International Internet Privacy Standards: Forging Common Ground amid Conflicting Policy in Cyberspace

by Michael Martinez-Schiferl

Is Google spying on you?  The web is full of processes scanning every click of the mouse and tap of the keyboard, logging this information, and at times making a decision to target users with advertising.  Information and data are increasingly valuable resources for the businesses and firms in our global economy; even Internet search providers keep their businesses running by collecting data on the information people seek and store.  If you use a popular search engine, you may be astonished to learn the amount of data collected on your search habits.  As search providers branch out into providing other services such as email, online document editors, spreadsheet editors, social networking sites and photo repositories, the amount of data collected on each of us approaches an alarming level.

The Internet presents a new set of challenges to privacy protection policy.  Jerry Berman, chair of the Advisory Committee to the Congressional Internet Caucus and co-founder of Center for Democracy and Technology (CDT), points out that these challenges stem from three main characteristics of the Internet: the trend of increased information collection by search providers, the globalization of information and communication, and the lack of centralized control mechanisms.  These characteristics—combined with the growing market value of personal information—pose a threat to the core expectations of privacy: anonymity, fairness, control over personal information and confidentiality.  These threats are far reaching with even governments themselves sometimes turning to private “lookup-service” companies, which profile users based on personal data collected from Internet use. Governments around the world are increasingly gathering information that may have once required warrant-based probable cause or another form of judicial oversight.  In other words, the process of gaining access to information kept in a physical location is governed by extensive search laws, while the data stored in a Google documents folder lacks such protection.

Scholars argue that global convergence in privacy policy exists, embodied by the First Principles of information privacy—ten principles for protecting personal information.  However, while there is substantial international convergence on the definition of the principles of privacy, divergence is observed in the implementation and execution of these principles.  These differences, within just a subset of democratic societies, run deep and go to the core of norms of the accepted role of state, market and citizen in society.  In the United States, liberal political philosophy tends toward state nonintervention, leaving the rule-making for the treatment of personal data to non-governmental standards groups—the product of private industry and liberal governance.  European countries, on the other hand, tend to favor omnibus legislation with a set of rights for individuals and responsibilities for companies and government.  In their system, supervisory agencies are established to ensure oversight and enforcement of data protection.  While the European system establishes government-protected rights to privacy, at times these rights have restricted the free flow of information that the US system allows.  Ultimately, the absence of coherent privacy protection across country borders increases the likelihood of dataflow barriers.

At last month’s United Nations Educational Scientific and Cultural Organization (UNESCO) meeting on ethics and human rights, Google’s privacy chief Peter Fleischer proposed the Asia-Pacific Economic Cooperation (APEC) Privacy Framework as a starting point for a broad international Internet privacy standard.  The APEC Framework is based on nine principles aimed at protecting personal information and facilitating responsible information flow (similar to the First Principles).  The Framework has been approved by many of the APEC nations including Australia, but the largest APEC nation, China, has yet to give its approval.  Google’s hope is to get a major international organization like the United Nations (UN) or Organization for Economic Cooperation and Development (OECD) to draw up the new international privacy guidelines. In a post on Google’s Public Policy Blog the day of the UNESCO meeting, Fleischer added “even if every country in the world did have its own privacy standards, this alone would not be sufficient to protect user privacy, given the web’s global nature.  Data may move across six or seven countries, even for very routine Internet transactions.  It is not hard to see why privacy standards need to be harmonized and updated to reflect reality.”

Of course, harmonizing privacy standards may be a difficult task.  Fordham University Law Professor Joel Reidenberg points out that “specific privacy rules in any particular country have a governance function reflecting the country’s choice regarding the roles of the state, market and individual in the country’s democratic structure.”  Extending this observation beyond democratic regimes to the diverse mix of governmental systems around the globe only amplifies the potential for differences between countries with regard to privacy protection policy.

While countries with no Internet privacy standards at all will benefit from a global standard, other countries with established standards may have reason to resist if new standards are weaker than the country’s existing policies.  Mark Rotenber, Executive director of the Electronic Privacy Information Center (EPIC), calls the APEC Framework a regression in privacy standards, stating that the Framework “is the weakest international framework for privacy protection, far below what the Europeans require or what is allowed for trans-Atlantic transfers between Europe and the US.”  The difference between Mr. Rotenberg’s and Mr. Fleischer’s points of view centers on a fundamental disagreement about the level of protection that ought to be afforded to prevent harm to the consumer.

Mr. Reidenburg suggests that technical standards bodies such as the World Wide Web Consortium (W3C) and the Internet Engineering Task Force (IETF) may become key players in forging common elements of privacy policy across country borders.  These non-governmental organizations promulgate technical standards to be adopted on a larger scale, and offer a direct mechanism for the implementation of fair information practices that could narrow the scope of deviation between interpretations of First Principles.  While these standards groups have typically emerged from liberal market economies, countries that seek to protect social norms for information privacy have much to gain by influencing these organizations and their standards.

We have yet to see whether international Internet privacy standards can be forged without damaging privacy in countries with established privacy standards.  Information that flows outside the borders of countries with already high privacy standards to countries with low or no privacy standards at all may benefit from such a global standard.  Internet privacy policy makers should carefully weigh tradeoffs between self-regulation and government controlled implementations.  In addition to forging a set of formal privacy principles, the successful incorporation of these principles into Internet standards may hold the key to getting past potential barriers to the free flow of information between countries.

Email Michael Martinez-Schiferl at



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: