
WAFA

5/31/2009 2:06:55 PM

Global Internet Privacy Rights: A Pragmatic Approach


TIM WAFA*

I. INTRODUCTION
The Internet has brought the world closer together by facilitating cheap, efficient, and secure global commerce and communication. Academics, web-enthusiasts, and private businesses have worked tirelessly to build upon the success of this revolutionary medium. However, there are two major obstacles that stand in the way of achieving a utopian online world, one which most effectively balances the goals of efficiency, privacy, and ease of use. These two obstacles can be categorized as: (1) the need to standardize and improve Internet technology; and (2) the need to streamline the existing global online privacy rights framework. Technology standardization has been tackled in an effective and organized fashion by the global technology community. The last decade has seen a successful effort between private business and public consortiums to accelerate the standardization of technical systems that allow myriad internet systems to reliably interface with one another.1 This achievement has allowed developers and end-users to reap the benefits of a well-defined and -policed systems foundation. Website developers have the assurance that their deployed content will be accessible by end-users without significant compatibility challenges.

* Mr. Wafa earned a Bachelor of Science Degree in Engineering and the distinguished San Filippo Merit Scholarship from Santa Clara University. In 2003, he received Faculty Recognition for Technical Excellence for his role on the project, Multimedia Data over Wireless Networks, at the prestigious Computer Society International Design Competition (CSIDC). Mr. Wafa currently attends Loyola Law School where he is a candidate for Juris Doctor (JD, '09), with an emphasis on Intellectual Property, Information Privacy, HIPAA and Sarbanes-Oxley (SOX). Mr. Wafa has been the recipient of numerous accolades while in law school, including First Honors (conferred upon the student achieving the highest grade) in an eclectic selection of coursework (e.g. Technology and Privacy Seminar, Corporate Ethics and Accountability, and Commercial Real Property Transactions). He has provided enterprise information systems consultation services to leading healthcare, legal and banking institutions. Mr. Wafa is a member of the Institute of Electrical and Electronics Engineers (IEEE), the Healthcare Information and Management Systems Society (HIMSS) and the Center for Advanced Study and Research on Intellectual Property (CASRIP).
1. JEFFREY ZELDMAN, DESIGNING WITH WEB STANDARDS: HOW XML CONQUERED THE WORLD & OTHER WEB STANDARDS SUCCESS STORIES 101-02 (New Riders 2003), available at http://books.google.com/books?id=wUGTSdey6TwC&pg=PA101&lpg=PA101&dq=internet+standards+success&source=web&ots=balYUFH7Z1&sig=1niGKmcBkyobE4KO5zQF_Batdrc#PPA101.


132

INTELL. PROP. L. BULL.

[Vol. 13:131

Unfortunately, the streamlining of global privacy-rights has suffered from a lack of meaningful progress. The existing global privacy rights framework lacks coherence. It is an amorphous hodgepodge of conflicting requirements, differing foundational definitions (e.g. what is privacy), and divergent policy motivations.2 Internet data is increasingly flowing around the globe and during its split-second journey it passes through multiple jurisdictions, each with its own data privacy framework. While it is widely accepted that today's global privacy rights regime has complicated the ability of information service providers to collect, store, and share data about their online customers,3 very little work has gone into analyzing the effects of the existing framework on competition and the business community. This paper seeks to shed light on the implications of the current global privacy framework on business efficiency. Three significant issues have arisen as a byproduct of today's complex global privacy framework. First, the future of online privacy rights regulation is unclear and this uncertainty increases transaction costs and discourages small entrepreneurs from participating in the global Internet marketplace. Second, the disjointed and often competing policy motivations of today's multi-jurisdictional privacy rights regime have brought about an impotent regulatory environment, where jurisdictions are reluctant to pursue legitimate action against privacy-rights violators for fear of chilling online commerce in their territories. Finally, and perhaps most importantly, the existing privacy rights system is in danger of being replaced by an even more defective system; the front-runner replacement system.

II. COMPARING EXISTING ONLINE PRIVACY FRAMEWORKS


Internet traffic and global online commerce have grown together at exponential rates.4 That growth has remained vibrant in the face of severe global economic headwinds. The United States, the European Union, and various Asian countries each have a unique framework for dealing with privacy issues. Many commentators argue that the American and European systems have evolved differently as a result of the different underlying values and traditions of their respective societies.5 In a recent article on MSNBC.com, the American public

2. Bob Sullivan, Privacy Lost: E.U., U.S. Laws Differ Greatly, MSNBC.com (Oct. 19, 2006), http://www.msnbc.msn.com/id/15221111/.
3. U.S. Dep't of Commerce, Safe Harbor Overview, http://www.export.gov/safeharbor/SH_Overview.asp (last visited Nov. 7, 2007).
4. InternetWorldStats.com, Worldwide Internet Usage Usage By World Regions, http://www.internetworldstats.com/stats.htm (last visited Nov. 7, 2007). Forrester Research recently projected that online retail sales will grow to $159 billion in 2009, 11 percent above 2008 sales figures. Helen Leggatt, Forrester: Growth Forecast for 2009 Online Retail Sales, BizReport (Jan. 1, 2009), http://www.bizreport.com/2009/01/forrester_growth_forecast_for_2009_online_retail_sales.html.
5. See Sullivan, supra note 2.


2009]

GLOBAL INTERNET PRIVACY RIGHTS

133

was distinguished from the European public as being paranoid about their government and prone to limiting government power as much as possible.6 The American view stands in stark contrast to the intrinsic trust Western Europeans put in their governments to protect them from unscrupulous corporations.7 The philosophical differences have manifested themselves in divergent legal systems, each viewing privacy through a unique lens and offering differing guidelines on when and how protection should be afforded. In many parts of Europe personal information cannot be collected or shared without the consumer's explicit permission and consumers have a right to review their data and correct inaccuracies.8 Moreover, companies that process data must register their activities with European governments9 and European employers cannot read their employees' private emails even though those emails are being read on company computers during working hours.10 The willingness of the Chinese populace to engage in online commerce without privacy protections may be a natural extension of their upbringing: citizens of a country who have come to expect little privacy in most parts of daily life may not care about online privacy in the same way Americans and Europeans do.
A. PRIVACY IN THE UNITED STATES

Privacy laws in the United States have grown in a haphazard fashion.11 A mixture of common-law, federal, and state statutory law forms America's framework for protecting privacy.12 Although the Constitution omits the word "privacy" entirely,13 U.S. courts have acknowledged an unenumerated right to privacy.14 In Griswold v. Connecticut,15 Justice Douglas asserted that "specific guarantees in the Bill of Rights have penumbras, formed by emanations from those guarantees that help give them life and substance."16 Douglas went on to suggest that various guarantees emanating from the first, third, and fourth amendments suggest "zones of privacy."17 While federal

6. Id.
7. Id.
8. Id.
9. Id.
10. Id.
11. Sullivan, supra note 2.
12. Id.
13. U.S. Const., available at http://encarta.msn.com/encyclopedia_761569008_4/constitution_of_the_united_states.html (last visited Nov. 23, 2008).
14. Unenumerated Rights, West's Encyclopedia of American Law, http://www.enotes.com/wests-law-encyclopedia/unenumerated-rights (last visited Nov. 23, 2008).
15. Griswold v. Connecticut, 381 U.S. 479 (1965).
16. Id. at 484.
17. Id.


courts have largely followed the Griswold line of reasoning on the right to privacy, not all legal scholars accept it as gospel. In 1981, current Chief Justice John Roberts wrote that "such an amorphous right is not to be found in the Constitution."18 In addition to the case law establishing a constitutional right to privacy, numerous Federal statutes require the government to protect the privacy of citizens in various aspects of their daily lives.19 States are also active in regulating privacy. California has had a breach notification law for many years, which requires,
[A] state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.20

Nevada recently enacted the nation's first data encryption law, requiring businesses to use encryption when using electronic means to transfer customers' personal data outside their organization.21 Michigan has legislation pending which would go even further than the Nevada Bill, by requiring businesses to encrypt stored consumer data.22
B. PRIVACY IN THE EUROPEAN UNION

Unlike the United States, the European Union (E.U.) attempted to centralize privacy rights by enacting a directive in 1995 that implemented a common framework for its member nations.23 Since then, the directive has been amended numerous times to include updates on how to deal with emerging issues such as the retention of

18. Memorandum from John Roberts, Special Ass't to the U.S. Attorney General, to William French Smith, U.S. Attorney General (Dec. 11, 1981), available at http://www.factcheck.org/UploadedFiles/Roberts-Memo.pdf.
19. Examples of these statutes include: (1) The Privacy Act of 1974, 5 U.S.C. 552(b) (2006) (prevents the unauthorized disclosure of personal information held by the federal government); (2) the Fair Credit Reporting Act, 15 U.S.C. 1681 et seq. (2006) (protects confidentiality of information gathered by credit reporting agencies); (3) the Sarbanes-Oxley Act, Pub. L. No. 107-204, 116 Stat. 745 (2002) (mandates certain privacy standards for the financial industry); and (4) the Healthcare Insurance Portability and Accountability Act (HIPAA) regulations, 45 C.F.R. 160, 162, and 164 (2008) (seeks to protect the confidentiality, integrity, and availability of certain [electronic protected] health information.).
20. California Security Breach Information Act, Cal. Civ. Code Ann. 1798.82 (West 2008).
21. Nev. Rev. Stat Ann. 597.970 Ann. (West 2008).
22. S.B. 1022, 2008 Sen., Reg. Sess. (Mich. 2008); Posting of Richard Gainer to Davis Wright Tremaine Privacy Blog, http://www.privsecblog.com/archives/122012-print.html (Feb. 27, 2008).
23. Council Directive 95/46, On the Protection of Individuals With Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L281/31) (EC), available at http://ec.europa.eu/justice_home/fsj/privacy/docs/95-46-ce/dir199546_part1_en.pdf.


electronic data24 or the protection of privacy in the electronic communications sector.25 Notwithstanding this progress, the centralization of privacy rights in the E.U. is not fully streamlined. Each of the twenty-six E.U. nations maintains an independent agency. Each agency is tasked with interpreting the privacy directive and enforcing privacy regulations.26 This highly localized enforcement and implementation regime provides E.U. nations with some latitude on how to interpret privacy directives.27
C. PRIVACY IN ASIA

Privacy laws in Asia are even less congruent than they are in the United States or the European Union. Like the European and American frameworks, the laws of Asian nations reflect unique social traditions but vary significantly in the degree of privacy protection they provide to their citizenry.28 On the one hand, industrialized democracies in Asia, such as South Korea and Japan, offer relatively high levels of protection to their citizens.29 On the other hand, the highly authoritarian Asian countries, such as China and Vietnam, are less protective,30 and go to great lengths to scrutinize every bit of data transmitted to and from their country.31 Privacy protections in Asia, Europe and the United States are highly localized in the way they implement and enforce privacy rules. Some systems are privacy-friendly, while others refuse to recognize privacy as a right to be conferred at all.

III. IS THE EXISTING PRIVACY FRAMEWORK DEFICIENT?


A. THE EXISTING SYSTEM WORKS: "IF IT AIN'T BROKE, DON'T FIX IT!"32

Statements made by forward-thinking privacy advocates during the early years of online shopping were full of doom and

24. Council Directive 2006/24, 2006 O.J. (L 105) (EC), available at http://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32006L0024:EN:HTML.
25. Council Directive 2002/58, 2002 O.J. (L 201) (EC), available at http://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:HTML.
26. Council Directive 95/46, supra note 23, art. 9.
27. Peter McLaughlin, Cross-Border Data Flows and Increased Enforcement, IEEE Security & Privacy (Sept.-Oct. 2008), http://www.computer.org/portal/site/security/menuitem.6f7b2414551cb84651286b108bcd45f3/index.jsp?&pName=security_level1_article&TheCat=1001&path=security/2008/n5&file=pri.xml&.
28. McLaughlin, supra note 27.
29. Caslon Analytics, Privacy Guide Asia, http://www.caslon.com.au/privacyguide6.htm (last visited Mar. 27, 2009).
30. Chris Pounder, Why the APEC Privacy Framework is Unlikely to Protect Privacy, Out-law.com (Oct. 15, 2007), http://www.out-law.com/page-8550.
31. Xiao Qiang, Who are China's Top Internet Cops?, China Digital Times (Sept. 28, 2007), http://chinadigitaltimes.net/2006/09/ho_is_chinas_top_internet_cops.php.
32. Urban Dictionary, http://www.urbandictionary.com/define.php?term=if+it+aint+broke%2C+dont+fix+it (last visited Nov. 7, 2007).


gloom; these groups argued that consumers would not embrace online commerce unless privacy protections were improved.33 In 2001, United States Federal Trade Commission (FTC) Chairman Timothy Muris stated, "there is no question that consumers are deeply concerned about the privacy of their personal information . . . how it's being used . . . and who is using it."34 Indeed, U.S. consumers have expressed dissatisfaction about deficiencies in the existing privacy framework in the U.S., demanding more government intervention to address the problem.35 As a result, the Electronic Privacy Information Center (EPIC), a public interest research center based in Washington, D.C., suggested that electronic commerce would not reach its full potential unless the U.S. played an active role to ensure that online consumers feel comfortable conducting business.36 Throughout the late 1990s and early into this decade, government regulators and privacy groups relied heavily on surveys to extrapolate the monetary damage that the existing privacy framework was having on electronic commerce. A lack of meaningful legislative action on strengthening privacy regulation has served to breed only more public discontent in the current decade.37 Nonetheless, with U.S. online retail sales reaching $175 billion in 2007 alone,38 Internet commerce defied prognosticators who were certain that consumer trepidation about their privacy would prevent e-commerce from thriving. The success of online commerce in the face of widespread consumer concern begs an important question: if so many people are hesitant to shop online because of privacy concerns, then why have online sales boomed at an exponential rate? Some experts reconcile the discrepancy by discrediting surveys as a whole.39 However, others argue that surveys are not the problem.40

33. Anthony Miyazaki & Ana Fernandez, Consumer Perceptions of Privacy and Security Risks for Online Shopping, 35 J. CONSUMER AFF. 27, 29 (2001), available at http://findarticles.com/p/articles/mi_hb3250/is_1_35/ai_n28837254/?tag=content;col1.
34. Timothy Muris, Chairman, Federal Trade Commission, Address at the 2001 Privacy Conference in Cleveland, OH (Oct. 4, 2001), available at http://www.ftc.gov/opa/2001/10/privacy.shtm. Also, 80 percent of online shoppers said they were concerned about how much data was stored or available online. Keith Regan, Online Privacy is Dead Now What, E-Commerce Times (Jan. 2, 2003), http://www.ecommercetimes.com/story/20346.html.
35. EPIC and Forrester Research estimated that privacy concerns resulted in 2.8 billion dollars of lost sales in 1999. According to those surveys, 57% of those polled believed the government should pass laws for how personal information can be collected and used on the Internet . . . [and] only 15% supported letting groups develop voluntary privacy standards (self-regulation), but not take action until real problems arise. ELEC. PRIVACY INFO. CTR., PUBLIC COMMENT ON BARRIERS TO ELECTRONIC COMMERCE (Mar. 17, 2000), http://www.epic.org/privacy/internet/Barriers_to_E-commerce.html.
36. Id.
37. Privacy 08, http://privacy08.org (last visited Mar. 27, 2009).
38. Linda Rosencrance, E-commerce Sales to Boom for Next 5 Years, Computerworld.com (Feb. 5, 2008), http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9061108.
39. According to one Cato Institute analyst report, economists have always been


They blame a lack of consumer education and a campaign of disinformation by Internet companies that give end-users a false sense of security about their online privacy.41 There is a disconnect between consumer expectations and business practices: about 55 percent of those surveyed by the Samuelson Clinic at UC Berkeley and the Annenberg Public Policy Center at the University of Pennsylvania falsely assumed that a company's privacy policies prohibited it from sharing their addresses and purchases with affiliated companies.42 Similarly, nearly four out of ten online shoppers falsely believed that a company's privacy policy prohibits it from using information to analyze an individual's activities online.43 In fact, sharing information with third parties and using information to analyze consumer behavior are common practices. Regardless, the success of the Internet is a global phenomenon. Users from countries with little or no privacy protection are still making commercial use of the medium. Chinese consumers have few privacy protections, yet they engage in online transactions as aggressively as netizens from nations with strong privacy protections.44 Moreover, it may be important to distinguish between the privacy that can be lost in an online commercial transaction and other voluntary online activities (e.g., creating Myspace pages, anonymous blogs, etc.). Citizens of authoritarian regimes may be willing to participate in online shopping but may curtail other more expressive online activities, which could expose them to scrutiny and punishment by their regimes.
Another factor that supports the acceptability of the existing privacy system is the increased willingness of younger netizens to voluntarily allow their private information to be leveraged by service providers.45 Some commentators argue that there is no campaign of misinformation or disinformation by service providers; the young and technologically sophisticated are aware of how their information will be used and have no problem with it.46 Social networking sites like Myspace and Facebook have taken the Internet by storm; their
suspicious of using surveys to determine customer preferences . . . because what counts are actions not words. . . . If concerns about privacy emerge in an ephemeral manner in response to a prompting from a survey and are never acted upon, they are not worth transforming into regulatory goals. SOLVEIG SINGLETON, CATO INSTITUTE, SELF-REGULATION: REGULATORY FAD OR MARKET FORCES (1999), available at http://www.cato.org/pubs/wtpapers/990507report.html.
40. Jaikumar Vijayan, Most Consumers Clueless About Online Tracking, Computerworld.com (Nov. 2, 2007), http://www.pcworld.com/article/id,139212-pg,1/article.html.
41. Id.
42. Id.
43. Id.
44. Id.
45. Net4TV, Security and Privacy: I Really Don't Care (Sept. 26, 1999), http://www.net4tv.com/Voice/Story.cfm?storyID=1481.
46. Posting of C.G. Lynch to CIO.com blog, Why (Most) Facebook Users Don't Care about Privacy, http://advice.cio.com/c_g_lynch/why_most_facebook_users_dont_care_about_privacy (Feb. 17, 2009, 14:34 EST).


repository of behavioral information on users is a goldmine to advertisers. Peter Levinsohn, president of Fox Interactive Media, owners of MySpace, described the profiling and advertising technology contained in MySpace as an opportunity to provide advertisers with "a completely new paradigm."47 Many in the overwhelmingly young demographic who frequent these sites are happy to allow website operators to leverage their behavioral data.48 For example, Mark Gong, a 26-year-old photojournalist from Washington, runs the 3,000-member Wanderlust group on MySpace and expresses an interest for foreign films like Lost in Translation and The Spanish Apartment on his profile.49 Not surprisingly, this disclosure of personal preference has defined him as a prime target for travel ads on MySpace from companies like ShermansTravel.com, a travel deal site. "I'm not opposed to advertising," Mr. Gong said. "They have got to make money."50 Whether the willingness of younger users to expose personal data signals a shift in generational attitudes or reveals a naïve constituency remains to be seen. Some commentators argue that younger generations are not fully cognizant (or simply throw caution to the wind) about the dangers posed by the new paradigm.51 When privacy intrusions have been explicit, end-users' outrage towards service providers has generally been vocal and harsh. Facebook recently came under strong criticism when end-users began to notice that their private purchases were being monitored and revealed to their friends and family.52 Facebook also received criticism for a recent attempt to make a draconian change to its terms of service.53 The change would have ensured that Facebook "retain[ed] ownership of all content uploaded, even if the user chose to delete it."54 Never before has the technology or level of online traffic existed to interlink databases in such a sophisticated manner.
Experts on digital privacy say it is inevitable that marketers will know, not only which sites somebody has visited, but who is doing the surfing.55 Jeff
47. Brad Stone, MySpace to Discuss Effort to Customize Ads, N.Y. TIMES, Sept. 18, 2007, at C1, available at http://www.nytimes.com/2007/09/18/technology/18myspace.html?pagewanted=1.
48. Id.
49. Id.
50. Id.
51. Wall Street Journal Blog, Facebook Users Share too Much, http://blogs.wsj.com/biztech/2007/08/14/facebook-users-share-too-much/ (Aug. 14, 2007).
52. Anick Jesdanun & Rachel Meltz, Facebook Users Complain of New Tracking, ASSOCIATED PRESS, Nov. 11, 2007, available at http://www.newsvine.com/_news/2007/11/21/1113567-facebook-users-complain-of-new-tracking.
53. Jesse Perez, Why Facebook Behaves Like an Arrogant Frat Boy, LiveNews Australia (Mar. 25, 2009), http://livenews.com.au/home/why-facebook-behaves-like-an-arrogant-fratboy/2009/3/25/184829.
54. Id.
55. Louise Story, F.T.C. to Review Online Ads and Privacy, N.Y. TIMES, Nov. 1, 2007, at


Chester, the executive director of the Center for Digital Democracy, says that marketers "are tracking where your mouse is on the page, what you put in your shopping cart, what you don't buy."56 "It is a very sophisticated commercial surveillance system."57 The ability of online companies to collect and exploit private user data is not just a vehicle for generating advertising revenue; it is having a serious impact in the courtroom as well.58 Reports are trickling in of search terms and online videos being used in criminal cases as evidence to convict defendants.59 In the winter of 2006, a wireless hacker pled guilty when his Google searches were used as evidence against him.60 The defendant ran a Google search over the network using the following search terms: "how to broadcast interference over wifi 2.4 GHZ," "interference over wifi 2.4 Ghz," "wireless networks 2.4 interference," and "make device interfere wireless network."61 While court papers did not describe how the FBI obtained his searches (e.g. through a seized hard-drive or directly from the search-engine), Google has indicated that it has the ability to provide search terms to law enforcement if given an Internet address or Web cookie.62 In 2005, prosecutors in a North Carolina murder case introduced as evidence search phrases pulled from a seized hard drive.63 The defendant was found guilty in part because he searched for the words "neck," "snap," "break," and "hold" before his wife was killed.64 Whether Internet users are aware of the broad implications that privacy infringement (in both the legal and normative sense) has and will continue to have on their daily lives is hard to gauge. One analogy that is particularly appropriate was made by an NBC correspondent covering privacy in the modern age. He eloquently stated, "Privacy is like health, when you have it, you don't notice it. Only when it's gone do you wish you'd done more to protect it."65 In spite of consumer surveys and expert warnings, the existing privacy system may work. Consumers are engaging in online commerce and social networking activities at phenomenal rates and
C1, available at http://www.nytimes.com/2007/11/01/technology/01iht-privacy.1.8139691.html.
56. Id.
57. Id.
58. Declan McCullagh, Police Blotter: Google Searches Nab Wireless Hacker, CNET News.com (Dec. 20, 2006), http://www.news.com/Police-blotter-Google-searches-nab-wirelesshacker/2100-1030_3-6144962.html.
59. Adam Liptak, Finding The Facts Of a Case Via Video, N.Y. TIMES, Mar. 2, 2009, at A12, available at http://www.nytimes.com/2009/03/03/us/03bar.html?_r=1&hp.
60. Id.
61. Id.
62. Id.
63. Elinor Mills, Google Searches Become Evidence in Murder Case, CNET News.com (Nov. 11, 2005), http://www.news.com/8301-10784_3-5947342-7.html.
64. Id.
65. Sullivan, supra note 2.


many users are happy to disclose personal information in exchange for free access to sites and services. However, the lack of protection and lack of uniformity in a global framework still raise significant logistical and efficiency challenges that must be addressed.
B. THE EXISTING SYSTEM IS DEFICIENT

Even though the last decade has seen a surge in online commerce, it would be naïve to ignore the significant problems created by the existing privacy framework. Many problems that Chief Information Officers (CIOs) face in deploying web content may be the result of systemic flaws in today's multi-jurisdictional privacy environment.66 When a real-time environment like the Internet is forced to operate in such a regime, inefficiencies arise. One of the great benefits of the Internet is that it provides a reliable, flexible, and relatively fast global platform. Engineers have spent millions of hours perfecting the technology that ensures effective real-time communication on a grand scale. But the efficiency gains provided by Internet technology are diminished by legal requirements that force companies to design systems that conform to multiple local privacy standards. Online companies cannot assume that their satisfaction of privacy and data-retention standards in one region will automatically satisfy the requirements of other regions.67 Executives and Internet professionals are forced to contend with tough decisions, which may include: (1) whether to build one website that conforms to the strictest privacy guideline or multiple sites in which each is tailored for the specific jurisdiction in which it operates; (2) whether to hire an army of lawyers, each experienced with the privacy laws of a particular geography, to draft privacy guidelines or simply adopt guidelines from other websites; and (3) whether to analyze and de-centralize their underlying software (often a blackbox to outsiders) to ensure local compliance. In order for companies to effectively meet the wide-ranging and unique privacy obligations around the globe, they must devote substantial resources to stay on top of regulatory changes and ensure that their data collection, sharing, and information retention policies are always compliant.
This is not only a logistical problem for organizations, but also an inefficient expenditure of capital that detracts from the scalability the Internet should provide. Companies that choose to adopt strict privacy guidelines (or are compelled to adopt strict guidelines because they do not have the financial wherewithal to comply with a multi-jurisdictional regime) risk
66. Shane Ham, Center for Democracy and Technology, Internet Privacy: The Case For Pre-emption (Mar. 28, 2009), http://www.cdt.org/privacy/ccp/statepreemption2.pdf.
67. See Avner Levin & Mary Jo Nicholson, Privacy Law in the United States, the EU and Canada: The Allure of the Middle Ground, OTTAWA L. & TECH J. 357, 361 (2005), available at http://www.uoltj.ca/articles/vol2.2/2005.2.2.uoltj.Levin.357-395.pdf.


detrimentally impacting the functionality of their solutions. Lost functionality in a demand-elastic environment like the Internet can have significant consequences for the viability of a company. For example, laws requiring that private data (e.g. the search terms that a certain user account has executed) be wiped off servers undermine search engines' ability to monetize their services through the creation of behavioral profiles.68 Sunnyvale, California-based Yahoo! is a leading search engine recognized by Internet users around the world. Yahoo! has been in operation since the mid-1990s and enjoys a reputation as being user-friendly.69 The company goes to great lengths to promote their user-friendly philosophy; Yahoo! even created a separate website dedicated to privacy issues.70 As of March 28, 2009, Yahoo! has thirty-nine different privacy policies.71 The company regularly updates these jurisdictionally-specific policies to remain compliant with the laws of the various countries in which it operates. Yahoo! could choose to adhere to the strictest standard at all times, but that decision could diminish their ability to attract consumers and advertisers, who are, respectively, drawn to rich functional features and comprehensive user profiles. So while the world has spent billions of dollars standardizing global technology

68. Miguel Helft, Google to Offer Ads Based on Interests, N.Y. TIMES, Mar. 11, 2009, at B3, available at http://www.nytimes.com/2009/03/11/technology/internet/11google.html?ref=technology.
69. Posting of Bill Langston to Yahoo! Shine blog, Yahoo More User-Friendly Than Google, http://shine.yahoo.com/channel/none/yahoo-more-user-friendly-than-google-170348/ (May 18, 2008, 11:41 PDT).
70. Yahoo! Privacy International, http://info.yahoo.com/privacy/ (last visited Mar. 29, 2009).
71. Id.


systems to streamline international commerce, the gains of technology standardization have been offset by an increase in transaction costs stemming from the multi-jurisdictional privacy regime.

IV. THE U.S. BARK NOT BITE ERA OF REGULATION IS COMING TO AN END
How have global Internet companies been able to navigate the challenges of an inefficient legal framework? Some large companies such as Yahoo! have gone out of their way to comply with various international standards, but the vast majority of Internet businesses have opted to do nothing, gambling that regulatory bodies will continue to shy away from an aggressive approach towards enforcing privacy laws. Most regulatory bodies are keenly aware of the dilemma facing online companies and have avoided enforcing the law for fear of chilling online commerce.72 Using the U.S. as an example, in the early years of the Internet, the FTC rarely took action against high-profile opponents. When it did, it imposed little more than slaps on the wrist.73 In 2002, for example, the FTC charged Eli Lilly with unauthorized disclosure of personal information in violation of Section 5(a) (Unfair/Deceptive Acts) of the Federal Trade Commission Act after it disclosed the email addresses of its 669 Prozac Reminder Service subscribers.74 Eli Lilly agreed to settle by signing a consent agreement that required it to establish and maintain a four-stage information security program that would administratively, technically, and physically safeguard consumers' personal information against any reasonably anticipated threats or hazards to its security, confidentiality, or integrity, and to protect such information against unauthorized access, use, or disclosure.75 Any violation of the agreement would expose Eli Lilly to civil fines not exceeding $11,000.76 As of November 2007, Eli Lilly boasted a market capitalization of $59 billion and generated a gross yearly profit of $12 billion.77 While this settlement was disheartening for its lack of force against an egregious offender, the FTC's comments were even more appalling. Instead of criticizing Eli Lilly for its negligent and unprofessional practices, FTC Commissioner Orson Swindle applauded the company for its long-standing efforts

72. Solveig Singleton, How Privacy Regulation Will Chill Commerce, Cato.org (Dec. 13, 1999), http://www.cato.org/pub_display.php?pub_id=4912. 73. Press Release, Federal Trade Commission, Eli Lilly Settles FTC Charges Concerning Security Breach (Jan. 1, 2002), available at http://www.ftc.gov/opa/2002/01/elililly.shtm. 74. Id. 75. Id. 76. Id. 77. Yahoo! Finance, Eli Lilly Income Statement 2007, http://finance.yahoo.com/q/is?s=LLY&annual (last visited Nov. 17, 2007).


in development of privacy practices, acceptance of responsibility for the internal failures that resulted in the alleged violation of their privacy policy, and willingness to take appropriate steps to correct mistakes.78 Moreover, Mr. Swindle deemed Eli Lilly a model for others to follow.79 As the Internet reaches critical mass, the U.S. and many other governments are feeling emboldened to enforce privacy laws. This effect can be best described by analogy. When a business first opens or seeks to attract customers, it will often employ a strategy called loss leading.80 Loss leaders are products sold below cost to attract shoppers.81 Ideally, shoppers attracted to the store by the loss leader product will end up buying other products as well.82 Retailers hope for a net positive transaction.83 During the early days of Internet shopping, many online stores used free shipping or deep discounts on products to facilitate their loss leader strategy.84 However, as the Internet matured and the demand for customer acquisition by businesses cooled, loss leader utilization dropped.85 The same dynamic will likely take hold with respect to Internet privacy regulation. Congress has been reluctant to over-regulate the Internet in its infancy for fear of undermining its growth. In fact, a congressional moratorium banned all Internet access taxes until 2014.86 But governments around the world are finally starting to view the Internet as a mature medium and are willing to consider taxing it. France has taken the lead and recently passed legislation to impose a 1% tax on all Internet access starting in 2009.87 As regulatory agencies in the United States get more comfortable with the technology that drives the Internet and online shopping becomes more entrenched in the daily life of netizens, agencies will put more bite into their compliance campaigns. Just as consumers eventually lose the benefits associated with loss leading, anecdotal evidence suggests that the era of an
78. Press Release, Federal Trade Commission, Eli Lilly, supra note 73. 79. Id. 80. Investopedia, Loss Leader Strategy, http://www.investopedia.com/terms/l/lossleader.asp (last visited Apr. 29, 2009). 81. Id. 82. Id. 83. Id. 84. Peter Sayer, Amazon Ordered to End Free Delivery on Books in France, InfoWorld.com (Dec. 17, 2007), http://www.infoworld.com/article/07/12/12/Amazon-ordered-toend-free-delivery-on-books-in-France_1.html. 85. Bob Tedeschi, E-Commerce Report; Discounts Might be a Good Way to Build a Retail Clientele -- but not Until On-line Shoppers Become More Price Conscious, N.Y. TIMES, May 31, 1999, at C3, available at http://query.nytimes.com/gst/fullpage.html?res=9E03E6D91530F932A05756C0A96F958260&n= Top/News/Business/Small%20Business/E-Commerce. 86. Jim Puzzanghera, Congress Approves Internet-Tax Moratorium, L.A. TIMES, Oct. 31, 2007, at C1, available at http://articles.latimes.com/2007/oct/31/business/fi-nettax31. 87. Candice Novak, The Future of Internet Taxation, USNews.com (Nov. 26, 2008), http://www.usnews.com/articles/business/technology/2008/11/26/the-future-of-internettaxation.html.


unenforced regulatory privacy framework may be nearing an end.88 Recent statements made by U.S. governmental entities and industry insiders have alluded to an impending paradigm shift.89 In June 2007, the FTC started to complain vigorously about the need to improve cooperation with foreign partners.90 The commission cited the challenges individuals have had in seeking legal recourse for privacy violations,91 and the hurdles confronted by law enforcement [when] pursuing matters outside their jurisdiction.92 Industry insiders are well aware of this push toward tougher laws and stronger enforcement. Randall Rothenberg, president and CEO of the Interactive Advertising Bureau, stated:
The state of the industry is excellent, yet it's also at risk . . . anticonsumer advocates are out to stifle the industry, including the FTC, which wants complete regulation of cookies themselves and could require opt-in stipulations for all online ads. As last week's hearings suggest, [the FTC] feel[s] the time for fact-finding is over, it's now time to regulate.93

Stricter regulations and greater frequency of enforcement actions are likely to significantly increase costs on companies that have thus far been able to put privacy issues on the back burner. The inefficiencies of today's disjointed regulatory environment will rise to the surface and throw the investment and small business community into a panic, as the risks and liabilities of online businesses are adjusted upward. When investors are faced with undefined risk stemming from a lack of regulatory clarity, a natural contraction in capital investment tends to take place.94 The reluctance to invest decreases the overall number of participants in the marketplace and diminishes the competitive forces that drive down costs and encourage innovation.95 This is likely to hurt small businesses more than large businesses because smaller businesses generally operate on thinner margins and lack the financial wherewithal to comply with multi-jurisdictional privacy requirements.

V. ATTEMPTS TO STANDARDIZE
Technologists and business leaders have long disapproved of a
88. Press Release, Federal Trade Commission, FTC Joins Foreign Partners in Recommending Enhanced International Cooperation to Enforce Privacy Laws (June 14, 2007), available at http://www.ftc.gov/opa/2007/06/oecd.shtm. 89. Id. 90. Id. 91. Id. 92. Id. 93. David Kaplan, Regulation Is Threat to Online Ads, IAB Warns, N.Y. TIMES, Nov. 7, 2007, available at http://www.nytimes.com/paidcontent/PCORG_316655.html?ref=technology. 94. Jun Ishii & Jingming Yan, Investment Under Regulatory Uncertainty: U.S. Electricity Generation Investments Since 1996 1 (Center for the Study of Energy Markets, Working Paper No. 127, 2004), available at http://www.ucei.berkeley.edu/PDF/csemwp127.pdf. 95. Id.


fragmented privacy law framework and worried that inability to comply with multiple standards would hinder the capacity of the Internet to attract consumers. These critics share a basic desire to convince lawmakers and enforcement agencies around the globe to coalesce around uniform standards. Unfortunately, governments have failed to provide a comprehensive framework with the notice and clarity consumers and businesses need to understand their respective rights, duties, and obligations.96 Some governments have tried to address critics. In 2000, the E.U. and U.S. signed a safe harbor agreement in an effort to give corporations a quick and easy way to insulate themselves from potential trans-Atlantic privacy litigation.97 The safe harbor was a compromise, involving months of grueling negotiations,98 intended to alleviate the potential chilling effect that the newly enacted and stringent E.U. laws might have on online commerce.99 The U.S. government on its export.gov website describes the differences between the two approaches as follows:
The United States uses a sectoral approach that relies on a mix of legislation, regulation, and self-regulation. The European Union, however, relies on comprehensive legislation that, for example, requires creation of government data protection agencies, registration of databases with those agencies, and in some instances prior approval before personal data processing may begin. As a result of these different privacy approaches, the Directive could have significantly hampered the ability of U.S. companies to engage in many trans-Atlantic transactions.100

The goal of the safe harbor was to bridge these different privacy approaches and provide a streamlined means for U.S. organizations to comply with the Directive.101 In essence, by self-certifying, a U.S. organization could assure E.U. authorities that the company provides adequate privacy protection.102 Perhaps most importantly, any claims brought by European citizens or governments against U.S. companies would be heard in the U.S.103 Despite its promise, the safe harbor agreement has suffered from relatively low participation. Nearly ten years after its formation, the export.gov website lists only 1,300 participants and not a single entity has had its safe harbor compliance revoked or suspended.104
96. Asia-Pacific Economic Cooperation, APEC Privacy Framework: Facilitating Business and Protecting Consumers Across the Asia-Pacific, APEC Newsletter (Jan. 1, 2006), http://www.apec.org/apec/enewsletter/jan_vol7/onlinenewsd.html. 97. U.S. Dep't of Commerce, supra note 3. 98. Carol M. Morrissey, CongressLine The EU Privacy Protection Directive and the U.S. Safe Harbor (June 14, 2000), http://www.llrx.com/congress/061500.htm. 99. Id. 100. Id. 101. Id. 102. Id. 103. Id. 104. U.S. Dep't of Commerce, Safe Harbor List,


A more contemporary attempt to streamline the interfacing of various jurisdictional frameworks was launched by the Organization for Economic Co-Operation and Development (OECD), a thirty-nation forum that promotes economic growth, trade, and development.105 The OECD has issued a number of non-binding recommendations to enhance multilateral cooperation in enforcing privacy regulations.106 The first recommendation was for all member nations to create a master point-of-contact list to better coordinate requests for assistance between nations.107 The second recommendation was utilization of a baseline request document that would ensure key items of information are included each time a request for assistance is made between nations.108 While the safe harbor and OECD recommendations attempted to streamline the interfacing between disparate privacy models, there was a separate attempt to bring about global privacy conformity through technology. The effort was launched in 2000 by the World Wide Consortium (W3C), an international consortium which develops protocols and guidelines for the world-wide-web. Not surprisingly, the same technologists who had collaborated on standardizing inefficient Internet systems recognized the inefficiency of the global privacy regime and tried to tackle the framework from a purely technical angle.109 The W3C working group was comprised of think-tanks, software developers, the federal government, and Internet service providers. Its aim was to improve the transparency of website privacy policies.110 In 2002, this working group published an implementation guide called The Platform for Privacy Preferences (P3P).111 P3P enables Websites to express their privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents.112 Essentially, P3P policies present a snapshot summary of how the site collects, handles and uses personal information about its visitors.
P3P applications compare this summary to the user's own set of privacy preferences, and inform the user when

http://web.ita.doc.gov/safeharbor/shlist.nsf/webPages/safe+harbor+list (last visited Apr. 6, 2009). 105. Organization For Economic Co-Operation and Development, About Us, http://www.oecd.org/pages/0,3417,en_36734052_36734103_1_1_1_1_1,00.htm (last visited Apr. 29, 2009). 106. Press Release, Federal Trade Commission, FTC Joins Foreign Partners, supra note 88. 107. Id. 108. Id. 109. World Wide Consortium, The Platform for Privacy Preferences 1.0 Specification, http://www.w3.org/TR/P3P/#Introduction (last visited Apr. 29, 2009). 110. World Wide Consortium, Workshop on the Future of P3P, http://www.w3.org/2002/p3p-ws/pp/ (last visited Apr. 29, 2009). Participants included: Citibank, America Online, Microsoft, Fidelity, the Federal Trade Commission, various universities, TRUSTe, the Office of the Attorney General of NY, and the European Commission. 111. World Wide Consortium, The Platform for Privacy Preferences 1.0 Specification, supra note 109. 112. Id.


these preferences do not match.113 Thus, users need not read the privacy policies at every site they visit.114 Because P3P was really nothing more than a solution that facilitated end-user notice and choice, but was at the mercy of website operators to support, it was never capable of providing a comprehensive solution. In the years following its inception, P3P failed to impress the end-user community or privacy advocates.115 Not only did the system fail to provide a mechanism for oversight, P3P could be used by the unscrupulous to give end-users a false sense of security about the legitimacy of a website's privacy claims. Michael Kaply, a technologist from IBM, strongly urged the removal of P3P support in the Firefox browser.116 Live Leer, a PR manager for Opera Software, a popular alternative web-browser, explained the deliberate lack of P3P support in their browser: "There have been some issues with how well P3P will protect privacy, and for that reason we have decided to wait until these are resolved."117 In a scathing report issued by EPIC, P3P was harshly criticized for providing "Pretty Poor Privacy." The report disparaged P3P's (1) failure to establish true privacy standards, (2) inability to exclude non-compliant sites, and (3) inability to enforce privacy policies.118 In practice, because of sporadic adoption, P3P provided little to no protection119 and most browsers dropped support for the standard.120
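The matching step described above can be made concrete. The following is an added illustration, not code from this article or from the W3C: a minimal user agent check that reads a site's P3P compact policy from its `P3P` response header and compares it with a user's preferences. The token names come from the compact-policy vocabulary of the P3P 1.0 specification; the preference set and the sample headers are constructed for the example.

```python
import re

# Compact-policy tokens defined by the P3P 1.0 specification.
PURPOSE = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD",
           "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}
RECIPIENT = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
OTHER = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON",          # access
         "DSP", "COR", "MON", "LAW", "NID", "TST",          # disputes, remedies
         "PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV",   # data categories
         "INT", "DEM", "CNT", "STA", "POL", "HEA", "PRE",
         "LOC", "GOV", "OTC"}
# Suffix on a purpose or recipient: a = always, i = opt-in, o = opt-out.
CONSENT = ("", "a", "i", "o")


def parse_p3p_header(value):
    """Return the compact-policy tokens in a P3P header value, or []."""
    match = re.search(r'\bCP\s*=\s*"([^"]*)"', value, re.IGNORECASE)
    return match.group(1).split() if match else []


def classify(tokens):
    """Sort tokens into the elements a preference check cares about."""
    policy = {"purpose": {}, "recipient": {}, "retention": set(), "unknown": []}
    for tok in tokens:
        base, suffix = tok[:3], tok[3:]
        if base in PURPOSE and suffix in CONSENT:
            policy["purpose"][base] = suffix or "a"   # omitted means "always"
        elif base in RECIPIENT and suffix in CONSENT:
            policy["recipient"][base] = suffix or "a"
        elif tok in RETENTION:
            policy["retention"].add(tok)
        elif tok not in OTHER:
            policy["unknown"].append(tok)
    return policy


def evaluate(header_value, prefs):
    """List every point where the declared policy conflicts with prefs.

    The result reflects only what the site declares about itself; nothing
    here (or in P3P) checks the declaration against actual practice.
    """
    tokens = parse_p3p_header(header_value)
    if not tokens:
        return ["no-compact-policy"]
    policy = classify(tokens)
    findings = ["unrecognized:" + t for t in policy["unknown"]]
    for name, consent in sorted(policy["purpose"].items()):
        if name in prefs["purposes"] and consent != "i":
            findings.append("purpose:" + name)
    for name, consent in sorted(policy["recipient"].items()):
        if name in prefs["recipients"] and consent != "i":
            findings.append("recipient:" + name)
    for name in sorted(policy["retention"] & prefs["retention"]):
        findings.append("retention:" + name)
    return findings


# Hypothetical user preferences: object to telemarketing and contact uses
# unless opt-in, to sharing with unrelated parties or the public, and to
# indefinite retention.
USER_PREFS = {"purposes": {"TEL", "CON"},
              "recipients": {"UNR", "PUB"},
              "retention": {"IND"}}

# Constructed header values, not captured from any real site.
SAMPLE_HEADERS = {
    "conservative": 'policyref="/w3c/p3p.xml", CP="NOI DSP COR CUR ADM DEV OUR STP"',
    "aggressive": 'CP="NOI CUR TELo CONi UNR OUR IND"',
    "free-text": 'CP="We do not use P3P"',
    "reference-only": 'policyref="/w3c/p3p.xml"',
}

if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(label, "->", evaluate(header, USER_PREFS) or "matches preferences")
```

A site that sends the "conservative" header passes this check whether or not its servers behave as declared, which is the oversight gap the critics cited above describe.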

VI. THE FUTURE GLOBAL PRIVACY REGIME


The safe harbor, OECD, and P3P platform lacked the substance to provide a comprehensive solution that satisfied consumers, providers, and technologists. None of the proposals established a baseline structure that could bring order to the current challenges. Assuming that a streamlined global privacy framework could be established, what would the system look like? In 2005, the Asia Pacific Economic Cooperation (APEC) set out to provide the first comprehensive legal framework on the issue

113. P3P Toolbox, What is P3P and How Does it Work?, http://www.p3ptoolbox.org/guide/section2.shtml (last visited Apr. 11, 2009). 114. World Wide Consortium, Platform for Privacy Preferences (P3P) Project, http://www.w3.org/P3P/ (last visited Apr. 29, 2009). 115. Posting of Michael Kaply to https://bugzilla.mozilla.org/show_bug.cgi?id=225287#c12 (Apr. 28, 2004, 05:15: 44 PTD). 116. Id. 117. Jason Levitt, P3P: Protector of Consumers Online Privacy, INFORMATIONWEEK, Aug. 20, 2001, at 44, available at http://www.informationweek.com/story/IWK20010816S0004. 118. ELEC. PRIVACY INFO. CTR. & JUNKBUSTERS, PRETTY POOR PRIVACY: AN ASSESSMENT OF P3P AND INTERNET PRIVACY (2000), available at http://epic.org/reports/prettypoorprivacy.html. 119. Chris Oakes, The Trouble with P3P, WIRED, June 25, 1998, available at http://www.wired.com/science/discoveries/news/1998/06/13242. 120. Id.


of global data privacy.121 APEC is made up of twenty-one members, including Australia, Canada, China, Japan, Russia, and the United States.122 The APEC members constitute approximately 57 percent of the world's Gross Domestic Product and 45 percent of the world's trade.123 At the heart of the APEC Privacy Framework is a set of nine principles that apply to personal information about a living individual processed by a personal information controller, a person or organization who controls the collection, holding, processing, or use of personal information.124 The APEC framework, strongly advocated for by the corporate titan Google, seeks to ensure the continued growth of online commerce. Central to the APEC framework is the goal of building consumer trust and confidence in the privacy and security of online transactions and information networks.125 APEC seeks to address the concern that individuals have about the harmful consequences from the misuse of their information126 which could have adverse implications for global business and economics.127 Moreover, the framework seeks to overcome regulatory systems that unnecessarily restrict this [data] flow or place burdens on it. . . [because they have] . . . adverse implications for global business and economies.128 The APEC proposal has had its share of critics and supporters. APEC supporter Eric Schmidt, CEO of Google, wrote that APEC-like proposals
would increase transparency and consumer choice, helping people to make informed decisions about the services they use as well as reducing the need for additional regulation. For business [sic] agreed standards would mean being able to work within one clear framework, rather than the dozens that exist today. This would help stimulate innovation. And for governments, a common approach would help dramatically improve the flow of data between countries promoting trade and commerce.129

While Schmidt's editorial accurately reflects many of the problems with today's framework, the APEC solution he proposes does little to address those issues, and in many ways exacerbates the

121. APEC ELEC. COMMERCE STEERING GROUP, APEC PRIVACY FRAMEWORK FACTSHEET, http://www.apec.org/apec/news___media/fact_sheets/apec_privacy_framework.html (last visited Apr. 11, 2009). 122. About APEC, http://www.apec.org/apec/about_apec.html (last visited Apr. 11, 2009). 123. Hon. Philip Ruddock, Attorney-General, Remarks at the Office of the Privacy Commissioner [Australia] and Microsoft Breakfast Forum 8 (2007), http://privacy.gov.au/news/speeches/sp04_07.pdf. 124. Pounder, supra note 30. 125. Id. 126. Id. 127. Id. 128. Id. 129. Peter Fleischer Privacy blog, Eric Schmidt on Global Privacy, http://peterfleischer.blogspot.com/2007/09/eric-schmidt-on-global-privacy.html (Sept. 19, 2007).


problem. APEC would give private corporations carte blanche to exploit private user data through an overly flexible, self-regulated, interpretive system and provide no mechanism for oversight. The fundamental problem with the APEC framework is that it does not provide the level of granularity needed to adequately protect private data in accordance with its principles.130 Nations can exploit loose diplomatic language to interpret the APEC however they see fit.131 Dr. Chris Pounder, editor of Data Protection Quarterly, maintains that the APEC proposal was heavily deficient as a result of diplomatic wrangling and this resulted in the fudging of important issues132 and principles that are ambiguous.133 Pounder concedes that ironing out a framework via APEC was a major leap forward since many countries that belong to APEC are not fully developed in their democratic structures and some Asiatic national governments contain a strong authoritarian streak. Some privacy progress in these states is better than no progress.134 It should also be pointed out that the APEC framework is not binding on member nations because it would not have been ratified otherwise. China, not surprisingly, has resisted adopting the recommendations.135 Since the Internet is a global platform, it needs a solid set of baseline standards. The vague principles that the APEC rules present have little practical impact on ensuring corporate compliance or end-user privacy.

VII. COMPETING FORCES - SELF-REGULATION, NO-REGULATION, OR TOP-DOWN REGULATION?


The future of global Internet privacy is being fiercely debated by governments, private market participants, and the public.136 So vocal and scattered are the various opinions in this debate that even some leading corporations, such as Yahoo!, have been unable to build consensus within their own ranks, causing them to delay taking official positions. When asked to comment on proposals such as the APEC framework, a Yahoo! representative made the following indecisive statement:
Yahoo! is dedicated to protecting the privacy of our users. It is a cornerstone of the trusted relationship that we have built with consumers. We are involved in a number of discussions, internally, and with others in the industry about the best methods for
130. Pounder, supra note 30. 131. Id. 132. Id. 133. Id. 134. Id. 135. Id. 136. Kenneth Corbin, The Privacy Debate Beyond Google-DoubleClick, InternetNews.com (Mar. 13, 2008), http://www.internetnews.com/security/article.php/3733801/The+Privacy+Debate+Beyond+Goog leDoubleClick.htm.


protecting consumer privacy. Those important conversations will continue in the months ahead.137

Google, on the other hand, supports APEC and is lobbying hard to push the framework onto international regulators.138 In order to determine why Google is pushing for the APEC framework while other companies have abstained from taking a position, it is helpful to explore the various schools of thought and examine the competing forces that seek to shape tomorrow's privacy framework. There are three major schools of thought that encompass the debate on what the future of online privacy should look like. One view, which espouses top-down regulation, favors stringent regulatory oversight and would require companies to follow a well-defined minimal standard of privacy.139 The closest real-world example of such a system would be the privacy framework put forth by the European Union, which emphasizes government participation in regulating online privacy.140 A second view discourages mandated enforcement of any privacy protection. Supporters of this view are: (1) authoritarian and despotic governments, (2) individuals/groups who view government and corporate entities as untrustworthy, and (3) free-market (laissez-faire) capitalists who believe the market should be left to its own devices.141 A third view advocates for industry self-regulation on grounds that companies in control of technology are in a better position than government actors to create privacy rules, implement compliance monitoring, and manage enforcement.142 Proponents of this view can be seen as straddling the other two views, since they do not necessarily want weak consumer protection, but also resist top-down regulation and enforcement. In the corporate context, the debate about how privacy should be handled is slightly more nuanced. There is a strong push for companies to generate profits by monetizing functionality and building as many profit-centers as possible. Outsell Inc., a leading analyst of the publishing and information industry, forecasts total U.S.
advertising spending will grow 5.8 percent in 2007, with advertisers planning to increase their online advertising by 17.8 percent in 2007, faster than any other major media type.143

137. Elinor Mills, Google Proposes Global Privacy Standard, ZDNET (Sept. 13, 2007), http://news.zdnet.com/2100-9588_22-6207927.html. 138. Peter Fleischer Privacy blog, supra note 129. 139. GREGORY F. REHMKE, NATIONAL CENTER FOR POLICY ANALYSIS, THE EVOLVING TECHNOLOGIES OF INTERNET PRIVACY 6-7, Apr. 27, 2001, http://www.ncpa.org/pub/bg156?pg=5. 140. See Council Directive 95/46, supra note 23. 141. James Glassman, Online Privacy, Reason.com (May 29, 2000), http://www.reason.com/news/show/36057.html. 142. Center for Democracy and Technology, Guide to Online Privacy, http://www.cdt.org/privacy/guide/protect/ (see section on Industry Self-Regulation) (last visited Apr. 29, 2009). 143. Convera, http://www.convera.com/solutions/servicePublisher.asp (last visited Nov. 7,


Moreover, Outsell Inc. predicts that as "[b]ehavioral targeting becomes a mainstream online advertising technique those publishers with search history information about their target audience can expect to increase yields more effectively across their web sites and not just on search results pages."144 The temptation on the part of corporations to expand advertising margins by leveraging behavioral profiles seems almost irresistible. But there is a strong countervailing force, as most tech organizations have entrenched and vocal geeks in those organizations that strongly oppose the diminishment of end-users' privacy rights. These geeks are often founders of large and powerful technology companies, as was the case with Linus Torvalds, creator of the Linux operating system.145 Unfortunately, more often than not, the drive for profits overcomes even the most impassioned corporate privacy geek. But there may be good business justification for pursuing privacy-friendly policies. Internet consumers could one day abandon companies that do not offer strong privacy protection.146 Former FTC Chairman Christine Varney referred to this possibility in the early days of the modern Internet. In 1996, she said: "in the online world, privacy may become a market commodity, given adequate levels of government initiatives and public education."147 If end-users begin to perceive a company like Google as a privacy piranha, they may switch to a privacy-friendly site in droves. Companies seem to be aware of this possibility.148 As the mainstream media has increasingly scrutinized online privacy policies, various search engines have responded by reassessing their corporate practices when dealing with user data.
In 2007, CNET reported that in the last few months the search engine business has experienced its own version of cutthroat competition: a privacy policy war with Google, Ask.com, and Microsoft vying to outdo one another.149 In response to earlier privacy surveys conducted by news organizations, search engines began to tighten some of their quantifiable privacy protections.150 In early 2007, Google agreed to set expiration dates on retention of user data,151
2007). 144. Id. 145. Linux, Biography of Linus Torvalds, http://www.linux.org/info/linus.html (last visited Nov. 7, 2007). 146. Christine A. Varney, Commissioner, Fed. Trade Comm'n, Address at the Privacy & American Business National Conference, Consumer Privacy in the Information Age: A View From the United States (Oct. 9, 1996), available at http://www.ftc.gov/speeches/varney/priv&ame.shtm. 147. Id. 148. Declan McCullagh, How Search Engines Rate on Privacy, CNET News.com (Aug. 13, 2007), http://www.news.com/2100-1029_3-6202068.html. 149. Id. 150. Id. 151. Danny Sullivan, Google Responds To EU: Cutting Raw Log Retention Time;


and Ask.com promised to stop recording user search histories altogether.152 Google also has shortened the lifespan of its cookies from expiring in 2038 to expiring two years from the user's last visit.153 New ventures have launched to address the privacy concerns of end-users and privacy advocates. IxQuick.com, a meta-search-engine company started in 1998, deletes all user search data within 48 hours.154 The company claims to have become profitable over the last two years by leveraging its unique privacy-friendly philosophy to garner a wide audience of end-users.155 The debate on how best to address privacy concerns is not limited to the business sector; competing interests are also skirmishing on the legislative front.156 Recently, legislative bills completely at odds with one another have been introduced to address data retention requirements.157 In early 2007, Republican Lamar Smith of Texas sought to introduce a provision in the SAFETY Act which would have given the attorney general discretion to write the rules on what data information companies would have to retain and how long they would have to retain them.158 Smith identified mandatory data retention as the number one tool law enforcement needed to identify and prosecute Internet sexual predators.159 Privacy advocates such as Lauren Weinstein, co-founder of People for Internet Responsibility, said Smith's proposal was far too vague.
"[The] bill is so incredibly bad that it opens up a whole array of things that can go wrong, because there's nothing in this legislation to prevent the attorney general from simply saying, 'Save everything forever.'"160 Weinstein called data retention the single most important issue relating to privacy, free speech, and technology.161 Another legislative bill proposed by Representative Ed Markey, Democrat from Massachusetts, would require every web site operator to delete information about visitors, including e-mail addresses, if the data is no longer required for a legitimate business purpose.162 The
Reconsidering Cookie Expiration, SearchEngine Land (June 12, 2007), http://searchengineland.com/google-responds-to-eu-cutting-raw-log-retention-timereconsidering-cookie-expiration-11443. 152. Jennifer LeClaire, Ask.com Gives Privacy Control to Users, Top Tech News (Dec. 11, 2007), http://www.toptechnews.com/story.xhtml?story_id=02300243I5FJ. 153. Sullivan, supra note 151. 154. IxQuick.com, IxQuick Protects Your Privacy, http://us.ixquick.com/eng/protect_privacy.html (last visited Nov. 7, 2007). 155. IxQuick.com, Q&A, http://us.ixquick.com/eng/press/qa.pdf , (last visited Nov. 7, 2007). 156. Ellen Nakashima, Bill Would Make ISPs Keep Data on Users, WASH. POST, Feb 13, 2007, at D03, available at http://www.washingtonpost.com/wpdyn/content/article/2007/02/12/AR2007021201337.html. 157. Id. 158. Id. 159. Nakashima, supra note 156. 160. Id. 161. Id. 162. Declan McCullagh, Bill Would Force Web Sites to Delete Personal Info, CNET

bill would apply to every U.S. web site, even ones run by individuals, bloggers, nonprofit groups, and charities.163 The bill was referred to the Subcommittee on Commerce, Trade, and Consumer Protection in February of 2006, but no further action has taken place as of April of 2009.164 The chaotic state of the privacy debate may be the opportune time for a corporate titan to push its own agenda. As a leader in leveraging user data, Google would benefit most from an unregulated market-space. But as mentioned previously, Google is aware that regulation is coming and wants to get ahead of the problem.165 The scrutiny that online companies face from the mainstream media, the technology community, and the government is really hitting home for some tech executives. Jerry Yang, CEO of Yahoo!, was grilled and humiliated on Capitol Hill for providing private user data to Chinese authorities that resulted in the detention and alleged torture of political dissidents.166 Yahoo! settled the case for an undisclosed sum and said it would provide financial support to the families and back a humanitarian relief fund to support other political dissidents and their families.167 With all the scrutiny that website operators are under, it is hard to imagine that they would push for an unregulated space. Corporate behemoths have to push for the next best thing, self-regulation. But many commentators argue that the line between self-regulation and no regulation is hard to distinguish.168 Solveig Singleton of the Cato Institute points out that true market-based self-regulation blurs into no regulation at all, with each company regulating itself according to internal standards of customer or client service and no third party oversight.169 Google's push for global regulators to adopt the APEC framework should be of great concern to the general public.
By taking advantage of its huge user base and functional superiority, Google could easily undermine the rights of users by (1) deceptively portraying itself as a privacy advocate; (2) taking advantage of this image to slowly and methodically monetize and exploit increasing amounts of customer data; and (3) pushing for a purely self-regulated global framework (like APEC) which would facilitate its ability to exploit vague language in order to operate in a regulatory vacuum.
News.com (Feb. 8, 2006), http://www.news.com/Bill-would-force-Web-sites-to-delete-personalinfo/2100-1028_3-6036951.html.
163. Id.
164. Govtrack, H.R. 4731: Eliminate Warehousing of Consumer Internet Data Act of 2006, http://www.govtrack.us/congress/bill.xpd?bill=h109-4731 (last visited Apr. 29, 2009).
165. Kaplan, supra note 93.
166. Eric Auchard, Yahoo! settles with Chinese dissidents, SYDNEY MORNING HERALD, Nov. 14, 2007, available at http://www.smh.com.au/news/technology/yahoo-settles-with-chinesedissidents/2007/11/14/1194766770407.html.
167. Id.
168. Singleton, supra note 39.
169. Id.

VIII. WHAT SHOULD THE REPLACEMENT SYSTEM LOOK LIKE?


The preceding analysis sought to expose the flaws of the existing system and the potential dangers of the APEC/Google replacement solution, which either falls short because of vagueness or lacks uniform regulation altogether. Finding a viable solution that balances efficiency concerns while still ensuring privacy and respecting cultural sensitivities is no easy task, but there are several important features that a successful system should contain. These include: (1) top-down regulation, (2) aggressive enforcement, and (3) innovative auditing procedures.
A. TOP DOWN REGULATION HAS A ROLE TO PLAY

While private industry may encourage self-regulation, it is important to recognize the dangers of relying exclusively on such an approach. The release of private data can inflict irreparable harm on users. In a perfect marketplace where end-users are provided with an adequate degree of notice to help them make purchasing decisions, a market-driven solution may be viable. Unfortunately, today's marketplace does not provide such a luxury. The complexity, fluidity, and one-time nature of online shopping make it unlikely that most users will receive the notice needed to make efficient choices. Assuming users are informed about corporate privacy policies and practices, a market-driven solution would still only be viable if consumers could turn to meaningful alternatives. Unfortunately, oligopolies control critical aspects of the Internet and the temptation for them to exploit end-user data is significant.170 As of September 2007, the top four search engines (Google, Yahoo!, MSN, and AOL) controlled nearly 92 percent of searches, while the top ten controlled nearly 97 percent of searches.171 This compelling evidence reveals that the marketplace lacks the functionally equivalent alternatives necessary to facilitate a market-based solution. Moreover, relying on oligopolies to provide privacy protection is unwise in light of business models that make the leveraging of private user data extremely lucrative. Even if viable alternatives do start to emerge, smaller companies would be in danger of being acquired or squashed by oligopolies that have the financial wherewithal and incentive to crush them before they become a threat.

170. Fred Aun, Social Nets Sit on Goldmine of Behavioral Data, Says Jupiter, ClickZ (June 19, 2007), http://www.clickz.com/3626212.
171. Enid Burns, Top 10 U.S. Search Providers, September 2007, SearchEngineWatch.com (Oct. 26, 2007), http://searchenginewatch.com/showPage.html?page=3627422 (rounding out the top ten, in descending order, are: Ask.com; My Web Search; Comcast; BellSouth; SBC Yellow Pages; and My Way).

B. AUDITING OF POLICIES IN A SYSTEMATIC WAY IS CRITICAL

The FTC's existing recommendations for protecting online privacy are weak.172 The commission recommends that users get a copy of their credit report173 and warns that users should realize that those reports may be obtained by others.174 Even leading privacy organizations have a hard time giving consumers useful advice about how to stay protected online. TRUST-e, a leading privacy-rights organization, makes a vague recommendation on its website that users should be careful and choose wisely.175 Consumers do not have the information or practical choices to heed this advice each time they shop online. We live in a fast-paced world where corporate policies are difficult to scrutinize and interpret. The inability of governments or privacy advocates to give concrete guidance on how to protect personal data stems not from the ineptitude of those groups, but rather, from the lack of tools that the existing system provides. One powerful tool to quickly and easily ensure privacy protection would be to mandate that all websites engaged in commercial activity (e.g., any website generating revenue through advertising, sales, or donations) receive an annual privacy audit and an ensuing grade.
CertifiedSecure is a privacy auditing firm based out of the Netherlands that audits websites and data providers to ensure that their practices meet minimum privacy standards.176 The firm investigates the processes, technology, and data-retention and handling practices of companies to ensure compliance with well-defined requirements guided by industry best-practices that are even more granular than those proposed by European Union initiatives.177 These requirements include: (1) documentation procedures (e.g., that all stored private information and its retention period be classified and documented); (2) storage practices (e.g., that all private information be stored when explicitly required by law or when required by the business model of the collector); (3) security (e.g., that all inter-system communications containing private information use advanced encryption); and (4) privacy policy validation (e.g., that company practices comport with the online privacy policy put forth by the company).178 Auditing is a time-tested strategy that can help streamline operations by elucidating areas of weakness, increase

172. Regan, supra note 34.
173. Id.
174. Id.
175. Id.
176. Certified Secure, Website Privacy Protected Checklist, http://www.certifiedsecure.nl/checklists/cs-spec-checklist-privacy-protected.pdf (last visited Nov. 7, 2007).
177. Id.
178. Id.

proactivity on the part of those being audited to meet their responsibilities, and improve transparency about a company to the general public. The auditing process for websites would comprise a number of steps. First, sites deemed covered entities (e.g., those that meet the commercial test laid out above) would be required to register with a newly formed regulatory agency charged with online privacy regulation. This agency would maintain and certify qualified auditors (private companies or individual agents) who would be tasked with facilitating the inspection and audit of the covered entities. Certified auditors would be tasked with the identification of all critical components (see paragraph above) necessary to ensure a privacy-friendly experience for end-users. Once an audit and inspection report were completed, the auditor would provide a copy to the website operator and provide them an opportunity to remediate problematic issues. If the issues were not remediated in a timely manner, the auditor would disclose that the site was privacy-unfriendly, place the site on a public watchlist, and encourage visitors to avoid transactions with this business until the issues are resolved. Depending on the egregiousness of the violation, fines may be levied against noncompliant covered entities. Funding for this process could be facilitated by a small levy on commercial websites or by way of a nominal fee as part of the annual audit registration. Without mandating audits, there is no way to ensure corporations are meeting their privacy obligations to users and no easy way for consumers to objectively gauge how one site compares to another. In the same way that consumers (and clean businesses) have found restaurant health and safety code ratings a valuable tool, end-users (and privacy-friendly web operators) would likely find audits and inspections of online privacy a very valuable tool.

IX. CONCLUSION
The current global privacy system is overly complex and dysfunctional. As a result, regulatory bodies have avoided legitimate action against privacy law violators for fear of chilling online commercial activity. Even though compliance action has thus far been minimal, this does not imply that the trend will continue indefinitely. If and when regulatory agencies begin taking stronger action to protect consumer privacy, the existing privacy framework will be unable to cope because of its inherent lack of uniformity. Businesses will continue to be confused as to their responsibilities across multiple jurisdictions, and Internet investment will contract as the cost of complying with the previously unenforced potpourri of jurisdictional laws becomes overly burdensome. If, on the other hand, regulatory bodies maintain the status quo (characterized by weak enforcement of divergent legal standards),

consumer privacy rights will continue to suffer. Unscrupulous companies and individuals armed with new technologies (behavioral profiling, advanced cookies, interlinked databases, etc.) will be able to exploit user data without fear of repercussion. Action must be taken to head off the disaster ahead, but the lead replacement system, the APEC Privacy Framework, is not a good solution. APEC would give private corporations carte blanche to exploit private user data through an overly flexible self-regulated interpretive system and would provide no mechanism for oversight. Some argue that a truly comprehensive global privacy framework will never come about because it would be impossible for the nations of the world to reach consensus on the granular issues that would need to be standardized for such a framework to succeed. Others contend that public interest groups and international citizens (as represented by their governments) will be unable to protect privacy because powerful business lobbies will stop at nothing to assert their own agendas. Privacy is a deeply personal issue that is sensitive to the impulse of public opinion. Although cynical views may prevail in the short run, the outcome may change as the public is increasingly exposed to the ramifications of the new privacy paradigm in: (1) the legal world (with questionable online searches being used against citizens in court); (2) the burgeoning black market for identity theft (as security breaches become more and more prevalent); and (3) the intentional or inadvertent exposure of private facts that Internet searches facilitate. If and when the public does wake up to the harms that widespread collection and dissemination of private data can cause, it is critical that a viable global privacy framework be set up to quickly facilitate the protections the public seeks.
Long ago, a respected group of leading technologists claimed it would be impossible to effectively standardize Internet technology because of conflicting views about which methodologies were most efficient. In 1992, these individuals, led by David Clark, coined the famous computing phrase, "[W]e reject: kings, presidents, and voting. We believe in: rough consensus and running code."179 Some of the most remarkable and innovative solutions were produced during this age of standardization, as the international community pooled its resources and worked using a collaborative and open-source approach to come to a rough consensus.180 This collaborative standardization approach has been refined over the years and continues to enjoy much success, as evidenced by the popularity of open-source solutions such as Linux and Firefox. If technology standardization can be achieved through rough global consensus, then
179. Andrew L. Russell, Rough Consensus and Running Code and the Internet-OSI Standards War, 28 IEEE ANNALS OF THE HIST. COMPUTING 48, 49 (2006), available at http://www2.computer.org/portal/web/csdl/doi/10.1109/MAHC.2006.42.
180. Id.

surely international actors can agree to legal standards that ensure the right to privacy.
