Uniform legislation of Data Protection and Privacy will be the tool for enhancement of electronic commerce.


Sumathi Dharmawardena*


The European Union’s lead in the protection of data and privacy has created a trade barrier between the strongest economies in the globe and the United States in online trading. Consumers have been trapped in this war of data and information, in which software companies provide tools for both parties.

Declaration of the Independence of Cyberspace

“Governments of the Industrial World, you weary giants of flesh and steel, I come from Cyberspace, the new home of Mind. On behalf of the future, I ask you of the past to leave us alone. You are not welcome among us. You have no sovereignty where we gather. We have no elected government, nor are we likely to have one, so I address you with no greater authority than that with which liberty itself always speaks. I declare the global social space we are building to be naturally independent of the tyrannies you seek to impose on us. You have no moral right to rule us nor do you possess any methods of enforcement we have true reason to fear”1.

John P. Barlow’s Declaration of the Independence of the Cyberspace depicts the autonomy the Internet has obtained with the advancement of technology. Electronic commerce spearheads the online business activities known as B2C (Business to Consumer) and B2B (Business to Business) dealings. Business to Consumer (B2C) dealings in particular have had setbacks due to consumers’ lack of confidence in disclosing their personal data, such as credit card numbers, bank account numbers and other personal details, to online marketing companies.

“The Declaration of Independence asserts Americans have certain inalienable rights, among them life, liberty, and the pursuit of happiness. Should privacy be included in this list? If you think so, 79% of Americans agree with you, according to a poll conducted in 1990. You may also be amongst the 68% of Americans who, in a 1992 poll, felt computers were an actual threat to their personal privacy”2, said D’Amico, a leading writer on Internet privacy.

* LL.M (Singapore), State Counsel

1 John Perry Barlow, “Declaration of the Independence of the Cyberspace”, Final.html. John Perry Barlow is a longtime online and Internet activist, and the co-founder and Vice Chairman of a US Internet civil liberties organization, The Electronic Frontier Foundation.

Privacy on the Internet is a major concern for consumers, since most online trading firms are able to collect data pertaining to customers’ privacy even though the customers wish to maintain it. Protection of privacy is one of the critical issues that must be resolved. “Will the Digital Age be one in which individuals maintain, lose, or gain control over information about themselves? Will it be possible to preserve a protected sphere from unreasonable government and private sector intrusion? In the midst of this uncertainty, there are reasons for optimism.”3

In order to safeguard online privacy in the United States, many organizations commenced activities in this area during the last decade of the 20th century. They were concerned about online trading companies collecting and selling personal data and personal medical records, and about constitutional issues, including privacy.

The major organizations that were battling these privacy issues in the United States are the Electronic Privacy Information Center (EPIC), the American Civil Liberties Union and Computer Professionals for Social Responsibility. They also provide tools to maintain online privacy.

The Internet is a major instrument for collecting data about individuals’ lifestyles, habits, etc., with the advantage that the data can be sorted using computer technology. It draws the attention of data collectors, who earn millions of dollars by selling such data.

“The Internet accelerates the trend toward increased information collection that is already evident in our offline world. The trail of transactional data left behind, as individuals use the Internet, is a rich source of information about their habits of association, speech, and commerce. When aggregated, these digital fingerprints could reveal a great deal about an individual’s life. The global flow of personal communications and information coupled with the Internet’s distributed architecture presents challenges for the protection of privacy.”4

Transactional data, click stream data, or “Mouse Droppings” can trace what a person did on previous visits to web sites.

The sale of these digital blueprints of individuals’ lifestyles for money has become a growing concern in online business dealings.

2 Marie D’Amico –

3 Jerry Berman and Deirdre Mulligan, Privacy in the Digital Age: Work in Progress, Nova Law Review, Volume 23, Number 2, Winter 1999 –

4 Deirdre Mulligan – statement made before the Subcommittee on Courts and Intellectual Property, Committee on the Judiciary, US House of Representatives, on “PRIVACY AND ELECTRONIC COMMUNICATIONS”, Thursday, May 18, 2000 –

To control this menace the European Union in 1995 issued a directive, which was subsequently implemented by the member states.


