Galexia
             home
       about us
        services
        projects
       research
          contact
» home » research » assets » trustmarks struggle 20080926  

Subscribe to Galexia news and announcements.
More information »

Research archive: Galexia's research archive includes our published articles, casenotes, presentations, submissions, and intelligence reports. This material spans areas including e-commerce regulation, identity management and authentication, privacy, security, and internet jurisdiction. Find out more »

[2018 Global Cloud Computing Readiness Scorecard]

2018 Global Cloud Computing Readiness Scorecard
Find out more »

Trustmark Schemes Struggle to Protect Privacy (2008)

[« previous] [next »] [title page] [full contents]

11. Government and Trustmark Schemes

There has been some minimal overlap between government regulation of privacy and trustmark schemes, although to date this has been restricted to a few instances in the United States.

For example, several trustmark schemes, including TRUSTe, are approved complaints resolution bodies for the purposes of the EU Safe Harbour regime. Their actual legal role in the Safe harbour regime is limited to the provision of dispute resolution services.

Similarly, a small number of trustmark schemes, including TRUSTe and Privo, have been approved by the FTC as complaints resolution bodies for the purposes of the Children's Online Privacy Protection Rule (COPPR).[91]

There has been no published analysis by either the EU or the FTC of the effectiveness of these schemes since their approval.

Although this level of Government approval is limited to specific seals (such as the TRUSTe Children’s Seal), there is a risk that trustmark schemes may gain broader legitimacy for their generic privacy seals, through this association with Government.

An important development is that trustmark schemes are set to play a role in the APEC Privacy Framework 2005.[92] The APEC Privacy Framework is designed to provide a consistent approach to information privacy protection across APEC member economies. A major focus of the APEC work is now the development of Cross Border Privacy Rules (CBPRs).

These Cross Border Privacy Rules will be assessed by an approved accountability agent against a set of common criteria and the accountability agents will vary per jurisdiction – they could be Privacy Commissioners or trust-mark scheme operators. If an organisation’s CBPRs are assessed as compliant they will be added to a public directory of compliant organisations.[93]

Under this system, a decision by an approved trustmark scheme could be considered equal to a decision by a Government regulator such as a Privacy Commissioner:

Under the agreed framework, a participating economy accepts the assessments made by the designated entity in another participating economy following the choice of approach to CBPRs in that economy (e.g. one economy may have a privacy commissioner it designates to make assessments and another economy may choose to use existing Trustmark bodies, but it would be agreed that a decision by either entity to include an organisation on the list would be accepted).[94]

There is a real concern that this approach in APEC may result in trustmark schemes being seen as an adequate form of privacy protection in the region, or (even worse), equivalent to privacy legislation. TRUSTe already states that it has been chosen as the US Accountability Agent for the 2008/2009 APEC Pathfinder project (similar to a pilot project).[95]

The use of trustmark schemes has not been legitimised in this way elsewhere. Indeed, the OECD recommendations on cross-border privacy enforcement exclude commercial organisations such as TRUSTe:

‘Privacy Enforcement Authority’ means any public body, as determined by each Member country, that is responsible for enforcing Laws Protecting Privacy, and that has powers to conduct investigations or pursue enforcement proceedings.[96]

There are other limitations on the potential use of trustmarks as a complement to privacy legislation at the regional level. In practice trustmark schemes are effectively restrained to domestic companies. For example, trustmark scheme information in Japan and Vietnam is largely available only in local languages. In Japan the list of trust-mark members is not available in English and the trustmark logo itself is written in Japanese characters. [97]

[91] Children's Online Privacy Protection Rule, 64 Fed. Reg. 59888, 3 November, 1999, <http://www.ftc.gov/os/1999/10/64fr59888.htm>.

[92] More information on the Framework and Principles is available at:
<http://www.apec.org/content/apec/apec_groups/committees/committee_on_trade/electronic_commerce.html>.

[93] Asia-Pacific Economic Cooperation, The Cross-Border Privacy Rules – Implementation and Operating System, 2006/SOM3/ECSG/DPM/009, September 2006, <http://www.rsaconference.com/uploadedFiles/2007/us/Conference_Content/ESAF/Cross_Border_Privacy_Rules_Implementation_and_Operation.pdf>.

[94] Crompton M, The APEC Privacy Framework - Creating Trust in developing Cross-Border Privacy Rules: A Progress Report, 2007, <http://www.iispartners.com/apec8march.pdf>.

[95] Rotman D, Phillips J, Kurtz C, Tomaszewski, How to Effectively Transfer Data Overseas, 2007, <http://www.truste.org/webinars/eu_data_transfer/Website_EU_Presentation.pdf>.

[96] Organisation for Economic Cooperation and Development, OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy, 2007, <http://www.oecd.org/dataoecd/43/28/38770483.pdf>.

[97] <http://privacymark.org/application/new/qualification.html>

[« previous] [next »] [title page] [full contents]

[view all] [download PDF version]

[up to research]

 

Search for:

HERE

PrintVersionprint this page

Sitemapsitemap

Subcribe to RSS newsrss news feed

Manage email subscriptionsmanage email subscriptions

Latest News

September 2019
Register of Public Galexia PIAs. Read more »

September 2019
Updates to Galexia Website. Read more »

September 2019
PM&C / Office of the National Data Commissioner (ONDC) releases Discussion Paper and accepts recommendations from Galexia’s PIA on the proposed Data Sharing and Release legislative framework. Read more »

August 2019
Galexia providing privacy advice and an independent public Privacy Impact Assessment (PIA) on 2021 Census for ABS. Read more »

June 2019
Galexia completes privacy advice and an independent Privacy Impact Assessment (PIA) on the Naval Shipbuilding College Workforce Register. Read more »

view all news items »

[Home] [Sitemap] [Print this page] [Privacy statement]

© Galexia Pty Ltd
Telephone: +61 (02) 9660 1111
Email: [email protected]