Abstract
The Internet also creates many threats to our personal privacy. Unless we know the “rules of the road,” our online activity may lead to significant privacy problems. For convenience, this article uses the term “e-privacy” to stand for our personal privacy in the Internet. To avoid an off-limit discussion, after discussing the definition of privacy and e-privacy, this paper analyzes the e-privacy issue and some legal instruments at international and national level with the concern on the collection of personally identifiable information (PII) by Web site operators from visitors to government and commercial Web sites, or by software that is surreptitiously installed on a user’s computer (“spyware”) and transmits the information to someone else, then discusses the captioned problems including a case study in China. Finally, as there is not any complete e-privacy rule for the Internet in China, this paper wants to make some suggestions to Chinese legislature for further specific regulations based on the analysis of the e-privacy in the conclusion.
Published by “Proceedings of 9th Academic Research Conference on Cross-Straits Chinese Culture and Operation Management”, July 8, 2006. pp. 300–308.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsNotes
- 1.
Spyware, a catch-all phrase for software that enables a person’s online movements to be tracked, has quietly become the latest threat to cyber security, affecting eight out of 10 computers. See Anita Kumar, “Can Congress get arms around spyware problem?”, http://www.sptimes.com/2005/05/02/Technology/Can_Congress_get_arms.shtml.
- 2.
Brandeis and Warren (1890).
- 3.
Ibid.
- 4.
Id, at 195.
- 5.
Boufford (1998).
- 6.
Prosser (1960). See also Zacchini v. Scripps-Howard Broadcasting Co., 433 U.S. 562,571(1977), Note 7.
- 7.
Westin (1967) at 7.
- 8.
See supra note 4.
- 9.
See Privacy and E-Government (2003).
- 10.
See “OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data”, 1980, http://www.oecd.org/EN/document/0,,EN-document-0-nodirectorate-no-24-10255-0,00.html.
- 11.
See supra note 8.
- 12.
“Personal (or personally identifiable) information” is data that can be associated with an individual. Notably, a person’s name need not be attached to the information for it to qualify as “personal information.” For example, data categorized by a unique numeric identifier is considered personal information even where no name is attached to it, since the numeric identifier can be used to determine the name.
- 13.
- 14.
Reference to the Guidelines is made in the preambles to both Australia’s federal “Privacy Act of 1988” and New Zealand’s “Privacy Act of 1993”. Further on the Guidelines’ importance for Australian policy, see Ford (2003). In Canada, the Guidelines formed the basis for the Canadian Standards Association’s “Model Code for the Protection of Personal Information” (CAN/CSA-Q830-96), adopted in March 1996. The Model Code has been incorporated into Canadian legislation as Schedule 1 to “the Personal Information Protection and Electronic Documents Act of 2000”.
- 15.
See, e.g., Gellman (1993).
- 16.
See generally the documentation collated at http://www.apecsec.org.sg/apec/documents_reports/electronic_commerce_steering_group/2004.html.
- 17.
See “Global data protection law needed, say regulators,” OUT-LAW News, 19/09/2005, http://www.out-law.com/page-6132.
- 18.
Adopted Oct. 24, 1995, O.J. L 281, Nov. 23, 1995, p. 31 et seq. Two sectoral Directives on data privacy have also been adopted. The first of these was “Directive 97/66/EC of Dec.15, 1997 Concerning the Processing of Personal Data and the Protection of Privacy in the Telecommunications Sector”, O.J. L 24, Jan. 30, 1998, p.1 et seq. This has now been replaced by “Directive 2002/58/EC of July 12, 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector”, O.J. L 201, July 31, 2002, p. 37 et seq.
- 19.
See e.g., Kuner (2003), Chap. 4.
- 20.
- 21.
A “data controller” is a person or organization who/which determines the purposes and means of processing personal data: see E.U. Directive, Article 2(d).
- 22.
See further Bygrave (2000); Kuner, supra note 14, Chap. 3.
