The Right to Consent and Control Personal Information Processing in Cyberspace

8/13/2019 The Right to Consent and Control Personal Information Processing in Cyberspace

1/9

University of Western Sydney, NSW Australia

E-mail:[email protected]

ABSTRACT

KEYWORDS

Consent, information privacy, privacyviolations, e-commerce, privacy protectionmechanisms.

1 INTRODUCTIONWhilst the internet is undoubtedly

beneficial to e-consumers users and otherusers such as social network users,information technology has affected

privacy dramatically [1], [2]. It has made it

possible for any person to easily collectpersonal information about Internet userswithout their consent. Consumer concernsover the safety of personal information andthe violation of an individuals privacyrights are described as being the singleoverwhelming barrier to rapid growth of e-commerce. Recent research findings alsoshow that the level of public concern for

privacy and personal information hasincreased since 2006 [1], [3]. In 2007, it

was found that 50 percent of Australiansare more concerned about providing

information about them online than theywere two years ago [4]. A recent survey inEurope also indicates that about a quarterof social network users (26 percent) andonline shoppers (18 percent) feel that theyare not in complete control over their

personal data [5]. Internet users areworried that they give away too much

personal information and want to beforgotten when there is no legitimategrounds for retaining their personalinformation [6].

This paper explores the constraints on theexercise of individual autonomy. Viewedfrom the perspective of autonomy, itconsiders what autonomy means for these

purposes and whether current practices(such as the use of standard-form privacy

policy statements, bundled consent)protect individual autonomy. It argues thatto resolve the problem with allowing theuse and/or disclosure of personalinformation based on consent, the e-commerce user must first have sufficientknowledge of the purpose for informationcollection, its use and disclosure ofinformation collected; secondly, consentmechanisms should allow informed andrational decision making; thirdly, there

should be the opportunity for individualchoice allowing withdrawal of consent orthe opting out of information collection.This paper also examines the effects of

privacy violations on individual whenthere is covert collection, automatic

processing, and data security risks thatarise from such activities. This paper alsoquestions the assumption in mostlegislation which affects e-commerce

users, that consent is sufficient to waive anindividuals privacy interests.

The Right to Consent and Control Personal Information Processing in Cyberspace

Thilla RajaretnamAssociate Lecturer, School of Law,

Consumer concerns over the safety of theirpersonal information and the violation of theirprivacy rights are described as being the singleoverwhelming barrier to rapid growth of e-commerce. This paper explores the problemsfor e-commerce users when there is collection,use, and disclosure of personal information

that are based on implied consent in e-commerce transactions. It questions theassumption that consent is sufficient to waiveprivacy interests in relation to e-commercetransactions. It will argue that consent shouldnot necessarily be sufficient to waive privacyinterests, and that the collection, use and/ordisclosure of personal information should besubject to regulation.

232

International Journal of Cyber-Security and Digital Forensics (IJCSDF) 1(3): 232-240The Society of Digital Information and Wireless Communications (SDIWC) 2012 (ISSN: 2305-0012)
mailto:[email protected]:[email protected]


2/9


3/9

expectation that their personal informationmay or will be collected [14], [15].

Before e-commerce users can make aconsidered decision whether to consent,

they must have some understanding of theimplications of what is being consented to,and sufficient detail in language suitablefor e-commerce users to give genuineconsent [15]. An e-commerce user abilityto exercise autonomy is furthercompromised by the use of bundled or

blanket consent used by data collectorsand e-business operators [13]. Bundledconsent refers to the consent to a widerange of uses and disclosures without

giving an individual the opportunity tomake a choice about which use ordisclosure they agree to and which they donot. Bundled consent frequently includesterms and conditions allowing changes to

privacy policies without notice. Datacollectors are also using bundled privacyclauses to collect personal information forsecondary use for use in data mining [13].The written statements of bundled consentmay be changed without notice, or someelements outside the privacy policy, or

bundled consent could be added tocustomer agreements to allow data miningin the future [13], [15], [16]. So the use of

bundled consent cannot be meaningfulbecause the person who consents to suchterms and conditions does not know whathe or she is consenting to. One reason

being that privacy clauses containingbundled consent are usually lengthy, often

in very small font size and may not beeasily accessible [14], [18].

This paper suggests that the use of bundledconsent should be prohibited or closelymonitored by regulators so as to notinfringe the privacy rights and restrict anindividuals right to withdraw consent.

The issue of consent on the internet raisessignificant privacy concerns with theemergence of new technological

challenges. There is the added problemrelating to young persons and others who

may lack legal capacity to consent. Tied toconsent is the exercise of choice by theindividual.

