Europese en Amerikaanse consumentenrechtenorganisaties pleiten voor label voor beveiliging persoongegevens bij online winkelen (en)
EUOBSERVER / BRUSSELS - US and EU consumer protection bodies are pushing for a data privacy labelling system which would make it easier for online shoppers to become aware of how their personal data is being used and passed on to other companies.
"By placing an order via this website ... you agree to grant us a non-transferable option to claim, for now and for ever more, your immortal soul. If you a) do not believe you have an immortal soul, b) have already given it to another party, or c) do not wish to grant us such a license, please click the link below to nullify this sub-clause and proceed with your transaction."
Intended as an April Fool's joke earlier this year, this optional clause was inserted in a privacy policy of a British online retailer, GameStation.
One would assume that most customers checked c). But in fact, 7,500 people, representing 88 percent of all shoppers that day did not click on the nullifying link.
"This is a funny, but very telling example of the fact that no one reads privacy policies when shopping online," David Vladeck, the US director for consumer protection in the Federal Trade Commission (FTC) said on Tuesday at a briefing on commercial data privacy in Brussels organised by The Centre, a Brussels-based think-tank.
Consumer data has become a priced commodity, he explained, companies are gathering all sorts of data on their customers which can be aggregated for "behavioural advertising", geolocation tools are now used in linking them up with personal consumer profiles, but most people are unaware of this when ticking the box "I accept."
"The best way to educate consumers would be to develop a market for privacy, with standardised privacy notices, in a way consumers can compare and choose," Mr Vladeck said, giving the example of the "nutritional facts" info box printed on every packaged food.
A similar model is being pushed in the EU by the European Consumers Organisation (BEUC), whose director, Monique Goyens, was also present at the event.
"Our position is that the data is yours and you should not give it away unnecessarily. For instance, why does an online ticket seller need to know the age and gender of the buyer? It's unnecessary data to target you as a consumer," Ms Goyens said.
Fresh regulation was however useless without proper enforcement. "It's estimated that 92 percent of data breaches are not notified in Europe. The rules and regulations are very protective, but enforcement is very weak, unlike the US," she noted.
Part of the problem, in Ms Goyens' view, is that European consumers can't file collective complaints against companies, as it is the case in the US, with individual damages being too small to make the time and costs of going to court worth the trouble.
Moreover, European data protection authorities are highly adept when it comes to pushing for general rules, but less so when it comes to enforcing rulings on individual cases.
"We need to see more sanctions when data breaches happen and clear rules on the law applicable. For instance, if it is a US company, the law applying should be the European one, if that is the residence of the harmed citizen," she said.
Mr Vladeck saw "absolutely no problem" with EU law applying to US companies and suggested that the best way to get more cases and penalties was to put in place a functional complaints system. In the US, the Federal Trade Commission receives yearly some 13 million complaints, he said, and this is "the best tool in fighting fraud and privacy breaches."
While in Brussels, the American official met with several data privacy experts in Brussels and said he appreciated the "input" for a proposal his office was preparing later this year on how to upgrade consumer protection with all the recent developments related to online commerce.
His office was looking with interest at the upcoming EU legislation under the Digital Agenda package, noting that even if the "means are different", with the US emphasising law enforcement over regulation, there is a shared transatlantic goal in protecting the consumers' personal data.