The Right to Consent and Control Personal Information Processing in Cyberspace
Transcript of The Right to Consent and Control Personal Information Processing in Cyberspace
-
8/13/2019 The Right to Consent and Control Personal Information Processing in Cyberspace
1/9
University of Western Sydney, NSW Australia
E-mail:[email protected]
ABSTRACT
KEYWORDS
Consent, information privacy, privacyviolations, e-commerce, privacy protectionmechanisms.
1 INTRODUCTIONWhilst the internet is undoubtedly
beneficial to e-consumers users and otherusers such as social network users,information technology has affected
privacy dramatically [1], [2]. It has made it
possible for any person to easily collectpersonal information about Internet userswithout their consent. Consumer concernsover the safety of personal information andthe violation of an individuals privacyrights are described as being the singleoverwhelming barrier to rapid growth of e-commerce. Recent research findings alsoshow that the level of public concern for
privacy and personal information hasincreased since 2006 [1], [3]. In 2007, it
was found that 50 percent of Australiansare more concerned about providing
information about them online than theywere two years ago [4]. A recent survey inEurope also indicates that about a quarterof social network users (26 percent) andonline shoppers (18 percent) feel that theyare not in complete control over their
personal data [5]. Internet users areworried that they give away too much
personal information and want to beforgotten when there is no legitimategrounds for retaining their personalinformation [6].
This paper explores the constraints on theexercise of individual autonomy. Viewedfrom the perspective of autonomy, itconsiders what autonomy means for these
purposes and whether current practices(such as the use of standard-form privacy
policy statements, bundled consent)protect individual autonomy. It argues thatto resolve the problem with allowing theuse and/or disclosure of personalinformation based on consent, the e-commerce user must first have sufficientknowledge of the purpose for informationcollection, its use and disclosure ofinformation collected; secondly, consentmechanisms should allow informed andrational decision making; thirdly, there
should be the opportunity for individualchoice allowing withdrawal of consent orthe opting out of information collection.This paper also examines the effects of
privacy violations on individual whenthere is covert collection, automatic
processing, and data security risks thatarise from such activities. This paper alsoquestions the assumption in mostlegislation which affects e-commerce
users, that consent is sufficient to waive anindividuals privacy interests.
The Right to Consent and Control Personal Information Processing in Cyberspace
Thilla RajaretnamAssociate Lecturer, School of Law,
Consumer concerns over the safety of theirpersonal information and the violation of theirprivacy rights are described as being the singleoverwhelming barrier to rapid growth of e-commerce. This paper explores the problemsfor e-commerce users when there is collection,use, and disclosure of personal information
that are based on implied consent in e-commerce transactions. It questions theassumption that consent is sufficient to waiveprivacy interests in relation to e-commercetransactions. It will argue that consent shouldnot necessarily be sufficient to waive privacyinterests, and that the collection, use and/ordisclosure of personal information should besubject to regulation.
232
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 1(3): 232-240The Society of Digital Information and Wireless Communications (SDIWC) 2012 (ISSN: 2305-0012)
mailto:[email protected]:[email protected] -
8/13/2019 The Right to Consent and Control Personal Information Processing in Cyberspace
2/9
-
8/13/2019 The Right to Consent and Control Personal Information Processing in Cyberspace
3/9
expectation that their personal informationmay or will be collected [14], [15].
Before e-commerce users can make aconsidered decision whether to consent,
they must have some understanding of theimplications of what is being consented to,and sufficient detail in language suitablefor e-commerce users to give genuineconsent [15]. An e-commerce user abilityto exercise autonomy is furthercompromised by the use of bundled or
blanket consent used by data collectorsand e-business operators [13]. Bundledconsent refers to the consent to a widerange of uses and disclosures without
giving an individual the opportunity tomake a choice about which use ordisclosure they agree to and which they donot. Bundled consent frequently includesterms and conditions allowing changes to
privacy policies without notice. Datacollectors are also using bundled privacyclauses to collect personal information forsecondary use for use in data mining [13].The written statements of bundled consentmay be changed without notice, or someelements outside the privacy policy, or
bundled consent could be added tocustomer agreements to allow data miningin the future [13], [15], [16]. So the use of
bundled consent cannot be meaningfulbecause the person who consents to suchterms and conditions does not know whathe or she is consenting to. One reason
being that privacy clauses containingbundled consent are usually lengthy, often
in very small font size and may not beeasily accessible [14], [18].
