10. Data Protection
Corporate marketing departments have always been
hungry for customer data and the Internet has
made it easier than ever before to collect that
data. But there are some rules that must be
respected in the collection and use of data
about customers and visitors to your web site.
Special attention needs to be paid to national
data protection regulations and especially to
the EU Data Protection Directive 95/46/EC of 24
October 1995 and to the Telecommunications Data
Protection Directive 97/66/EC of 15 December
1997. Complying with data protection law is a
complex process that requires a comprehensive
and consistent management approach throughout
the whole organisation.
The Data
Protection Directive aims to ensure the free
flow of data within the Union while safeguarding
the fundamental rights and freedoms of
individuals. It guarantees the confidentiality
of electronic messages and prohibits any kind of
interception or surveillance of such electronic
messages by any party other than the senders and
intended recipients.
According to the directive, Member States must
determine the conditions under which the
processing of personal data is lawful. In any
event the directive provides that personal data
can only be collected for “specified, explicit
and legitimate purposes” and must be processed
in a way which is compatible with these
purposes.
When
collecting data about an individual, there are
several considerations that must be followed.
Collecting
Personal
data can only be collected and processed by the
provider if permitted by some law or if the
individual has unambiguously given his consent.
Use
Data
must not be processed for any purposes
incompatible with those for which the data was
initially collected. Data cannot be transferred
to third parties without agreement from the data
subject. Security measures must be taken to
protect the personal data against any accidental
or unlawful destruction or accidental loss. Data
should not be kept longer than necessary for the
purpose for which it was collected.
Access
Data
should be accurate, complete and kept
up-to-date. The customer must have access to any
personal data concerning him/her that is being
processed or kept. A request for correction or
deletion of incorrect personal data must be
granted within a reasonable period of time. The
customer must have the possibility to opt-out of
the processing operation of his/her data and to
refuse certain use of the data.
The
level of security must be appropriate to the
risk presented by processing and the nature of
the data. The individual has the right to object
to the processing of personal data relating to
him if it is used for the purpose of direct
marketing. Compliance with data protection
principles (specified and lawful purposes, adequate,
relevant and not excessive, accurate, securely
held, not transferred to third countries without
adequate protection, consent) also concerns
payment systems.
It
should be noted that detecting interception or
surveillance is very difficult. However, there
are numerous security systems on the market to
protect against surveillance.
Safe Harbour
The Data
Protection Directive prevents transfers of
consumers’ personal data to third countries
where the level of data protection is considered
“inadequate”. The Data Protection Directive
addresses every individual’s right to privacy
with respect to the processing of personal data,
whether processed, stored or used in any
fashion. Information can only be used for the
purposes for which it is obtained, be kept as
long as necessary, and must be kept up-to-date.
Because
US data protection is non-statutory and there is
no government data protection office, it is
regarded as inadequate by definition. Yet
blocking the transfer of business data to the US
is widely regarded to be all but unthinkable.
Therefore, on 26 July 2000 the European Commission
adopted a decision on the adequacy of the level of
data protection in the US with respect to the EU Data
Protection Directive. The decision entered into force on 1
November 2000. Any transfer made before this
date is not subject to the decision.
The Commission decision
specifies the conditions under which there is an
adequate level of protection in the US for the
transfer of data from the European Community to
the United States. By agreeing to the safe
harbour principles, US business will therefore
be able to collect data and transfer personal
data between the US and EU Member States. This
way US organisations can keep in line with the
European data protection principles, create
trust and confidence and develop best business
practice.
To guarantee a smooth flow of
data from Europe to the US it is important to
follow this issue. The Safe Harbour is intended
only for the US. There are (as with Hungary and
Switzerland), or will be, other agreements for
other countries.
Commercial Communications
Analysing how off-line and on-line promotion
influence entertainment consumption, a research
company found that web sites and e-mails are as
effective as off-line promotion via magazine
ads, billboards, and theatre previews. Tips
gathered in chat rooms and instant messages are
the most effective means of on-line promotion.
Comparing individual off-line promotional tools
with on-line ones revealed that Web promotion
can surpass the power of television.
Commercial communications are essential for the
financing of electronic business and for
developing a wide variety of new, charge-free
services. In the interest of consumer protection
and fair-trading, commercial communication,
including discounts, promotional offers, and
promotional competitions or games, must meet a
number of transparency requirements.
Both the
commercial nature of the communication and the
person for whom the communication is provided
should be clearly identified. In the case of
commercial communications via e-mail, the
commercial nature of the message should be
obvious as soon as the consumer or professional
receives the message. Moreover, the advertiser
must honour opt-out lists – that is, public
lists of people who have explicitly asked not to
receive unsolicited commercial e-mail.
The
Electronic Commerce Directive enables Member
States to both authorise and prohibit the
sending of unsolicited commercial communications
by electronic mail.
Where
Member States allow it, such communication must be
“clearly and unambiguously” identifiable as such as
soon as it is received. Besides, Member States can
choose between:
· an opt-in system (prior consent of the recipient
required before the sending of unsolicited
commercial communications; Denmark, Italy, Finland,
Germany and Austria have chosen an opt-in system);
or
· an opt-out system (no sending of unsolicited
advertising to individuals who have mentioned in
a register that they do not wish to receive it).
These opt-out registers would have to be checked
regularly by providers of unsolicited commercial
communications.
Besides
the E-Commerce
Directive, the Distance Selling Directive and the
General and Telecommunications Data Protection
Directives provide different regulation on
commercial communications, which creates
confusion.
On July 12, 2000 the European
Commission adopted a proposal for a Directive on
‘processing of personal data and protection of
privacy in the electronic communication sector’.
The proposal is part of a package of proposals
for initiatives which will provide a future
regulatory framework for electronic
communications networks and services. It aims to
adapt and update the existing Data Protection
Telecommunications Directive (97/66/EC) to catch
up with technological developments. Of course
commercial communications sent by e-mail are the
most controversially discussed issue. It is not
yet clear whether an opt-in or an opt-out system for
e-mails will apply. If an opt-in system is
chosen, the provision of the E-Commerce Directive
on this issue would be overruled. The proposal
is still under discussion in Parliament but is
expected to be adopted by the end of 2001.
Suggestion
Be
careful with unsolicited commercial e-mail,
often known as SPAM. Although the E-commerce
Directive has taken a lenient view on SPAM,
most Internet service providers (ISPs) do not.
Indeed, most ISPs have an acceptable use
policy (AUP) which expressly forbids SPAM and
which you must agree to when subscribing to
the ISP's services.
At the
least, most ISPs will close your account with
little or no warning if you break the AUP.
Some will also charge you costs (the bulk of
the costs of transmitting SPAM are carried by
the ISPs who have to pass it on to their
customers if they cannot collect it from the
persons responsible for the SPAM). Having your
e-commerce site, or even just your e-mail,
suddenly taken down can obviously cause
serious problems to your business.
Moreover, most Internet users do not like
SPAM. The result is that SPAM can actually
have a negative effect, costing you customers
rather than bringing you new customers.
Nevertheless, e-mail marketing can be
effective. However, you should use opt-in
lists – that is, lists of people who have
indicated an interest in receiving targeted
e-mail offers. There are a number of highly
reputable companies offering not only opt-in
lists tailored to your target customers, but a
variety of services that allow you to monitor
results, do test runs and change tactics
mid-mailing. To ensure you are dealing with a
reputable e-mail marketing company, ask for
names of clients and check with those clients.