As the UK’s Data Protection Commissioner announced a record rise in the number of complaints over the misuse of personal data held by third parties, there have been a number of other significant data privacy developments on both sides of the Atlantic.
Topic: Data privacy
Who: TRUSTe, European Parliament, DoubleClick, Stockpoint Inc., CEN
When: July 2000
Where: US, UK, EU
What happened:
In a month when the UK’s Data Protection Commissioner announced a record rise in the number of complaints over the misuse of personal data held by third parties, (with 130 out of 145 organisations taken to court found to have illegally used or obtained data), there have been a number of other significant data privacy developments on both sides of the Atlantic.
In Europe, the European Parliament expressed deep misgivings about the proposed "Safe Harbor" agreement between the US and the EU, designed to facilitate EU-US transfer of personal data transfers in a manner compliant with the EU Data Protection Directive. The EP wants changes to the deal including a right for individuals to appeal to the courts in respect of any decision in relation to their personal data, and an obligation to pay compensation for financial or moral damage done as a result of illegal collection or use of data.
Back to the drawing board! Unless of course the US ends up introducing federal data protection laws after all, a development which is all the more likely after clear indications by the FTC that in its view self regulation has not worked and a body similar to the UK’s Data Protection Commission should be set up.
Two other developments are consistent with this. First, DoubleClick was recently served with 15 separate lawsuits in respect of its data mining practices, claiming more than $1 billion. The claims relate to DoubleClick’s use of "cookies" to track consumers’ on-line activities without their knowledge, although DoubleClick deny the data collected identifies any indvidual.
Separately, Iowa-based website owner Stockpoint Inc has been prosecuted along with three other on-line consumer data collectors by the Michigan state attorney general for alleged breaches of Michigan consumer protection laws criminalising unfair and deceptive practices. Stockpoint’s misdemeanour? Not having a data privacy policy on its site, and thereby failing to tell consumers how it would use data collected, including passing data to third parties.
Finally, in a move likely to give little comfort to on-line marketers struggling to get to grips with existing data protection legislation, the European Standardisation Committee CEN has been encouraged by the European Commission to embark on a consultation process to investigate the feasibility and popularity of a set of on-line data protection standards. Well intentioned this move may be, but it is difficult to see how yet more e codes and guidelines will make life easier for marketer or consumer. See our piece on Selling on-line and the profusion of new consumer protection codes in Newsfeed Stop Press.
Why this matters:
It is fast becoming clear that above all other consumer issues in the on-line environment, data privacy is presently generating the most concern, dismay, mistrust and uncertainty. UK companies who have been collecting and using data for years in blithe disregard for even the most basic requirements of the data protection legislation (such as the need to register with (now "notify") the Data Protection Commission) are realising that they will not be able to hide their heads in the sand for much longer. The enforcers, on the other hand, are still under-resourced and in hopeless disarray as to how to stem the tide of non-compliance. The UK’s Data Protection Commission, for instance, is busy putting it about that recent regulations controlling cold calling apply to unsolicited commercial e mail when this is only faintly arguable and areas where the Commission do clearly have a remit are not being properly publicised or policed.
