Original Articles

Reconstructing consumer privacy protection on‐line: a modest proposal

Pages 313-344 | Published online: 22 Jan 2007
 

Abstract

Problems with consumer trust and confidence in the Internet as a safe environment in which to shop, browse and associate are well documented, as are the correlations between this lack of consumer trust and fears about privacy and security online. This paper attempts first to show why existing legal and extra‐legal modes for the protection of privacy online are failing to protect consumers and promote consumer trust. In particular it critiques the European regime of mandatory data protection laws as outdated and inappropriate to a world of multinational corporatism and ubiquitous transnational data flows via cyberspace. In the second part lessons are drawn from the crisis currently faced by intellectual property in cyberspace, particularly in reference to MP3 music files and peer‐to‐peer downloading and useful parallels are drawn from the solution devised by William Fisher of the Berkman Centre, Harvard, in the form of an alternative payment scheme for copyright holders. Finally, the insights drawn from Fisher's work are combined with original proposals drawn from a comparison of the consumer–data collector relationship in cyberspace with the roles played by truster, trustee and beneficiary in the institution of common law trust. The resulting ‘modest proposal’ suggests that a ‘privacy tax’ be levied on the profits made by data collectors and data processors. This could fund no‐fault compensation for identified ‘privacy harms’, improve public privacy enforcement resources, provide privacy‐enhancing technologies to individuals, satisfy the desire of commerce for less data protection‐related internal bureaucracy and possibly create the conditions for better promotion of consumer trust and confidence. The uptake of electronic commerce would thus be significantly enhanced.

Notes

Correspondence: Lilian Edwards, Co‐Director, AHRB Centre for Research into Intellectual Property and Technology and Senior Lecturer, Law Faculty, Edinburgh University, Edinburgh, UK; E‐mail: [email protected].

Or, more accurately, as Graeme Laurie puts it, why privacy causes problems. See Laurie, G. (2001) Genetic Privacy: A Challenge to Medico‐legal Norms (Cambridge University Press). I would like to thank Dr Laurie, whose original suggestion it was that trust might have something to offer in the field of protection of personal information and also Professor Geraint Howells of Sheffield University with whom I collaborated at an earlier stage of this research, Professor Hector MacQueen of Edinburgh Law School who made many helpful comments in draft, particularly on the question of European trust harmonisation, the participants of the conference on Privacy, Property and Personality, Edinburgh, November 2002 and those at Securing Privacy in the Internet Age, Stanford Law School, March 2004. Any errors are of course the responsibility of the author alone.

Figures from the US Department of Commerce: see http://news.bbc.co.uk/1/hi/business/3515287.stm. However, these do not include online travel services, financial brokers and ticket sales agencies, which were excluded from both online and total retail sales figures. If these were included the percentage figure might be as much as doubled.

EU EuroBarometer Survey March 2004. See http://europa.eu.int/comm/consumers/topics/btoc_ecomm.pdf. It is worth noting however that a majority of e‐commerce refuseniks, 57% of EU citizens surveyed, said they did not shop online simply because they did not have access to the Internet. A total of 16 000 people were surveyed, with distinct differences observed across countries, income groups and age groups, e.g. 37% of Swedes had purchased online compared to only 3% of Greeks.

These advantages to consumers of shopping online are examined in more detail in Edwards, L. and Howells, G. (2003) Anonymity, consumers and the Internet: where everyone knows you're a dog, in: C. Nicoll, J. E. J. Prins & M. J. M. Van Dellen (Eds) Digital Anonymity and the Law (T. M. C. Asser Press).

European Commission report on Unsolicited Commercial Communications and Data Protection, February 2001 at http://europa.eu.int/comm/internal_market/en/dataprot/studies/spamstudyenpdf.

It is rare to see a value publicly put on a customer database in business sales or mergers. However, in one well‐known incident, when Egghead Software was sold to Fry's Electronics in 2001, its only major asset apart from some intellectual property rights was acknowledged to be its database of 4 million customers, and the price paid for the company was $10 million.

Swire, P. & Litan, R.E. (1998) None of Your Business: World Data Flows, Electronic Commerce and the European Privacy Directive, pp. 81–83 (Brookings Institution Press).

