these competing interests on a societal rather than individual basis. Is it fair for the merchant to transfer personal information about consumers to other merchants? Do such transfers provide benefits to society? The
answers to these questions are also dependent upon the facts. An application of distributive justice to the following example seems, at first, to justify such transfers. Some goods require accessories. Communication of personal information about a buyer to a seller of those accessories may not only promote efficiency but provide other benefits, particularly if the accessory is in society’s interest. For example, a boat dealer might sell information about recent boat buyers to a marine supply store that sells life jackets. The subsequent direct marketing efforts of the marine supply store might result in novice boat owners learning more quickly that life jackets are legally required safety equipment on boats in the US This might result in a higher percentage of life jacket usage by boaters. Of course, the same societal benefit could be produced by a different sort of collaboration between the two merchants without any transfer of the consumer’s personal information. The boat dealer could distribute product information literature about the marine supply store’s life jackets as part of the sale of the boat. This example illustrates that the desired societal benefit, increased ownership and use of life jackets by novice boaters, is independent of the sharing of personal information. Instead, it appears that the societal benefit, increased ownership and use of life jackets, is dependent upon distribution of product information about life jackets. Thus, a distributive justice analysis can point out weaknesses in arguments favoring the free flow of personal information. Moreover, it seems that rather than sharing personal data about consumers, merchants could in many instances achieve the same result by sharing information about their products and providing this information to consumers at the time of sale.
Does sharing between businesses of personal information about consumers harm society?
Does sharing between businesses of personal information about consumers harm society? If consumers have not been informed in advance of this practice, but later discover it is taking place, that realization may reduce their level of trust in the businesses involved in the sharing. This could lead to lower overall sales and be harmful to the economy. But if this occurs, won’t the market discourage this practice by punishing businesses who share consumer information? If a consumer could detect exactly which merchants were engaged in transferring the consumer’s personal information, market forces might well reduce or eliminate information sharing, but because the sharing is done in secret, the consumer does not
93
CLSR 1902.qxd
07/03/2003
12:16
Page 94
Personal privacy – transatlantic perspectives
a lack of
know exactly who is sharing what. Hence, consumers who object to information sharing are not likely to be able to punish the merchants who pass along their personal information. Moreover, the problem of detection increases the likelihood that information sharers will be able to ride free to some extent on the enhanced reputations of the businesses who do not share personal information without consumer consent.
understanding leads most consumers to underestimate the economic value of their personal data to businesses
(b) Exchange justice Exchange justice examines the fairness of a transaction. It is a principle underlying US consumer and investor protection laws administered by the Federal Trade Commission, the Securities and Exchange Commission and state governments. Exchange justice can be analyzed in two respects: procedural fairness and substantive fairness. Procedural fairness concerns methods of transferring information about the transaction. Substantive fairness examines the relative values of the things being traded. When a consumer transfers his or her personal information to a business, there is a type of exchange. Sometimes this is done consciously, as in the distance contract examples discussed earlier. Sometimes it can be inferred from the circumstances, as when a consumer registers online to gain access to a web site. Sometimes is it invisible, as when a web site or online advertising company uses cookies to track online consumer behavior. (i) Fairness in the procedures of the exchange Procedural fairness concerns methods of exchanging information and is closely related to a rights analysis. Both sides to the transaction should have an equal opportunity to discover the material facts. This principle is also supported by the moral right of free consent mentioned earlier. When personal information is being provided as part of the transaction, procedural fairness requires that the consumer have an opportunity to discover the purposes to which the information will be put. Without the opportunity to discover these purposes, the consumer is unlikely to realize that the personal information is part of the value which he or she is providing. Although a sophisticated consumer could ask the business about its proposed uses of the consumer’s personal information at the time the transaction is proposed, the average individual probably would not think to ask. So in most instances, the opportunity to discover those uses would need to
94
