As the information revolution began at the end of the 20th century, it gave companies the power to inexpensively collect and process large databases of personal information. Information is powerful and its collection and use is fundamental to our way of life. But the misuse of personal information can cause a range of problems from the nuisance of junk mail, to the stress of recovering from identity theft, to potentially devastating forms of discrimination. The Internet, with its exchange of information between computers, companies, schools, individuals and countries, has drawn Web users´ attention to information privacy.
Each of the forces that shape our options and attitudes about privacy, whether they be governments, corporations, friends and family, or the technology infrastructure, are in their own way recognizing the importance of the privacy issue and are now involved in addressing concerns about data privacy. Governments are passing laws; companies are posting privacy policies and giving consumers more options; many individuals are questioning requests for personal information; and technology is being designed to not only process information more efficiently but to also store it securely and track its access and use.
How P3P Can Help? P3P can help balance the information economy´s need for information to provide consumers with desired services with each individual´s desire for control over information about them by empowering people with tools for notice and control to make decisions based on their own preferences.
Consumer polls have consistently demonstrated that privacy protection is a significant concern and are expressing concern about what data is collected from them, how it is protected, what it is used for, and how it is shared with others. A Business Week survey, released in March 2000 found that 82% of those polled were not at comfortable with online activities being merged with personally identifiable information, such as
As a result of such concerns about privacy, some consumers in Canada and Australia appear to be staying away from online shopping. Rather than becoming more comfortable with e-commerce as it becomes a more ubiquitous marketplace, some Canadian consumers are growing more concerned about the security and privacy of their personal and credit card information that is transferred online. A Canadian Ipsos-Reid survey found that:
83% of consumers who have not shopped online cited that their reluctance is due to not knowing what was being done with their information and who was watching their surfing habits and
69% of frequent Internet purchasers say they have concerns about handing out personal information like credit card numbers online.4
Similar concerns were voiced by Australian consumers in a recent survey conducted by the Australian Privacy Commissioner´s office. This survey found:
57% of Australians were more concerned about their privacy on the Internet than any other form of media.
90% of Australians considered practices, including the monitoring of Internet usage without consent and seeking personal details irrelevant to a transaction, to be an invasion of their privacy.
According to the Australian Federal Privacy Commissioner, Malcolm Crompton,
Companies often fail to grasp the importance their customers place on privacy. Nearly half of Australians say they have already stopped - not thought about stopping, but actually stopped - transacting with organizations they feel they can't trust with their personal information.5
How P3P Can Help? P3P enables businesses to build trust with their customers and potential customers by making the privacy/data-gathering process more transparent. This allows consumers to better understand why and how companies collect information.
This concern about privacy is starting to affect business practices. Companies are increasingly recognizing that providing clear information to their customers and allowing their customers a greater degree of control over the collection and use of their personal information makes good business sense.
Beyond overcoming consumer confidence concerns, we are beginning to see an environment develop where privacy will be viewed as a general enabler in a wide range of commercial and non-commercial transactions. Respect for individual privacy is beginning to be used to differentiate one company from another in the marketplace and to build a closer, more focused bond between the company and the customer.
Across the globe, many corporations are hiring executive level managers, often on the Chief Privacy Officer level, to create and implementing corporate-wide data management programs. There are Privacy Officer Associations and international training programs. Companies are recognizing the highly-valuable yet volatile nature of customer information and are beginning to take steps to manage it with the care such a valuable asset deserves.
How P3P Can Help? Although the initial user agents will be focused on traditional Internet browsing, P3P lays the groundwork for standardizing the way in which an organization´s privacy practices are communicated via other communications devices such as wireless, PDAs, and voice-based devices. P3P is therefore just as relevant to emerging as it is to existing technologies.
Computer programmers, the millions of individuals responsible for creating the computer revolution, the Internet, and the myriad of applications that we take for granted each day are taking informational privacy much more seriously. Technology ethics courses that include security and privacy issues are now part of curriculum at colleges and universities. Organizations such as the European Data Commissioners, Computer Professionals for Social Responsibility and the Association for Computing Machinery are helping developers recognize the power they wield when architecting new information systems and user applications.
The emergence of P3P is evidence of this shift within the technology community. P3P has been developed to help steer the force of technology a step further toward automatic communication of data management practices and individual privacy preferences.
How P3P Can Help? Governments around the world are closely watching how companies and organizations communicate their data management practices, handle consumer complaints, and transfer personal data. P3P facilitates the process of providing notice of data gathering and can therefore be a useful tool for compliance.
In some jurisdictions, adherence to a set of privacy principles is not just good business; it´s also the law. It is an increasingly popular opinion that individuals, have an important stake in the proper management of their identity and that information6. Many policy leaders support, and some jurisdictions enforce, an individual´s right to determine who has access to personal information about them, to authorize what it is used for, and to be provided with a mechanism to review and correct that data.
Europe. As the global community has faced the issues created by mass collection and exchange of personal data, some have taken the lead to promote strict standards for responsible information management. The European Union has taken the strongest steps to deploy information privacy regulation (called
data protection legislation) including the creation of country-level data protection agencies7. Other non-EU countries such as Canada and Australia have passed comprehensive data protection legislation as well. The European data protection legislation includes strict provisions regarding when and how a European data controller may transfer data to other countries8.
United States. In general, the United States has focused its data privacy laws on specific misuses of information, such as regulations prohibiting disclosure of video rental records, or on specific industries that deal with the most sensitive kinds of personal data, such as the credit, banking, and healthcare industries and information about children. Using existing trade and advertising laws and recognizing the importance of this issue to consumers, individual states attorneys general and the U.S. Federal Trade Commission have taken action against companies that mislead the public with regard to their privacy practices.
How P3P Can Help? By implementing P3P, a Web site does not automatically comply with the OECD guidelines or the FTC recommendations, however when combined with other procedures and technical tools, P3P can help an organization address some of the Fair Information Practices.
In 1980, recognizing the importance of the data privacy issue in international commerce, the Organization for Economic Cooperation and Development (OECD) issued privacy guidelines that have become an important foundation for the privacy debates since that time9. The guidelines were proposed to harmonize national privacy legislation and, while upholding human rights, prevent interruptions in international flows of data. They represent a consensus on basic principles which can be built into existing national legislation, or serve as a basis for legislation in those countries which do not yet have it.
The guidelines formulate a set of eight principles, often referred to as
Fair Information Practices. The principles are10:
Purpose Specification Principle: The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
Openness Principle: There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the Data Controller.
Collection Limitation Principle: There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
Data Quality Principle: Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
Accountability Principle: A Data Controller should be accountable for complying with measures which give effect to the principles stated above.
Use Limitation Principle: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with the Purpose Specification Principle of the OECD Privacy Guidelines except:
- with the consent of the data subject; or
- by the authority of law.
Individual Participation Principle: An individual should have the right:
- to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
- to have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him;
- to be given reasons if a request made under subparagraphs(a) and (b) is denied, and to be able to challenge such denial; and
- to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended.
Security Safeguards Principle: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.
Other Variations of the Data Protection Guidelines
The Fair Information Principles represent an international consensus on how best to balance effective privacy protection with the free flow of personal data. These principles have been re-cast by some with variations. For example, organizations in the United States should note the formulation by the Federal Trade Commission of five elements that should be addressed in any data privacy standard:
- Notice of the ways in which information will be used;
- Consent to the use or third-party distribution of information;
- Access to data collected about oneself;
- Security and accuracy of collected data; and
- Enforcement mechanisms to ensure compliance and obtain redress.
P3P Facilitates Fair Information Practices
The adoption of P3P into Web sites and communication technologies, promotes a technology environment that supports the Fair Information Practices.
- P3P provides an automatic way for organizations to communicate to Web site visitors about the purposes for which personal data is collected.
- P3P is based on openness and improving the level of conversation between data subjects and organizations who collect personal information on the World Wide Web.
- With P3P, users can be notified prior to collection of information increasing their opportunity to consent or reject a specific request for information.
- By improving notice to Web site visitors about what data is being collected about them, P3P will trigger more questions to the organizations collecting the information. This scrutiny will hopefully help organizations to take care to collect only information that is relevant and necessary to the organization.