Legal and Regulatory Issues in the Information Economy/Consumer Privacy and Protection
Advances in information technology and data management offer the promise of a new and prosperous cyberspace-based economy. New communications and information systems allow organizations to gather, share and transmit growing quantities of information with unprecedented speed and efficiency. But this technology also poses a serious threat to privacy. Private individuals and organizations now have the access, means, methods and tools to encroach on the privacy of another, and in a manner that is not so obtrusive.
What is information privacy?
Of utmost importance is information privacy, an “individual’s claim to control the terms under which personal information, information identifiable to the individual, is acquired, disclosed and used.”
Disclosural privacy is similarly defined as “the individual’s ability to choose for him/herself the time, circumstance, and extent to which his/her attitudes, beliefs, behavior and opinion are to be shared with or withheld from others.”
Why protect privacy?
The right to privacy is fundamental to any democratic society. The slightest apprehension on the part of a person using the Internet about who will see his personal information and how it will be used would by itself mean that he has lost a basic freedom. Moreover, the more others know about the details of a person’s life, the greater their opportunity to influence, interfere with, or judge the choices the person makes.
Having knowledge and control of how personal information is provided, transmitted and used is the key to protecting privacy.
Is there such a thing as protecting privacy too much?
Foremost among the arguments used against the adoption of a stringent information disclosure regime is that it would ultimately hinder commerce. To require an individual’s prior consent before personal data can be elicited may actually hamper the growth of commerce that is largely based on a “better information equals better markets” theory. If the markets can profile their consumers accurately, a better match between interested buyers and sellers can be made.
Another argument is the need for truthfulness. The ethical or legal duties of disclosure inherent in a relationship command an openness that information privacy prevents. 
What challenge does the protection of privacy pose? How can proper use of information be assured?
Finding a balance between the legitimate need to collect information and the need to protect privacy has become a major challenge. The following OECD guidelines may be considered as fundamental requirements for the proper use or processing of information online:
- Information Privacy Principle. Personal information should be acquired, disclosed, and used only in ways that respect an individual’s privacy.
- Information Integrity Principle. Personal information should not be improperly altered or destroyed.
- Information Quality Principle. Information should be accurate, timely, complete and relevant for the purpose for which it is provided or used.
- Collection Limitation Principle. Personal data should be obtained by lawful and fair means, and where appropriate, with the knowledge and consent of the data subject.
- Purpose Specification Principle. The purposes for which data are collected should be specified at the time of collection.
- Security Safeguards Principle. Personal data should be protected by reasonable safeguards against risks like loss or unauthorized access, destruction, use, modification or disclosure of data.
- Openness Principle. There should be a policy of openness about developments, practices and policies with respect to personal data.
- Accountability Principle. A data controller has the responsibility to comply with measures based on the foregoing principles.
Are there other existing guidelines for data protection?
The European Union has issued Directive 95/46/EC, which establishes a regulatory framework to guarantee free movement of personal data, while giving individual EU countries room to maneuver with respect to how to implement the Directive. Free movement of data is particularly important for all services with a large customer base and dependent on processing personal data, such as distance selling and financial services. In practice, banks and insurance companies process large quantities of personal data, inter alia, on such highly sensitive issues as credit ratings and credit-worthiness. If each Member State had its own set of rules on data protection (for example on how data subjects could verify the information held on them), cross-border provision of services, notably over the information superhighways, would be virtually impossible and this extremely valuable new market opportunity would be lost.
The Directive also aims to narrow divergences between national data protection laws to the extent necessary to remove obstacles to the free movement of personal data within the EU. As a result, any person whose data are processed in the Community will be afforded an equivalent level of protection of his rights, in particular his right to privacy, irrespective of the Member State where the processing is carried out. 
How can consumers be protected in electronic commerce transactions?
In December 1999, the OECD issued the Guidelines for Consumer Protection in the Context of Electronic Commerce to help ensure protection for consumers when shopping online and thereby encourage:
- fair business, advertising and marketing practices;
- clear information about the identity of an online business, the goods or services it offers and the terms and conditions of any transaction;
- a transparent process for the confirmation of transactions;
- secure payment mechanisms;
- fair, timely and affordable dispute resolution and redress;
- privacy protection; and
- consumer and business education.
- Box 1. OECD Guidelines on Consumer Protection
A. TRANSPARENT AND EFFECTIVE PROTECTION
- Consumers who participate in electronic commerce should be afforded transparent and effective consumer protection that is not less than the level of protection afforded in other forms of commerce.
B. FAIR BUSINESS, ADVERTISING AND MARKETING PRACTICES
- Businesses engaged in electronic commerce should pay due regard to the interests of consumers and act in accordance with fair business, advertising and marketing practices.