be provided through a disclosure by the business. In the US, some businesses have voluntarily adopted privacy policies purporting to make such disclosures and others are being required by law to do so.1 The notices, however, tend to be difficult for consumers to read and understand.2 In the EU, procedural fairness is protected by law. Any business wanting to depart from the permitted uses set forth in data protection legislation must provide notice of the proposed uses in the process of obtaining the consumer’s consent.3 If the notice is deficient, the consent would be invalid and the business would be in violation of the law. So procedural fairness is much more likely to exist in the EU than in the US. (ii) Fairness in the values exchanged Substantive fairness, while important in a moral sense, is often not protected by law, absent some major impediment in the formation of an agreement like fraud or duress. In a few extraordinary situations, consumers can also be protected from overreaching business behavior resulting from unequal bargaining power, known in the US as unconscionability. When each transaction is viewed in isolation, substantive fairness is difficult to determine because each person calculates the value of privacy in a way which is difficult to quantify. Free market economists argue that there should be no interference with this process because outsiders should not substitute their judgment for the judgment of the participants. But when there are significant imperfections in the market, for example when buyers as a group lack material information, the moral principle of exchange justice justifies interference to promote fairness. There is evidence that consumers lack material information about how their personal data is used, especially when businesses use the data to construct consumer profiles. In an article published in 2000, Professor Michael Froomkin has attempted to show how a lack of understanding leads most consumers to underestimate the economic value of their personal data to businesses,4 which means that consumers will typically be willing to provide or sell their personal information. According to his analysis, the marginal value to the consumer of data produced by each transaction is low. He assumes that when a business aggregates the data, the value increases to a level that is more than the sum of its parts. He also assumes that the value of each unit of additional data to a profiling business
CLSR 1902.qxd
07/03/2003
12:16
Page 95
Personal privacy – transatlantic perspectives remains linear and does not decline. Consumers, however, are unaware of the aggregated value to a profiling company, and will value a unit of personal data at its marginal value in terms of lost privacy. The business who is selling the data to a profiling company will value that same unit of personal data at approximately its average value in the profile. Because the consumer is not aware of how the merchant is valuing the data, he or she is likely to sell the information at a price the merchant is willing to pay. Except for sensitive data, Froomkin believes that European consumers will make the same sort of calculation when they are asked to consent to the use of their data under European data protection law.5 According to this analysis, even when consumers know that a business is transferring their personal information into a marketing database, many will be willing to provide the information in exchange for the “price” the business is offering to pay because consumers are unaware of the value of aggregated data to a profiling company. Froomkin calls this “privacy myopia.”6 He suggests that this phenomenon needs further study to determine how to measure the value of privacy, and to determine the difficulty of educating consumers on the need to value data at its average rather than marginal value.7 Froomkin’s analysis suggests that economic exchanges of personal information between consumers and businesses are likely to be unjust. Newspaper web sites in the US and UK Some examples of online transactions may be helpful to illustrate the application of exchange justice. The first set of examples examines the exchanges between consumers and two newspaper web sites, one in the US and one in the United Kingdom. The web sites are those of the New York Times and The Times (of London). Both companies are providing an information service which is offered in a traditional print format for a price paid by subscription or at a retail outlet. The online version in both cases is provided to the consumer without the exchange of money. Both the print and online versions contain advertising by third parties. For the purpose of this analysis, news stand sales will be disregarded. First, let’s examine the exchanges between the New York Times and a consumer who wants access to its online news stories. The online version is available without the payment of money, but only if the reader registers with the web site.
The registration requires the user to provide a user ID, password, email address, zip code, country, age and gender.8 A different set of information is required for a print subscription: name, address, home and business phone. In both instances, the company has the reader’s zip code and country. It has the email address, age, gender, user ID and password of online readers while it has the name and phone number(s) of print subscribers. Assuming that an email address and phone number are of roughly equivalent value, that the user ID and password are necessary controls for online access, and that the subscriber’s name should not be considered as being of separate value because it is a necessary part of the address for print subscribers, it seems that the net difference in the two sets of data is that the company obtains age and gender information only for online readers. Does this mean that the age and gender of each online subscriber is potentially worth hundreds of dollars a year to the New York Times as reflected in the different subscription prices it charges print9 and online subscribers? That is a difficult conclusion to justify because there are other possible explanations for the price differential. First, online subscribers may consist of people who would never buy a print subscription and thus would be considered to be a source of additional advertising