Chapter 4 Ethical and Social Issues in Information Systems 165
The European Directive on Data Protection
In Europe, privacy protection is much more stringent than in the United States. Unlike the United States, European countries do not allow businesses to use personally identifiable information without consumers’ prior consent. On October 25, 1998, the European Commission’s Directive on Data Protection went into effect, broadening privacy protection in the European Union (EU) nations. The directive requires companies to inform people when they collect information about them and to disclose how it will be stored and used. Customers must provide their informed consent before any company can legally use data about them, and they have the right to access that information, correct it, and request that no further data be collected. Informed consent can be defined as consent given with knowledge of all the facts needed to make a rational decision. EU member nations must translate these principles into their own laws and cannot transfer personal data to countries, such as the United States, that do not have similar privacy protection regulations. In 2009, the European Parliament passed new rules governing the use of third-party cookies for behavioral tracking purposes. These new rules were implemented in May 2011 and require that Web site visitors give explicit consent to be tracked by cookies. Web sites will be required to have highly visible warnings on their pages if third-party cookies are being used (European Parliament, 2009).
In January 2012, the EU issued significant proposed changes to its data protection rules, the first overhaul since 1995 (European Commission, 2012). The new rules would apply to all companies providing services in Europe, and require Internet companies like Amazon, Facebook, Apple, Google, and others to obtain explicit consent from consumers about the use of their personal data, delete information at the user’s request (based on the “right to be forgotten”), and retain information only as long as absolutely necessary. The proposed rules provide for fines up to 2% of the annual gross revenue of offending firms. In the case of Google, for instance, with annual revenue of $38 billion, a maximum fine would amount to $760 million. The requirement for user consent applies to cookies and super cookies used for tracking purposes across the Web (third-party cookies), and not to cookies used on a single Web site. Like the FTC’s proposed framework, the EU’s new proposed rules have a strong emphasis on regulating tracking, enforcing transparency, limiting data retention periods, and obtaining user consent.
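The rules above hinge on the distinction between cookies a site sets for itself and third-party cookies set by other domains embedded in the page. The following added example (not from the textbook, and not any regulator's tool) shows how that distinction is made in practice: each Set-Cookie header observed while loading a page is attributed to a registrable domain and compared with the page's own, and the third-party ones are the cookies that would need the explicit consent the text describes. The public suffix table and the sample response headers are constructed for illustration; a real implementation would use the full Public Suffix List.

```python
"""Classify Set-Cookie headers seen during a page load as first- or third-party.

Added example, not from the textbook. The public suffix table below is a
constructed, deliberately tiny stand-in for the real Public Suffix List.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption for the example).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1) of a hostname.

    Walks from the full hostname toward the shortest suffix, so the longest
    known public suffix wins (e.g. 'co.uk' before 'uk')."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host!r} is itself a public suffix")
            return ".".join(labels[i - 1:])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


@dataclass(frozen=True)
class CookieVerdict:
    name: str           # cookie name
    set_by: str         # host that sent the Set-Cookie header
    cookie_domain: str  # scope the cookie applies to (Domain attribute or host)
    third_party: bool   # True if scope differs from the visited site


def parse_set_cookie(header: str) -> tuple[str, dict[str, str]]:
    """Split a Set-Cookie header into (name, lower-cased attributes).

    The cookie value itself is discarded; only name and attributes matter here."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def classify(page_url: str, responses: list[tuple[str, str]]) -> list[CookieVerdict]:
    """Attribute each (response_url, Set-Cookie header) pair to first or third party.

    A cookie is third-party when the registrable domain it is scoped to differs
    from the registrable domain of the page the user actually visited."""
    site = registrable_domain(urlsplit(page_url).hostname)
    verdicts = []
    for resp_url, header in responses:
        responder = urlsplit(resp_url).hostname
        name, attrs = parse_set_cookie(header)
        # A Domain attribute widens the cookie's scope; default is the responding host.
        cookie_domain = attrs.get("domain", responder).lstrip(".")
        third_party = registrable_domain(cookie_domain) != site
        verdicts.append(CookieVerdict(name, responder, cookie_domain, third_party))
    return verdicts


def needs_consent(verdicts: list[CookieVerdict]) -> list[str]:
    """Names of cookies that, under the rule described in the text, need explicit consent."""
    return [v.name for v in verdicts if v.third_party]


# Constructed sample: a news page that embeds its own CDN, an ad network and a
# foreign-hosted font. Hostnames and cookie names are invented for the example.
PAGE = "https://news.example.com/story"
OBSERVED = [
    ("https://news.example.com/story",
     "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("https://static.example.com/app.js",
     "ab_test=B; Domain=.example.com; Path=/"),
    ("https://ads.tracker.net/pixel.gif",
     "uid=7f3e; Domain=.tracker.net; Path=/; Secure; SameSite=None"),
    ("https://cdn.example.co.uk/font.woff",
     "cdnid=9; Path=/"),
]

if __name__ == "__main__":
    results = classify(PAGE, OBSERVED)
    for v in results:
        kind = "third-party" if v.third_party else "first-party"
        print(f"{v.name:<8} set by {v.set_by:<22} scope {v.cookie_domain:<16} {kind}")
    print("require consent:", needs_consent(results))
```

Note that `ab_test` is first-party even though it is set by a different host, because `static.example.com` and `news.example.com` share the registrable domain `example.com`, while `cdnid` is third-party despite looking similar, because `example.co.uk` is a different registrable domain. That is exactly why the comparison must be made on registrable domains rather than on raw hostnames or string prefixes.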
Working with the European Commission, the U.S. Department of Commerce developed a safe harbor framework for U.S. firms. A safe harbor is a private, self-regulating policy and enforcement mechanism that meets the objectives of government regulators and legislation but does not involve government regulation or enforcement. U.S. businesses would be allowed to use personal data from EU countries if they develop privacy protection policies that meet EU standards. Enforcement would occur in the United States using self-policing, regulation, and government enforcement of fair trade statutes.
Internet Challenges to Privacy
Internet technology has posed new challenges for the protection of individual privacy. Information sent over this vast network of networks may pass through many different computer systems before it reaches its final destination. Each of these systems is capable of monitoring, capturing, and storing communications that pass through it.
Web sites track searches that have been conducted, the Web sites and Web pages visited, the online content a person has accessed, and what items that person has inspected or purchased over the Web. This monitoring and tracking