EU report seeks Net privacy laws

The European Union report rejects the White House stance that industry solutions--not laws--can best safeguard consumers online.

4 min read
Fanning an international conflict over how to protect online privacy, the European Union has released a report rejecting the White House stance that industry solutions--not laws--can best safeguard sensitive information on the Net.

In a draft opinion, the European Commission said that to be effective, the two most prominent technological standards being considered by the World Wide Web Consortium to let Net users provide Web sites with personally identifiable data need to be backed up by a strong regulatory framework.

Both standards--the Platform for Privacy Preferences (P3P) and the Open Profiling Standard (OPS)--let computer users set up profiles and then negotiate to release that information to Web sites in return for goods and services, such as a subscription to a proprietary news site.

Netscape Communications and Microsoft are building the standards into their browsers--which is exactly the type of self-regulatory approach to protecting online privacy being endorsed by the Clinton administration.

The White House has been pushing industry self-regulatory solutions to shield online privacy, but EU lawmakers are proposing regulations to ensure the personal data is fairly collected and not exploited. The conflicting philosophies will come to a head this fall when a European privacy directive goes into effect, which stands to hinder the flow of e-commerce between the United States and countries in the European Union.

The European Commission's working party on personal privacy reviewed P3P and OPS and released a draft report on June 16 stating: "A technical platform for privacy protection will not in itself be sufficient to protect privacy on the Web."

The opinion went on to say that the technologies must be backed up by laws that give consumers' data inherent protections, such as those outlined by the Organization for Economic Cooperation and Development in 1980.

"Use of P3P and OPS in the absence of such a framework risks shifting the onus primarily onto the individual user to protect himself, a development which would undermine the internationally established principle that it is the 'data controller' who is responsible for complying with data protection principles," the working group states.

"Such an inversion of responsibility also assumes a level of knowledge about the risks posed by data processing to individual privacy that cannot realistically be expected of most citizens," the group adds.

Privacy advocates applauded the report.

"It's very significant, because over the last year, the European Commission has been saying more and more, 'If you can protect privacy through self-regulation, then that's cool,'" said Evan Hendricks, who analyzed the report for the Privacy Times last week.

"But with this opinion, basically the European Commission is pointing out the shortcomings of these technological approaches and is telling the W3C, Netscape, and Microsoft to go back to the drawing board," he added.

The paper states that when P3P is "implemented in the next generation of browsing software, [it] could mislead EU-based operators into believing that they can be discharged of certain of their legal obligations (e.g., granting individual users a right of access to their data) if the individual user consents to this as part of the online negotiation.

"Given that most Internet users are unlikely to alter any preconfigured settings on their browser, the 'default' position regarding a user's privacy preferences will have a major impact on the overall level of online privacy protection," it continues. "P3P and OPS must be implemented into browser technology with default positions which reflect the user's interest to enjoy a high level of privacy protection (including the ability to browse Web sites anonymously) without finding himself blocked or inconvenienced in his attempts to gain access to sites."

The W3C does not see the report as a criticism of the technologies.

"I think the opinion is very straightforward. It's not attacking P3P," Joseph Reagle, P3P project manager, said today. "While P3P is in the spotlight, broader issues of self-regulation and government regulation are important, but P3P is independent of that and can work in either environment."

With regard to defaults, Reagle said P3P is set up to let Net users look to known organizations for recommended settings.

"Defaults are going to be critical," he noted. "The P3P technology itself allows you to download the recommended defaults from a trusted third party."

At a Commerce Department summit last week, self-regulatory approaches to protect online privacy were examined, but many plans lacked enforcement. Many attendees said that a combination of industry guidelines, consumer education, and regulatory enforcement was the best way to shield online privacy.

Still, privacy advocates in the United States are pushing for new laws regarding data collection on the Net. Already the Federal Trade Commission has recommended legislation to prohibit collecting data from preteens without parental permission.

"I think the Europeans have given privacy much more thought than we have here," said Marc Rotenberg, director of the Electronic Privacy Information Center.

"The main point to take away from the commission's paper is the view that technical approaches provide only a partial solution," he added. "Standing alone this really doesn't work to protect privacy. You need to find approaches that involve legal rights."