See the Eli Lilly Prozac list and Microsoft Passport disclosure cases reported in (2002) Privacy and Data Protection, 3(2), p. 12.

Marie Claire magazine (US edition) for March 2004 had a major spread on Internet privacy that noted breathlessly ‘What strangers can find out about you: Your dress size. Your salary. Your salacious affair! Secrets you thought were yours alone are actually available to the highest bidding marketer. Could the most intimate details of your life become public knowledge?’

And even (dare one add) House of Lords judges: see Shogun Finance Ltd v. Hudson [2003] UKHL 62, para 57, per Lord Hobhouse of Woodborough.

Downloadable at http://www.ncc.org.uk/pubs/e‐commerce.htm.

It is difficult to compare figures in surveys on Internet consumer privacy, trust and e‐commerce directly as each survey tends to ask questions in different ways and each also adopts its own methodology, which is not always revealed. In particular, fears about the disclosure of personal data, including credit card details, pertaining to personal privacy are often conflated with fears about fraud. The best recent objective survey of surveys on the themes of trust, risk, privacy and the Internet can probably be found in C. J. Bennett & C. D. Raab (2003) The Governance of Privacy, pp. 56–67 (Ashgate).

Supra, note 3.

Supra, note 12.

See, for example, the EC eEurope initiative 2006, with its particular focus on secure infrastructure at http://europa.eu.int/scadplus/leg/en/lvb/124226.htm.

1999/93/EC.

2000/31/EC.

2002/58/EC.

At http://www.europa.eu.int/information_society/programmes/iap/index_en.htm. The current plan runs till 2008. This page also contains an evaluation of the Action Plan that ran from 1999 to 2002.

See discussion of the previous EC Action Plan in L. Edwards & C. Waelde (Eds) (2000) Law and the Internet: A Framework for Electronic Commerce (Hart Publishing) at pp 303 ff.

1995/46/EC.

The directive was promulgated in 1995 with prior negotiations which began in the early 1990s, a time when the modern commercial Internet had barely begun to evolve. In many ways the directive owes much of its substance to the earlier Council of Europe instrument on Automatic Processing of Personal Data which was issued in 1981. See Swire and Litan, supra, note 7, Chapter 2.

Supra, note 18 and see the account in P. Carey (2004) Data Protection, 2nd edn (Oxford University Press).

Spam here is shorthand for ‘unsolicited electronic mail and similar forms of unsolicited electronic direct marketing’. The Privacy and Electronic Communications Directive refers only to ‘unsolicited communications’ and ‘electronic mail’ (art 13).

Cookies are small text files that are typically placed on a user's hard disk while they are browsing an e‐commerce website which allow the operator of that site to record personal details about that user in a form which can be connected to that user on a subsequent visit to that site. The Privacy and Electronic Communications Directive refers to ‘so‐called spyware, web bugs, hidden identifiers and other similar devices’ but only within the recitals (recital 24) and not the main text.

The Children's On‐Line Privacy Protection Act (COPPA) 1998.

The Video Privacy Protection Act 1988.

Bennett and Raab, supra, note 12.

Discussed infra on p. 325.

See L. Edwards (2000) Canning the spam: is there a place for legal control of junk electronic mail?, in: L. Edwards & C. Waelde (Eds) Law and the Internet: a Framework for Electronic Commerce (Hart Publishing); L. Edwards & G. Howells, supra, note 4; L. Edwards (‘Edwards IJLIT’) (2003) Consumer Privacy, On‐Line Business and the Internet: Looking for Privacy in All the Wrong Places, 11 IJLIT 226; L. Edwards (2003) The problem with privacy, 3 Privacy & Data Protection 6. In respect of other writers, see footnotes passim, but especially those cited at note 48.

Swire and Litan, supra, note 7, p. 80.

G. A. Guera, D. J. Zizzo, W. Dutton & M. Peltu (2003) Economics of Trust in the Information Economy: Issues of Identity, Trust, Privacy and Security (Oxford Internet Institute), available at http://www.oii.ox.ac.uk/.

