E-Privacy and Online Data Protection

April 30, 1998

Albert Einstein once observed that “things should be as simple as possible, but not simpler”. There is no reason why legal practitioners should be exempt from this sound dictum and I am pleased to report that the authors of E-Privacy and Online Data Protection have resisted the temptation to over-complicate this area of the law.

A recent study of online business placed the UK third out of the ten countries surveyed for the use of e-commerce technology to transform business processes. To the extent that such transformation involves the increasing use of personal data gathered online, a text specifically developed to provide guidance on the data protection issues arising from the use of the online medium is overdue. The authors must, however, be as disappointed as the reader will be with the timing of publication of their text. It was published shortly before the European Directive on the processing of personal data and the protection of privacy in the electronic communications sector was adopted, and so contains no detailed analysis of that important Directive. This is a shame for a text that markets itself as an essential reference work for practitioners dealing ine-commerce. The Directive will, despite its numerous fudges, do much to clarify the ground rules for data protection in the electronic communications sector, particularly in the area of location data, where the existing law is unsatisfactory.

E-Privacy and Online Data Protection provides a good overview of the legal framework which regulates the handling of personal information in thee-business world. It contains a logically organised structure informing the reader about significant privacy case law before setting out the statutory framework in the UK, and then an overview of United States privacy law. It then proceeds to consider in more detail specific issues of sectoral interest, and to offer useful precedents covering some of these issues.

As data protection practitioners know, however, data protection issues are often so closely entwined with business processes unique to individual industry sectors and sometimes individual businesses that the first challenge to providing practical, commercial advice is to acquire a thorough understanding of the specific technical and commercial environment in which their advice will be implemented. This creates a conceptual problem for specialist texts such as this, which attempt to survey the field as it applies to e-business in general. How does one translate the general principles of the statutory framework into compelling practical illustrations relevant to electronic communications media in different industries.

There is not much case law to go on at present and that makes it all the more important to provide worked examples and to apply the law to hypothetical cases, in order to draw out the likely impact of the law, and here E-Privacy and Online Data Protection misses an opportunity. There was an opportunity to look at technical issues such as whether standards like P3P offer a full solution to privacy problems online (No, they don’t). Or to breathe life into commercial considerations, such as how to implement a privacy-compliant viral marketing campaign.

Yet E-Privacy and Online Data Protection is rather short on case studies and there are no flow diagrams to help us better to analyse relationships between real world players in these sectors. The text provides a useful overview of specialist e-business privacy issues but then stops short of exploring how to apply them to specific scenarios. By way of example, the glossary merely defines P3P (the industry standard which provides an automated method for users to gain greater control over the use of their personal data online) without a discussion of its merits in the text itself.

It is a small omission, but omissions such as this are slightly disappointing. The conclusion must be that E-Privacy and Online Data Protection sets out to satisfy a more basic need: the need to provide the reader with a starting point for what s/he needs to know about the legal background to the data protection issues of conducting business online, leaving room for a more sophisticated specialist text in this field. In this at least the book remains true to Einstein’s dictum and does not over-complicate the key issues nor oversimplify the legal position about which the CEO of Sun Microsystems, Scott McNealy, once quipped “We have no privacy [online] – get over it”.

Marc Dautlich is a Solicitor in the Media, Communications and Technology Department at Olswang.