- 23.
See further Bygrave (2000); Kuner, supra note 17, Chap. 3.
- 24.
See “EU Directive on e-mail marketing”, http://www.extravision.com/eudirective.cfm.
- 25.
“Preamble, Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)”, O.J.L 201, 31/07/2002, pp. 0037–0047.
- 26.
Ibid.
- 27.
Article 13 provides that: the use of automated calling systems without human intervention (automatic calling machines), facsimile machines (fax) or electronic mail for the purposes of direct marketing may only be allowed in respect of subscribers who have given their prior consent.
- 28.
See “EU implements Anti-spam Act, spyware becomes illegal software,” Dec. 3, 2003, http://news.ccidnet.com/pub/article/c951_a69660_p1.html.
- 29.
Most notably the Privacy Act of 1974 and Computer Matching and Privacy Protection Act of 1988. Note also the limited protection of data privacy afforded under the Constitution as construed by the Supreme Court: see especially Whalen v. Roe, 429 U.S. 589 (1977). See further Schwartz and Reidenberg (1996), Chap. 4.
- 30.
See generally the overview in Schwartz and Reidenberg, supra note 13, especially Chaps. 9–14.
- 31.
See “http://web.ita.doc.gov/safeharbor/shlist.nsf/webPages/safe+harbor+list” (accessed July 6, 2004).
- 32.
Decision 2000/520/EC of July 26, 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbor privacy principles and related frequently asked questions issued by the US Department of Commerce (O.J. L 215, 25th Aug. 2000, p. 7 et seq.). However, the scheme is presently under review by the Commission.
- 33.
42 USC § 201 et seq. (42 USC 1320d-2).
- 34.
Part I of title II of the Communications Act of 1934 (47 U.S.C. 201 et seq.) is amended by adding at the end the new section 231: (d) Privacy Protection Requirements.
- 35.
“Child Online Privacy Protection Act (COPPA)”, 15 USC 6501-6506.
- 36.
The CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing Act), 18 USC 1037.
- 37.
On Sept. 30, 2005, California Governor Arnold Schwarzenegger signed the Anti-Phishing Act of 2005 into law. The first-of-its-kind bill makes Internet phishing a punishable offense. The new law will permit victims to seek recovery of actual damages or up to $500,000 for each violation, whichever is greater. See Walaika K. Haskins, “California Passes Nation’s First Antiphishing Law”, Oct. 4, 2005, http://www.newsfactor.com/story.xhtml?story_id=38456.
- 38.
So far, the anti-spyware legislation has been enacted in twelve states. For example, in 2004, California has enacted “the Consumer Protection Against Spyware Act”, to “protect California consumers from the use of spyware and malware that is deceptively or surreptitiously installed on their computers.” See “Schwarzenegger Signs California Anti-Spyware Bill”, Sept 28, 2004, http://www.reuters.com/newsArticle.jhtml?storyID=6359582.
- 39.
Declan McCullagh, “Bill would force Web sites to delete personal info”, February 8, 2006 http://news.com.com/2100-1028_3-6036951.html.
- 40.
Brad Smith, “Protecting Consumers and the Marketplace: The Need for Federal Privacy Legislation”, Nov. 2005, http://www.cdt.org/privacy/20051103microsoftprivacy.pdf.
- 41.
Brent Krause, “An Overview of the Canadian Personal Information Protection and Electronic Documents Act”, Feb. 2001, http://www.gigalaw.com/articles/2001-all/krause-2001-02-all.html.
- 42.
See, e.g., Quebec’s Act on Protection of Personal Information in the Private Sector of 1993.
- 43.
Decision 2002/2/EC of Dec. 20, 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act (O.J. L 2, Jan. 4, 2002, p. 13 et seq.).
- 44.
Further on Australian law, see, e .g., Hughes and Jackson (2001); on New Zealand law, see Longworth and McBride (1994) and Roth (1994)—(looseleaf, regularly updated); on Hong Kong law, see Berthold and Wacks (2003); on Korean law, see Yi and Ok (2003) and Chung (2003); on Japanese law, see Case and Ogiwara (2003).
