A Comparative Study on Consumer Right to Privacy in E-Commerce ()
1. Introduction
“E-commerce” is widely used to describe shopping on the Internet. It has been rapidly developing in accordance with the development of information technology and network technology. [1] However, the concept of ecommerce is broader than internet shopping. It encompasses all commercial transactions based on the electronic processing and transmission of datum, text, sound and image. Electronic transactions are made between a company and a consumer, between different companies. While both of all raise issues of technical security, it is mainly the first transaction type that raises privacy issues. Also, the privacy protection for consumer transactions in e-commerce has become more and more important. It is thus essential to strengthen the study on the legislation of e-commerce consumer rights protection.
China has paid some attention to the consumer’s rights protection all along and constituted relevant laws and regulations to protect consumer rights. However, most of these laws and regulations have only been made for the protection on general consumer rights without specific provisions of the consumer rights protection in e-commerce. In sharp contrast to it, the developed countries and areas with advanced information technology, for example, EU, the United States, and Japan, have established a fairly sophisticated system of legal protection of e-commerce consumer rights [2].
In times of ubiquitous electronic communication and increasing industry pressure for standard electronic authentication, the maintenance of privacy (the right to control one’s personal information) becomes a subject of increasing concern. The possibility of an “invisible people” appears most obvious in e-commerce, due partly to the large amounts of data available, partly to the high payoffs expected from using this data for commercial purposes. [3] Thus, the right to privacy is particularly important in e-commerce. In this paper, a comparative study was made on how to protect consumer right to learn the truth in e-commerce, comparing the relevant laws and regulations in China and developed countries.
2. Definition and Characteristics of E-Commerce
E-commerce consists of the buying and selling of products or services through such electronic systems as the Internet and other computer networks. As a new form of business, it is the commercial activity which utilizes electronic and digital means. Parties carry out a transaction by means of electronic trading rather than face-toface transaction. [4] Modern electronic commerce typically uses the World Wide Web at least at some point in the transaction’s process, although it can encompass a wider range of technologies such as e-mail as well. The use of commerce is conducted in this way, spurring and drawing on innovations in electronic funds transfer, supply chain management, Internet marketing, online transaction processing, electronic data interchange (EDI), inventory management systems, and automated data collection systems.
The characteristics of e-commerce come out of the advantages it provides. With the technology of computer and network, e-commerce produces a virtual global trade environment without limits of time and space, which has significantly expanded markets, reduced costs, promoted traditional industries transformations and improved the efficiency and quality of service in business activities [5]. E-commerce is conducive to the formation of circulation system of modern commerce and has become an important part of modern service industry.
There are several features of e-commerce transaction significantly different from the traditional commodity trading. Firstly, consumers only can obtain information of goods by advertisement, rather than actual observation, selection or inspection. If the online sellers do not disclose all pertinent information and provide false information, the interests of consumers would be violated. Secondly, the transfer of money paid for goods cannot be carried out immediately. Generally speaking, in e-commerce transactions, the consumers remit to online sellers at first and tell them the desired goods. The online sellers will consign the goods to the consumer after receiving remittance. Thirdly, one of important elements of ecommerce transactions is how to guarantee that a valid contract has been entered between the parties. Assessing the validity of contracts is difficult in the Internet environment because the contracts are paperless. The system of digital signatures is therefore essential in helping to promote e-commerce because it ensures that all parties have entered in a binding contractual agreement.
3. The Right to Privacy and Its Characteristics
The concept of privacy is highly interesting. Perhaps its most striking feature is the fact that there is no agreement upon what it actually is. The “right to privacy” has inspired considerable debate in many fields including the areas of law, philosophy, sociology, politics, and more recently, computer science. This debate is fascinating, complex, and at times rather surprising [6]. Furthermore, how the right to privacy fares when applied to the world of e-commerce is an even more contentious issue.
