Paper for the 9th Consumer Law Conference, Athens 2003.
Abstract: This paper briefly examines issues concerning the protection of privacy on the Internet. It discusses the privacy risks, which are posed in the framework of e-commerce and, in particular, the issues of online data collection and online – profiling, credit scoring and online direct advertising (spamming). Also, it provides an overview of the regulatory framework in the European Union and examines the protection afforded by the EU-Directives in the context of e-commerce.
I. Introduction
The Internet is an explosive new medium, which opens up new ways of communication and information exchange between people. It also offers the potential to create new (virtual) markets for conducting commerce, which takes place on a worldwide network and across national frontiers. Electronic commerce (e-commerce) is, indeed, one of the most important applications of Internet technology. Ιt is an outcome of the Internet revolution and its evolution is depending on the features of the new communications and information technologies and their consequences.
Furthermore, e-commerce is a key factor to the development of a global digital economy and presents enormous opportunities for both businesses and consumers. It makes possible to trade at low cost across national frontiers and enables consumers to research, compare and finally, purchase products from their home and workplace.
However, the rapid growth of Internet and e-commerce has created increased threats to privacy, mainly due to the potential of modern technology to keep track of users’ activities on the Internet. Concerns about privacy affect mostly consumers, whose personal data are collected via the Internet and analyzed in order to build detailed profiles of consumers, which are used to predict the individual consumer’s needs and purchasing habits; these profiles enable the advertising companies to target advertising to individual consumers and to their specific interests. Even when personal information is collected directly from the consumer, there is always the risk of the misuse of the data, i.e., that this would be used for other purposes than of which it was collected etc.
Moreover, rating and scoring methods used to determine the creditworthiness of consumers infringe their right to informational self-determination, since the consumer has no influence, whatsoever, on this procedure and is subject to a decision based solely on automated processing of data, in the sense of Article 15 Directive 95/46/EC.
Another serious threat to privacy is the flood of unwanted electronic mail (Spam). Spamming, that is the practice of sending unsolicited bulk e-mails, most frequently of a commercial nature, is a major annoyance for consumers, who receive large amounts of unwanted e-mails and have to bear the cost of connection time, and a threat to ISPs, who are confronted with increased costs and with users’ complaints.
Evidently, these information practices infringe consumers’ right to privacy and hinder the development of e-commerce, since many consumers are opposed to such an extensive collection, storing, use and potential abuse of personal data and therefore, avoid electronic transactions. Therefore, data protection is an important factor in this context, for it is seen as necessary in order to guarantee the growth of e-commerce. In EU-level, the Directive 95/46/EC “on the protection of individuals with regard to the processing of personal data and on the free movement of such data” represents the general framework for data protection. This Directive is complemented by the recently adopted Directive 2002/58/EC “on privacy and electronic communication”, which contains specified provisions on the use of advanced technologies, used in order to monitor Internet users’ activities on the Web, and also, on the use of automated calling systems for marketing purposes. These legal instruments provide a regulatory framework that aims at protecting fundamental rights and freedoms in particular with regard to the increasing capacity for automated storage and processing of data relating to Internet users. In this paper we will survey the protection afforded by these EU-Directives in the context of e-commerce. Before that we will give a technical description of the online collection of personal data.
II. Collection of personal information on the Internet
It is well known that Internet is not secure and that all transactions that take place on the net are identifiable. The online environment allows collection and use of information by commercial sites in a far more effective and efficient way than through conventional means. Information about consumers have been available long before the rise of Internet technology through offline sources, such as credit card transactions, phone orders etc. However, this new medium has revolutionized the collection and processing of personal information. In the online environment the possibilities for storing, comparing and linking information to create a detailed picture of a customer’s interests (customer profiles) are enormous.
Web sites collect information about consumers for every purchase or supply of a service, such as a subscription, as a condition of payment by credit card or for shipping purposes. The consumer is under the obligation to provide personal details, in order to be authenticated, to give payment guarantees or provide his e-mail or physical address for the delivery of goods or services. Moreover, every visit on the net leaves traces that can be used, without prior knowledge of the user, to build a profile. By every visit in an online shop, every customer’s step through the store is recorded; not only the products, which are observed, but also the rank, in which products are viewed and the relevant time, are being stored. Unless the consumer pays using e-cash or use privacy enhancing technologies to hide his/her IP address, there is no possibility for anonymity.