2.2ChoiceA secondary sense in which autonomy isused is that it requires freedom of choice[12], [13]. Control over personalinformation enables an autonomousindividual to make choices, and to selectthose persons who will have access to their

body, home, decisions, communication,and information and those who will not.Choice requires the individual to be arational consumer making informed and

considered decisions and having options inrelation to their personal information. Fairinformation practices require that whenthere are any changes to an organisations

privacy policy the website user should bealerted to this change with informationwhich includes the date of issue and a listof changes made by the organisation to the

prior version; and that reasonable noticemust be given whenever personalinformation is to be shared with others[19], [20].

In e-commerce, individuals make choicesabout the use and disclosure or surrenderof their personal information for secondary

purposes. The options that are available toindividuals in cyberspace to collection, useand the sharing their personal informationis exercised through the opt-in and opt-outregime. There are different views on the

efficacy of opt-in versus the opt-outregime. On one view this could beconsidered consent by trickery while theother view is that there is no true choice[13].

Available evidence suggests that only avery few e-commerce users exerciseautonomy in this sense; users seldom read

privacy clauses on websites or changetheir behaviour as a consequence [17],

[18]. The e-commerce users ability toexercise autonomy as deliberative choice

234



4/9

is constrained in a number of ways. Firstly,an e-commerce users choices whether toaccess a website may be constrained ifrequired to agree to terms and conditionsup front or may find that alternatives are

equally constrained. If other providershave similar policies which do not allowthe user to refuse the terms and conditions,the e-commerce user will lack autonomyin this secondary sense. Often internetusers also have no alternative but areobliges to give their consent to accessservices and goods advertised on theInternet. If an individual does not activelyselect to opt out then he or she is taken toagree by default. Alternatively the box

may be ticked as the default state toindicate agreement with the consumerrequired to untick the box if they do not

agree. It is doubtful if e-commerce usersexpress genuine consent to the use of their

personal information when they tick on thebox that they have read these standardform privacy policies and accept the termstherein. The e-commerce user is unlikelyto fully appreciate the effect andimportance for their privacy of ticking a

box agreeing to the terms and conditionsof access to the website or the transaction.Secondly, there are significant barriers tothe effective exercise of autonomy when e-commerce users have difficulty in locatingthe providers privacy policy. Informationmay not be easily accessible, or difficult tofind, or in legal language which is noteasily comprehended, or may be lengthyand vague as to exactly what is being

agreed or what rights they are actuallysurrendering [18].

3. PRIVACY VIOLATIONS

It appears that the e-commerce userscapacity to exercise autonomy and to

protect their privacy is furthercompromised by the automatic processingof personal information, use of privacyinvasive technologies, and data security

risks.

3.1Automatic ProcessingAutomatic processing of personalinformation allows the aggregation of

personal information, identification of

individuals, and secondary use of personalinformation with or without consent. Theautomatic processing and secondary useand disclosure of personal informationcollected without the consent ofindividuals through data surveillance

affect individual privacy interests [21],[22], [23]. The privacy issue is that

profiles expose Internet and e-commerceusers to risks of the information beinglinked to other information such as names,

addresses and e-mail addresses makingthem personally identifiable. Theharvesting of personal information throughmonitoring and sensing using privacyinvasive technologies is pervasive and

poses special risks to privacy ofindividuals [23].

Database companies are able to correlateand manipulate the data collected throughthe process of data matching, sentiment

analysis, customer profiling, and the

creation of digital dossiers [24], [25].Cookies are the most common profilingmechanism used on the Internet [24] [25].Besides the ability to profile e-commerceusers, the increasing interconnectedness,affordable, fast, on-line systems alsoenable the building of electronic dossiers.Critical decisions about an individuals

status, reputation and credibility either to

determine eligibility and suitability forjobs, credit worthiness, and criminalrecord can readily be made by tapping intodigital dossiers [22], [25]. The processeddata in the form of profiles and digitaldossiers can be disseminated or can bemade accessible easily; it can betransferred quickly from one informationsystem or database to another and across

borders with the click of the mousewithout the knowledge or consent of the

data subject [22], [25]. Personalinformation in the digital dossiers is at risk

235



5/9


6/9

Collection Limitation Principle [36]; andEuropean Unions Directive 95/46/EC

provide for privacy principles [19], [38],[39], [40]. Privacy principles provide forcompliance with displaying privacy

policies statements; notice of personalinformation collection, use and/ordisclosure; breach notification; access andcorrection that are viewed as a prerequisitefor fair information collection practices[36], [19] Similarly, in the Asia-Pacificregion, the Asia-Pacific Economic Co-operation (APEC) Privacy Framework

