1. Privacy as an International Information Issue MD823 October 18, 2004

2. Privacy in a networked society: An oxymoron? Have you: –Changed your address? –Made a credit card purchase? –Opened a commercial e-mail account? –Surfed the web? There is a record of your activities in a database and probably on the Net too You don’t own it or control who uses it (if you are a US citizen)

3. What Is Privacy? Definitions differ depending on national and individual perspective US legal perspective “The right to be left alone” (Justice Brandeis, 1890) Consumer perspective: Individual control over whether and how to share information EU perspective: Explicit and informed consent about how any personal information is collected and how it will be used –Legal protection to prevent unwanted transfer or re-use of personal data files Your definition?

4. International Privacy Issues Global networks enable/require regular trans-border data flows Different countries have different norms and laws governing privacy US generally supports corporate self-regulation within broad privacy protection guidelines Europe and some Asia/Pacific countries have enacted stricter privacy regulations Common Internet/web and wireless practices raise constant new borderline practices and enforcement issues

5. European Union Regulations Restrict These Practices--For All EU Citizen Data Overview of EU Regulations –Notice up front about the purpose of data gathering, active consent, right to correct, restrictions on re-use, and other protections Enforcement provisions Impact on US companies Attempts at compromise (Safe Harbor provisions)

6. Highlights of the EU Provisions  Notice: each data collector must disclose what personal information is collected and how it is going to be used  Choice: user must explicitly agree to every specific reuse of information for different purposes or any sharing with 3rd parties  Access: user may request to see all collected information and be able to correct errors  Security/Integrity: collector must protect info from errors and unauthorized access  Extra protection is required for “sensitive” info  There must be a recourse for users who feel that these directives are not being followed; enforcement provisions in the law of each country

7. US Privacy Guidelines Basic principles are similar: –notice, consent, access, data integrity Key difference is enforcement--government vs. self-regulation by industry and voluntary compliance by individual companies –“Seal programs” TrustE, BBBonline, etc. encourage model web privacy practices Economic interests and competitive advantage in E-Commerce are at stake and many companies are in violation of guidelines

8. Three Different Approaches Protecting Privacy Government: Regulation backed by legal rules for enforcement Self-Regulation: Establish privacy “best practices” Each industry polices itself; companies may elect to demonstrate compliance by participation in a recognized third party association (TrustE, BBB Online, etc.) Markets: Assume that if consumers refuse to do business with firms that have poor privacy policies (or no privacy policy) then over time those companies will suffer declining market share What are the pros and cons of each approach?

9. Tracking Voluntary Privacy Efforts in the US: A Mixed Record Random sample of 335 Web sites from top 5000 Web sites (Nielsen Net Ratings) 88% had at least one privacy disclosure and 62% posted a privacy policy But only 20% of total have a policy that specifically addresses at least one element of fair information practices (FTC Study June 2000) Increased membership and support for third party “good practice” privacy programs Compliance with EU regulations by largest companies But FTC studies show practice is not in line with rhetoric of privacy protection online

10. Profiling the dog AND its owner  Cartoon by Peter Steiner. Reproduced from page 61, July 5, 1993 issue of The New Yorker, (Vol. 69 (LXIX) no. 20) only for academic discussion, evaluation, and research. Customer Name Street Address & Zip Phone Number SSN / Drivers License Number Age Income Family Size and Ages Stated Product Preferences Family Interests Number & Types of Pets Frequency of Visits Total Purchase Volume Purchase History - Categories Purchase History - Items Purchase History Brands Slide Courtesy Ernst & Young LLP Typical Customer Database

11. A Deep Well of Online Customer Information That Keeps Filling Up With New Data Common Web Practices: –Collecting personal information for one site or application, then using it for other purposes or selling it to a third party –Tracking online behavior (clickstreams) on a large number of popular web sites and pooling that data to design targeted advertising –Aggregating and analyzing individual data across media--from storefronts, direct mail and phone responses, and online sources –“Profiling” desirable customers in terms of online and offline buying behavior

12. Along With A Global Sales Channel….

14. Possible Privacy Gate Keepers: Whom Do We Trust? Government roles –Monitor for security and law enforcement record keeper, tax collector, largest data owner –Privacy protector or big brother? Corporate roles –For customers prospecting, tracking, and marketing opportunities individual and aggregated info as a commercial product –For employees Maintaining HR, payroll, health & other records Monitoring online behavior and employee e-mails Third party roles

15. Balancing Privacy and Security in the Workplace Is your privacy protected at work? Monitoring of e-mail and web browsing Has your company published a policy spelling out appropriate use of e-mail and the Internet at work? –What does it say? Best practices for employee privacy