The further development of the World Wide Web is threatened by the lack of online privacy and efforts to destroy net neutrality, says the father of the Web, Sir Tim Berners-Lee. He believed the world had to think about privacy “from a completely different point of view” in future, because the threat to personal privacy will be so great. Consumer awareness about privacy is increasing, particularly among Internet users. Sooner or later, if it is not happening already, consumers will demand that their privacy is respected by business.
This may require some modification to business practices and customer service and may involve costs not previously incurred. Even American big business has accepted that privacy is a concern that must be addressed. All the public surveys conducted by and for big business in America showed a lack of confidence that consumers’ personal information would be protected if they entered into transactions on the Internet. Privacy concerns have been clearly identified as a barrier to the development of e-business. The Colombo Municipality Council recently introduced seven online payment E-Services including: (1) Rates payments, (2) Trade tax, (3) Tax on businesses, (4) Market rental, (5) House rental, (6) Shops and boutiques rental and (7) Hawkers’ rental. Therefore the Authorities shall ensure that all possible privacy and security concerns related to data sharing and connecting to internal systems.
Barriers to Effective E-Business
First, personal information that an individual would prefer not to disclose to others can be obtained from imprints left by identifiers on the hard drive of a computer. For instance, in registering Microsoft Word, an identifier was placed on the hard drive that could have permitted Microsoft to track all movements on the Web. Although Microsoft changed the registration system, an identifier is now created through registration of Microsoft Media Player, as well as through other software systems.
Third, an Internet Service Provider (ISP) is a gateway to the Internet. ISPs hook up a personal computer or system of computers to the Internet. ISPs can divulge a host of information about an individual, including name, address, and credit card. They can recapture email that was sent through their services. In addition, ISPs can recapture session information, such as the URLs visited by a user, through their services. ISPs at times have disclosed private information about individuals, leading to embarrassment and adverse employment consequences.
Fourth, cookies are small text files placed on an Internet user’s computer when a website is accessed. They contain information sent by the server to the user’s browser. If desired, a web user can sometimes view cookies in the source code of the header of a web page. However, generally, the information collected is not displayed to the user, but is recorded, tracked, and stored by the user’s computer and browser. The website can read the cookie later to identify the user’s personal preferences. Such information will enable the user to navigate the website more easily on return visits. Websites, for instance, can recall registration information, so that users need not re-register on each visit. Similarly, cookies enable each user to move forward and backward within a site during each session. Most cookies last during a user’s “session,” but some can be programmed to last forever -- persistent cookies -- with the corresponding power to keep track of the user’s movements on the Web.
Moreover, marketers can then use information about an individual’s use of a site to tailor and fine tune sales and promotional offers to consumers, whether on the Web, via email, or at home. Marketers bring information to those who may not know of particular goods and services. Information links sellers to willing buyers, helping achieve a more efficient economy. To some extent, individuals who choose to participate in commercial transactions must give up some personal information to have access to credit and other financial services.
Such information, however, can also be used to reveal all of our personal habits. If marketers share information with each other, an entire mosaic is created revealing our buying patterns, our browsing interests, and the time we spend on the Internet. Many fear the adverse consequences if that information gets into the wrong hands. Estimates suggest that the average American is listed on many computerized databases. Individuals can disable cookies by setting their browsers not to accept them. Some websites will not do business with such users, and in any event, disabling cookies makes navigation through websites quite cumbersome.
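The difference between session cookies and persistent cookies described above can be checked on a site's own responses. The following is an added example, not part of the original article: it parses `Set-Cookie` header values and lists persistent cookies whose lifetime exceeds a threshold. The header values, the 30-day default and the function names are assumptions made for illustration.

```javascript
// Constructed sample Set-Cookie values (not captured traffic).
const NOW = new Date('2024-01-01T00:00:00Z');
const SAMPLE = [
  'sid=abc123; Path=/; HttpOnly',                                // no lifetime attribute
  'prefs=lang-en; Max-Age=604800',                               // 7 days
  'track=u-991; Expires=Sat, 31 Dec 2033 23:59:59 GMT; Path=/',  // about 10 years
  'old=; Max-Age=0',                                             // deletion request
];

// Parse one Set-Cookie value and classify the cookie's lifetime.
function classifyCookie(header, now = new Date()) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  let maxAge = null;
  let expires = null;
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1);
    if (key === 'max-age' && /^-?\d+$/.test(val)) maxAge = Number(val);
    if (key === 'expires' && !Number.isNaN(Date.parse(val))) expires = new Date(val);
  }
  // RFC 6265: Max-Age takes precedence over Expires; with neither
  // attribute the cookie lasts only for the browser session.
  let lifetimeSec = null;
  if (maxAge !== null) lifetimeSec = maxAge;
  else if (expires !== null) lifetimeSec = Math.floor((expires - now) / 1000);
  if (lifetimeSec === null) return { name, kind: 'session', lifetimeDays: 0 };
  if (lifetimeSec <= 0) return { name, kind: 'deleted', lifetimeDays: 0 };
  return { name, kind: 'persistent', lifetimeDays: Math.round(lifetimeSec / 86400) };
}

// Names of persistent cookies that outlive maxDays (hypothetical policy limit).
function auditCookies(headers, now, maxDays = 30) {
  return headers
    .map(h => classifyCookie(h, now))
    .filter(c => c.kind === 'persistent' && c.lifetimeDays > maxDays)
    .map(c => c.name);
}

console.log(auditCookies(SAMPLE, NOW));
```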
Fifth, the Internet permits data marketers to pull together a vast amount of information easily. Public records are aggregated on many Internet sites.
Sixth, companies have programmed “bots” or spiders to canvass the web and retrieve personal information on other sites, usually email addresses. Thus, a third party can relatively easily harvest email addresses and sometimes other identifying information supplied to a website. Although websites protect financial information through Secure Sockets Layer (and other) technology, less sensitive information can be obtained.
Is there any legal protection for data privacy in Sri Lanka?
Information about an individual’s tastes and leisure activity has economic value, and the exchange of such information helps grease the economy. Sri Lanka has never banned the sale of such data, despite the potential impact on privacy. There are, however, many different levels of legal protection for privacy when websites and e-commerce firms -- without consent -- use private information for commercial purposes. No comprehensive protection exists. The following covers the constitutional and other legal protection for individual privacy in Sri Lanka.
In many countries around the world, there is a general law that governs the collection, use and dissemination of personal information by both the public and private sectors. An oversight body then ensures compliance. This is the preferred model for most countries adopting data protection laws and was adopted by the EU to ensure compliance with its data protection regime.
International agreements to protect privacy
There are three principal international agreements of general relevance to data privacy: the Organization for Economic Cooperation and Development’s (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data of 23 September 1980; the Council of Europe Convention No 108 for the Protection of Individuals with regard to the Automatic Processing of Personal Data, adopted 28 January 1981; and the International Covenant on Civil and Political Rights of 1966 (ICCPR) (and its European equivalent). Apart from these agreements, European Union Council Directive 95/46/EC, entitled “Directive on the Protection of Individuals with regard to the Processing of Personal Data and the Free Movement of Such Data”, was adopted on October 24, 1995, and the United Nations General Assembly guidelines for the Regulation of Computerized Personal Data Files on December 14, 1990.
In July 2000, the European Commission issued a proposal for a new directive on “the processing of personal data on the protection of privacy in the electronic communications sector” and this replaces the 1997 EU Telecommunications Directive and the General Agreement on Trade in Services (GATS) (stating in art XIV that member states are not prevented by this worldwide agreement from adopting or enforcing regulations relating to the protection of privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts).
The 1978 Constitution of the Democratic Socialist Republic of Sri Lanka does not explicitly recognize the right to personal privacy as a basic fundamental right, though the proposed Constitutions of October 1997 and the year 2000 envisaged the right to privacy as a fundamental right. The proposed October 1997 Constitution’s Article 14 (1) specifically states, “Every person has the right to respect for such person’s private and family life, home, correspondence and communications and shall not be subjected to unlawful attacks on such person’s honour and reputation.” Therefore, unlike in the U.S.A., there is no reasonable expectation of privacy against intrusions by the state.
Yet the government has not introduced any specific legislation that protects individual privacy or governs the collection of personal information. The only legislation that refers to this area is the 1991 Telecommunication Act, and that too refers to interception of communication.
The Indirect Protection of privacy
The Common law in Sri Lanka does not recognize any right to protect personal information. It only permits peripheral protection, or remedial action, for invasions of privacy stemming from the inappropriate use of personal data.
It is possible to include in the terms of a contract express protection for personal information. Typically, such provisions are broader than just personal information; they extend to the protection of all information flowing between the parties to the contract. These types of clauses supplement any existing rights the parties may already have under the tort of breach of confidentiality. The law also implies a number of protections into a variety of contractual relationships.
There are various possibilities in tort. The most obvious possibility would be an action brought by the data subject against the data controller for negligent use or storage of the data. This may be, for instance, because a third party has gained unauthorized access to personal data about the data subject due to the direct or vicarious negligence of the data controller. Such an action will be possible only where a duty of care owed by the data controller to the data subject is established, and this will involve inter alia a consideration of the nature of the information.
Trespass consists of the wrongful entry by the defendant onto land belonging to the plaintiff without consent, the plaintiff being the rightful possessor of the land. Where access to personal data is achieved through the unauthorized access to a computer, which is accomplished in turn by the wrongful physical entry of the defendant upon the plaintiff’s premises, an action will obviously lie for the trespass to land, though this has been incidental to the main objective of gaining access to personal data.
Defamation is a cause of action intended to protect the reputation of a person whose standing has been lowered in the estimation of “right thinking members of society” by the publication of derogatory and untrue statements. The electronic dissemination of derogatory statements about a data subject through discussion groups or other Internet facilities will provide the subject matter with a cause of action in defamation provided that they are untrue.
A mechanism for addressing Data Privacy issues
Global consistency is fundamental to achieving effective privacy protection. If different standards and approaches are taken, the confusion that would result could well undermine rather than enhance consumer protection, and it could hinder the development of E-business. If one stand is to be adopted globally, I suggest that the Informational Privacy Principles based on OECD guidelines and European Directives would be a practicable solution. Therefore Sri Lanka’s draft Data Protection law should be based on these principles. All these principles are based on the protection of individual privacy.
The Role of Data Protection Commissioner
An essential aspect of any privacy protection regime is oversight. In most countries with a data protection act, there is also an official or agency that oversees enforcement of the act. This must be an absolutely independent supervisory authority. Independence is also a problem in many countries; the agency is under the control of the political arm of the government or part of the ministry. This agency is given considerable power: government must consult this agency when it draws up legislation relating to the processing of personal information; the body also has the power to conduct investigations and a right to access information relevant to its investigations; it can impose remedies such as ordering the destruction of information or banning processing, start legal proceedings, hear complaints and issue reports. The agency is also generally responsible for public education and international liaison in data protection and data transfer. It also maintains the register of data controllers and databases. Another significant feature of this body is that the agency issues guidelines and drafts industry codes of conduct and practice for public consultation before it implements them.
A major problem with many agencies around the world is a lack of resources to adequately conduct oversight and enforcement. Independence is also a problem. In many countries, the agency is under the control of the political arm of the government or part of a particular Ministry and lacks the power or will to advance privacy or criticize privacy-invasive proposals.
Unlike the European Union, the United States traditionally has adopted a different approach to data protection. The European Union embraces privacy as a fundamental right and thus considers comprehensive legislation as the most appropriate means to protect personal information. Such an approach requires the creation of a government data protection agency and approval before the processing of personal data. By contrast, many Americans believe in the free market and are constantly suspicious of government intrusions. Therefore the U.S. approach relies on a mix of legislation, administrative regulation and industry self-regulation through codes of conduct developed by industries as an alternative to government regulation. In my opinion, I firmly believe that if Sri Lanka is really willing to accept the benefits of globalization and be absorbed into international trade, we are still not late; therefore any proposed data protection law should definitely be based on the European model of the EU directive and the data privacy principles, because the U.S. data protection model is an ad hoc one and therefore has no independent authority to protect and implement data users’ rights. Finally, we should recognize data privacy as one of our fundamental rights, and we need more laws in this emerging new area to attract more E-business from the western world.