In Prins, Ribbers, Van Tilborg, Veth & Van der Wees (Eds) (2002) Trust in Electronic Commerce, pp. 194–195 (Kluwer).

Interestingly, De Hert, as here, also went on to consider whether existing legal regimes are sufficient to protect consumer privacy and promote trust and confidence adequately. Like this writer, he had doubts about the efficacy of the US self‐regulation system, but regarded it as ‘premature alarm’ to dismiss the EC data protection as ineffective in the global context of cyberspace (p. 226).

Vintage Books (2000), reprinted with a new afterword in 2001.

Rosen noted, for example, that everyone learnt via subpoenas during the Starr enquiry that Monica Lewinsky had read Vox by Nicholson Baker, a book about telephone sex, but not, according to Ms Lewinsky, that in the same period she also bought and read several other less ‘raunchy’ works including a Shakespeare play.

The Federal Trade Commission's official definition of ‘identity theft’ and advice on combating it can be found at http://www.consumer.gov/idtheft/.

The Federal Bureau of Investigation received half a million complaints on identity theft in 2003 and consumers reported losses from fraud of over $400 million. See http://www.consumer.gov/sentinel/pubs/Top10Fraud2003.pdf.

According to the BBC News website, identity theft is the fastest growing crime in the UK and costs the UK £1.3 billion a year. New pilots for introducing a national identity card were announced in April 2004, with one of the justifications being the need to cut down on identity theft. The BBC report also notes that victims of identity theft may recover the monies that they lose as a result of the fraud, but the average victim spends around 300 hours sorting out the mess caused. Interestingly, the House of Lords (in Shogun Finance v. Hudson, supra, note 10) have also recently addressed the concept of identity theft, dealing with a dispute which, while not exactly an online identity theft case, does have online elements in its factual background of fraud.

See press release http://www.apacs.org.uk/downloads/cardfraudfigures2003%20‐%208mar04.pdf.

Supra, note 9. Another recent disclosure harm story involves Tower Records in the USA, which in 2002 made changes to their website which inadvertently made some records of customer orders visible to other customers, exposing names, billing addresses, email addresses, phone numbers and past Tower purchases. The Federal Trade Commission brought charges and a consent agreement settlement was reached in April 2004 which if breached exposes Tower to a fine of $11 000 for each item of the settlement broken. See http://www.out‐law.com, 23‐04‐2004. Similarly, Barnes and Noble also recently negotiated a $60 000 settlement with New York authorities after a design flaw in the New York‐based company's website granted unauthorised public access to customer information such as name, billing address and account information but not credit card numbers. See http://news.com.com/2110‐1038_3‐5203091.html.

Brightmail survey, February 2004: see http://www.brightmail.com.

It is true that some spam addresses are generated randomly by computer programs. However, the majority of spammers are still using ‘real’ addresses harvested from the WWW, Internet service provider membership databases, etc. It is interesting to note that, until the 2002 Privacy and Electronic Communications Directive, there was residual doubt as to whether email addresses were indeed protected as ‘personal data’ under data protection law (see L. Edwards, Canning the spam, supra, note 31, p. 321): this now seems a settled matter.

L. Lessig (1999) Code and Other Laws of Cyberspace (Basic Books).

See inter alia work by Bennett and Raab, Kuner, Bygrave, Carey, Charlesworth, Reidenberg and Swire and Litan cited at note 48 infra, as well as much more. The Art 29 Working Party, which set up the Data Protection Directive 1995, has also closely monitored the need for changes to data protection law and produced many useful policy documents. It is also worth noting the work being done in the Asian‐Pacific area on building a privacy charter to deal with all aspects of privacy on‐ and offline (version 1.0 circulated September 2003 by Baker & McKenzie Cyberspace Law and Policy Centre, Faculty of Law, University of New South Wales): while in theory separate from data protection law, it must be noted that its draft principles bear a certain family resemblance.

The phrase of course originates with Jonathan Swift, whose original satirical ‘modest proposal’ was that, to deal with the Irish famine and over‐population problem, Irish babies should be fattened for English tables. See Swift, J. (1729) A Modest Proposal: For Preventing the Children of Poor People in Ireland from being a Burden to their Parents or Country, and For Making Them Beneficial to The Public, available at http://art‐bin.com/art/omodest.html.