Today transaction in e-commerce typically requires the divulgence of large amounts of personal information. Necessary information includes credit card information and delivery details. Also the possession of such information gives e-business the opportunity to analyze it, discovering trends and increasing the efficiency of their business dealings. Consumers typically had no idea as to the range of possible uses that possession of this information allows for, and thus had no idea as to the possible violation of their privacy that could occur [7]. However, in the last decade, consumer awareness of privacy is increasing, particularly among the Internet users. They begin to demand that their privacy be respected by e-commerce, which requires the legislation of e-commerce consumer rights protection.
4. Policies of Major Legal Systems
4.1. The Data Protection Directive of the EU
On October 24, 1995, the EU Council of Ministers passed the EU Data Protection Directive, which would be officially implemented 3 years later. On September 12, 1996, the EU Council adopted the Electronic Communication Data Protection Directive, a supplement to Data Protection Directive. In October 1998, the EU enacted the Personal Data Protection Act, which was also revised from the Directive of 1995. In early 1999, the European Commission issued the General Principles on Personal Data Privacy Protection on the Internet, and then promulgated the Advices on sightless and automatic personal data processing carried by software and hardware in Internet. At the same time, the EU Ministerial Conference put forward the Guideline on the Individual Right Protection dealing with personal data collection and processing on information superhighway.
Considering different levels of the protection of personal data in the member states, the EU enacted the Directive in order to unify these levels. One of major features of the Directive is that the scope of protection is expanded to manual data. There are two basic purposes of the Directive: the first is to protect the fundamental rights and freedoms of a natural person, especially their rights to privacy; the second is to ensure that information is flown freely in the member states according to the general principles of free flow of goods and services [8].
The Directive of the EU provides high standards of data protection and attempts to eliminate data transmission barriers in 15 member states. In the meanwhile, in order to transmit data between the member states and a country outside the EU, the Directive stipulates that the country must adopt the same protection standards as the EU countries. The EU member states are not allowed to transfer their personal data to any non-member state, until it ensures adequate protection on data. The measure taken by the EU is used to protect personal data and prevent some data from destroying accidentally. Moreover, accidental data loss, data transform, unauthorized data access or exposure, as well as other forms of illegal operation, are protected by the measure.
The EU announced that it prohibited America Online, Bell, Atlantic, and other American enterprises from sending consumer personal data across the Atlantic in 1998 according to the EU Directive. This led to a debate on the issue of data privacy between the United States and the EU. In the United States, data transfers are made by the carriers themselves, while in Europe, the carrier who violates the data protection act will be fined. The EU and the United States reached an agreement on individual “safe harbors”, which is used to regulate the scope of data transfer between them. The agreement also tells American companies the ways in which they should give an adequate protection to personal data within the limits of the Directive. But only a small number of American companies signed and promised to comply with the agreement.
The directive restricts American companies from collecting, organizing, storing, adopting, juggling, consulting or disclosing personal data collected in Europe; that is, it restricts any behaviors of “data processing”. According to the directive, data controllers have two obligations. One obligation is to ensure the quality of data. According to the Article 6 of the Directive, data controllers must ensure that personal data is processed under fair and reasonable conditions. The directive provides some principles of monitoring data quality, which are used to control the means of obtaining information and the available data type. The principles require that data controllers do as follows: they have a legitimate purpose of data collection and interpret the purpose; they collect only the data relevant to the purpose; they retain the data necessary to achieve the purpose; ensure the new and accurate data; supply appropriate security measures to protect the data; allow individuals to visit their own data and correct the inaccurate data; tell data collectors the situation of personal data, the purpose of collecting data and the situation of a third party who will accept the data in the future; explain that an individual must or may supply the data.
