EU legislation on Net becomes law on Monday

One of the most significant and globally controversial pieces of European Internet-related legislation becomes official EU policy on Monday - a document which affects you if you either use the Internet or have a company website which gathers data on site visitors.

The Data Protection Directive will introduce regulations on how personal information can be collected, held, used, and redistributed. EU states already abide by some of the most comprehensive guidelines for handling personal information, but elements of them were becoming outmoded, specifically those regarding electronic handling of data.

This is because the existing directive, dating from the last decade, preceded the advent of the Web. It was also much narrower in scope than the forthcoming legislation. Current Irish law applies only to data held on computers, for example, and is intended to apply to databases of information kept in files or on disk. It does not specifically address how information might be gathered online, collated, and redistributed.

Yet Web technologies are making it easier and easier for data of the most intimate kind to be gathered about Web surfers, often without detection. The most obvious way this is done is through forms you are asked to complete on some sites, often to "register" to use them, or when returning online product warranty forms. These typically ask not just for name, address, phone and email fields to be filled in, but also income bracket, profession, and details on your interests. Many sites will not allow you to register or file your warranty form unless every field is filled in.

Surrendering such information is not necessarily a bad thing, if you are interested in news on further products for example. But many, if not most, sites do not make clear the purpose of collecting such information. Is it for internal use only? Will the information be sold to marketers, credit agencies, other retailers?

More surreptitious ways of collecting information utilise little programs called "cookies", which are placed on your computer when you visit some websites. Sometimes they only go to your computer and are returned, simply supplying the website's server (the computer which hosts the site) with basic information, like the domain name from which you came (the domain name is the part of your email address that comes after the @).

But other cookies settle into a folder in your browser and actually reside on your computer. They can send back information to the host server of a site every time you visit it. Some resident cookies are useful - they'll allow you to get right into a site without having to type in a user name and password every time (as on the New York Times website). Or, they'll allow you to go to a site and receive the news and features you have asked for (as when you personalise a page on the search engine sites - a.k.a. "portals" - like Yahoo or Excite).

But many privacy advocates fear the potential of cookies to secretly examine your files, or to track your movements everywhere on the Web and report them back to a host computer, or even deliver belligerent programs which could damage your own system or a network. (Most browsers allow you to block cookies or only accept those which simply send information straight back to the host computer, but do not remain on your hard drive. Look for the "preferences" or "options" file on the menu bar of your browser and then look for the section which controls cookies.)

The Data Protection Directive will not allow websites to gather information on EU residents without clear notification and without their permission. It places tight controls on how any data gathered in this way can be used. It also limits how any computerised personal information on Europeans can be processed outside the EU.

In the US, the push has been to avoid government intervention in how personal data is handled.

Companies are trying to come up with a self-regulatory approach. Unfortunately for them, they've produced nothing so far to persuade the EU that it should opt for the same set-up.

Indeed, the EU has shown absolutely no intention of relaxing its privacy protections for its citizens. This is a source of serious concern for US industry and, several months ago, the US government was supposed to be aiming for some sort of compromise because it feared the EU stance could stifle e-commerce.

Obviously, no compromise was reached, and we get our Data Protection Directive on Monday. Of course, the US could always adopt the EU approach, which may end up being the "compromise" achieved down the line. But in the meantime, expect to see some sparks fly as the "personal data as commodity" approach clashes with barriers protecting personal data as private property.

Karlin Lillington is at klillington@irish-times.ie