The European Convention on Human Rights provides that “Everyone has the right to respect for his private and family life, his home and his correspondence.”5

Article 10 of the Human Rights Convention states “This has to be balanced against a basket of other rights for example the right of free speech and right to acquire information. Any interference with such rights by public authority must be sanctioned by law”.

The main object of the EU Directive on Data Protection, which went into effect in 1998, is to protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.

Article 1 explains the purpose of the Directive: to “protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data”. Such protection ‘shall neither restrict nor prohibit the free flow of personal data between Member States’.

Articles 5 to 21 of the Directive set out the obligations placed on data controllers and the rights of data subjects. These chapters also define what constitutes legal data processing.

As per Article 6 of the Directive, member states shall provide that data must be processed fairly and lawfully, collected only for legitimate purposes, and adequate and not excessive in relation to the purpose for which it was collected.

Article 7 of the EU Directive deals with the principles relating to the reasons for making data processing legitimate.

Member States shall provide that personal data may be processed only if the data subject has given his consent unambiguously, processing is necessary for the performance of a contract to which the data subject is a party or for compliance with a legal obligation to which the controller is subject, or processing is necessary to protect the vital interests of the data subject.6

The EU Directive also included the data subject’s right to obtain from the data controller, without delay, confirmation as to whether or not data relating to him are being processed, and information pertaining to the processing, the categories of data, recipients, etc.

5 Article 8 of the European Convention on Human Rights

6 Article 12 EU Directive 95/46

The data subject’s right to object on compelling legitimate grounds was accepted as a right by the European Union and was included in Article 14 of the Directive. As per section (b) of Article 14, a person has the right to object to the processing of personal data relating to him by third parties for marketing purposes.

Article 17 of the Directive states that the controller must implement appropriate technical and organizational measures to protect personal data against accidental loss or unlawful destruction.

The data subject’s right to judicial review of his loss or damages suffered was accepted by the EU Directive and member states were to provide a mechanism for it.

The EU Directive placed restrictions on the transfer of data to third countries which failed to ensure an adequate level of protection. This led to the creation of the US safe harbor policy, which will be discussed later. Article 26 of the EU Directive sets out the derogations that allow the transfer of data to third countries which do not ensure an adequate level of protection.

Data Protection Act of United Kingdom

The Data Protection Act (DPA) 1998 received the Royal Assent on July 16, 1998. A new law was necessary to keep in line with the EU Directive on data protection, which came into force in 1995. The DPA applies to the private and public sectors in the processing of personal data.

The DPA outlines principles of data protection and states that data shall be processed only for fair and lawful purposes.

Section 1(1) of the DPA adopts a three-stage definition and describes data as being processed by means of equipment operating automatically and recorded as part of a relevant filing system.

The Data Protection Commissioner maintains a register of all legitimate data controllers and they must enter in the registry the purpose of collecting data.

The Commissioner will make arrangements for the public to inspect the information collected. The DPA prohibits the collection of personal data about subjects’ religion, ethnic origin, race, political affiliation, etc.

As per the EU Directive, the transfer of data to third countries which do not provide adequate protection is prohibited under the DPA.

Current EU and US principles of data and privacy protection are based on the Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data issued in 1980 by the Organization for Economic Co-operation and Development, when the present Internet technology was born. However, after the adoption of the EU Directive, which prohibits the transfer of data to third countries that lack adequate protection, the US was compelled to consider regulating the same.

The United States, which does not have a specific data protection regime due to its policy, regulates data collection and transfer through the Federal Trade Commission. The EU data protection treaty compelled the US to reconsider its position.