Good accounts of the differences between the US and European regimes can be found in Charlesworth, A. (2000) Data privacy in cyberspace, in: L. Edwards & C. Waelde (Eds) Law and the Internet: A Framework for Electronic Commerce (Hart Publishing); Reidenberg, J. (2000) Resolving conflicting international data privacy rules in cyberspace, 52 Stanford Law Review 1315; and Swire and Litan, supra, note 7; Bygrave, L. (2002) Data Protection Law: Approaching Its Rationale, Logic and Limits (Kluwer) is an excellent recent critical account of EU data protection law with particular reference to its application (or rather, not) to (1) juristic persons and (2) personal data profiling online; Kuner, C. (2003) European Data Privacy Law and Online Business (Oxford University Press) and Carey, P. (2004) Data Protection, 2nd edn (Oxford University Press) are both detailed descriptive accounts of the system from, respectively, a mainly European and primarily UK perspective.

Data Protection Directive 1995, Art 6 and 7 and Art 2(h).

Ibid, Art 2(a).

‘Processing’ is given a very wide meaning in data protection law: Art 2(b) of the Data Protection Directive 1995 defines it to include ‘collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction’. Processing need also not be by automatic means, although it must be an ‘operation or set of operations’. Manual files are also now included in the data protection regime, subject to transitional arrangements.

See Data Protection Directive 1995, Art 2 (c).

Ibid, Arts 18–19.

Ibid, Art 6 (1) (b)–(c).

Ibid, Art 28.

Ibid, Arts 16 and 17.

Ibid, Art 6(1) (e).

Ibid, Art 12.

Ibid, Art 14.

Ibid, defined in Art 2.

Ibid, Art 11.

Supra, note 7.

See Klosek, J. (2000) Data Privacy in the Information Age (Quorum Books).

Swire and Litan, supra, note 7, p. 50ff.

Ibid, p. 100ff. See also Swire, P. Of elephants, mice and privacy: international choice of law and the Internet, 32 International Lawyer 991.

The top penalty for a breach of the UK Data Protection Act 1998 is currently £5000. One of the few recent prosecutions for data protection infringement in the UK resulted in a total fine of under £3000, for 16 offences, i.e. £150 for each offence. The offences were committed by a debt collection agency that rang various agencies and companies illegally obtaining personal data. It is hard to see how such a level of fine could act as much of a deterrent. See http://www.out‐law.com, 21‐4‐2004. Compare the recent fines levied by the regulator for abuses of premium rate phone calls, ICSTIS, established under a later piece of legislation. ICSTIS has recently imposed several headline‐grabbing fines of £50 000 to £75 000. No jail term can be imposed under the Data Protection Act 1998, no matter how serious the breach: compare the EC Copyright Enforcement Directive and the US Federal ‘Can the Spam’ Act 2003, both of which allow for serious prison terms to be imposed in respect of ‘digital’ offences of arguably no greater degree of moral culpitude than infringement of privacy.

See report at http://www.pcmag.com/article2/0,1759,1130826,00.asp.

See report at http://news.bbc.co.uk/1/hi/sci/tech/1264205.stm.

See further Swire, Of elephants, mice and privacy, supra, note 65.

Swire and Litan, supra, note 7, pp. 69–70.

Noted in April 2004. In July 2003 this figure was around 3000 million, whereas in August 2002 it was 2500 million.

Study of Compliance of UK Websites with Data Protection Law, May 2002, by the University of Manchester Institute of Science and Technology for the Information Commissioner's Office. Copies now only available on request from the Information Commissioner's Office (see http://www.dataprotection.gov.uk/dpr/dpdoc.nsf). Sites surveyed were not chosen randomly, but to represent a range of different variables, including large and small websites and sites collecting certain types of information, e.g. sensitive information and information from children.

See p. 14, National Consumer Council report, supra, note 10.

See study at http://www.marketimprove.com/FTSE100_Data_Protection_Study.pdf.

Data Protection Directive 1995, Art 28.