revenue without significantly reducing subscription revenue or newsstand sales. Second, the marginal cost to the New York Times to produce the online version may be very small, so it is willing to provide the service without any cash payment. Third, the online version of the paper may attract advertisers who would never have considered advertising in the print version. So, based upon this relatively superficial analysis, it is difficult to use the difference in the prices of the online and print versions of the New York Times to determine the value of the personal information, namely age and gender, which only the online subscribers provide. What is the value to the New York Times of the personal information provided by subscribers? For its print subscriptions, the company can tell advertisers how many subscribers it has within each postal zip code. For online users, it has the same data plus information about age and gender. According to its privacy policy, the New York Times uses cookies to track site usage. Banner ads placed by third parties on New York Times web pages may contain third party cookies as well. With
95
CLSR 1902.qxd
07/03/2003
12:16
Page 96
Personal privacy – transatlantic perspectives respect to cookies placed by the New York Times, the privacy policy states that information about “individual usage” is never given out to others, but that the company does provide “aggregate information” to third parties who advertise on the web site.10 An example of “aggregate information” is given: “1000 subscribers saw your advertisement today, and 500 of them clicked on it.”11 While this example does not include personally identifiable information, the identity of a user might be revealed if zip code, age and gender were included and if few users clicked on the ad. If the New York Times told an advertiser, “1,000 subscribers saw your advertisement today and a 75 year old man living in zip code 04019 clicked on it,” it would be fairly easy to discover which resident of zip code 04019 (which consists of the tiny community of Cliff Island, Maine) clicked on the ad. While this admittedly is an unusual set of facts, the example demonstrates that “aggregate information” does not always guarantee anonymity. Nevertheless, the ability to track user behavior on the web site, and the type of information which the New York Times provides to advertisers, helps explain why the company charges such different prices for the online and print versions of the newspaper. Third party advertisers, including online advertising networks, also have the ability to track users by means of third party cookies. The data which the newspaper and third parties are able to gather, combined with the volume of online users viewing their ads, raises the potential that some advertisers will pay more to advertise online rather than in print. Based on this analysis, can we say there is a fair exchange between the New York Times and the users of its online web site? There is no clear answer. Users are getting a valuable service in exchange for some personal information, some monitoring activity and exposure to banner ads. Arguably, users are receiving access to information that is worth hundreds of dollars annually. But it is also arguable that many users are not aware of the tracking that is taking place, either because they have not read or understood the company’s posted policies, or because they are unaware of the monitoring that takes place on the world wide web. The privacy which online readers surrender is worth something, but it is difficult to quantify, much less compare, to the price of a print subscription. Let’s now turn to the other newspaper, The Times (of London). Its web site requires no registration of the user for access. Both the terms
96
and conditions of use of the web site and the posted privacy policy state that the company abides by UK data protection legislation. The privacy policy states that personal information of users may be used “in aggregate (and therefore anonymously) for market research purposes, to track activity on our web sites, to publish trends or to improve usefulness and content.”12 The privacy policy describes how cookies are used in connection with the company’s web site to compile “anonymous statistics” relating to browsing, how the online user is not individually identified and that data collected is only used “in aggregate.” Notice that there is an explicit representation that data collected online will be anonymous. The privacy policy then provides detailed instructions on how to modify two popular web browsers, Internet Explorer 5.0 and Netscape Communicator 4.7, to reject cookies. The instructions provide additional evidence that The Times (of London) does not intend to track behavior of individual users. How does the exchange between The Times (of London) and users of its online web site compare with the exchange between The New York Times and its users? Assuming that the value of the content provided is roughly the same, it appears that users of the English newspaper’s web site are “paying” less than users of the American newspaper’s online service because no registration is required for the former. Moreover, the users of the English web site have the protection of British data protection legislation and have been given access to instructions on how to set the browsers on many of their computers to reject cookies. Thus, it is likely that users of the web site of The Times (of London) are surrendering less personal information than users of the web site operated by the New York Times. Retail web sites in the US and UK The two web sites which will be examined are the US web site of Amazon.com which sells books, recorded music and other consumer goods, and the UK web site WildDay.com which sells camping gear and other outdoor recreational equipment. Both web sites collect from customers the usual personal information necessary to deliver goods (name and address) and payment information, which in many instances includes a credit or debit card number. Both web sites have privacy policies. The privacy notice for Amazon.com states that it uses cookies to track customers and that it