This paper suggests that the use of bundledconsent should be prohibited or closelymonitored by regulators so as to notinfringe the privacy rights and restrict anindividuals right to withdraw consent.
The issue of consent on the internet raisessignificant privacy concerns with theemergence of new technological
challenges. There is the added problemrelating to young persons and others who
may lack legal capacity to consent. Tied toconsent is the exercise of choice by theindividual.
2.2ChoiceA secondary sense in which autonomy isused is that it requires freedom of choice[12], [13]. Control over personalinformation enables an autonomousindividual to make choices, and to selectthose persons who will have access to their
body, home, decisions, communication,and information and those who will not.Choice requires the individual to be arational consumer making informed and
considered decisions and having options inrelation to their personal information. Fairinformation practices require that whenthere are any changes to an organisations
privacy policy the website user should bealerted to this change with informationwhich includes the date of issue and a listof changes made by the organisation to the
prior version; and that reasonable noticemust be given whenever personalinformation is to be shared with others[19], [20].
In e-commerce, individuals make choicesabout the use and disclosure or surrenderof their personal information for secondary
purposes. The options that are available toindividuals in cyberspace to collection, useand the sharing their personal informationis exercised through the opt-in and opt-outregime. There are different views on the
efficacy of opt-in versus the opt-outregime. On one view this could beconsidered consent by trickery while theother view is that there is no true choice[13].
Available evidence suggests that only avery few e-commerce users exerciseautonomy in this sense; users seldom read
privacy clauses on websites or changetheir behaviour as a consequence [17],
[18]. The e-commerce users ability toexercise autonomy as deliberative choice
234
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 1(3): 232-240The Society of Digital Information and Wireless Communications (SDIWC) 2012 (ISSN: 2305-0012)
-
8/13/2019 The Right to Consent and Control Personal Information Processing in Cyberspace
4/9
is constrained in a number of ways. Firstly,an e-commerce users choices whether toaccess a website may be constrained ifrequired to agree to terms and conditionsup front or may find that alternatives are
equally constrained. If other providershave similar policies which do not allowthe user to refuse the terms and conditions,the e-commerce user will lack autonomyin this secondary sense. Often internetusers also have no alternative but areobliges to give their consent to accessservices and goods advertised on theInternet. If an individual does not activelyselect to opt out then he or she is taken toagree by default. Alternatively the box
may be ticked as the default state toindicate agreement with the consumerrequired to untick the box if they do not
agree. It is doubtful if e-commerce usersexpress genuine consent to the use of their
personal information when they tick on thebox that they have read these standardform privacy policies and accept the termstherein. The e-commerce user is unlikelyto fully appreciate the effect andimportance for their privacy of ticking a
box agreeing to the terms and conditionsof access to the website or the transaction.Secondly, there are significant barriers tothe effective exercise of autonomy when e-commerce users have difficulty in locatingthe providers privacy policy. Informationmay not be easily accessible, or difficult tofind, or in legal language which is noteasily comprehended, or may be lengthyand vague as to exactly what is being
agreed or what rights they are actuallysurrendering [18].
3. PRIVACY VIOLATIONS
It appears that the e-commerce userscapacity to exercise autonomy and to
protect their privacy is furthercompromised by the automatic processingof personal information, use of privacyinvasive technologies, and data security
risks.
3.1Automatic ProcessingAutomatic processing of personalinformation allows the aggregation of
personal information, identification of
individuals, and secondary use of personalinformation with or without consent. Theautomatic processing and secondary useand disclosure of personal informationcollected without the consent ofindividuals through data surveillance
affect individual privacy interests [21],[22], [23]. The privacy issue is that
profiles expose Internet and e-commerceusers to risks of the information beinglinked to other information such as names,
addresses and e-mail addresses makingthem personally identifiable. Theharvesting of personal information throughmonitoring and sensing using privacyinvasive technologies is pervasive and
poses special risks to privacy ofindividuals [23].
Database companies are able to correlateand manipulate the data collected throughthe process of data matching, sentiment
analysis, customer profiling, and the
creation of digital dossiers [24], [25].Cookies are the most common profilingmechanism used on the Internet [24] [25].Besides the ability to profile e-commerceusers, the increasing interconnectedness,affordable, fast, on-line systems alsoenable the building of electronic dossiers.Critical decisions about an individuals
status, reputation and credibility either to
determine eligibility and suitability forjobs, credit worthiness, and criminalrecord can readily be made by tapping intodigital dossiers [22], [25]. The processeddata in the form of profiles and digitaldossiers can be disseminated or can bemade accessible easily; it can betransferred quickly from one informationsystem or database to another and across
borders with the click of the mousewithout the knowledge or consent of the
data subject [22], [25]. Personalinformation in the digital dossiers is at risk
235
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 1(3): 232-240The Society of Digital Information and Wireless Communications (SDIWC) 2012 (ISSN: 2305-0012)
-
8/13/2019 The Right to Consent and Control Personal Information Processing in Cyberspace
5/9
-
8/13/2019 The Right to Consent and Control Personal Information Processing in Cyberspace
6/9
Collection Limitation Principle [36]; andEuropean Unions Directive 95/46/EC
provide for privacy principles [19], [38],[39], [40]. Privacy principles provide forcompliance with displaying privacy
policies statements; notice of personalinformation collection, use and/ordisclosure; breach notification; access andcorrection that are viewed as a prerequisitefor fair information collection practices[36], [19] Similarly, in the Asia-Pacificregion, the Asia-Pacific Economic Co-operation (APEC) Privacy Framework
provide for privacy principles [41] providefor personal information protection.APECs Data Privacy Pathfinder contains
general commitments leading to thedevelopment of a Cross-Border PrivacyRules (CBPR) system [41]. The EUDirectives in particular have beeninfluential but compliance is notmandatory for non EU Member States.Although non-EU countries have adoptedsimilar fair information practices into theirnational legal frameworks [36], [19] thereare various approaches and varyingdegrees of protection for personalinformation under national frameworks.In contrast to EU laws, the Australian
privacy framework is considered to beinadequate. The primary federal statute for
privacy protection that is the Privacy Act1988 (Cth) (Privacy Act) NationalPrivacy Principles (NPPs) [37] havetheir foundation consumer choice orconsent as an essential element. But thereis also no right to privacy under the
common law although a statutory tort ofprivacy is being mooted [20]. Privacyprotection in Australia is a patchwork offederal and state statutory regulation andindustry codes of practice and incidental
protection at common law arising out totorts, property, contract and criminal law.Although it is not possible to ensure that aconsumer will act rationally with informedconsideration before deciding to waivetheir privacy rights, the legislature can, at
least, legislate to remove constraintspreventing informed and rational decision
making. Neither the Privacy Act nor theNPPs prohibit bundled consent. It alsoappears that the Privacy Actgives priorityto commercial interests in relation to directmarketing and secondary usage as the
existing legislative structure provide thatconsent may be express consent, or
implied consent [37].
At the international level, law reforminitiatives are currently focused onenhancing privacy protection. For examplethe e-Privacy Directive, now requires EUMember States to ensure that thestoring ofinformation, or the gaining of access toinformation already stored,is only allowed
on condition that the data subjectconcerned has given his or her consent,having been provided with clear and com-
prehensive information, in accordancewith Directive 95/46/EC, inter alia, aboutthe purposes of the processing [39].Theseinitiatives have also influenced theAustralian Law Reform Commissions(ALRC). The ALRC has amongst othersrecommended developing a single set ofPrivacy Principles; redrafting and updatingthe structure of the Privacy Act; andaddressing the impact of new technologieson privacy; and data security breachnotification [20]. It is proposed that asingle set of privacy rules, compliance andenforcement will strengthen privacy
protection for Internet users.