provide for privacy principles [41] providefor personal information protection.APECs Data Privacy Pathfinder contains

general commitments leading to thedevelopment of a Cross-Border PrivacyRules (CBPR) system [41]. The EUDirectives in particular have beeninfluential but compliance is notmandatory for non EU Member States.Although non-EU countries have adoptedsimilar fair information practices into theirnational legal frameworks [36], [19] thereare various approaches and varyingdegrees of protection for personalinformation under national frameworks.In contrast to EU laws, the Australian

privacy framework is considered to beinadequate. The primary federal statute for

privacy protection that is the Privacy Act1988 (Cth) (Privacy Act) NationalPrivacy Principles (NPPs) [37] havetheir foundation consumer choice orconsent as an essential element. But thereis also no right to privacy under the

common law although a statutory tort ofprivacy is being mooted [20]. Privacyprotection in Australia is a patchwork offederal and state statutory regulation andindustry codes of practice and incidental

protection at common law arising out totorts, property, contract and criminal law.Although it is not possible to ensure that aconsumer will act rationally with informedconsideration before deciding to waivetheir privacy rights, the legislature can, at

least, legislate to remove constraintspreventing informed and rational decision

making. Neither the Privacy Act nor theNPPs prohibit bundled consent. It alsoappears that the Privacy Actgives priorityto commercial interests in relation to directmarketing and secondary usage as the

existing legislative structure provide thatconsent may be express consent, or

implied consent [37].

At the international level, law reforminitiatives are currently focused onenhancing privacy protection. For examplethe e-Privacy Directive, now requires EUMember States to ensure that thestoring ofinformation, or the gaining of access toinformation already stored,is only allowed

on condition that the data subjectconcerned has given his or her consent,having been provided with clear and com-

prehensive information, in accordancewith Directive 95/46/EC, inter alia, aboutthe purposes of the processing [39].Theseinitiatives have also influenced theAustralian Law Reform Commissions(ALRC). The ALRC has amongst othersrecommended developing a single set ofPrivacy Principles; redrafting and updatingthe structure of the Privacy Act; andaddressing the impact of new technologieson privacy; and data security breachnotification [20]. It is proposed that asingle set of privacy rules, compliance andenforcement will strengthen privacy

protection for Internet users.

4.2 Other Mechanisms for Privacy

Protection

In relation to the problem to exercisingconsent and choice, it is suggested that anychoice regime should provide a simple andeasily accessible way for consumers toexercise this choice. This paper suggeststhat an opt-in regime is a better option thanthe opt-out regime. It is suggested that theopt-in regimes require positive action bythe consumer to allow the organisation thatis collecting and using their personal

information. It also suggests that simpleand effective mechanisms for ecommerce

237



7/9

users and other Internet users to give andwithdraw consent must be in place.

Transparency in data collection is a crucialpart of data protection. But an average data

subject is not always aware of how to usebrowser settings to reject cookies andoften unaware that their online activitiesare being tracked. Notification encouragestransparency about data collection and thesubsequent handling of personalinformation. Appropriate notification priorto data collection; and information

provided to e-commerce users such as, ifthe information collected will be used orshared with a third party or parties, will

restore control over personal informationand give individuals an opportunity toconsent or to withhold consent to the useof their personal information for primaryand/or secondary purposes. Such anapproach puts a premium on individualchoice and privacy but probably at somecost of efficiency for the e-commerce

provider. Prior notice to data collectionallows an autonomous individual theoption to decide and make choices whetherto share their personal information withothers. Notification with standard privacyclauses attached allows individuals to beable to access their personal informationand to correct incorrect information heldabout them; and it also allows individualsto withhold consent to the collection of

personal information for unlawfulpurposes [19], [20] .

In addition, notification of data securitybreach gain consumer trust and reducedrisk to personal information. Mandatorynotification of data security breaches alertscustomers and ensures that customers andusers are able to take timely action to limitrisks to their personal information fromrisk by for example changing their pinnumber and passwords [20], [39], [40],[42]. Technological tools establishing

privacy preferences besides continuous

privacy awareness and education can also

be effective in protecting personalinformation.

5 CONCLUSIONThis paper has examined the significanceof privacy for individuals as a fundamentalhuman right. Violations of human rightsarise from the unlawful collection andstorage of personal data, the problemsassociated with inaccurate personal data,or the abuse, or unauthorised disclosure ofsuch data. The difficulty of finding andunderstanding information relating to

privacy policies, blanket or bundledconsents, the lack of choice whether to

accept conditions and the preference giveto commercial interests reduces theindividuals autonomy to make informed

decision making, and to control andconsent to the use their personalinformation. Autonomy is only trulyobserved if the e-consumer is able to

provide explicit consent and has bothchoice and the opportunity to makerational and informed decisions. Consentto the collection, use, and disclosure of

personal information should be regarded asinstrumental to individual autonomy.