Web sites collect also information from consumers in exchange for a free service, such as free e-mail, stock-portfolios etc. Web sites known as “portals” offer personalized pages with selected information, once the user registers and provides his/her personal information. Some companies are offering free net access in exchange for monitoring users’ activities for advertisers.
Data collection on the Internet takes also place without the prior knowledge of the Internet user. Once the connection with a Web site has been established, the Web site starts collecting information on the visiting Internet user. The Web site is informed about the destination IP-address and also, from which page an Internet user has been transferred. This information on Web site visits is generally stored in the ‘Common Log File’. All the above-mentioned information can be used to create accumulated information on the traffic to and from a Web site and the activities of visitors. Generally, these include the following items:
- Operating system
- Type and version of browser
- Protocols used for Websurfing
- Referring page
- Language preferences
- Cookies
Other devices used to trace the activities of Internet users are the so-called “cookies”. These are small text files that are placed on a user’s hard drive by the Web site that the user is visiting; they store the preferences and other data about the visit to that particular site, allowing a site to identify the user on his/her next visit, check possible passwords, analyze the path during a session and within a site, record transactions, such as articles purchased, customize a site etc. It should be noted that cookies can be used across many different sites and that has led to the development of advertising network companies that track users’ surfing activities and develop profiles of their interests, which are then used to target specific advertising. Another method of tracking Internet users is the use of web bugs, which are invisible images that also place cookies etc.
Furthermore, one can name a whole range of ‘spyware’, i.e., software such as ActiveX, CGI-Scrit, Java and Javascript, Session-Ids etc., which can enter the users’ computer without their knowledge in order to gain access to information, to store hidden information or trace the activities of the user.
Consequently, these data collection methods are used from marketing companies, which collect data, e.g., by means of technological devices such as cookies and can then establish user profiles based on log file information and cookies. This information is used to customise advertisements depending on the habits and interests of consumers. Not only advertisements referring to the Web site owner of services or offers, but also those issued by third parties which have agreements to support the financial cost of running the server by displaying its publicity.
III. Regulations of Online Data Processing
1. Directive 95/46/EC
In the European Union, the collection and processing of personal data is governed by the Directive 95/46/EC. This Directive, which is applicable within EU-law and within the jurisdiction of the member states that have implemented it, applies unambiguously to Internet and e-commerce. According to Recital No 14 of the Directive 2000/31 on electronic commerce it is the data protection directive that applies solely for the protection of individuals with regard to the processing of personal data.
The general rules of the Directive, which deserve special attention hereto, are following:
The legality principle: The processing of personal data is allowed, when the conditions under which the processing is lawful are satisfied. As a basic rule, personal data may be processed only if the data subject has unambiguously given his/her consent (Article 7.a) or when one of the grounds mentioned in Article 7.b-f apply. In the context of e-commerce, processing may be justified on the ground that the data subject has given his/her consent. It could be said that any customer introducing his/her personal data in order to purchase a product or obtain a service, could be considered as consenting to the processing for this purpose.
The processing of personal data may also be allowed, if it is necessary for the performance of a contract to which the data subject is party, e.g. the provision of a service, or in order to take steps at the request of the data subject prior to entering into a contract (Article 7.b). Furthermore, the processing of personal data is justified where it is in the legitimate interest of a natural or legal person, provided that the interests of the data subject are not overriding (Article 7.f). This means that if the interest of a person in receiving personal data prevails over the data subject's interest not having his data processed or communicated, data may be processed.
The finality principle: Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes (Article 6.b). This principle is stressing the fact that processing of personal data in the online environment must serve a specific purpose, e.g. the delivery of a product, and should not take place for other purposes.
Furthermore, navigational data should in principle only be collected by ISPs insofar as they need to provide a service to the user; also, software programs, such as cookies, which are used to monitor the Internet activities of users, must only be used for specific purposes, e.g., to analyse the effectiveness of Web site design and advertising etc., provided that the users are informed about their purposes.
Data quality and proportionality: Personal data must be accurate and kept up to date (Article 6.c). They must be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed (Article 6.d). Consequently, information should only be collected if it is necessary for the transaction (the scope of the processing). Personal data must also be kept in a form, which permits identification of data subjects for no longer than is necessary for the purposes for which the data are collected (Article 6.e). Therefore, once data are anonymised, they can be used for other purposes, e.g., to measure the performance of a service offered by an ISP.