“On October 25, 1998, the European Union’s Consumer Data Directive came into effect. Despite three years of prior notice, American Internet companies and government officials professed to be “shocked” to discover that their data privacy standards were inadequate and that, as a result, the EU would block US companies from receiving information about European consumers”.7

Consumers in the US were of the view that measures to protect privacy and data were inadequate, and this was a major concern in dealing with online commerce. US companies face the dilemma of needing data to promote their business while consumer concern about data increases. Luc Hatelstad8, commenting on online privacy, states: “The problem is simple. Companies need to glean information that will help target sales. Consumers want the convenience of secure e-commerce without worrying about having their identities stolen, being spammed, or having the aggregators of personal data knowing – and profiting from – every detail of their lives. As retailers and consumers force the issue, e-commerce could get squeezed in the process particularly among companies that minimize the privacy concerns of their customers”.

The United States has, from the early seventies, been accepting the right to privacy, passing legislation such as the Fair Credit Reporting Act, privacy provisions in the Cable and Telecommunication Acts, and the Children’s Online Privacy Protection Act, which came into effect in April 2000 and deals with the online collection of information from children below 13 years of age. From the point of view of consumers, this legislation was inadequate for dealing in electronic commerce. In particular, banks in the US dealing with banks in EU countries, which necessitates the cross-border transfer of data, had to face uncertainty due to the EU Directive, since the US had failed to create legislation providing adequate protection. The US view that self-regulation by the members of the industry would be adequate for privacy and data protection had critics within the US and outside, who were of the opinion that this lacuna was a detriment to the development of e-commerce, since other developed nations like Japan, Canada and Australia were following the European Union pattern.

7 “EU and US Data Protection Law – And Soon the Twain Shall Meet”. This article was prepared by Beck & Arad, LLP, a New York-based law firm dedicated to serving the needs of domestic and international business clients. htlp://www,

8 Luc Hatelstad, ON LINE PRIVACY MATTERS, January 16, 2001, issue of Red Herring magazine. l8/ind-mag-90-privacy01 180l.html

According to the generally accepted view of veterans of the legal field, self-regulation by the industry was lagging far behind the expected protection. Commenting on this matter, Deborah Pierce, staff attorney for the Electronic Frontier Foundation (EFF), says, “We used to strongly favor self-regulation, but it’s become clear that won’t work. We need some kind of legislation that doesn’t rely on a particular technology but focuses more on a set of established fair information practices”.9

Commenting on this subject, Marc Rotenberg states “that the United States has typically protected privacy by self-regulation and industry codes know very little about the long tradition of privacy legislation in this country. It is however, correct to say that the United States, over the last twenty years, has taken a sectoral approach as opposed to an omnibus approach to privacy protection in the private sector. But it is also important to note that the sectoral approach has several weaknesses. For example, we have federal privacy laws for video records but not for medical records. There are federal privacy laws for cable subscriber records but not for insurance records”.10

US Safe Harbor Policy

In order to diminish the uncertainty created by the EU Directive on Data Protection, the United States issued a safe harbor privacy framework with the European Union. Under this framework, the US Department of Commerce issued the Safe Harbor Privacy Principles in July 2000.

The US Department of Commerce states: “They are intended for use solely by U.S. organizations receiving personal data from the European Union for the purpose of qualifying for the safe harbor and the presumption of “adequacy” it creates. Because the Principles were solely designed to serve this specific purpose, their adoption for other purposes may be inappropriate. The Principles cannot be used as a substitute for national provisions implementing the Directive that apply to the processing of personal data in the Member States”.

9 Deborah Pierce, January 16, 2001, issue of Red Herring magazine.

10 Marc Rotenberg, Director, Electronic Privacy Information Center; Adjunct Professor, Georgetown University Law Center. Testimony on The European Union Data Directive and Privacy Before the Committee on International Relations, U.S. House of Representatives, May 7, 1998

The US Safe Harbor framework was able to shift the imbalance created by the EU Directive. However, whether state legislation would be effective as against self-regulation by the industry is yet to be seen.

