Internet, e-business and privacy concerns
By Prathiba Mahanamahewa
The most commonly stated motive for data protection legislation is to protect individual privacy from being compromised by computerization and to provide a framework for finding a balance between the interests of the individual, the data user and the community at large.

Countries without a data protection law may lose business from Europe because the EU Directive on the Protection of Personal Data prohibits the transfer of personal data to non-EU countries that do not meet the European "adequacy" standard for data protection. As a result, this Directive places burdens on Sri Lanka and others countries that collect personal data online. The absence of data privacy legislation in India has proved to be a handicap to Europe and the U.S.A. in business process outscoring to Indian companies.

In many countries, including Sri Lanka, laws have not kept up with the technology, leaving significant gaps in protection. In other countries, law enforcement and intelligence agencies have been given significant exemptions. Therefore the mere presence of laws may not provide adequate protection.

Online business or online delivery of public services means feeding personal data to the computer, and having it transmitted from one place to another. Data collectors or service providers or data registers are involved in this activity. Therefore the personal data of customers and citizens should be protected by law without keeping any room for manipulation, possible misuse or unauthorized disclosure to a third party.

Threats toprivacy
Consumer awareness about privacy is increasing, particularly among Internet users. Sooner or later, consumers will demand that their privacy be respected by business. This may require some modification to business practices and customer service and may involve costs not previously incurred. Even American big business has accepted that privacy is a concern that must be addressed. All the public surveys conducted by and for big business in America showed a lack of confidence that consumers' personal information would be protected if they entered into transactions on the Internet. Privacy concerns have been clearly identified as a barrier to the development of e-business.

Personal information that an individual would prefer not to disclose to others can be obtained from imprints left by identifiers on the hard drive of a computer. For instance, in registering Microsoft Word, an identifier was placed on the hard drive that could have permitted Microsoft to track all movements on the Web. Although Microsoft changed the registration system, an identifier is now made through registration of Microsoft Media Player, as well as through other software systems.

Web bugs can disclose personal information that many of us would prefer to keep confidential. Web bugs are images embedded in a web page that can transmit information to a remote computer when the page is viewed. The remote computer can track which computer accesses which page. They are also known as clear GIFs, or l x l GIFs. A web bug is a tiny graphic, included in a web page or e-mail message, used to identify who or how many people are viewing the material. They can be placed in the image tags of the underlying HTML code of the page and they can also be placed in HTML enabled e-mail messages. For instance, Toys-R-Us.com used a tracking device to compile information about online shoppers but stopped after it was discovered.

Internet Service Providers (ISPs) can divulge a host of information about an individual, including name, address, and credit card. They can recapture e-mail that was sent through their services. In addition, ISPs can recapture session information, such as the URLs visited by a user through its service. ISPs at times have disclosed private information about individuals, leading to embarrassment and adverse employment consequences.

Cookies are small text files placed on an Internet user's computer when a website is accessed. They contain information sent by the server to the user's browser. If desired, a web user can sometimes view cookies in the source code of the header of a web page. However, generally, the information collected is not displayed to the user, but is recorded, tracked, and stored by the user's computer and browser. The website can read the cookie later to identify the personal preferences.

Such information will enable the user to navigate the website more easily on return visits. Websites, for instance, can recall registration information, so that users need not re-register each visit. Similarly, cookies enable each user to move forward and backward within a site. Most cookies last during a user's "session," but some can be programmed to last forever -- persistent cookies -- with the corresponding power to keep track of the user's movements on the Web.

Moreover, marketers can then use information about an individual's use of a site to tailor and fine tune sales and promotional offers to consumers, whether on the Web, via email, or at home. Marketers bring information to those who may not know of particular goods and services. Information links sellers to willing buyers, helping achieve a more efficient economy. To some extent, individuals who choose to participate in commercial transactions must give up some personal information to have access to credit and other financial services.

Such information, however, can also be used to reveal all of our personal habits. If marketers share information with each other, an entire mosaic is created revealing our buying patterns, our browsing interests, and the time we spend on the Internet. Many fear the adverse consequences if that information gets into the wrong hands.
Individuals can disable cookies by setting their browsers not to accept them. Some websites will not do business with such users, and in any event, disabling cookies makes navigation through websites quite cumbersome.

Information about an individual's tastes and leisure activity has economic value, and the exchange of such information helps grease the economy. Sri Lanka has never banned the sale of such data, despite the potential impact on privacy. There are, however, many different levels of legal protection for privacy when websites and e-commerce firms -- without consent -- use private information for commercial purposes. No comprehensive protection exists.

In many countries there is a general law that governs the collection, use and dissemination of personal information by both the public and private sectors. An oversight body then ensures compliance. This is the preferred model for most countries adopting data protection laws and was adopted by the EU to ensure compliance with its data protection regime.

Sri Lanka's 1978 Constitution does not explicitly recognize the right to personal privacy as a basic fundamental right though subsequent proposals envisaged the right to privacy as a fundamental right. The government has not introduced any specific legislation, which protects the individual privacy or collection of personal information. The only legislation, which refers to this area, is the 1991.

Telecommunication Act that too refers to interception of communication.
The Common Law in Sri Lanka does not recognize any right to protect personal information. It only permits peripheral protection or remedial action for invasions of privacy stemming from the inappropriate use of personal data.

It is possible to include in the terms of a contract express protection for personal information. Typically, such provisions are broader than just personal information; they extend to the protection of all information flowing between the parties to the contract. These types of clauses supplement any existing rights the parties may already have under the tort of breach of confidentiality.

