By: Betty K. Steele
In order for the Internet to realize its potential as a full-fledged global method of doing business, there are a number of key areas in which the Web must mature. The areas that are receiving the most attention in the United States and the European Union, and from the Organization for Economic Cooperation and Development (OECD), the 29 members of which represent the world’s most developed democracies, are consumer privacy, confidentiality and the ability to contract, and consumer protection. Set forth below is a brief discussion of the status of each one of these areas.
Consumer privacy on the Internet is the subject of much discussion, proposed legislation and self-regulation in the U.S. In Europe it is the subject of the European Union’s Directive on Data Protection, which became effective on October 25, 1998. The directive requires that transfers of personal property take place only to non-EU countries that provide an “adequate” level of privacy protection. The United States and the EU approach privacy protection in different ways. While the Europeans rely upon legislation (the directive), the United States has approached privacy issues with a mixture of legislation, regulation and self-regulation. (Recent highly public privacy lapses and the failure of self-regulatory entities to monitor and discipline members, as well as the disillusionment of the consumer watchdog agency, the Federal Trade Commission (“FTC”), with self-regulation, make it likely that the United States will legislate more in the privacy area.) Because of differences in approaches to privacy protection, many U.S. companies have been uncertain about the impact of the “adequacy standard” on personal data transfers from the EU to the U.S.
A U.S.- European safe harbor agreement, negotiated by the U.S. Department of Commerce and the EU, should reconcile U.S. and European policy with regard to U.S. organizations receiving personal data from the EU. This agreement reflects compromises between the advocates of industry self-regulation (the Americans) and advocates of legislative regulation (the Europeans).
So what does this mean for U.S. companies with Web sites? While an online privacy statement is not usually required by the Federal Trade Commission (“FTC”) in its role as generic U.S. consumer watchdog agency, such a statement is highly recommended. This is because the FTC has created a set of guidelines for a privacy statement that any prudent company should follow. What the international agreement does is provide “safe harbor” standards that go beyond the FTC guidelines with respect to U.S. companies that access European consumer data. Among other things, these standards provide for a two-tier treatment of personal data. Information concerning union membership, religious or philosophical beliefs, political opinions, medical or health conditions, sexual preferences, or racial or ethnic origin is considered sensitive and requires the user to specifically “opt-in” before this data may in any way be used by the Web site provider. For other less sensitive personal information, an “opt-out” provision will be adequate. However, even such less sensitive data not covered by an “opt-in” provision may only be transferred by the U.S. company to third parties that comply with the safe harbor rules.
Decisions to qualify for the safe harbor are voluntary. A self-certifying procedure by which the U.S. party self-certifies to compliance with the U.S. Department of Commerce is part of the U.S. – European agreement.
Confidentiality and the Ability to Contract
The EU’s recently adopted directive on electronic signatures will be incorporated into the laws of each of the fifteen EU members. This directive is presented by the EU as a positive step toward increasing consumer and business confidence in the medium of e-business and the Internet. Its stated purpose is to define the requirements for both the electronic signature certificates that link the signature verification data to a person and confirm that person’s identity, as well as for the companies providing electronic signature certification services. It is hoped that the directive will provide a framework that ensures minimum levels of security for electronic signature use. From the American perspective the directive does have certain positive attributes. A key feature is that EU countries will not be able to deny the legal validity of an electronic signature solely because it does not comply with the directive. Moreover, the directive itself does not contain many detailed provisions.
Of course, the United States has its own Uniform Electronic Transactions Act, which has been adopted in a few states and contains very broad and nonspecific provisions concerning electronic signatures and their validity. In addition, there is pending legislation in Congress that could preempt conflicting state legislation.
Concerns aside, what the EU directive is, in reality, is one more link to a system that legitimizes and validates the use of the Internet for a broad range of commercial and other activities. The end result for this directive appears to be a compromise. It may be somewhat more specific than many in the U.S. might like, but it certainly does not go as far down that path as the Europeans could have gone.
On December 9, 1999, the OECD issued its “Guidelines for Consumer Protection in the Context of Electronic Commerce.” While the Guidelines are non-binding, they reflect a consensus of industry, consumer and governmental groups on a variety of issues confronting consumers seeking to use the Internet for online purchases. They also reflect the necessity of a global approach to consumer protection given the inherent international nature of the Internet.
The Guidelines provide a minimum set of standards in business-to-consumer electronic commerce in a variety of different areas, including: transparent and effective protection for consumers; fair business, advertising and marketing practices; online disclosures; confirmation process for purchases; payment mechanisms; dispute resolution and redress; and privacy. The Guidelines run the gamut from the general, such as in the area of dispute resolution and redress, to the very specific. One of the most specific areas of the Guidelines is online disclosure concerning information about the business making consumer sales.
As noted above, an area not well-developed in the Guidelines is jurisdiction and consumer redress. There is a recognition that cross-border transactions are subject to complex jurisdictional and choice-of-law issues. However, the drafters of the Guidelines are concerned that if mechanisms are not put into place to resolve consumer conflicts in international electronic commerce then this could become a major limitation to its growth. The Guidelines encourage the development of effective redress for consumers in the form of alternative dispute resolution mechanisms. (This has been put into place in the much less complicated arena of domain name disputes, as noted above.)
The OECD’s Committee on Consumer Policy and its business and consumer partners’ next step is to create awareness on consumer issues through Web sites. The OECD will also be encouraging the implementation of the Guidelines.