MANILA, MAY 5, 2008
(STAR) HINDSIGHT By Josefina T. Lichauco - I will endeavor to cover some of the suggestions given by a number of those who sent their questions and comments via e-mail. Taking together a number of these, the umbrella issue boils down to this: What type of information may a company collect about persons and entities online and what may the company do with that information?

A person’s “vital statistics,” meaning, personally identifiable information — such as name, address, date of birth, occupation, even income, sports, hobbies, etc. — are highly valued by marketers because being in possession of these data enables them to reach highly targeted audiences.

Not all information that a company succeeds in gathering online is always submitted by a user. For instance, any well-run
e-commerce site keeps a record of every item ever ordered by a particular customer, and some may even keep a record of items viewed but not ordered by a customer. That’s how a lot of dot-coms offer their users specific recommendations that are personalized so that, for instance, when a user accesses the website, the retailer can recognize the user either when he or she logs in or by reading what has been endearingly called a “cookie” which, in effect, is a unique identifier placed by the website on the user’s hard drive.

While some people may find this type of personalization useful, others find it invasive and disturbing, which was the question of Prof. Clara Seri Lawrence, who sent her comments via e-mail from Philadelphia in the US. So, too, with Prof. Timoteo N. Bundy, a Fil-American from Boston, who has given me information and comments that are indeed valuable and useful theories/concepts to bear in mind.

According to Prof. Bundy, regardless of how users may view this type of information-collecting, no US law forbids it directly; of course, no Philippine law either. And no US or Philippine law, except for a few situations, such as those relating to medical and financial information, really prevents what a company can do with it.

He points out that one interesting situation had to do with videotape rentals. He narrates the story behind it. In 1987, the late US President Reagan nominated Robert Bork to fill a vacancy as justice of the US Supreme Court. In the process of Bork’s nomination, an enterprising reporter obtained a list from a video rental store of the movies Bork had rented.

The reporter wanted information showing that Bork had rented pornography, but as it turned out, the list was innocuous. However, according to Bundy, so many were disturbed by the fact that records of this type could be obtained that the US Congress passed the Video Privacy Protection Act of 1988, also known as the “Bork Bill,” which actually made it illegal, under many circumstances, for any video company to disclose what videos someone has requested or obtained.

This happened during the pre-Internet days, before the miracle of the World Wide Web descended upon the global community of men. If that list happened to emerge in a website, blogsite, an exchange of e-mails, etc., the said information would be as open and public as you can get and could very well fall under a person’s e-privacy rights.

For consumer confidence to be as high in electronic commerce as it is in ordinary commerce, the e-marketplace should have the same level of privacy protection as the real marketplace. International agreements covering the operation of such industries as airlines, broadcasting, investment banking, manufacturing, etc. exist, so a legal resolution is certainly not out of the question.

Legislatures all over the world are considering laws that would protect e-privacy, particularly for business and personal data. Since the widespread use of computers in the 1980s ushered in a multitude of privacy legislations all over the world, these bills have signaled the most dramatic change in privacy legislation.

I think Canada has an excellent privacy code, which was developed by the Canadian Standards Association, attempting to balance the need to protect individual privacy and the desire of organizations and businesses or other enterprises to collect personal data.

Countries the world over have enacted privacy policies. The global characteristics of the Internet imply that Internet users will be required to deal with differing privacy approaches. This, in turn, is bound to result in international dissension.

At a conference in Canada in 1999, the issue was discussed with some degree of urgency and importance. (The accompanying photo shows me with the Canadian conference chair on the right and other delegates, after a difficult meeting on e-privacy). An example of nations with conflicting privacy laws urgently meeting to address the e-privacy issue are the countries of the European Union. A Directive on Data Protection was issued, which applied when an individual processes personal data manually or automatically with a computer.

Similar to, but not identical with, the American model, the European directive authorizes the processing of personal data if the processor notifies the individual and receives consent to disseminate the information. The American model did not require this. The US and the EU remain deadlocked over this issue of data privacy, particularly over how to extend the European protection system to personal information held by US companies.

We, citizens of the world, should all be concerned about the erosion of Internet privacy in our respective countries, because individuals do not have the legal standing to bring suits under International Law, and because individuals can do little to protect themselves from the awesome powers of a state to gather information.

A model privacy code, as far as studies have shown, should require that:

1. Entities identify their data collection purpose;

2. Entities limit the use of that information to the purposes identified;

3. Entities must obtain consent to collect and use data;

4. Said organization must obtain consent to disclose the data collected;

5. Individuals should be granted access rights to their personal data;

6. Entities must keep accurate and current data regarding their customers;

7. They must provide the public with information on their data protection policies;

8. Government authorities may conduct compliance audits to ensure accuracy.

Since e-privacy legislation in many jurisdictions has yet to be written, and international treaties in relation to e-privacy have not been signed, e-businesses and Internet users should rely on voluntary e-privacy rules. On this matter, Dr. Emman Fitzgerald, an Englishman who does business with Thailand and Indonesia, e-mailed me to inquire about said voluntary e-privacy rules and the “legal niceties” that prevail. This was really going to be the topic of my next article.

The above is just the tip of a growing iceberg that a lot of jurisdictions have to address in a connected global community where these “legal niceties” can further complicate a world already suffocated with the gravest problems that have to do with terrorism and wars.

Chief News Editor: Sol Jose Vanzi

All rights reserved