- 45.
See Privacy Act of 1993.
- 46.
For Australia, see Privacy Act of 1988; for Japan, see Act for Protection of Computer-Processed Personal Data Held by Administrative Organs of 1988; for Korea, see Act on Protection of Personal Information Maintained by Public Agencies of 1994.
- 47.
For Australia, see Privacy Amendment (Private Sector) Act of 2000; for Japan, see Privacy Law of 2003; for Korea, see Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. of 1999. Note too that several of the Australian States have enacted data privacy laws covering their respective government agencies and, to a lesser extent, the health sector. See, e.g., Victoria’s Information Privacy Act of 2000 and Health Records Act of 2001.
- 48.
For example, with a few exceptions, the Australian legislation does not apply to “small business operators”; i.e., businesses with an annual turnover of AUD$3 million or less [see federal Privacy Act, sections 6C(1), 6D, 6DA & 6E)]. Another major gap is that the legislation does not cover the processing of data by employers about their present and past employees (as long as the processing is directly related to the employment relationship) [Section 7B(3)].
- 49.
The Japanese laws, for example, do not formally operate with a distinction between sensitive and non-sensitive data, and they make relatively extensive use of “opt-out” consent mechanisms.
- 50.
See Pedersen (2003).
- 51.
See Official Information Act of 1997, described in Opassiriwit (2002).
- 52.
See “Model Data Protection Code for the Private Sector of 2002”; Industry Content Code of 2002.
- 53.
For criticism of the schemes, see Greenleaf (2002).
- 54.
Art.101 of the China’s “General Principles of Civil Law” protect both personal dignity and the “right of reputation” and have been construed by the Supreme People’s Court to include the right to privacy. Most likely, Chinese legal scholars extrapolate this conclusion from the relevant SPC decisions. See Privacy Protection in China's Cyberspace, China Law and Practice, February 2003.
- 55.
Art.12, Administration of Internet Electronic Messaging Service Provisions.
- 56.
Art.19, Id.
- 57.
Art.25, Protection of the Safety of Computer Data Systems Regulations; Article 58(2), Telecommunications Regulations.
- 58.
Art.4.2, Internet Security Decision.
- 59.
Art.66, Telecommunications Regulations.
- 60.
Art.116, Criminal Procedure Law.
- 61.
Ministry of Public Security, Questions Relevant to the Implementation of the Circular.
- 62.
See “Lawmaker Urges Legislation to Curb Rampant Privacy Infringement”, Xinhua News Agency March 6, 2005. It is also available at http://www.china.org.cn/english/2005lh/121920.htm.
- 63.
“Do We Need Legislation to Protect Personal Information?”, Beijing Review, March 24, 2005, Vol. 48, No. 12, at Col. 44.
- 64.
Zhu Yuan, “Web users worry about ease of obtaining personal data”, China Daily Jan. 16, 2006 at p. 4. It is also available at http://www.chinadaily.com.cn/english/doc/2006-01/16/content_512461.htm.
- 65.
Ibid.
- 66.
Yves Poullet, Internet and privacy: any conclusions, http://www.droit.fundp.ac.be/textes/conclusions.pdf.
References
Berthold, M., and Wacks, R. 2003. Hong Kong data privacy law: Territorial regulation in a borderless world, 2nd ed. Hong Kong: Sweet & Maxwell Asia.
Boufford, John G. 1998. Privacy on the information highway. U.N.B.L.J. 47: 219.
Brandeis, L.D., and S.D. Warren. 1890. The right to privacy. Harvard law review 4: 193.
Bygrave, L.A. 2000. Determining applicable law pursuant to european data protection legislation. Computer Law and Security Report 16: 252–257.
Bygrave, L.A. 2002. Data protection law: Approaching its rationale, logic and limits. The Hague/London/New York: Kluwer Law International.