CLSR 1902.qxd
07/03/2003
12:16
Page 97
Personal privacy – transatlantic perspectives “might” receive personal information about each customer which can be added to its account information.13 There is language discouraging consumers from using utilities designed to visit the web site anonymously because they will prevent Amazon from providing the customer with a “personalized experience.” The company thus implies that it will provide a lower level of service to consumers who use privacy enhancing technology. Amazon reveals that it shares customer information with affiliated companies which it does not control, for example drugstore.com, and that consumers are aware when these other businesses are involved with a transaction. Amazon also shares personal information with agents who perform functions on its behalf including shipping, sending postal and electronic mail, removing repetitive information from customer lists, analyzing data, providing marketing assistance, processing credit card payments and providing customer service. The agents, however, may use the information only “to perform their functions” but may not use it for other purposes.14 It is unclear what the functions of some of the agents include. Do the agents who analyze data and provide marketing assistance act solely to provide services to Amazon, or do they use the personal data for their own purposes and transfer it to others? Some of the more controversial provisions of Amazon’s privacy statement are that it may sell customer personal information as part of a sale of assets, and a statement that in the event the privacy notice changes in the future, the use of information which the company gathers now will be governed by the privacy notice in effect at the time the personal information is used. A consumer doing business with Amazon therefore has relatively little assurance that his or her personal information will not be transferred. A customer who buys a book from Amazon provides payment in the form of money and payment in the form of personal information which Amazon is able to sell either as part of a sale of assets or under conditions set forth in a different privacy policy which it adopts in the future. The fairness of this exchange depends upon several factors. First, are Amazon’s prices for its products so low that the customer who is fully aware of the company’s privacy policy is getting fair value for his or her personal information? Second, are consumers aware of what the privacy
policy actually means so that they are making a fully informed trade? The answer to the first question involves a complicated analysis not only comparing Amazon’s prices with other retailers, but putting a valuation on each consumer’s privacy. The second question would be easier to answer and would require a survey of a sample of Amazon customers. But it would be surprising if such a survey revealed that consumers read and understand Amazon’s policy when that does not appear to be happening in connection with privacy policies of US financial services companies.15 Let’s now consider the UK website, WildDay.com.16 Like The Times (of London), WildDay’s web site states that the company complies with British data protection legislation. The web site also has a short privacy statement which states that cookies are used only when the customer places an order, and then only to track the order through its completion. The company does not share personal information with others, except when necessary to make sure that the goods are delivered. WildDay does contact its customers with information about its own products and about offers from third parties. Thus, when a customer purchases a product from WildDay, the customer knows that his or her personal information is protected by British data protection legislation, that it will not be transferred to other companies for marketing purposes, but that the consumer may be receiving offers from WildDay for products provided by WildDay and others. Notice that WildDay participates in the sharing of product information rather than personal information, a practice that was considered in the hypothetical example involving a boat dealer and marine supply store noted earlier. Because of the limitations in the uses to which the personal information can be put, the fairness of the exchange between WildDay and a consumer seems to be limited to the fairness of the price paid for the goods received. Personal information is not a source of value in the transaction. When compared to the exchange between Amazon and its customers, WildDay’s transaction is superior for consumers because they know the true price which is being paid. The Amazon exchange is clouded by uncertainty over what Amazon will do with the personal data it obtains. With Amazon there is a possibility that personal information will be sold to another company, the chances of which are difficult for the consumer to assess. Moreover, Amazon’s policy on use of cookies to track and
97
CLSR 1902.qxd
07/03/2003
12:16
Page 98
Personal privacy – transatlantic perspectives profile consumers is virtually unlimited, while WildDay tracks only for the purpose of filling an order. Put more simply, the exchange between WildDay and a customer is fairer because the consumer knows what is being traded. A transparent transaction is more likely to be a fair exchange than one where a party does not know what the other side is doing.
(c) Egalitarian justice
Should society be divided this way so that some people have the capacity to obtain privacy protection and others do not?
