Privacy Law and Policy Reporter
A major OECD Ministerial Conference on Electronic Commerce was held in Ottawa on 7-9 October. Participants were drawn from government, business, and labour organisations, and included some representatives of consumer and privacy groups from the US and elsewhere, who had gained entry either as invited speakers or members of trade union delegations.
Australians attending the conference included Privacy Commissioner Moira Scollay and Louise Sylvan, CEO of the Australian Consumers Association (ACA) and Vice-President of Consumers International. The conference appears to have been heavily dominated by commercial, and predominantly by large corporate, interests, with limited representation either of smaller businesses or of consumer groups. James Love from the Consumer Project on Technology (http://www.cptech.org) noted that the level of corporate sponsorship on display pretty much set the tone for the meetings, and was also reflected in the documentation, which made a strong pitch for self-regulation as the preferred approach.
One of the aims of the conference seems to have been to re-assert a leading role for the OECD in international discussions on e-commerce regulatory matters. The OECD’s 1980 Guidelines on privacy protection have remained at the core of these discussions, and the OECD has revisited aspects of privacy in its 1992 Security Guidelines and its 1997 Guidelines on Cryptography Policy. However, despite these initiatives, debate about privacy protection has in recent years been taking place largely outside OECD processes — notably in the European Union and in bilateral negotiations about the potential impact of the EU Directive on third countries.
A lot of preparatory work had been done by officials for the conference, and there is a comprehensive web site at http://www.ottawaoecdconference.org/english/homepage.html.
A useful background paper on privacy was available, and a draft declaration, circulated before the conference, was adopted unchanged by Ministers from the 29 countries. After noting various factors and developments, and re-affirming the three existing OECD Guidelines, the declaration commits governments to ensure that the Privacy Guidelines are effectively implemented, by:
[See p 97 for full Declaration — Ed].
This position remains painfully astride the fence — leaving open the options of law and of self-regulation — but does at least emphasise the importance of compliance mechanisms, enforcement and remedies.
Despite the imminence of the EU Directive commencement (25 October), the US Government position remained pretty clear at the conference. William Daley, the US Secretary of Commerce, said on the issue of privacy:
We believe that our self-regulatory approach can co-exist with approaches taken by other governments.
White House adviser Ira Magaziner, in a later session, gave what press reports described as a tough and deregulatory address (quoted from The Ottawa Citizen, 9 October, 1998):
Mr Magaziner [said] ... the laws and regulatory tools used in the industrial revolution could only damage the development of electronic commerce. Mr Magaziner favors a deregulated system in which the corporate world sets the rules and provides the enforcement. He envisioned an international code of conduct for electronic commerce companies. Organisations that agree to protect client privacy would be allowed to display a special seal on their web pages. Government could conduct public information programs but non-government organisations such as the Better Business Bureau would be responsible for dealing with violations and conducting audits.
James Love reports that Ira Magaziner clearly wants to challenge EU privacy rules under the theory that they represent barriers to trade. Apparently an EU staff document circulated at the World Trade Organisation's meeting in May had suggested that the WTO become the arbitrator of disputes over privacy policies.
Opposing views were, however, quite well represented in the formal plenary sessions. Martin Bangemann, the European Commissioner for Industrial Affairs, Information Technology and Telecommunications, emphasised public polls indicating that 58 per cent of Americans want privacy safeguards for personal information.
Jim Murray, head of an association of European consumer groups (Bureau Europeen des Unions des Consommateurs) spoke out against the notion that self-regulation is the answer to all problems of privacy and consumer protection on the Internet, or that government should turn over important governance functions to private corporations. Australian Privacy Commissioner Moira Scollay also gave a paper in which she argued that industry self-imposed standards and law were both essential.
After the first day the conference split into three streams: one for the trade Ministers, one for business, and one for the various labour, consumer and privacy groups in attendance. This last stream — ‘Labour and NGO leaders: Social Perspectives on Global Electronic Commerce’ — included papers from Marc Rotenberg, from the US Electronic Privacy Information Centre (EPIC), Louise Sylvan (ACA and Consumers International) and James Love of CPT.
Marc Rotenberg began his talk by comparing the day’s emphasis on self-regulation for privacy and consumer protection to the calls for self-regulation of working conditions in the 19th century, and later he contrasted the US Government’s positions on intellectual property and encryption to its policies on the EU privacy directive. Louise Sylvan outlined the Australian ‘co-regulatory’ approach, which often involves a legislative framework for industry schemes. She emphasised the need to look at industry enforcement mechanisms and the ways that the industry codes were maintained or updated. James Love asked for a show of hands by those who believed self-regulation was not adequate to protect individual privacy. About two-thirds of the audience (admittedly the union and consumer groups) raised their hands to reject the idea that self-regulation by large corporations would be sufficient for privacy and consumer protection. Only one person was brave enough to declare himself in agreement with the US position!
As usual with international conferences, of more interest than the formal proceedings were the informal exchanges and fringe events. The Global Internet Liberty Campaign (GILC) took the opportunity of the conference to launch the results of its survey of privacy protection [The Asian part of this report is reproduced on p 85 of this issue —Ed] and the non-government organisations negotiated a joint statement which was issued on the final day of the conference. The privacy section of the NGO statement, which was addressed to the Ministers attending the conference, reads in part:
The OECD should urge member states to implement fully and develop means to enforce the Privacy Guidelines of 1980. The OECD Guidelines provide an essential framework to establish consumer trust in online transactions. Self-regulation has failed to provide adequate assurance. We further recommend efforts to promote anonymity and minimise the collection of personal information so as to promote consumer confidence.
The NGO statement also called on the OECD to establish a Public Interest Advisory Committee, similar in type and function to the Business Industry Advisory Committee (BIAC) for industry and the Trade Union Advisory Committee (TUAC) for trade unions. Such a committee should include representatives of public interest groups in the fields of human rights and democracy, privacy and data protection, consumer protection, and access.
The conference also considered the issue of authentication of electronic signatures, and the Ministers agreed to a declaration which encourages the development and use of authentication technologies and mechanisms for electronic commerce and the delivery of government services and programs to the public. The declaration makes no reference to the privacy issues associated with authentication.
The NGO statement responded to this in the following words:
Authentication and certification: We recommend that all OECD member countries implement and enforce the 1992 OECD Guidelines for the Security of Information Systems, particularly the Principles on Democracy, Ethics, and Proportionality. The OECD should also consider issues of authentication and certification within the context of consumer protection and privacy and protection. Policies and practices that disregard consumer and privacy concerns will ultimately undermine public interest.
Cryptography: The OECD should promote implementation of the Cryptography Guidelines of 1997 and urge the removal of all controls on the use and export of encryption and other privacy enhancing techniques. Trust requires the widespread availability of the strongest means to protect privacy and security.
Those who attended the conference appear fairly cynical about the outcome, noting that the US Government and business lobbies leaned heavily on other countries to head off stronger wording in the declarations. But they also noted that there is now a general acceptance that privacy does matter, which is an advance on some years ago. The OECD Guidelines are now widely affirmed by the private sector and by governments which don’t want laws, so there is at least some uniformity of approach. And the emphasis on enforcement and remedies is also new, and may put the US, Japan, and Australia in a difficult position if their current preference for self-regulation fails to deliver.
Nigel Waters, Associate Editor.
Official OECD documentation and reports of the conference by various consumer and privacy advocates.