National Consumer Council report, supra, note 10. To give some perspective to how careless (or carefree) consumers are about protecting their personal information privacy, a recent experiment at London Liverpool Street Station found that 71% of office workers stopped by researchers were prepared to give away their office password for a chocolate bar. See http://www.out‐law.com, 20‐04‐2004.

See, for example, the very useful National Consumer Council publication Consumer Privacy in the Information Age, available at http://www.ncc.org.uk.

UK organisations concerned with rights of privacy online generally seem to get more attention when campaigning against state invasions of privacy, e.g. closed circuit television monitoring, national biometric identity cards and Internet surveillance by national security, than they do when looking at consumer privacy. However, even the anti‐surveillance blog site SpyBlog (http://www.spy.org.uk/) recently rather sadly commented that ‘Although there is a general lack of interest in privacy and civil liberties issues amongst the British public and politicians, we have now been persuaded to continue with this website, partly by Liberty who are now campaigning for a Privacy Act.’

See Spamhaus site at http://www.spamhaus.org/.

(2003) Privacy & Data Protection, 3(2), p. 3.

At issue here was Art 25, introduced for the first time in the 1995 directive, which forbade the export of personal data from the EU to countries which did not have ‘adequate’ data protection, notably the USA.

See Charlesworth, supra, note 48; note by six US privacy professors (including Cate, Reidenberg, Schwartz, Swire and Litan) archived at http://www.ita.doc.gov/td/ecom/comabc.htm.

Four hundred and ninety‐three members listed on http://www.export.gov/safeharbor/, visited at 28/04/04.

Art 26, Data Protection Directive 1995 allowed the EC to set up model contractual conditions under which personal data could be lawfully transferred to a country outside the EU without ‘adequate’ privacy protection. Those model clauses can be found at http://www.privacydataprotection.co.uk/documents.

There are in fact five legal bases for data export other than the ‘adequacy’ of the country of destination: model contract clauses, ad hoc contracts, unambiguous consent of data subject, transfer ‘necessary’ for performance of contract between data subject and controller and codes of conduct. See Kuner, supra, note 48, pp. 124 ff.

‘Safe harbor’ had if anything more explicit post‐transfer safeguards for data subjects built in to the regime than does transfer of data by contractual conditions, yet safe harbor itself was trenchantly criticised on its compliance record, e.g. repeated scandals relating to misuse of personal data by prominent TrustE members such as Microsoft, Yahoo! and GeoCities. See supra, note 82.

See Art 4 of the Data Protection Directive 1995, para 4(1) (c) of which states that a member state may apply its national laws to a data controller if ‘the controller is not established on Community territory, and for the purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said member state, unless such equipment is used only for the purposes of transit through the territory of the Community.’ Such a definition appears to catch the typical US‐based e‐commerce website (e.g. Amazon.com) which sells goods or services to UK consumers and collects personal data about UK consumers using ‘equipment’ here. ‘Equipment’ is not defined, but is usually deemed to include conduits necessary for the ‘processing’ such as UK Internet service provider wires, cables, routers, etc. It is less obvious if it catches, say, a US weblog site, where users in the UK write personal information straight to the US‐based server, since there may arguably be no ‘collection’ or ‘use’ and, hence, no ‘processing’ of personal data (see definition in Art 2(b)).

See Drahos, P. and Braithwaite, J. (2002) Information Feudalism: Who owns the Knowledge Economy? (Earthscan Publications) and Castells, M. (2000) The Rise of the Network Society, 2nd edn (Blackwells).

See Data Protection Position paper of the Global Privacy Alliance at http://europa.eu.int/comm/internal_markt/privacy/docs/lawreport/paper/gpa_en.pdf.

Regan noted that, in the negotiations surrounding the 1995 DP Directive, many EC‐based companies lobbied alongside US business for laxer laws: Regan, P. (1999) American business and the European Data Protection Directive: lobbying strategies and tactics, in: Bennett, C. & Grant, R. (Eds) Visions of Privacy: Policy Choices for the Digital Age (University of Toronto Press).

Kuner, supra, note 48, pp. 45–48.