C. ONLINE DISCLOSURES
- I. INFORMATION ABOUT THE BUSINESS
- Businesses engaged in electronic commerce with consumers should provide accurate, clear and easily accessible information about themselves sufficient to allow, at a minimum:
- II. INFORMATION ABOUT THE GOODS OR SERVICES
- Businesses engaged in electronic commerce with consumers should provide accurate and easily accessible information describing the goods or services offered; sufficient to enable consumers to make an informed decision about whether to enter into the transaction and in a manner that makes it possible for consumers to maintain an adequate record of such information.
- III. INFORMATION ABOUT THE TRANSACTION
- Businesses engaged in electronic commerce should provide sufficient information about the terms, conditions and costs associated with a transaction to enable consumers to make an informed decision about whether to enter into the transaction.
- IV. CONFIRMATION PROCESS
- To avoid ambiguity concerning the consumer’s intent to make a purchase, the consumer should be able, before concluding the purchase, to identify precisely the goods or services he or she wishes to purchase; identify and correct any errors or modify the order; express an informed and deliberate consent to the purchase; and retain a complete and accurate record of the transaction.
- Consumers should be provided with easy-to-use, secure payment mechanisms and information on the level of security such mechanisms afford.
Dispute resolution and redress
- Consumers should be provided meaningful access to fair and timely alternative dispute resolution and redress without undue cost or burden.
- Business-to-consumer electronic commerce should be conducted in accordance with the recognized privacy principles set out in the OECD Guidelines Governing the Protection of Privacy and Transborder Flow of Personal Data (1980), and taking into account the OECD Ministerial Declaration on the Protection of Privacy on Global Networks (1998), to provide appropriate and effective protection for consumers.
Education and awareness
- Governments, business and consumer representatives should work together to educate consumers about electronic commerce, to foster informed decision-making by consumers participating in electronic commerce, and to increase business and consumer awareness of the consumer protection framework that applies to their online activities.
- Source: Organisation for Economic Co-operation and Development, Guidelines for Consumer Protection in the Context of Electronic Commerce (2000); available from http://www1.oecd.org/publications/e-book/9300023E.PDF
How will the OECD guidelines be used?
The OECD Guidelines are designed to be a technology-neutral tool to help governments, business and consumer representatives by providing practical guidance to help build and maintain consumer confidence in electronic commerce. The Guidelines address the principal aspects of business-to-consumer electronic commerce and reflect existing legal protections available to consumers in more traditional forms of commerce. They stress the importance of transparency and information disclosure and the need for cooperation among governments, businesses and consumers at the national and international levels.
The Guidelines are intended to provide a set of principles to help:
- Governments - as they review, and (if necessary) adapt, formulate and implement consumer policies and initiatives for electronic commerce.
- Businesses, consumer groups and self-regulatory bodies - by providing guidance on the core characteristics of consumer protection that should be considered in the development and implementation of self-regulatory schemes.
- Individual businesses and consumers - by outlining the basic information disclosures and fair business practices they should provide and expect online.
What about jurisdiction and consumer redress?
The OECD Guidelines discuss at length the issues related to jurisdiction, applicable law and access to redress. Because of the broad and horizontal nature of these issues, questions about how they might best be addressed within the context of electronic commerce are not unique to consumer protection. However, the Internet’s potential to increase the number of direct business-to-consumer cross-border transactions makes it important that consumer interests be fully taken into account.
The language on jurisdiction and applicable law within the Guidelines reflects the complexity and the current lack of international consensus on these issues. The Guidelines recognize that all business-to-consumer cross-border transactions are subject to the existing framework on jurisdiction and applicable law, but that electronic commerce poses certain challenges to that framework. The Guidelines call for further work in addressing these issues and ensuring that consumer interests are given appropriate consideration as the jurisdictional framework for electronic commerce evolves.
The Guidelines also focus particular attention on the importance of providing consumers with access to fair, timely and inexpensive means for redress, and encourage the development of effective alternative dispute resolution (ADR) mechanisms. Taking legal action to resolve a consumer dispute is generally an expensive, difficult and time-consuming process for everyone involved. These are problems that could be amplified in the event of cross-border disputes. As in other forms of commerce, the development and promotion of ADR can help to avoid more formal and costly legal options. Responding to consumer complaints quickly, easily and fairly, and establishing affordable and effective online dispute resolution mechanisms can go a long way toward building consumer confidence and trust.
Should the government be involved in consumer protection and privacy? What role can the private sector play?
In the end, the issue of consumer protection and privacy is a concern of both the government and the private sector. Government must ensure that there are adequate laws that offer protection to consumers; the private sector must implement meaningful, user-friendly, self-regulatory privacy regimes. Until users are confident that their communications and data are safe from interception and unauthorized use, they are unlikely to routinely use the Internet for commerce. Only with consumer trust can we make e-commerce work.