The contractual relationship is not the essential ingredient, which has given rise to these protections; rather, it is the confidential nature of the relationship. Special relationships exist between banks and customers, doctors and patients and lawyers and clients. They may also exist in a non-contractual context; for example, confidentiality between priests and their parishioners. The ability of the law of contract to provide a solution is severely limited because most data subjects are not in a contractual relationship with the data collectors or users. Thus there are no express or implied contractual rights bestowed upon the data subject.

Negligence
There are various possibilities in tort. The most obvious possibility would be an action brought by the data subject against the data controller for negligent use of storage of the data. This may be because a third party has gained unauthorized access to personal data about the data subject due to the direct or vicarious negligence of the data controller. Such an action will be possible only where a duty of care owed by the data controller to the data subject is established, and this will involve inter alia a consideration of the nature of the information.

Trespass consists of the wrongful entry by the defendant onto land belonging to the plaintiff without consent, the plaintiff being the rightful possessor of the land. Defamation is a cause of action intended to protect the reputation of a person whose standing has been lowered in the estimation of "right thinking members of society" by the publication of derogatory and untrue statements. The electronic dissemination of derogatory statements about a data subject through discussion groups or other Internet facilities will provide the subject matter with a course of action in defamation provided that they are untrue.

Where a person intentionally or recklessly conducts himself so as to cause emotional distress to others, he is liable for that distress. Conceivably, the same course of action would lie where a person revealed personal information designed to cause the data subject acute embarrassment. It is essential that the injury suffered be of an enduring or physical nature.

Another tort requires misconduct by the holder of a public office. The breach of the statutory duties of confidence imposed upon public servants in relation to personal data accessed or used in the course of their administrative duties, for example, would give an aggrieved data subject a course of action here.

Global consistency is fundamental to achieving effective privacy protection. If different standards and approaches are taken, the confusion that would result could well undermine rather than enhance consumer protection and it could hinder the development of E-business. If one stand is to be adopted globally, the Informational Privacy Principles based on OECD guidelines and European Directives would be a practicable solution. Therefore Sri Lanka's draft Data Protection law should be based on these principles.

Personal information must not be collected where it is gathered by unlawful means; for example theft. Moreover, this principle extends to collection by unfair means. The principle of solicitation of personal information from individuals is designed to ensure that agencies that collect personal information take steps to make the data subject aware of the purpose for which the information is being collected and, where the information is passed on by the collector, the details of the person or persons who receive the information.

Where information is collected through a process of solicitation, the collector must ensure that reasonable steps are taken to determine the relevance, completeness and currency of the data. In addition, this principle requires that the information collected does not unreasonably intrude upon the 'personal affairs' of the data subject.

Storage and security of personal information is an important principle, which lies at the heart of the integrity and security of the personal information that is collected and stored. The term 'record-keeper' is introduced here. The record-keeper must ensure that security safeguards that are appropriate in the circumstances are taken to prevent loss, unauthorized access, use, modification or disclosure or misuse of information.

The principle of alteration of records containing personal information sets out the rights of the data subject in relation to ensuring the quality of the information held about him or herself. Appropriate corrections, deletions and additions are required to ensure that the record of personal information conforms to the principle.

A record-keeper who has possession or control of a record that contains personal information shall not use that information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used, the information is relevant, accurate, complete and not misleading.

Personal information only to be used for relevant purposes - the intention of this provision is clearly to prevent misuse of information where it is not relevant to the purpose for which it will be used.

Limits of disclosure
A record-keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) unless, the individual concerned has been informed that the information of that kind is usually passed to that person, body or agency or the individual concerned has consented to the disclosure and the disclosure is required or authorized by law.

Any information relating to ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership, health or sexual life shall not be used or disclosed by a record-keeper without the express written consent, freely given, of the individual concerned. Information relating to an individual's criminal history may only be processed as required or authorized by law.

An essential aspect of any privacy protection regime is oversight. In most countries with a data protection act, there is also an official or agency that oversees enforcement of the act. This must be absolutely an independent supervisory authority. Independence is also a problem in many countries; the agency is under the control of the political arm of the government or a part of the ministry.

This agency is given considerable power; government must consult this agency when it draws up legislation relating to the processing of personal information; the body also has the power to conduct investigations and have a right to access information relevant to their investigations; impose remedies such as ordering the destruction of information or ban processing, and start legal proceedings, hear complaints and issue reports. The agency is also generally responsible for public education and international liaison in data protection and data transfer.

A major problem with many agencies around the world is a lack of resources to adequately conduct oversight and enforcement. Independence is also a problem. In many countries, the agency is under the control of the political arm of the government or part of a particular ministry and lacks the power or will to advance privacy or criticizes privacy invasive proposals.

Unlike the European Union, the United States traditionally has adopted a different approach to data protection. The EU embraces privacy as a fundamental right and thus considers comprehensive legislation as the most appropriate means to protect personal information. Such an approach requires the creation of government data protection agency and approval before the processing of persona data. By contrast, many Americans believe in the free market and are suspicious of government intrusions.

Therefore U.S. approach relies on a mix of legislation, administrative regulation and industry self-regulation through codes of conduct developed by industries as an alternative to government regulation. It is not too late for Sri Lanka to accept the benefits of globalization and be absorbed into the international trade system. Any proposed data protection law should be based on the European model of the EU directive and the data privacy principles because the U.S. data protection model is an ad hoc one and without an independent authority to protect and implement data users rights.

(The author is a Ph.D Researcher in IT Law, University of Queensland, Australia and Lecturer in Law, Faculty of Law, University of Colombo)


Back to Top  Back to Business  

Copyright © 2001 Wijeya Newspapers Ltd. All rights reserved.
Contact us: | Editorial | | Webmaster|