Trustmark Schemes Struggle to Protect Privacy (2008)
11. Government and Trustmark Schemes
There has been some minimal overlap between government regulation of privacy and trustmark schemes, although to date this has been restricted to a few instances in the United States.
For example, several trustmark schemes, including TRUSTe, are approved complaints resolution bodies for the purposes of the EU Safe Harbour regime. Their actual legal role in the Safe Harbour regime is limited to the provision of dispute resolution services.
Similarly, a small number of trustmark schemes, including TRUSTe and Privo, have been approved by the FTC as complaints resolution bodies for the purposes of the Children's Online Privacy Protection Rule (COPPR).[91]
There has been no published analysis by either the EU or the FTC of the effectiveness of these schemes since their approval.
Although this level of Government approval is limited to specific seals (such as the TRUSTe Children’s Seal), there is a risk that trustmark schemes may gain broader legitimacy for their generic privacy seals, through this association with Government.
An important development is that trustmark schemes are set to play a role in the APEC Privacy Framework 2005.[92] The APEC Privacy Framework is designed to provide a consistent approach to information privacy protection across APEC member economies. A major focus of the APEC work is now the development of Cross Border Privacy Rules (CBPRs).
These Cross Border Privacy Rules will be assessed by an approved accountability agent against a set of common criteria, and the accountability agents will vary per jurisdiction – they could be Privacy Commissioners or trustmark scheme operators. If an organisation’s CBPRs are assessed as compliant, it will be added to a public directory of compliant organisations.[93]
Under this system, a decision by an approved trustmark scheme could be considered equal to a decision by a Government regulator such as a Privacy Commissioner:
Under the agreed framework, a participating economy accepts the assessments made by the designated entity in another participating economy following the choice of approach to CBPRs in that economy (e.g. one economy may have a privacy commissioner it designates to make assessments and another economy may choose to use existing Trustmark bodies, but it would be agreed that a decision by either entity to include an organisation on the list would be accepted).[94]
There is a real concern that this approach in APEC may result in trustmark schemes being seen as an adequate form of privacy protection in the region, or (even worse), equivalent to privacy legislation. TRUSTe already states that it has been chosen as the US Accountability Agent for the 2008/2009 APEC Pathfinder project (similar to a pilot project).[95]
The use of trustmark schemes has not been legitimised in this way elsewhere. Indeed, the OECD recommendations on cross-border privacy enforcement exclude commercial organisations such as TRUSTe:
‘Privacy Enforcement Authority’ means any public body, as determined by each Member country, that is responsible for enforcing Laws Protecting Privacy, and that has powers to conduct investigations or pursue enforcement proceedings.[96]
There are other limitations on the potential use of trustmarks as a complement to privacy legislation at the regional level. In practice, trustmark schemes are effectively restricted to domestic companies. For example, trustmark scheme information in Japan and Vietnam is largely available only in local languages. In Japan the list of trustmark members is not available in English and the trustmark logo itself is written in Japanese characters.[97]
[91] Children's Online Privacy Protection Rule, 64 Fed. Reg. 59888, 3 November 1999, <http://www.ftc.gov/os/1999/10/64fr59888.htm>.
[92] More information on the Framework and Principles is available at: <http://www.apec.org/content/apec/apec_groups/committees/committee_on_trade/electronic_commerce.html>.
[93] Asia-Pacific Economic Cooperation, The Cross-Border Privacy Rules – Implementation and Operating System, 2006/SOM3/ECSG/DPM/009, September 2006, <http://www.rsaconference.com/uploadedFiles/2007/us/Conference_Content/ESAF/Cross_Border_Privacy_Rules_Implementation_and_Operation.pdf>.
[94] Crompton M, The APEC Privacy Framework - Creating Trust in developing Cross-Border Privacy Rules: A Progress Report, 2007, <http://www.iispartners.com/apec8march.pdf>.
[95] Rotman D, Phillips J, Kurtz C, Tomaszewski, How to Effectively Transfer Data Overseas, 2007, <http://www.truste.org/webinars/eu_data_transfer/Website_EU_Presentation.pdf>.
[96] Organisation for Economic Cooperation and Development, OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy, 2007, <http://www.oecd.org/dataoecd/43/28/38770483.pdf>.
[97] <http://privacymark.org/application/new/qualification.html>.