Transparency: The data subjects must be provided with information about the purposes of the processing for which the data are intended and the identity of the controller of the data (Article 10 and 11). This principle is of eminent importance, since the speed of data flows on the Internet has as a consequence that the requirements that the data subject be informed and made aware of the processing of his/her personal data are often ignored.
Rights of the data subject: Outside the rules concerning the information to be given to data subjects, they have the right of access to data (Article 12), the right to object at any time on compelling legitimate grounds relating to his particular situation to the procession of data relating to him/her (Article 14) and the right not be subject to a decision, which is based solely on automated processing of data (Article 15).
Restriction of transfer of personal data to third countries: The transfer of personal data to a third country is allowed only if the third country in question ensures an adequate level of protection (Article 25) or in very limited circumstances (Article 26).
Protection of special categories of personal data: The processing of special categories of data that is data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and the processing of data concerning health or sex life is prohibited, unless the data subject has given his/her explicit consent or the processing is necessary for explicit reasons (Article 8). Sensitive information should not be collected from consumers, even when they consent, except in limited circumstances, where the data are collected for legitimate purposes.
2. Directive 2002/58/EC
The recently adopted Directive 2002/58/EC of 12 July 2002 aims at adapting Directive 97/66/EC concerning the processing of personal data and the protection of privacy in the telecommunications sector to developments in the markets and new technology, mainly to Internet related issues as regards privacy.
The Directive lays down the obligation of the provider of a publicly available electronic communications service to take appropriate technical and organisational measures to safeguard security of its services, if necessary in conjunction with the provider of the public communications network with respect to network security. (Article 4 paragraph 1). Furthermore, in case of a particular risk of a breach of the security of the network, the provider of a publicly available electronic communications service must inform the subscribers concerning such risk and, where the risk lies outside the scope of the measures to be taken by the service provider, of any possible remedies, including an indication of the likely costs involved (Article 4 paragraph 2). ISPs who offer electronic communication services over the Internet should inform user and subscribers of measures they can take to protect the security of communications for instance by using specific types of software or encryption technologies.
Article 5 § 1 the Directive states that Member States shall ensure the confidentiality of communications, including both the contents and the data related to such communications (traffic data). Listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, shall be prohibited, except when legally authorised to do so in accordance with Article 15(1). It is made clear that software, which is used to trace data transmitted via the Internet (so-called packet sniffing software) shall be prohibited and that the storage of traffic data, in order to build up users profiles, without their consent, shall also be prohibited.
However, this prohibition does not prevent technical storage, which is necessary for the conveyance of a communication without prejudice to the principle of confidentiality. This means that any automatic, intermediate and transient storage of this information may not be prohibited, in so far as this takes place for the sole purpose of carrying out the transmission in the electronic communications network (from an Internet Service or Access Provider) and provided that the information is not stored for any period longer than is necessary for the transmission and for traffic management purposes, and that during the period of storage the confidentiality remains guaranteed. The regulation of confidentiality does not affect any legally authorised recording of communications and the related traffic data when carried out in the course of lawful business practice for the purpose of providing evidence of a commercial transaction or of any other business communication (Article 5 paragraph 2).
As regards the use of technological devices such as cookies, the Directive provides that only where such devices are intended for a legitimate purpose their use should be allowed with the knowledge of the users concerned. Article 5 paragraph 3 states that: “Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller”.
Therefore, users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment (PC). It is also worth mentioning that information and the right to refuse may be offered once during the same connection and also covering any further use that may be made of those devices during subsequent connections.
However, such devices can be a legitimate toll, e.g., in analysing the effectiveness of Web site design and advertising. Consequently, Article 5 paragraph 3 states that the aforementioned prohibition may “not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user”.
Furthermore, the Directive regulates the use of traffic data, i.e., data needed by the protocols to carry out the proper transmission from the sender to the recipient, consisting of information supplied by the sender (e.g. e-mail address of the recipient) and of technical information generated automatically during the processing of the transmission (e.g. date and time). According to Article 6, “traffic data relating to subscribers and users processed and stored by the provider of a public communications network or publicly available electronic communications service must be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication without prejudice to paragraphs 2, 3 and 5 of this Article and Article 15(1)”.