4.2. The Self-Regulation Model in the United States
The United States is one of the countries where Internet technology is most developed. In the United States, the concern for privacy protection and the measures adopted have kept at the foreword ranks of the world. The House and the Senate enacted the Privacy Act in 1974, which is the fundamental law on privacy protection in the country. The Act provides that the federal government agencies have the power to collect and use personal data, and stipulates that government agencies cannot use any private information without the consent of the parties. In 1986 the Congress passed the Electronic Communications Privacy Act, which is the most important act dealing with e-commerce consumer privacy issues.
In the United States, the protection of e-commerce consumers’ right to privacy has been sought through the means of self-regulation by the e-commerce industry. Self-regulative measures fall into four groups. The first is constructive industry guideline. For example, the Online Privacy Alliance (OPA) in June 1986 announced its online privacy guideline, which claimed the members to agree to adopt and implement its privacy policy, but it does not monitor the performance of members. The second group is e-commerce privacy authentication program, which means that private enterprises commit them to realize the e-commerce privacy protection. The third group is technology protection method, which concentrates protecting the right to privacy by consumers themselves. By using software technology to protect the right to privacy, consumers can be alerted automatically before entering into the website what information will be collected. The choice to proceed or not is then up to the consumers. Moreover, consumers can decide in advance what data will be collected, and they can choose permissible data in advance, other data is outside of the selection will not be collected. The last group is safe harbor method, as a new method which combines self-regulation with legislative rules. The so-called safe harbor refers to the e-commerce privacy protection guideline promulgated by specific online service providers.
The United States advocates mainly take advantage of industry self-regulation to protect e-commerce consumer right to privacy. But its first priority is the legal protection of minors’ right to online privacy. The United States passed the Child Online Privacy Protection Act on October 21, 1998 and it was come into effect on April 21, 2000. This is the first effective network privacy act in the United States, and the first real network legislation in which the rights and interests of consumers are first considered. The act centers on protecting children’s privacy rights, which clearly provides provider obligations and penalties when the consumer is 13 years old or younger.
In the recent years, the United States is under the pressure from stringent rules of the EU, at the same time the effect of domestic industry self-regulation is imperfect, so the voice of calling for legislating on e-commerce consumer privacy protection has arisen. The United States government still asserts that the problem should be handled by Internet companies. The United States has not enacted comprehensive and systemic federal legislation to protect e-commerce consumer right to privacy, because of the consideration of preferential development of e-commerce. It is afraid of hindering the development of Internet due to hasty legislation. In addition, the United States is a country of case law and case law also plays an important role in protecting the right to privacy of ecommerce consumers [9].
4.3. The Private Data Information Processing in Japan
In the 1980s, Japan set up the “Private Life Protection Research Group”, which made research on the issue of e-commerce consumer right to privacy. In September 1982 the Japanese government enacted the policies for privacy protection in private data information processing, which put forward the principles for regulating the new law. The principles are made of the following four categories. The first is principle of restricting collection. When collect the personal information, the purpose of the collection must be clear, at the same time, the content of information should be restricted to the necessary information. Moreover, the collection of information must be done in fair and legitimate ways. The second is principle of restricting taking advantage of materials. The use of personal data, in principle, should be limited to within the scope of the collection purposes. The third is principle of personal participation. Measures should be taken to allow individual to know the existence and contents of one’s own information, and when it is necessary, can revise the information. The last is principle of proper management. The collected or deposed personal materials should be managed by the correct and new ways. At the same time, they should be prevented from being stolen, damaged, altered, and improper circulated, and so on.
5. A Comparison on the Protection of Right to Privacy
At present there is no country with a comprehensive legislative protection of e-commerce consumer privacy, but many countries are more concerned with this issue than before. Some countries with developed network technology have provided a number of laws to tackle the issue. From a legislative standpoint, there are two approaches. One is aggregative legislation, which is adopted by EU and the United States. This approach refers to laws are regulated by public agencies and private enterprises. The other is divisive legislation, which takes public and private institutions as different regulation subjects. From a protective standpoint, there are also two kinds of approaches. One is legislative approach, largely adopted in EU and Canada. It is the government who enacts laws and regulations. The other is industry self-regulation approach largely adopted in the United States.
