Data protection law - An Introduction

3.6. Tentative answers: industrial self-regulation, attempts at standardization

1. The preamble to the EU data protection directive includes the following: “Member States and the Commission, in their respective spheres of competence, must encourage the trade associations and other representative organizations concerned to draw up codes of conduct so as to facilitate the application of this Directive, taking account of the specific characteristics of the processing carried out in certain sectors, and respecting the national provisions adopted for its implementation.”123 In the United States, industrial self-regulation concentrates primarily on avoiding state regulation. Below I would like to give an example from the context of electronic data processing, the TRUSTe system, the goal of which is to guarantee adequate data processing by web sites; its solutions and its limits are characteristic of most industrial self-regulatory attempts. After this I will treat the issue of standardization attempts within the field of data protection.

2. The underlying concept of TRUSTe is that, according to its creators, traditional industrial self-regulation cannot provide an effective solution (because it imposes no real constraints on those financing and operating it), nor is state regulation desirable in online data protection (the reason for the latter being that enforcement without international harmonization of data protection law is almost impossible in a global internet environment, and that state intervention would endanger the boom of the internet experienced earlier). The idea was to find a solution that would combine the weight of government control with the power of market dynamics, and build upon the control of the public as well. This is the solution of self-governance. The goal was to develop trust in the security of electronic communication as well as to dispel anxiety concerning data protection.124

The essence of the self-governance concept is that industry does not act autonomously, but rather creates best practices and relies on the results of state regulation, i.e. legislation. One of the most important incentives of the regulation, according to this concept, is the “well-informed market”, in which participants decide which system for processing data they consider best. The task of the government, according to this concept, is to enforce effective law and to urge the actors of the sector to adopt best practices as widely as they can.

The TRUSTe program follows the principle of self-governance as well. Its aim is to build trust in the data protection policies of internet web sites among users who make use of the services offered by these pages. The program is independent of both the actors of the sector and the government, and is operated by Trusted Universal Standards in Electronic Transactions, Inc., a non-profit organization incorporated in California. Pages that meet the requirements of TRUSTe regarding their data protection policy, and that subject themselves to TRUSTe’s dispute resolution mechanisms, become official seal bearers in order to signal this, bearers of the “registered certification mark.”

The mark signals to the customer that the company meets the required standards for data protection; if it does not, the user can turn to a third party. There is a contract between TRUSTe and the web site entering the program, which guarantees the possibility of intervention in case of infringement of data protection rules, regardless of the user’s nationality or the geographic location of the operator of the web site within the program.

4. The earliest among data protection standards is the 1996 Canadian standard, which was developed by the Canadian Standards Association, motivated by the adoption of the Directive: as a result of the Directive, and due to the lack of measures providing an adequate level of protection, the Canadian party feared a situation that would damage trade. The other reason was the fact that in the wake of the OECD Directives several codes of practice were born, but there were significant differences in their content.125 This is why the CSA first coordinated the formation of a model code of conduct (CSA Model Code), which later became a national, voluntary data protection standard. The standard includes adequate certification, registration and audit mechanisms as well.126

The standard defines ten basic principles concerning personal data processing; it was developed by a 45-member committee, which included representatives of finance and telecommunications, representatives of the direct marketing sector, local governments and bodies of central public administration, representatives of consumer interests, trade unions, as well as information technology experts on security technologies.127 Similar standards were adopted in Australia (1997) and in Japan (1999).128

The European Committee for Standardization, CEN, launched its project called the Information Society Standardization System in 1997 with the aim of identifying and settling problems that may be solved with traditional and new standardization techniques appearing in the context of the information society. CEN/ISSS defines itself as a service offering a range of instruments to actors of the market, from establishing standards to agreements registering the identification and exchange of best practices.129 A project within CEN/ISSS was also launched with the aim of examining whether it is necessary and possible to establish standards based on the data protection directive of the EU, which may help compliance with the directive and other data protection regulations. If the answer within the frame of the project is positive (at least concerning given questions), the goal is to define the advantages and disadvantages of standardization in the given case.

