Page 98 - Privacy in a Cyber Age Policy and Practice
P. 98

THE PRIVACY MERCHANTS  85

                                                   64
           additional uncertainty and compliance burdens.”  The ideal legislation
           for Microsoft and similar entities would provide “baseline privacy protec-
           tion” over which companies would be encouraged to “compete on the basis
                                       65
           of more robust privacy practices” —essentially regulating themselves.
           According to Microsoft Deputy General Counsel for Erich Anderson’s tes-
           timony before Congress, a federal law should be crafted only as “an effective

           complement to” self-regulation. 66
             State and sectoral laws have already addressed a number of privacy
                                                                    67
           issues (e.g., setting limits on tracking consumers for targeted advertising )
                                                      68
           while Congress has been largely inactive in this area.  Hence, following
           this line would, in effect, reduce privacy standards in those states that lifted
                                                                    69
           them and could prevent them from adding protections in the future.
           Moreover, the corporate proposal does involve some federal legislation
           rather than merely relying on self-regulation. Indeed, it seems impossible
           to restrain the privacy merchants without calling in Big Brother.


                 3. Consent for Secondary Use: Opt In Rather than Opt Out?

           A rather different approach holds that individuals who release informa-
           tion about themselves for a specific purpose or transaction, for example,
           to purchase a book from Amazon, would be understood to still “own” this
           information. Amazon could use it for other purposes (or sell that informa-
           tion to other parties) only with the explicit consent of the consumer, rather
           than on the basis of a privacy statement on its web pages or on presumed
           consent. Other words have been used to refer to the same idea in different
           contexts; for example, consumers would have to opt in to grant secondary
                                                            70
           and additional use of private information rather than opt out.  In Ameri-
           can discourse, the term “owned” is used because information is treated as
           property and private information as private property. Europe embraces the
           same idea; however, privacy is treated more as an individual right—as part
           of the personhood, which is violated when one’s private sphere is violated.
             In 1995, in an effort to establish minimum protections for Internet user
           privacy and establish baseline consistency among the data protection laws
           of EU member states, the European Council issued what is commonly
           called the “Data Protection Directive.” The directive, which scholars have
                                                           72
                          71
           called “aggressive”  and “extraordinarily comprehensive,”  took effect
           in October 1998. Based on a legal tradition that “expressly recognizes the
                                                       73
           fundamental right to the protection of personal data,”  the directive is
           credited with having established the most influential and prominent data
                                    74
           protections in the world to date.  However, it has proven difficult to ensure
           compliance in those countries governed by the directive. Although the
   93   94   95   96   97   98   99   100   101   102   103