The proposed reforms to enhanceinformation protection in cyberspace bothin Europe and the Asia-Pacific region isaimed to strengthen and give Internet usersmore control over their personalinformation, make it easier for individualsto access and improve the quality of

information they receive from datacollectors about what happens to theirpersonal information, with who theirinformation is shared with, and also toensure that personal information is

protected no matter where it is sent orstored. This paper proposes that moreappropriate regulatory response to removeconstraints which impede considereddecisions about privacy by e-commerceusers needs to be in place to protection of

personal information in cyberspace. Forexample in relation to e-commerce users,

238



8/9

the legislative framework can be satisfiedif the user has liberty of action, that is, ifthe user agrees without duress or coercion.Viewed from the standpoint of individual

privacy, legislation should also ensure that

constraints on the ability to make rationaldecisions are removed. But only time willtell if current reforms initiatives andregulation have been effective in

protecting personal information of Internetusers in cyberspace.

6 REFERENCE[1] Office of the Privacy Commissioner:Submission to the Australian Law ReformCommission Review of Privacy Discussion Paper72 (2007).

[2] Schwartz, P.M.,: Privacy and Democracy inCyberspace, Vanderbilt Law Review, vol. 52, pp.1609-1702 (1999).

[3] Privacy Commissioner: Privacy concerns onthe up: Annual Report 2009, Office of the PrivacyCommissioner, New Zealand,( 2009).

[4] Office of the Privacy Commissioner: PrivacyMatters, vol. 1, Issue 4, Australian Government

(2007).

[5] European Commission: Why do we need an EUdata protection reform? (2012)http://ec.europa.eu/justice/data-

protection/document/review2012/factsheets/1_en.pdf

[6] Special Eurobarometer 359: Attitudes on DataProtection and Elecronic Indentity in the EuropeanUnion (2012)http://ec.europa.eu/public_opinion/archives/ebs/ebs

_359_en.pdf

[7] Warren, S., Brandeis, L.: The right to privacy,"Harvard Law Review vol. 4, pp. 193220 (1890).

[8] Westin, A.: Privacy and Freedom, pp. 487. NewYork, Atheneum Publishers (1967).

[9] Rossler, B.,: The Value of Privacy, pp. 1-17.Cambridge, Polity Press, (2005).

[10] Schoeman, F., (ed.): Philosophical Dimensionsof Privacy: An Anthology, pp. 346-402 Cambridge,Cambridge University Press (1984).

[11] Penny, J. W.,: Privacy and the NewVirtualism, Yale Journal of Law & Technology,vol. 10, pp. 194-250 (2008).

[12] Regan, P.,: The role of consent in informationprivacy protection, Center for Democratic and

Technology (2009).

[13] Cavoukian, C.,: Data Mining: Staking a Claimon Your Privacy, Office of the Information andPrivacy Commissioner, Ontario (1998).

[14] Clarke, R.,: e-Contract: A Critical Element ofTrust in e-Business. In: Proc. 15

thBled Electronic

Commerce Conference, Bled, Slovenia (2002).

[15] Clarke, R.,: The Effectiveness of PrivacyPolicy Statements, Xamax Consultancy Pty Ltd.(2008).

[16] Marotta-Wurgler,F.,:Does DisclosureMatter?, New York University Law and EconomicsResearch Paper, No. 10, pp. 54 (2010).

[17] Senate Select Committee on InformationTechnologies: Cookie Monsters?: Privacy in theinformation society, Commonwealth Parliament ofAustralia (2000).

[18] Out-Law.com: Average privacy policies take s10 minutes to read, research finds,' Out-Law.com(2008) http://www.out-law.com/page-9490.

[19] European Commission: Directive 95/46/EC ofthe European Parliament and of the Council of 24October 1995 on the protection of individuals withregard to the processing of personal data and on thefree movement of such data (Directive 95/46/EC)(1995).

[20] Australian Law Reform Commission (ALRC):For Your Information: Australian Privacy Law andPractice (ALRC Report 108)(2008).

[21] Australian Communications and Media

Authority (ACMA): Growth in sensing andmonitoring information driving change in service,ACMA Media Release 89/2011 (2011).

[22] Solove, D. J.,: A Taxonomy of Privacy,University of Pennsylvania Law Review vol. 154,

No. 3, pp. 477-560 (2006).