On March 11, 1996, the European Parliament and the EU Council enacted the information on database legal protection. It required the member states of the EU pass domestic legislation by January 1, 1998, and to carry out the content of the information in their own countries. The Consumer Policy Advisory Committee of the International Standardization Organization (ISO) proposed a standard for international personal privacy [10]. It is ready to regulate this standard for IT and e-commerce privacy. It sets up a technology committee to take charge of privacy issues. The International Telecommunication Union (ITU) not only established technical standards for multimedia terminal privacy protection, but also developed the relevant e-commerce standards involving privacy issues. The Universal Postal Union (UPU) worked out the global policy framework for consumer private data involving encryption and authentication.
Among the aforementioned privacy-protection measures, the most representative is the Data Protection Directive of the EU, which not only provides the principle for e-commerce consumer right to privacy protection, but also lays out specific criteria to be abided. The United States adopts the approach of industry self-regulation to protect the right to privacy of e-commerce consumers. However, the self-regulation approach has brought about many problems. Thus, the voice of calling for legislation on the protection of e-commerce consumer right to privacy is higher than before [11]. Canada and Japan lag behind the United States and the EU in the e-commerce legislation. They have only specific regulations on protecting e-commerce consumer right to privacy, but without a clear principle for guidance, how can solve all the problems just rely on these specific regulations? On the bases of the above, it is the EU who provided the most perfect regulations on protecting e-commerce consumer right to privacy [12].
6. Discussion
6.1. The Current Status in China
At present, China has a number of legal departments involved in the protection of personal privacy, but it has not yet formed a complete system as the concept of right to privacy is not clearly defined by law. In civil law, it is classified as an independent aspect of human nature and treated as independently. China takes an indirect method to protect the right to privacy. In order to protect right to privacy, the Supreme People’s Court makes it apply to the provisions of infringing the right to reputation by the means of analogy. This judicial interpretation is used to respond to this emergency situation by taking an alternative way to protect the right to privacy indirectly. Thus, this is a necessary supplement to the lack of legislation. However, the shortcomings of integrating the right to privacy into the right to reputation are obvious. Certain laws do regulate some aspects of protecting citizens’ privacy [13]. For example, Articles 39 and 40 of the Constitution states that the home of citizens is inviolable, the freedom of privacy and correspondence of citizens are protected by law. Article 140 of the General Rule of Civil (Trial) Law states making others privacy public is regarded as the behavior of infringing the right to reputation. The Interpretation of Questions on Mental Anguish Compensation Liability in Civil Tort stipulates that people who infringe the privacy of others will compensate for the mental anguish. And articles 252 and 253 of the Criminal Law regulate the criminal liability of infringing free communication.
Violating e-commerce consumer privacy involves collecting and disclosing illegally others’ personal datum and obtaining or disclosing illegally others’ communications secrets without permission. In addition, online sellers, in order to promote goods or services, send junk e-mails to consumers without permission, encroach upon consumer personal life, and violate e-commerce consumer privacy. At present, there are no directly applicable laws and regulations to adjust these violations in China.
6.2. Existing Problems in China
The e-commerce consumer in China cannot resort to either the traditional protection of the right to privacy or specific e-commerce consumer privacy protection laws and regulations; currently the only privacy protection of e-commerce consumers is the privacy protection statements on websites. Most of these statements are included in the policy bulletin on the website. In fact, the policies are unrelated to the use of personal information at all, moreover written in ambiguous words and often are attached to numerous exemption clauses.
From the standpoint of the legal status quo of right to privacy protection in China, there are regulations on right to privacy protection in the Constitution, the General Principles of Civil Law, Criminal Law, Administrative Law, Procedural Law, etc., but there are still many shortcomings.