98
An egalitarian view of justice provides that people should be treated equally unless they differ in relevant ways. A corollary of this can be derived from the analysis known as disparate impact under US antidiscrimination law: a neutral practice which produces unequal results is justified only if the neutral practice is necessary to achieve a legitimate purpose. The legitimate purpose of a privacy policy is to inform customers of the company’s collection and use of personal information. A policy which is unclear to a significant percentage of customers does not advance the stated purpose of providing information. Because the policy divides consumers into groups of those who do and do not understand, the policy produces disparate impact and is unjust. This analysis reinforces the common sense notion that privacy policies should be understandable to most consumers. There is a separate problem with variations between privacy policies for different web sites. Egalitarian justice suggests that privacy policies should have similarities unless there are relevant differences between web sites. Because of British data protection legislation, it should not be surprising that the two UK web sites have some common elements, while the two US sites are very different. Another source of inequality is the different capacity which consumers have to understand the language used in a company’s privacy policy. This is demonstrated by a study which concluded that many of the written privacy notices provided by US financial services businesses to comply with the Gramm-Leach-Bliley Act are written in complicated language that few US consumers can understand.17 Most consumers are also likely to have difficulty understanding the technology used online for data collection. Both of these factors divide consumers according to their linguistic and technological skills. Moreover, when a business combines a poorly written privacy policy with a zero privacy default standard, the consumer is not
likely to opt out.18 Should such skills be “relevant differences” with respect to privacy? Should society be divided this way so that some people have the capacity to obtain privacy protection and others do not? Is it fair if people with advanced degrees and computer expertise are much more likely to have the ability to obtain information privacy than the vast majority of people who lack these skills? The answers to all these questions on both sides of the Atlantic should be a clear “no.” One way of reducing this problem is to adopt legislation requiring the use of standardized terminology similar to the Truth in Lending Act in the US.19 Although the Truth in Lending Act applies to standardized terminology for quantitative information with respect to consumer loans, the same principles of standardization could be applied to terms relating to personal data and privacy. This approach has also been used to a limited extent in the Magnuson Moss Warranty Act in the US with respect to the use of terminology in warranties for consumer goods 20 and in regulations adopted by the US Food and Drug Administration with respect to terms which manufacturers can use to describe low calorie food.21 The same standards could be adopted through self-regulation rather than legislation. Standardized terminology could be adopted through self-regulatory organizations like TRUSTe and BBBOnline’s privacy program. However, there could be a problem if businesses who are not members of these organizations use the same terminology but with a different meaning. This could create confusion among consumers and lead to a serious free rider problem with businesses outside the self regulatory framework getting the benefit of the standardized terminology without being bound by its meaning. Accordingly, the use of standardized terminology is likely to be beneficial only if its use is required by law. There may be a similar problem of unequal treatment with respect to privacy enhancing technologies. Computer experts disagree on the effectiveness of some of these technologies, including the Platform for Privacy Preferences, also known as P3P. Some suggest that it is unrealistic to rely on privacy enhancing technologies adopted at the user level. One expert has recommended the use of a privacy intermediary, or “infomediary,” to interpose privacy enhancing technology at the service provider level. This would have the advantage of freeing users from making individual judgments about the effectiveness of technology
CLSR 1902.qxd
07/03/2003
12:16
Page 99
Personal privacy – transatlantic perspectives that few of them are able to understand.22 If the services of infomediaries were widely available at modest prices, computer users would possibly have fair, if not equal, access to privacy enhancing technologies.
5. Conclusion When Europeans state that privacy is a fundamental human right, the effect among Americans is to frame questions of consumer information privacy in terms of privacy interests of individuals competing against organizational or societal interests. When privacy is characterized as a right of control of one’s personal information or as a right of non-intrusion, the American response is to allow many organizations to dominate the privacy adjustment process by setting the default at zero privacy. This means that each individual consumer has the burden of learning about the default setting and following the procedures set by the organization to elect a higher level of privacy. It is up to the individual to assert these rights. In Europe, the rights approach to privacy is much different. Privacy rights are protected by government which has set a high level of privacy protection as a default. The burden on changing the default is placed on the business, which must convince the consumer to consent to a lower level of privacy protection. Thus, the characterization of privacy as a right leads to very different approaches to privacy in the US and Europe. A characterization of privacy as an issue of justice, however, is more likely to support a higher level of privacy because justice focuses more on societal issues and is concerned with overall fairness. This is true under the three principles of justice applied in this paper. First, under the principle of distributive justice there is recognition of the harm that the secret sharing of personal information about consumers can have on economic activity. An analysis based on distributive justice also reveals that the sharing of product information can have the same societal benefits as the sharing of personal information, without the latter’s drawbacks. Second, under exchange justice it is clear that the superior transparency under the European data protection regime promotes fairness, even though it is very difficult to calculate the fairness of the exchanges in individual consumer transactions involving personal information. The European system gives its citizens a better understanding of what is, or is not, being done with their personal information.