Ibid, pp. 49–54. And see the recent UK case of Durant v. FSA 2003 EWCA Civ 1746, discussed by this author in Edwards, L. (2004) Taking the ‘personal’ out of personal data: Durant v FSA and its impact on the legal regulation of CCTV, 1:2 SCRIPT‐ed, at http://www.law.ed.ac.uk/ahrb/script‐ed/issue2/durant.asp.

Ibid, p. 95ff.

See Lindqvist v. Sweden, 6 November, 2003, ECJ Case C‐101/01.

Kuner, supra, note 48, p. 37ff.

Data Protection Directive 1995, Art 2(h).

See Edwards, L. (2004) Protecting consumer privacy online: spam and cookies in European law, in: Edwards, L. (Ed.) The New Framework of European E‐Commerce Law (Hart forthcoming).

See discussion in Edwards, L., supra, note 31 (‘Edwards IJLIT’), at pp. 239–240.

Self‐regulation is well explored from a social policy perspective in Bennett and Raab, supra, note 12, Chapter 6: they divide self‐regulatory instruments into privacy commitments, privacy codes of practice, privacy standards and privacy seals. See also Strauss, J. & Rogerson, K. (2000) Policies for online privacy in the United States and the European Union, paper presented at conference on Regulating the Internet: EC and US Perspectives, April 27–29 (University of Washington, Seattle).

See Study of Compliance with the Data Protection Act 1998 by UK Based Websites, supra, note 72.

Privacy policies have also become more popularly known as a result of the impact of the P3P technology. See below, p. 322.

Supra, note 99.

Supra, note 12 at p. 134.

See accounts in Charlesworth, supra, note 48, pp. 103–106; Edwards and Howells, supra, note 31.

Federal Trade Commission, Final Report of the FTC Advisory Committee on Online Access and Security, 15 May 2000, available at http://www.ftc.gov/acoas/papers/finalreport.htm.

Ibid.

http://truste.org/truste_annual_report.pdf. In 2003 itself there seems to have been some recovery however: although the site does not admit its membership, it reports that 900 members have ‘returned to the fold’.

Charlesworth, supra, note 48, at p. 120.

See http://www.zeroknowledge.com. In fact Zero Knowledge's website (visited at 28/04/04) seems to indicate that they have re‐oriented their commercial product range towards the Internet service provider market as opposed to the savvy consumer market, an interesting observation in itself.

See http://www.w3.org/P3P/. The latest iteration of P3P, v. 1.1, was released as a working draft on 27 April 2004 so the system is still very much a work in progress.

For a fuller version of this argument, see Edwards (‘Edwards IJLIT’), supra, note 31, at pp. 244–247. The EU has so far largely theoretically embraced PETs while in practice remaining suspicious of the value of P3P. However, in March 2004 a 16 million Euro project funded by the EU (PRIME) commenced which intends to develop privacy and identity management tools for Europe to enable ‘end‐user's sovereignty over their private sphere and enterprise's privacy‐compliant data processing’. See http://www.prime‐project.eu.org.

Unreported civil damages court cases on ‘identity theft’ where individual addresses or social security numbers are ‘stolen’ put these items at almost nominal value.

This is not to say that the US data privacy is in real terms worse at protecting online privacy than the European model. Indeed, for many of the reasons listed above, although EC data protection law may look as if it provides more stringent protection, US self‐regulation and sectoral provision may sometimes indeed be more effective at protecting consumers. This was in fact exactly the finding of a Brookings‐AEI study published in 2003: however see critique at http://www.enn.ie/frontpage/news‐9370133.html.

See generally an excellent summary of the entire MP3 crisis in the Berkman Centre for Internet and Society Research Publication Series, 8/2003 with Gartner G2 ‘Copyright and Digital Media in a Post Napster World’ at http://cyber.law.harvard.edu/home/uploads/254/pdf. See also Lessig, L. (2001) The Future of Ideas, Chapter 11 (Random House).

See A & M Records v. Napster, 239 F.3rd 1004 (9th Circ., 2001) (the ‘Napster’ case); MGM v Grokster US District Ct, Cen D Cal, CV 01‐08451‐SVW, CV 01‐09923‐SVW, (the ‘KaZaa case’) at http://www.eff.org/IP/P2P/MGM_v_Grokster/030425_order_on_motions.pdf.

