Legislation Protecting Privacy in the United States and Europe
The United States government and the European Union provide the benchmarks for legislation and regulation designed to protect the privacy of information about individual citizens. Since the emergence of the Internet during the 1990s as a medium for exchanging information, policymakers in both the United States and Europe have focused on implementing rules and guidelines that encourage -- if not require -- commercial firms to regulate themselves in the collection and use of data about private individuals.
While these efforts have been quite successful in promoting the protection of privacy on the Internet, new technological developments threaten to undermine the effectiveness of self-regulation. Privacy advocates have pointed out that new legislative and regulatory measures are required to extend the protection of privacy into the 21st century. In particular, the statutory and regulatory schemes that protect individual privacy will have to make an explicit commitment to Fair Information Practices (FIPs), which have been long recognized by government agencies and which promise to provide increased flexibility in the development of regulations, so that they can cope with the ever-changing technological environment that poses a threat to individual privacy.
Existing Privacy Policy and Legislation in the United States
In the United States, there is no federal legislation that directly regulates collection and use of personal information over the Internet. The privacy of consumer information has been protected by a variety of federal statutes, none of which are directly oriented towards the protection of information on the Internet. Accordingly, federal law reflects a set of general principles that are applicable to protecting information over the Internet, but these principles are not readily translated into rules that can be quickly adopted and adapted to respond to changes in technology that can affect citizens' privacy.
The most sweeping -- and most generalized -- protection of consumer privacy comes from Section 5 of the Federal Trade Commission Act (FTC Act), which prohibits deceptive trade practices generally. It creates a rule that any commercial entity must actually implement the privacy policies it professes to observe. This aspect of the FTC Act makes self-regulation a cornerstone of federal privacy policy in the United States.
The FTC has promoted self-regulation on the Internet by encouraging web sites to adopt and publicize privacy policies, thereby placing themselves under the regulation of Section 5 of the FTC Act. This self-regulatory regime has been known as "notice and consent." It requires that web sites give notice to consumers of their privacy policies and permit consumers the choice of controlling how their private information could be used by the web site. The FTC has also encouraged commercial entities operating through the Internet to provide security measures to protect consumers' private data.
Privacy on the Internet is also protected by more specifically targeted legislation that mandates privacy protection practices with respect to certain kinds of information, regardless of whether it is communicated on the Internet or elsewhere. For example, the Financial Modernization Act of 1999, also known as the "Gramm-Leach-Bliley Act," requires privacy measures for consumers' financial information. These measures must be applied when financial information is transmitted over the Internet. Similarly, the Fair Credit Reporting Act promotes the accuracy of information in consumer credit reports and establishes measures to assure the privacy of information in those reports. Although these rules do not apply solely to the Internet, they control the exchange of information in any medium, including the Internet.
Existing Privacy Policy and Legislation in Europe
For the last fifteen years, the European Union's "Data Protection Directive" (the Directive) has been the most prominent data protection law in the world. In general, the Directive is comprehensive and flexible, adapting readily to changes in technology. But several new technological developments have posed a challenge to the effectiveness of the Directive.
The Directive depends upon many of the same principles about managing personal data that inform privacy statutes and regulations in the United States. It applies to any activity that can be done with personal data, including the collection, storage, and disclosure of such data. It requires that anyone collecting personal data do so for specific, legitimate purposes and that such data's use be limited to its explicit purpose. It also requires that, whenever data is collected, it is identified with a particular person for no longer than necessary. As in the United States, the Directive requires that, in countries belonging to the European Union, individuals have access to the information about the data that has been collected about them and to information about how that data has been used. Finally, the Directive prohibits the cross-border transfer of data to any country that does not observe standards for protecting data.
Technological Developments That Threaten the Existing Regulatory Schemes
The rapid pace of technological change has made it difficult for existing statutes and regulations to preclude new threats to privacy. Several recent technological changes have created opportunities for persons to use data in contravention of the Directive or of U.S. federal rules. These new threats illustrate the need for modernization of privacy law.
One of these challenges comes from cloud computing. In cloud computing, data is stored online, in remote servers. Such storage is described as being "in the cloud." Online, remote data storage makes it easier for multiple users to collaborate on projects using shared data. But it also makes it easier to transfer data across borders, and such data may be transferred to countries without adequate data protection protocols. When medium or small-sized businesses use cloud computing to store customer data, there is a risk that the private information of consumers can be accessed by unauthorized parties. Because it is practically impossible to inform consumers about all of the transactions that are involved in storing data "in the cloud," there is no way that consumers can meaningfully consent to how their data is stored.
Behavioral advertising is also an issue with privacy implications. In behavioral advertising, companies collect data about a consumer's web-browsing activities from the consumer's computer and then use that data to tailor the advertising that will appear on the web pages that the consumer visits, so that the advertising reflects the consumer's interests.
"Deep packet inspection" (DPI) is another threat to consumer privacy. DPI is a method of examining and storing data sent over the Internet. Whenever a computer user requests data (by visiting a web page, for example) or sends data (by sending an email or transmitting information through an online form), the data passing over the Internet is broken up into "packets," each of which is labeled with a header that includes routing information. Internet service providers and others who control devices in the middle of the Internet can inspect the data in these packets and can even copy it. Some ISPs create complete copies of all of the data that consumers are sending and receiving over the Internet, and they sell these copies to behavioral advertisers.
Neither the Directive nor existing U.S. privacy rules were particularly effective in responding to problems with DPI. In 2008, it was revealed that ISPs in the United States and the United Kingdom were using DPI to obtain consumer information that was being sold to advertisers. Although there was some question whether this practice violated the UK's anti-wiretapping statutes, the practice was apparently permissible under the Directive (CDT's Comments, 5).
The Directive prohibits practices that would permit the re-identification of data. But it does not contain any provisions that would explicitly prohibit an entity from sending anonymized data to a country that is not covered by the Directive, where such data could be re-identified and then returned to a European Union country for use.
New technologies also permit private enterprises to collect information about the physical location and activities of individual consumers. Newer cell phones can report their physical location to the wireless telephone provider at all times. Consequently, the wireless telephone company can collect data not only about where its customers were, but also, in many cases, about what the customers were doing. For example, if a customer visited a medical clinic, his or her wireless company would have information about the fact that he or she likely sought medical treatment at a particular time.
It is also becoming possible to identify data that has been "anonymized." Privacy law in both Europe and the United States requires that data be stripped of identifying information before it can be used by commercial entities. But new technologies are permitting the re-identification of anonymized data.