[23] Electronic Privacy Information Centre:Cookies (2011)http://www.epic.org/privacy/internet/cookies/

[24] Cavoukian, C.,: Privacy and the Open

Networked Enterprise, Information and PrivacyCommissioner, Ontario, Canada (2006).

239

http://www.epic.org/privacy/internet/cookies/http://www.epic.org/privacy/internet/cookies/


9/9

[25] Clarke, R., : Information Technology andDataveillance, Communions of the ACM, vol. 31,Issue 5, pp. 498-512, (1988).

[26] Privacy International: PHR2006Privacy

topics: Electronic commerce (2007)http://www.privacyinternational.org/article.shtml

[27] Solove, D. J.,: The Digital Person: Technologyand Privacy in the Information Age, New York:

New York University Press (2004).

[28] Solove, D. J.,: Digital Dossiers and theDissipation of Fourth Amendment Privacy,Southern California Law Review, vol. 75, pp.1083-1167 (2002).

[29] Electronic Privacy Information Centre

(EPIC): Federal Trade Commission AnnouncesSettlement in EPIC Facebook Privacy Complaint -Social Networking Privacy (2011)http://epic.org/privacy/socialnet/

[30] R. Clarke, R., A. Maurushat, A.,: TheFeasibility of Consumer Device Security,University of New South Wales Law Research,Series No. 5 (2009).

[31] Solove, D.J.,: The New Vulnerability: DataSecurity and Personal information. In : SecuringPrivacy in the Internet Age, A. Chander, A.,

Gelman, L., Radin, M. J., (eds.) StanfordUniversity Press (2005).

[32] Australian Broadcasting Corporation: Fear inthe Fast Lane. Four Corners Program - ABC.net.au(2009)http://www.abc.net.au/4corners/content/2009/s2658405.htm.

[33] Australian Payments Clearing Association:Payments Fraud in Australia - Media Release(2010) http://www.apca.com.au.

[34] Australian Institute of Criminology: ConsumerScams-2010 and 2011 (2011)http://www.aic.gov.au/en/publications/current%20serices/rip21-40/rip25.aspx.

[35] Australian Crime Commission: Crime ProfileSeriesIdentity Crime - Fact Sheet (2011)http://www.crimecommission.gov.au/sites/default/files/files/identity-crime.pdf

[36] Organisation of Economic Cooperation andDevelopment (OECD): OECD Guidelines on theProtection of Privacy and Transborder Flows of

Personal Data (OECD Guidelines) (1980)

http://www.oecd.org/documentprint/0,3455,en_2649_34255_1815186_1_1_1,00.html

[37] Privacy Act 1988 (Cth.) s 6, Sch 3 NationalPrivacy Principles (NPPs).

[38] European Commission: ePrivacy Directiveclose to enactment: improvements on security

breach, cookies and enforcement, and more tocome, Ref.: EDPS/09/13.European Union (2009).

[39] European Commission: EU Directive onPrivacy and electronic Communications, Article 29WP Issues Opinion on Cookies in the NewePrivacy Directive (2010).

[40] European Commission: ePrivacy DirectiveRegulations. European Union (2011)http://ec.europa.eu/information_society/policy/eco

mm/doc/library/public_consult/data_breach/ePrivacy_databreach_consultation.pdf

[41] Asia-Pacific Economic Cooperation (APEC):APEC Data Privacy Pathfinder Initiative (2012)http://www.ag.gov.au/Privacy/Pages/APEC-Data-Privacy-Pathfinder-Initiative.aspx

[42] Greenleaf, G.,: Five years of the APECprivacy Framework: Failure or promise? (2008)http://austlii.edu.au/~graham/publications/2008/Greenleaf_ASLI0408.pdf

240

http://www.aic.gov.au/en/publications/current%20serices/rip21-40/rip25.aspxhttp://www.aic.gov.au/en/publications/current%20serices/rip21-40/rip25.aspxhttp://www.ag.gov.au/Privacy/Pages/APEC-Data-Privacy-Pathfinder-Initiative.aspxhttp://www.ag.gov.au/Privacy/Pages/APEC-Data-Privacy-Pathfinder-Initiative.aspxhttp://www.ag.gov.au/Privacy/Pages/APEC-Data-Privacy-Pathfinder-Initiative.aspxhttp://www.ag.gov.au/Privacy/Pages/APEC-Data-Privacy-Pathfinder-Initiative.aspxhttp://www.aic.gov.au/en/publications/current%20serices/rip21-40/rip25.aspxhttp://www.aic.gov.au/en/publications/current%20serices/rip21-40/rip25.aspx

The Right to Consent and Control Personal Information Processing in Cyberspace

Documents

Transcript of The Right to Consent and Control Personal Information Processing in Cyberspace