This Article covers all types of transmissions of electronic communications and applies, therefore on the online environment. In particular, processing of header information, data such as the session login data or the list of Web sites visited by an Internet user must be considered as traffic data. Hence, online profiling on the basis of log file information is governed by the provisions of Article 6.
Consequently, paragraph 3 states that the subscriber or user has to give his consent if the provider of a publicly available electronic communications service wants to process his/her traffic data for the purpose of marketing or for the provisions of value added services. The service provider must inform the subscriber or user of the types of traffic data, which are processed for the purposes mentioned above, and the duration or such processing for the purposes of billing and interconnection payments and, prior to obtaining consent, for the purposes of marketing (paragraph 4).
3. Online direct marketing
Directive 2002/58 regulates also the use of automated calling machines, fax machines and e-mail for the purposes of direct marketing. Article 13 paragraph 1 defines that the sending of unsolicited e-mail may only be allowed in respect of subscribers who have given their prior consent. This means that the European legislator has made his choice, adopting an opt-in system.
However, this provision does not apply, when a natural or legal person obtains from its customers their electronic contact details for electronic mail, in the context of the sale of a product or a service, in accordance with Directive 95/46/EC. Article 13 paragraph 2 of Directive 2002/58 states that: “the same natural or legal person may use these electronic contact details for direct marketing of its own similar products or services provided that customers clearly and distinctly are given the opportunity to object, free of charge and in an easy manner, to such use of electronic contact details when they are collected and on the occasion of each message in case the customer has not initially refused such use”.
The prohibition of unsolicited e-mail is unconditional in case of unsolicited commercial e-mail disguising or concealing the identity of the sender on whose behalf the communication is made, or when there is not a valid address to which the recipient may send a request that such communication cease (Article 13 paragraph 4).
According to paragraph 5 of article 13, the aforementioned provisions of paragraph 1 and 3 will be only applicable to natural persons. However, Member States shall also ensure that the legitimate interests of subscribers other than natural persons are sufficiently protected with regard to unsolicited communications.
4. Credit scoring
Another issue that deserves attention is the issue of credit scoring. This method is used in e-commerce, where the assessment of the customers’ credit-worthiness cannot be done by interview. The solvency of a person is assessed by means of a statistical - mathematical method, which estimates the creditworthiness of a person. In the context of e-commerce, such methods are used for example, in order to apply a payment option. In more particular, some Web sites offer a different payment method (e.g. cash on delivery or only on advance), depending on the city quarter of the consumers’ domicile. However, the legitimacy of this procedure is questionable, since it infringes the provision of Article 15 of the Directive 95/46, which establishes the right of every person “not to be subject to a decision, which produces legal effects concerning him or significantly affects him and which is based only on automated processing of data intended to evaluate certain personal aspects relating to him, such as his performance at work, credit-worthiness, reliability, conduct, etc”.
ΙV. Conclusion
In the global information society, privacy risks are increased. Concerns about privacy affect mostly consumers, whose personal data are collected via the Internet without prior knowledge of the persons concerned. The EU-regulations, which establish general rules for the protection of personal data (Directive 95/46/EC) and specific rules for the protection of privacy in the electronic communications sector (Directive 2002/58/EC), constitute a regulatory framework that affords a high level of protection. The provisions of the European Directives impose the obligation of consumer-oriented commercial Web sites to provide consumers the choice as to how their personal data are used. This obligation extends to personal data and to data used for online profiling, such as traffic data and information contained in “cookies”. In the field of online marketing, the European legislator has adopted for an opt-in regime that respects the privacy of Internet users.
See COUNCIL OF EUROPE, RECOMMENDATION No. R (99) 5, For the Protection of Privacy on the Internet, available at . For an overview of the privacy risks see P. Schaar, Datenschutz im Internet. Die Grundlagen, 2002, p. 12 et seq.
Commission Nationale de l’Informatique et des Libertés, Electronic mailing and data protection, October 14, 1999. W.K. Khong, Spam Law for the Internet, 2001 (3) The Journal of Information, Law and Technology, available at
Article 29 - Data Protection Working Party, WP 37 ‘Privacy on the Internet - An integrated EU Approach to On-line Data Protection’, p. 66, available at <http//:europa.eu.int/Comm/internal_market/media/dataprot/wpdocs/wp37en.pdf>
Article 29 - Data Protection Working Party, WP 37, p. 42.
S. Louveaux, Privacy Issues (Esprit Project 27028), p. 11, .