The aim of the project called the Initiative on Privacy Standardization in Europe (IPSE) was to issue a Final Report. The question of compliance control mechanisms/audit was included among the possible topics of IPSE standardization already at the start of the project, together with the issues of setting up and evaluating criteria regarding the level of data protection in programs similar to TRUSTe.130 The first document presenting results of considerable research was the Discussion Paper prepared by the Interdisciplinary Centre for Law and IT at the Catholic University in Leuven,131 while CEN/ISSS issued its Final Report, based on the study of Dumortier and Goemans, on 3rd February 2002.132 Different audit methodologies were examined within the scope of the standardization work carried out at CEN/ISSS, and a data protection audit framework was even accepted.

3. Self-regulation is an appropriate tool for enhancing the effectiveness of privacy protection technologies, but compared to data protection legislation, self-regulation, just like privacy enhancing technologies, may be at most a supplementary tool. P3P does not work effectively in practice, and in the literature several reservations are raised concerning TRUSTe. According to experts writing on the subject, the weak point of TRUSTe and of systems based on the use of a mark133 is that, since they are little known, the sanction they impose – namely that if a web page pursues unlawful data protection practices, the operator’s right to use the mark is revoked – has proved ineffective, since no user actually missed the mark.134 In the course of 2003 TRUSTe withdrew the right to use the mark in two cases, and in another case it initiated an investigation against a firm using the mark.135

According to Schwartz, without state regulation the tools of self-regulation (either sectoral self-regulating codes or technologies through which the data subject might express his preferences, as in the case of P3P) are not sufficient to achieve effective privacy protection. Schwartz – who examines norms realized in cyberspace from an American point of view – thinks that the essential reason for this lies in the default that all users are accustomed to the complete disclosure of personal data; in this situation data subjects are unaware of the value of their personal data, while the interest of the industries using these data is to maintain the status quo.136 This interferes with the idea that the data “subject” should have a better bargaining position in the “market,” and self-regulation is directed against state regulation as well. Schwartz claims that actors of the market should be forced into a situation in which they have to pay for using the data, taking into consideration the preferences of the data subjects. The notion he suggests is “privacy price discrimination.” A genuine market may be created only if the default rule is the prohibition of getting to know personal data, and this can be reached only through state regulation.137 Although I agree with Schwartz’s analysis of the market for personal data and the possibilities of self-regulation, it has to be pointed out that the only data protection regulations that would ensure a good bargaining position for the individual are the ones that exclude the possibility of routine “consent”-based data processing (regarding this issue see above the discussion of the way the notion of “consent” becomes empty).

In Burkert’s view the development and application of privacy enhancing technologies makes it possible to tackle the matter of consent-based data processing. In his opinion the problem lies in the fact that experts designing systems in the present situation simply rely on obtaining the consent of the person involved, without further investigation. With the development of privacy enhancing technologies it may be achieved that anybody involved in data processing has to prove what the substantial basis of the processing is. If the principle of necessity is applied at the level of system design, it might lead to a situation in which data controllers enter into a political debate where they have to explain the need to carry out the data processing in question.138 Among the technological limitations, Burkert too points out that there is no real bargain; he does not suggest any new term, but what he considers desirable is something very similar to what Schwartz calls “privacy price discrimination”: “personal information given away in a transaction process is part of the payment for the desired service or good. If this information is no longer there, the price of the good or service is likely to change. This change could be made transparent, and a “choice” could be offered: a company providing you with a good or service could ask a higher price that would include a higher degree of privacy of the information you provided, or you could pay a lower price but give additional information that [...] would allow that company to obtain extra revenue from that information”.139

We have to see that the efforts directed at the creation of a “bargaining position” and the incentive of “privacy price discrimination” are fundamentally different from the opinion of Hungarian legal thinking on data protection about the price of data. Although in Hungary it is possible to obtain data for free from the population registers for purposes of direct marketing, there are several opinions of the Data Protection Commissioner that regard the demand to reveal certain data as unlawful, and state that the service provider may be obliged to provide the service even if the data subject refuses to reveal the data. In practice data subjects consent to revealing their data in large numbers, and the idea of consent loses its significance. The way out of this situation is regulation: a data controller with a monopoly has to be obliged to narrow down the scope of data processing, and processing outside the given frame has to be banned, while in the case of a data controller without a monopoly we should aim at the creation of a real data market, and intervene significantly only if the bargaining position of the data subjects remains unreal.

3.7. The third generation data protection norms

Page last modified on January 10, 2007, at 01:51 AM
Copyright © András Jóri 2006-2007 (unless otherwise stated). All rights reserved. Theme by Theron Parlin - wiki