Finally, under the principle of egalitarian justice, it is apparent that the current US system results in unequal access to privacy because poorly written privacy policies are difficult for most consumers to understand, and because online data collection practices are understood by only a small number of technophiles. The European system, however, reduces these inequalities through high privacy standards set forth in data protection law. Even though Europeans emphasize privacy as a fundamental human right, the European system of data protection contains many applications of moral principles of justice. By placing greater emphasis on justice in the transatlantic privacy dialogue, Europeans have the ability to connect their system of information privacy to moral principles that resonate with large numbers of Americans. Moral principles of justice appeal to an American sense of fairness and provide a foundation for American legislation regarding consumer protection, environmental protection and protection against discrimination based on race, gender and disabilities. If these principles were a greater part of the dialogue, Americans might realize that European methods for protecting privacy are consistent with the values underlying much of the American reform legislation of the past several decades.
the characterization of privacy as a right leads to very different approaches to
Carter Manny, Associate Professor of Business Law, University of Southern Maine, P.O. Box 9300, Portland, Maine, 04104-9300, USA; email: [email protected]; telephone: +1-207-7804129; fax: +1-207-780-4662. A version of this paper was presented at the annual meeting of the Academy of Legal Studies in Business in Albuquerque, New Mexico, USA, on 11 August 2001.
privacy in the US and Europe
FOOTNOTES 1 See Gramm-Leach-Bliley Act, § 503, 15 USC.A. § 6803 (West Supp. 2000). 2 See, e.g., Mark Hochhauser, Lost in the Fine Print: Readability of Financial Privacy Notices, at http://www.privacyrights.org/ar/GLB-Reading.htm (last visited Apr. 16, 2001). [Hereinafter Hockhauser, Lost in Fine Print]. Dr. Hochhauser concludes that consumers will have a hard time reading and understanding the 17 notices he reviewed. They were “poorly written with too many long sentences and too many uncommon words.” He stated that they averaged a third/fourth year college reading level. 3 Data Protection Directive, supra note 3, art. 7. 4 A. Michael Froomkin, The Death of Privacy?, 52 STAN. L. REV. 1461, 1503 (2000). 5 Id. at 1504 6 Id. at 1502
99
CLSR 1902.qxd
07/03/2003
12:16
Page 100
Personal privacy – transatlantic perspectives 7 Id. at 1505. 8 New York Times, Privacy Information, at http://www.nytimes.com/info/help/privacy.html (last visited June 6, 2001) [hereinafter New York Times Privacy Information]. 9 The price of a subscription to the New York Times for home delivery 7 days a week in Portland, Maine, is $9.60 per week or $492.20 per year. A 50% discount for the first 8 weeks is offered to new subscribers. New York Times, Subscription & Customer Care Services, at https://secure-homedelivery.nytimes.com/cgibin/gx.cgi/AppLogic+FTCont.../HomeDeliveryT1 (last visited June 15, 2001). 10 New York Times, Frequently Asked Questions About Cookies, at http://www.nytimes.com/info/help/cookies. html (last visited June 15, 2001). This page contains abbreviated instructions on how to find cookies on an Apple Macintosh computer and on computers using Windows and either Netscape or Internet Explorer browsers. It also states that cookies can be deleted. 11 Id. 12 New York Times Privacy Information, supra note 49. 13 Amazon.com, Amazon.com Privacy Notice, at http:// www.amazon.com/exed/obidos/tg/browse/-/468496/0028283718-6167252 (last visited June 5, 2001). 14 Id. 15 For example a survey by the American Bankers Association found that only 36% of bank customers had read the privacy notices which were sent to comply with the Gramm-Leach-Bliley Act. It was estimated that less than 1% of customers had notified their financial institutions that they were opting-out and directing that their personal information not be shared with other businesses. See, e.g., Americans Trashing Privacy Notices, PORTLAND PRESS HERALD, June, 30, 2001 at 4A. 16 WildDay.com, About WildDay, at http://www.wildday.co. uk/acatalog/AboutWildDay.html (last visited June 15, 2001). 17 See, e.g., Hockhauser, Lost in Fine Print, supra note 42. 18 See, e.g., Bellman, et al., supra note 27 and accompanying text; see also British DMers, supra note 28 and accompanying text. 19 See 15 USC. §§ 1604-1606 (1994). 20 See 15 USC. §§ 2303-2304 (1994). 21 See 21 C.F.R. § 101.56 (2000). 22 Interview with computer technology expert Jean-Marc Dinant of the Centre de Recherches Informatique et Droit, Facultés Universitaires Notre Dame de la Pais, Namur, Belgium, Oct. 11, 2000. See Jean-Marc Dinant, Law and Technology Convergence in the Data Protection Field?, at http://www.droit.fundp.ac.be/ Textes/privacy_law_tech_convergence.rtf (1999).
100