4.2 Other Mechanisms for Privacy
Protection
In relation to the problem to exercisingconsent and choice, it is suggested that anychoice regime should provide a simple andeasily accessible way for consumers toexercise this choice. This paper suggeststhat an opt-in regime is a better option thanthe opt-out regime. It is suggested that theopt-in regimes require positive action bythe consumer to allow the organisation thatis collecting and using their personal
information. It also suggests that simpleand effective mechanisms for ecommerce
237
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 1(3): 232-240The Society of Digital Information and Wireless Communications (SDIWC) 2012 (ISSN: 2305-0012)
-
8/13/2019 The Right to Consent and Control Personal Information Processing in Cyberspace
7/9
users and other Internet users to give andwithdraw consent must be in place.
Transparency in data collection is a crucialpart of data protection. But an average data
subject is not always aware of how to usebrowser settings to reject cookies andoften unaware that their online activitiesare being tracked. Notification encouragestransparency about data collection and thesubsequent handling of personalinformation. Appropriate notification priorto data collection; and information
provided to e-commerce users such as, ifthe information collected will be used orshared with a third party or parties, will
restore control over personal informationand give individuals an opportunity toconsent or to withhold consent to the useof their personal information for primaryand/or secondary purposes. Such anapproach puts a premium on individualchoice and privacy but probably at somecost of efficiency for the e-commerce
provider. Prior notice to data collectionallows an autonomous individual theoption to decide and make choices whetherto share their personal information withothers. Notification with standard privacyclauses attached allows individuals to beable to access their personal informationand to correct incorrect information heldabout them; and it also allows individualsto withhold consent to the collection of
personal information for unlawfulpurposes [19], [20] .
In addition, notification of data securitybreach gain consumer trust and reducedrisk to personal information. Mandatorynotification of data security breaches alertscustomers and ensures that customers andusers are able to take timely action to limitrisks to their personal information fromrisk by for example changing their pinnumber and passwords [20], [39], [40],[42]. Technological tools establishing
privacy preferences besides continuous
privacy awareness and education can also
be effective in protecting personalinformation.
5 CONCLUSIONThis paper has examined the significanceof privacy for individuals as a fundamentalhuman right. Violations of human rightsarise from the unlawful collection andstorage of personal data, the problemsassociated with inaccurate personal data,or the abuse, or unauthorised disclosure ofsuch data. The difficulty of finding andunderstanding information relating to
privacy policies, blanket or bundledconsents, the lack of choice whether to
accept conditions and the preference giveto commercial interests reduces theindividuals autonomy to make informed
decision making, and to control andconsent to the use their personalinformation. Autonomy is only trulyobserved if the e-consumer is able to
provide explicit consent and has bothchoice and the opportunity to makerational and informed decisions. Consentto the collection, use, and disclosure of
personal information should be regarded asinstrumental to individual autonomy.
The proposed reforms to enhanceinformation protection in cyberspace bothin Europe and the Asia-Pacific region isaimed to strengthen and give Internet usersmore control over their personalinformation, make it easier for individualsto access and improve the quality of
information they receive from datacollectors about what happens to theirpersonal information, with who theirinformation is shared with, and also toensure that personal information is
protected no matter where it is sent orstored. This paper proposes that moreappropriate regulatory response to removeconstraints which impede considereddecisions about privacy by e-commerceusers needs to be in place to protection of
personal information in cyberspace. Forexample in relation to e-commerce users,
238
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 1(3): 232-240The Society of Digital Information and Wireless Communications (SDIWC) 2012 (ISSN: 2305-0012)
-
8/13/2019 The Right to Consent and Control Personal Information Processing in Cyberspace
8/9
the legislative framework can be satisfiedif the user has liberty of action, that is, ifthe user agrees without duress or coercion.Viewed from the standpoint of individual
privacy, legislation should also ensure that
constraints on the ability to make rationaldecisions are removed. But only time willtell if current reforms initiatives andregulation have been effective in
protecting personal information of Internetusers in cyberspace.
6 REFERENCE[1] Office of the Privacy Commissioner:Submission to the Australian Law ReformCommission Review of Privacy Discussion Paper72 (2007).