Kenneth Neil Cukier states “the result was that in international trade imbroglio that was settled, in part, in late 2000 when the European commission accepted a so-called safe harbor provision. It allows firms in third-party countries like the United States to provide decent …yet slightly weaker privacy safeguards. Though accepted by the commission, the European Parliament raised strong doubts about the rules and is studying the situation in order to assess its viability.”11

The United States 7th Congress is considering new legislation to protect privacy, and the industry’s view is that this will bridge the gap with the EU Directive. “The bill, co-sponsored by Reps. Chris Cannon, R-Utah, and Anna Eshoo, D-Calif., would require Web sites to notify visitors how personal data such as telephone numbers and ZIP codes are used, and allow visitors to limit its use. Consumers shouldn’t have to reveal their life story every time they surf the Web”, Eshoo said in a press release.

Prof. Reidenberg criticized the US Safe Harbour Agreement as inadequate to meet the European standards in his testimony before the US House subcommittee on Energy and Commerce on 8 March 2001. He states, “While the approval was an important short-term political victory for both the US and the European Commission, the safe harbor agreement is unworkable for both sides and will not alleviate the issues of weak American privacy protection”.12

Privacy War

Consumers in the United States have been caught in the ongoing war of privacy between tech-savvy companies, who need personal data to enhance business online, and civil liberty groups and privacy-concerned vigilantes promoting the right of privacy. Michel Miller states, “On one side, many companies are trying to get more information about their customers or potential customers. Up to a point, it’s good business: The more you know about your customers, the more you can tailor your products or services to meet their needs. On the other side are individuals, who are concerned about privacy rights. Certainly, the Web brings with it a wealth of new ways of tracking individuals, often in ways we may not want to be tracked”.

11 Kenneth Neil Cukier, Senior Editor and Paris correspondent, Communications Week International – January 16, 2001, issue of Red Herring magazine - .html

12 Prof. Joel Reidenberg, Professor of Law, Fordham University School of Law, Testimony before U.S. House of Representatives Oversight Hearing on Privacy and Electronic Commerce, May 18, 2000. Testimony.html

In this war software companies are winning by promoting tools for both sides, hi-tech programs to collect data and tools for consumers to protect their privacy.


The US standards of data protection lag behind the EU Directive, period. This has compelled the United States to formulate the US Safe Harbor Policy and new legislation in order to promote the cross-border transfer of data, which is the key to the development of online business. Many countries are seriously considering data protection, which has become a cross-border trade barrier due to privacy protection.

Data protection and privacy on the Internet have created a barrier to the development of commerce due to consumers’ growing mistrust about the protection of their privacy. Sarah Andrews13, a policy analyst commenting on this subject, states “American consumers currently have high levels of concern about online privacy and a corresponding reluctance to shop online. EPIC has found that such reluctance is justified. In “Surfer Beware 3: Privacy Policies without Privacy Protection”, EPIC14 documented that none of the top 100 shopping sites provided necessary elements of privacy protection in their privacy policies”.

As discussed above, the lack of data protection in the United States will curtail the entry of US entrepreneurs into the global electronic commerce markets that are following the world’s largest online market, the European Union.

Sarah Andrews states “The passage of the European Union Data Protection Directive and the lack of a comparable law in the United States threaten to curtail a valuable market. A study by the Boston Consulting Group (BCG) estimated that online European retail sales reached $3.6 billion in 1999. Other trading partners such as Canada are also in the process of passing comprehensive privacy legislation that would include provisions for blocking data flow to countries that do not offer adequate protection.”15

Adoption of new uniform legislation for data protection strengthens the point that adequate protection of privacy and data is the key to the development of electronic commerce, which will be active in a borderless world.

13 Sarah Andrews, LEGAL BARRIERS TO ELECTRONIC COMMERCE – submitted on March 17th 2000 to US Dept of Commerce to E-commerce.html

14 EPIC –

15 Sarah Andrews, LEGAL BARRIERS TO ELECTRONIC COMMERCE – submitted on March 17th 2000 to US Dept of Commerce to E-commerce.html