First, the right to privacy is not clearly defined as independent right separated from human nature by law. The Constitution only asserts that citizens’ personal dignity is not to be infringed, that citizens’ residences are not to be infringed unlawfully, and that secret communications are protected by law. The General Principles of Civil Law, as the most important law sector, does not provide clearly the concept of right to privacy, also does not regard the right to privacy as an independent aspect of human nature. In judicial practice it protects the right to privacy is by the means of protecting the right to reputation. Although this provides a way to protect privacy, it obviously cannot meet the needs based on the particularity of privacy protection. A large number of administrative regulations and judicial interpretations have provided privacy protection, but their contents are scattered in different laws. Civil Procedure Law does not entitle citizens to lodge a complaint when right to privacy is infringed. A victim can achieve legal remedy in some matters such as the right of portrait, right of reputation, etc., but when victims meet absolute disputes on the right to privacy, they are often unable to appeal to legal relief as an independent right.
Second, the existing laws regarding citizens’ right to privacy cannot meet the need of increasingly advanced technology in e-commerce era. With the development of modern society, some products that endanger the right to privacy are coming out, such as wiretapping, surveillance, video, etc. Especially, the development of computer network technology brings about a new threat on protection of right to privacy. China has some relevant provisions, such as the Computer Information Network International Online Security Protection Management Approach, and the Computer Network International Online Management Approach for Chinese citizens regulated by the Ministry of Posts and Telecommunications [14]. However, these provisions are provided largely from the standpoint of national security and social stability. It is lack of clear provisions to protect privacy. Moreover there are some provisions related to protection of privacy, but the protection is not comprehensive.
6.3. Suggestion to Perfect the Legal System
In my opinion, the framework of e-commerce consumer right to privacy protection should take laws/regulations, conduct criterions and technology applications as the basis. Because China’s actual conditions are different from the Europe and United States, the same methods cannot be used directly. It’s better to take advantage of those aspects that can be applied to China. In the Europe, personal data is considered as a part of personal property, and right to privacy is one of basic human rights. Most of the European countries think much of privacy protection, in particular personal data protection, thus many European countries have legislations to protect personal data. The United States focuses on government agencies’ protection of personal data while encouraging self-regulation of private enterprises, which keeps in line with a traditional stance in the United States—small government and big corporations. There are not many enterprises with a long history and good reputation in China, so if these enterprises were allowed to regulate entirely themselves by their own norms without corresponding laws, regulations, and management from government agencies, they would not be trusted by people. In other words, pure self-regulation cannot work in China. In order to make the Internet become a truly free transaction space, and protect fully e-commerce consumer rights and interests, standardized management by the government on the network is indispensable. That is, the government must regulate laws and regulations, and implement them.
China is a country with a tradition of statute law, which will not be changed in the contemporary legal system. Law is the preferred solution to protecting the right to privacy of e-commerce consumers. However, if only depending on the government, or the enterprise, or individuals, the right to privacy of e-commerce consumer will be difficult to be protected [15]. Only through cooperation among these parties, the problem will be possible to be solved, and the harm or loss will be reduced to a minimum. There is no contradiction between law and self-regulation, but both must complement each other. Therefore, based upon the traditional cultural backgrounds and social environments at present in China, in my opinion, the best measure is to take the protection mode including the main legislation and complementary self-regulation.
7. Conclusions
The main purpose of this paper was to make a comparative study on regulations of the right to privacy in EU, the United States and Japan. EU provides the most advanced regulations to protect e-commerce consumer right to privacy, which regulates the principle for e-commerce consumer right to privacy protection and lays out specific criterion to be abided.
Currently, there are no directly applicable laws or regulations to adjust the violations of e-commerce consumer privacy in China. Although there are regulations on right to privacy protection in the Constitution ant other laws, the right to privacy is not clearly defined as independent right separated from human rights by law and the existing laws regarding citizens’ right to privacy cannot meet the need of increasingly advanced technology in e-commerce era. Thus, in China, the better way is to make the protection mode including the main legislation and complementary self-regulation.