See the Napster case, supra. As Cornish describes it, Napster (as a free downloading service) collapsed due to ‘martyrdom by slow stoning’ by the music industry. KaZaa/Grokster however, so far, survives due to a less centralised architecture. See Cornish, W.R. (2004) Intellectual Property – Omnipresent, Distracting, Irrelevant?, p. 52 (Clarendon Press Lectures).

See inter alia the US Digital Millennium Copyright Act 1998; EC Copyright Directive 2001/29/EC; Eldred v. Reno 239 F. 3d 372, 375 (D.C.Cir., 2001).

http://tfisher.org/.

Such ‘levy’ systems have also been proposed by other writers, Netanel, Jamie Love and Peter Eckersley for example, but Fisher's system is probably the best known and most worked through proposal. Details can be found in a chapter from his forthcoming book available at http://cyber.law.harvard.edu/people/tfisher/PTKChapter6.pdf. A short version can be found at http://news.com.com/2010‐1071_3‐1024856.html?tag=fd_nc_1.

Since Fisher's book detailing his proposal is not yet published, detailed critiques in the literature are as yet few. Lessig broadly commends Fisher's approach in his book Free Culture: How Big Media Uses Technology and the Law to Lock Down Culture and Control Creativity (Penguin, 2004) albeit with some caveats. Fisher's approach is not entirely new: it has some affinity with the mechanical reproduction right which existed in UK (and US) copyright law between 1911 and 1989 and which was approved by the economist Sir Arnold Plant in the 1930s for extension beyond sound recordings (which is what it applied to initially). This never happened and the Copyright Designs and Patents Act 1988 abolished it in the UK.

Although the element of total ‘control’ is not essential to privacy according to some writers, notably Ruth Gavison. See discussion in Wacks' introduction (p. xi) to Wacks, R. (1993) (Ed.) Privacy (Dartmouth) drawing on ideas in his earlier book Personal Information: Privacy and the Law (Clarendon Press, 1989).

See Rosen, supra, note 36.

See Bennett and Raab, supra, note 12, p 62, deriving the term from Westin.

See the discussion in Hayton, D. J., Kortmann, S. C. J. J. & Verhagen, H. L. E. (Eds) (1999) Principles of European Trust Law (Kluwer Law).

Ibid, pp. 3–4.

See Principles of European Trust Law, supra, note 123, p. 13ff, Arts I–VIII setting out the generic characteristics of European trust law across both civilian and mixed systems.

It is perfectly legal in most if not all systems that have trust for a truster to also be a beneficiary, so long as there is at least one or more third‐party trustees: see e.g. Gardner, S. (1990) Introduction to the Law of Trusts, p. 3 (Clarendon Press).

There are no individual data subject rights to enforce under safe harbor, nor under most if not all seal programmes. Enforcement is a matter for the Federal Trade Commission and therefore subject to their own internal priorities and resource issues. See further Schachter, M. (2003) Informational and Decisional Privacy, p. 199ff (Carolina Academic Press).

See Gardner, supra, note 125, p. 216. See also Principles of European Trust Law, supra, note 123, p. 18, Art VI.

However, they may have technological means of withholding their data from data collectors: see further below.

There is no reason why it could not be retained as an excellent voluntary code of practice for certain organisations or industry sectors. Common law rules as to negligence and invasion of privacy torts or delicts would of course remain in place. Incidentally, the desirability of the ‘withering away’ of copyright law is one of the places where Fisher and Lessig part company.

See p. 313.

See several US state anti‐spam laws and, most recently, the federal ‘Can the Spam’ Act 2003 in which both basic and aggravated damages when spammers are sued by either Internet service providers or the government are laid out in detail.

See p. 316.

The latter has been a conspicuous concern in the UK during the introduction of the change in the law from ‘opt out’ to ‘opt in’ under the new Privacy and Electronic Communications Directive 2002 rules on databases and direct marketing.

See Principles of European Trust Law, supra, note 123.

See the discussion in the 2000 European Review of Private Law special issue (Vol. 8(3)) on European trusts.

