Le Courrier



Data-swindlers: gold mining in the badlands of e-commerce
Catherine Maussion, journalist at the French daily Libération.
A global view of data protection laws.









The long arm of the law

DoubleClick, the Internet’s largest advertising firm, had better watch its step. The company puts advertising banners on websites–and spies on users with electronic informers called cookies. The purpose is to determine Internet surfers’ profiles so that they can be sent tailor-made advertisements.
As long as Internet users were identified only by information about their computers, they remained relatively anonymous. But everything changed in 1999 when DoubleClick bought out Abacus, a database company that kept track of some two billion online orders–and the names of millions of Americans who placed them! DoubleClick combined its own files with those of Abacus to make an even bigger, more accurate database–and, more alarming still, one with names.
Privacy watchdog groups went on the offensive and sued the company. Eventually, DoubleClick was forced to give up its megabase.
More recently, the world’s biggest e-bookseller, Amazon, sparked another controversy. In September 2000, the money-losing business suddenly decided to rent customer information to third parties, something it had agreed not to do. Again, American privacy advocates sued. The bookseller triggered a similar uproar in the United Kingdom, where Privacy International even asked for Amazon.uk to be shut down!

Trading personal data on Internet users is a booming business that is also spurring laws to protect e-consumers

Two hundred dollars just for answering a questionnaire. The offer from an American group called Greenfield Consulting recently landed in the electronic mailbox of a member of France’s Information Technology and Freedom Commission (CNIL). The attractive proposal reflects the high premium that companies put on gathering data about Internet users.
Every year in late January, a huge file fair, the “customer relations” exhibition, takes place in Paris. At this year’s event, entirely devoted to e-commerce and the Internet, I-Base, a start-up founded in 1999, offered its file of 15 to 35 year-olds, “a behavioural database of over 700,000 young people.” Where do the names and data come from? The company refuses to answer the question. Another firm taking part in the event, Consodata, is one of France’s two megabase companies. Each year, Consodata and its counterpart, Claritas, send a form to millions of mailboxes with questions about outstanding loans, reading habits, hobbies, etc. Every bit counts: with time, these information snippets turn into refined consumer profiles that are worth gold.
In the age of e-commerce and personalized services, these companies are increasingly interested in Internet users. To find out their every whim, Consodata has set up a special subsidiary called Cabestan, which offers online games as bait to subscribers of Spray, an access provider. Personal information left behind while answering a quiz thus became a gold mine for Cabestan, which will put the data on the market soon.
These practices are already very far advanced in the United States, the cradle of the Net economy and of “data mining.” Serge Gauthronet, a consultant specializing in these issues, went there to visit “e-mail marketers” with “a mind-boggling artillery.” First, they send forms to the most popular sites, asking visitors to answer questions about their profession, leisure activities, children and so on. What’s more, the Internet users are “tracked” while making purchases and surfing the Net. This enables online marketing firms to send them increasingly specific offers. These companies boast about being able to send up to 100 million emails a day! Since there are about 200 of them worldwide, their total strike force may be as high as 20 billion emails a day, says Gauthronet, or “about sixty emails per electronic mailbox every 24 hours!”

When the cookies crumble
Gauthronet has just submitted a detailed report about these practices to the European Commission. His first conclusion is that data-gathering methods seem more transparent now than they did a few years ago, when the overwhelming majority of companies collected information without Internet users knowing it. Their most widespread methods consisted of using “cookies” (software installed on hard drives to record users’ comings and goings on the Net), or directing their questions to children, who are more forthcoming. Nowadays, information is increasingly gathered with the express consent of the consumer (known as the “opt-in” principle), who can pull out of the game at any time. Another advance is “permission marketing”: e-marketers are starting to ask users for their consent before bombarding them with advertising emails.
So, where’s the threat? First, says Gauthronet, some companies don’t always have a very scrupulous vision of opt-in. “For example,” he explains, “an Internet user just has to bookmark a site to be considered giving consent for everything and anything.” In another abuse, sensitive information sometimes finds its way into a routine and authorized data-gathering procedure without the Internet user knowing it. Beyond that, Gauthronet raises issues of freedom and “the dispossession of the self” that databases are going to bring about. “When your identity is frozen,” he says, “you’re stripped of the right and means to define yourself the way you want to.” And of course, he mentions the steady erosion of the consumer’s privacy.

Vacancies in the safe harbor
On October 25, 1995, the European Union unanimously adopted a directive that gives all its citizens the right to access databases, the right of rectification, and the right to refuse the sale of data to a third party. The measure also stipulates that no file may leave Europe for a third country unless the latter can guarantee an “adequate” level of personal data protection. This means that American Express and Microsoft, for example, cannot repatriate employee and client files to the United States unless they sign a contract agreeing to respect certain rules.
However, even a united Europe is having a hard time making its views heard, especially in the United States. Shortly before the directive entered into force on October 25, 1998, Washington was still defending the principle of “self-regulation.” The deadlock between the U.S. Federal Trade Commission and the European Commission dragged on for two years. Eventually, in July 2000, both parties signed the “safe harbor” accord, which quietly entered into force on November 1. According to the agreement, to keep trans-Atlantic data flowing, companies must agree to observe the European directive’s basic principles and to accept sanctions if they don’t. The United States, Hungary and Switzerland have received the EU’s “clean country” label.
However, the measure is not to American companies’ liking. So far, just seven businesses have joined safe harbor! French legal expert Etienne Drouard, who is following the issue for the CNIL, doubts it will be successful: American companies “consider the agreement as a relinquishing of national sovereignty!” he says. But the whole issue may crop up again this year, because Washington is showing signs of taking a harder line on privacy. After the Amazon and DoubleClick scandals (see box) among others, privacy has become a hot political issue. The new congressional members had barely taken their seats when several of them put forward bills on the matter. Apparently, free-market America is coming up against its citizens’ increasingly fierce resistance.


Did you know…
In a survey of the 100 most popular sites in their respective countries, 92% of the U.S.-based sites placed at least one cookie while 47% did so among the EU-based ones. 80% of those in the U.S. and 72% in the EU collected some form of information.
http://www.consumersinternational.org