Bygrave, Lee A. 2004. Privacy protection in a global context—a comparative overview. Scandinavian Studies in Law 47: 319–348. privacy%20in%20global%20context.pdf.
Case, D., and Y. Ogiwara. 2003. Japan’s new personal information protection law. Privacy Law & Policy Reporter 10: 77–79.
Chung, H.-B. 2003. Anti-spam regulations in Korea. Privacy Law & Policy Reporter 10: 15–19.
Ford, P. 2003. Implementing the EC directive on data protection—an outside perspective. Privacy Law & Policy Reporter 9: 141–149.
Gellman, R.M. 1993. Fragmented, incomplete, and discontinuous: the failure of federal privacy regulatory proposals and institutions. Software L. J. 6: 199, 230.
Greenleaf, G. 2002. Singapore takes the softest privacy options. Privacy Law & Policy Reporter 8: 169–173.
Henke, F. 1986. Die Datenschutzkonvention des Europarates. Frankfurt am Main/Bern/New York: Peter Lang.
Hughes., and Jackson, M. 2001. Hughes on data protection in Australiam, 2nd ed. Sydney: Law Book Co. Ltd.
Kuner, C. 2003. European data privacy law and online business. Oxford: Oxford University Press.
Longworth, E., and T. McBride. 1994. The privacy act: a guide. Wellington: GP Publications.
Opassiriwit, C. 2002. Thailand: a case study in the interrelationship between freedom of information and privacy. Privacy Law & Policy Reporter 9: 91–95.
Pedersen, A. 2003. India plans EU-style data law. Privacy Laws & Business (68): 1, 3.
Privacy and E-Government. Privacy impact assessments and privacy commissioners –two mechanisms for protecting privacy to promote citizen trust online. 1 May 2003, http://www.internetpolicy.net/practices/030501pia.pdf.
Prosser, William. 1960. Privacy. Cal. L. Rev. 48: 383.
Roth, P. 1994. Privacy law and practice. Wellington: Butterworths/LexisNexis.
Schwartz, P.M., and J.R. Reidenberg. 1996. Data privacy law: a study of united states data protection. Charlottesville: Michie Law Publishers.
Shaffer, G. 2000. Globalization and social protection: the impact of e.u. and international rules in ratcheting up of U.S. privacy standards. Yale J. of Int’l Law 25: 1–88.
Smith, Brad. Protecting consumers and the marketplace: The need for federal privacy legislation. http://www.cdt.org/privacy/20051103microsoftprivacy.pdf.
Smith, Marcia S. 2004. Internet privacy: Overview and pending legislation. Updated 6 July 2004, CRS Report for Congress. http://fpc.state.gov/documents/organization/35133.pdf.
Swire, P.P., and R.E. Litan. 1998. None of your business: world data flows, electronic commerce, and the european privacy directive. Washington, DC: Brookings Institution Press.
Waters, N. 2003. The European influence on privacy law and practice. Privacy Law & Policy Reporter 9: 150–155.
Westin, A.F. 1967. Privacy and freedom. New York: Atheneum.
Rice, Denis T. Privacy in cyberspace: A primer. http://www.howardrice.com/uploads/content/privacy_cyber.pdf.
Yi, C.-B., and K.-J. Ok. 2003. Korea’s personal information protection laws. Privacy Law & Policy Reporter 9: 172–179.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Springer-Verlag Berlin Heidelberg
About this chapter
Cite this chapter
Guo, Y., Luo, Y. (2015). E-privacy Protection—Centering on Global Main Legal Instruments and Prospects. In: Guo, Y. (eds) Research on Selected China's Legal Issues of E-Business. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-44542-6_8
Download citation
DOI: https://doi.org/10.1007/978-3-662-44542-6_8
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-44541-9
Online ISBN: 978-3-662-44542-6
eBook Packages: Humanities, Social Sciences and LawLaw and Criminology (R0)