[2] Schwartz, P.M.,: Privacy and Democracy inCyberspace, Vanderbilt Law Review, vol. 52, pp.1609-1702 (1999).
[3] Privacy Commissioner: Privacy concerns onthe up: Annual Report 2009, Office of the PrivacyCommissioner, New Zealand,( 2009).
[4] Office of the Privacy Commissioner: PrivacyMatters, vol. 1, Issue 4, Australian Government
(2007).
[5] European Commission: Why do we need an EUdata protection reform? (2012)http://ec.europa.eu/justice/data-
protection/document/review2012/factsheets/1_en.pdf
[6] Special Eurobarometer 359: Attitudes on DataProtection and Elecronic Indentity in the EuropeanUnion (2012)http://ec.europa.eu/public_opinion/archives/ebs/ebs
_359_en.pdf
[7] Warren, S., Brandeis, L.: The right to privacy,"Harvard Law Review vol. 4, pp. 193220 (1890).
[8] Westin, A.: Privacy and Freedom, pp. 487. NewYork, Atheneum Publishers (1967).
[9] Rossler, B.,: The Value of Privacy, pp. 1-17.Cambridge, Polity Press, (2005).
[10] Schoeman, F., (ed.): Philosophical Dimensionsof Privacy: An Anthology, pp. 346-402 Cambridge,Cambridge University Press (1984).
[11] Penny, J. W.,: Privacy and the NewVirtualism, Yale Journal of Law & Technology,vol. 10, pp. 194-250 (2008).
[12] Regan, P.,: The role of consent in informationprivacy protection, Center for Democratic and
Technology (2009).
[13] Cavoukian, C.,: Data Mining: Staking a Claimon Your Privacy, Office of the Information andPrivacy Commissioner, Ontario (1998).
[14] Clarke, R.,: e-Contract: A Critical Element ofTrust in e-Business. In: Proc. 15
thBled Electronic
Commerce Conference, Bled, Slovenia (2002).
[15] Clarke, R.,: The Effectiveness of PrivacyPolicy Statements, Xamax Consultancy Pty Ltd.(2008).
[16] Marotta-Wurgler,F.,:Does DisclosureMatter?, New York University Law and EconomicsResearch Paper, No. 10, pp. 54 (2010).
[17] Senate Select Committee on InformationTechnologies: Cookie Monsters?: Privacy in theinformation society, Commonwealth Parliament ofAustralia (2000).
[18] Out-Law.com: Average privacy policies take s10 minutes to read, research finds,' Out-Law.com(2008) http://www.out-law.com/page-9490.
[19] European Commission: Directive 95/46/EC ofthe European Parliament and of the Council of 24October 1995 on the protection of individuals withregard to the processing of personal data and on thefree movement of such data (Directive 95/46/EC)(1995).
[20] Australian Law Reform Commission (ALRC):For Your Information: Australian Privacy Law andPractice (ALRC Report 108)(2008).
[21] Australian Communications and Media
Authority (ACMA): Growth in sensing andmonitoring information driving change in service,ACMA Media Release 89/2011 (2011).
[22] Solove, D. J.,: A Taxonomy of Privacy,University of Pennsylvania Law Review vol. 154,
No. 3, pp. 477-560 (2006).
[23] Electronic Privacy Information Centre:Cookies (2011)http://www.epic.org/privacy/internet/cookies/
[24] Cavoukian, C.,: Privacy and the Open
Networked Enterprise, Information and PrivacyCommissioner, Ontario, Canada (2006).
239
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 1(3): 232-240The Society of Digital Information and Wireless Communications (SDIWC) 2012 (ISSN: 2305-0012)
http://www.epic.org/privacy/internet/cookies/http://www.epic.org/privacy/internet/cookies/ -
8/13/2019 The Right to Consent and Control Personal Information Processing in Cyberspace
9/9
[25] Clarke, R., : Information Technology andDataveillance, Communions of the ACM, vol. 31,Issue 5, pp. 498-512, (1988).
[26] Privacy International: PHR2006Privacy
topics: Electronic commerce (2007)http://www.privacyinternational.org/article.shtml
[27] Solove, D. J.,: The Digital Person: Technologyand Privacy in the Information Age, New York:
New York University Press (2004).
[28] Solove, D. J.,: Digital Dossiers and theDissipation of Fourth Amendment Privacy,Southern California Law Review, vol. 75, pp.1083-1167 (2002).
[29] Electronic Privacy Information Centre
(EPIC): Federal Trade Commission AnnouncesSettlement in EPIC Facebook Privacy Complaint -Social Networking Privacy (2011)http://epic.org/privacy/socialnet/
[30] R. Clarke, R., A. Maurushat, A.,: TheFeasibility of Consumer Device Security,University of New South Wales Law Research,Series No. 5 (2009).
[31] Solove, D.J.,: The New Vulnerability: DataSecurity and Personal information. In : SecuringPrivacy in the Internet Age, A. Chander, A.,
Gelman, L., Radin, M. J., (eds.) StanfordUniversity Press (2005).
[32] Australian Broadcasting Corporation: Fear inthe Fast Lane. Four Corners Program - ABC.net.au(2009)http://www.abc.net.au/4corners/content/2009/s2658405.htm.
[33] Australian Payments Clearing Association:Payments Fraud in Australia - Media Release(2010) http://www.apca.com.au.
[34] Australian Institute of Criminology: ConsumerScams-2010 and 2011 (2011)http://www.aic.gov.au/en/publications/current%20serices/rip21-40/rip25.aspx.
[35] Australian Crime Commission: Crime ProfileSeriesIdentity Crime - Fact Sheet (2011)http://www.crimecommission.gov.au/sites/default/files/files/identity-crime.pdf
[36] Organisation of Economic Cooperation andDevelopment (OECD): OECD Guidelines on theProtection of Privacy and Transborder Flows of
Personal Data (OECD Guidelines) (1980)
http://www.oecd.org/documentprint/0,3455,en_2649_34255_1815186_1_1_1,00.html
[37] Privacy Act 1988 (Cth.) s 6, Sch 3 NationalPrivacy Principles (NPPs).
[38] European Commission: ePrivacy Directiveclose to enactment: improvements on security
breach, cookies and enforcement, and more tocome, Ref.: EDPS/09/13.European Union (2009).
[39] European Commission: EU Directive onPrivacy and electronic Communications, Article 29WP Issues Opinion on Cookies in the NewePrivacy Directive (2010).
[40] European Commission: ePrivacy DirectiveRegulations. European Union (2011)http://ec.europa.eu/information_society/policy/eco
mm/doc/library/public_consult/data_breach/ePrivacy_databreach_consultation.pdf
[41] Asia-Pacific Economic Cooperation (APEC):APEC Data Privacy Pathfinder Initiative (2012)http://www.ag.gov.au/Privacy/Pages/APEC-Data-Privacy-Pathfinder-Initiative.aspx
[42] Greenleaf, G.,: Five years of the APECprivacy Framework: Failure or promise? (2008)http://austlii.edu.au/~graham/publications/2008/Greenleaf_ASLI0408.pdf
240
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 1(3): 232-240The Society of Digital Information and Wireless Communications (SDIWC) 2012 (ISSN: 2305-0012)
http://www.aic.gov.au/en/publications/current%20serices/rip21-40/rip25.aspxhttp://www.aic.gov.au/en/publications/current%20serices/rip21-40/rip25.aspxhttp://www.ag.gov.au/Privacy/Pages/APEC-Data-Privacy-Pathfinder-Initiative.aspxhttp://www.ag.gov.au/Privacy/Pages/APEC-Data-Privacy-Pathfinder-Initiative.aspxhttp://www.ag.gov.au/Privacy/Pages/APEC-Data-Privacy-Pathfinder-Initiative.aspxhttp://www.ag.gov.au/Privacy/Pages/APEC-Data-Privacy-Pathfinder-Initiative.aspxhttp://www.aic.gov.au/en/publications/current%20serices/rip21-40/rip25.aspxhttp://www.aic.gov.au/en/publications/current%20serices/rip21-40/rip25.aspx