PRIDE Requirements and Success Factors
Work Package 2 of Telematics for Libraries project PRIDE (LB 5624)
PRIDE
Title page
Table of Contents

Previous

3. Legal and Commercial Issues

3.1 Glossary

Copyright

Protection of works defined by national, and increasingly, international, legislation granted to creators and their appointed agents

Licence

A framework for creators and their appointed representatives to define the terms and conditions, under which a creation may be used, copied, distributed and exploited.

3.2 Copyright Law

PRIDE will have to take into account copyright law and other rights of intellectual property particularly if it permits the information it has identified to be modified in any way. If this is the case, the EU Directive on databases will apply to PRIDE. Under the EU Directive, databases are seen as creative works and have been awarded copyright status. Relevant examples include holdings of manuscripts and letters in the form of electronic catalogues.

As far as PRIDE is concerned the copyright directive will not apply to a broker service, i.e., a medium or conduit that identifies resources with read accesses only. However the transition of copyright from print to electronic works of art is not a smooth process since copyright legislation cannot follow the rapid technological change. The introduction of advanced technological products such as PRIDE raises problems of appropriateness of the law especially when one looks at Z39.50 information retrieval clients and the potential to copy records from a distributed network, which makes these issues even more complex.

3.3 Data Protection

On 24 October 1995 the European Parliament and the Council adopted directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. <URL:http://www.privacy.org/pi/intl_orgs/ec/eudp.html>

This EU directive is most significant to PRIDE because the PRIDE directory service will contain personal data. Personal data will be used for authorisation, registration and cost recovery and integration with other services outside the library domain. Therefore privacy rights will have to be respected. Recent surveys have indicated that concerns about privacy are one of the major inhibitors to e-commerce.

The EU directive empowers EU authorities to cut off after October 25 exports of many kinds of personal information to countries which they judge do not have adequate data protection arrangements. This includes the US where data protection has been left to industry self-regulation. This may be an impediment to the future growth of PRIDE services if it is to develop into a one-stop declaration of personal information rather than a multiple registration service.

The UK Data Protection Act 1998 gives no clarification on the position of personal information and the Internet. In essence the Act is very close to the current law: at least 80% of compliance with the Act flows from complying with the Data Protection Act 1984. Key elements which will continue under the new law include: the data protection principles of good practice; registration; an independent supervisory authority to oversee data protection legislation; and the data subjects' rights to access their personal data, to correct inaccurate data and claim compensation for damage suffered in certain circumstances.

3.4 Self Regulation

Personal information is widely available because it is collected by numerous organisations such as schools, universities, business (employers and telephone companies) and membership records. The government collects and makes personal information widely available in the form of the Electoral Roll and Public Registers. Much of this personal information is held in databases and can also be found on the Internet. There is little law governing its collection and distribution - only self-regulatory polices and procedures adopted by the information services industry.

Because there is little law governing the use of personal information on the Internet it may be prudent for PRIDE to adopt a self-regulation policy. This policy may involve the selection of those sites for inclusion in the directory that adopted data protection principles of disclosure and informed consent or adopt the use of a branded on-line seal or trustmark to signify compliance with personal information policy.

This policy is already being used by organisations like CommerceNet and the Electronic Frontier Foundation (EFF). Sites that display the trustmark have formally agreed to adhere to privacy principles, disclose their information gathering and dissemination practices, and submit to a comprehensive assurance process.

The main industry principles include removing certain categories of non-essential, personally identifiable data from information products and services such as financial or medical records, removing the records of individuals under the age of eighteen from locator service products. The principles are directed at directory services such as PRIDE that provide information that assists users in identifying individuals for various purposes.

3.5 Cryptography

Cryptography covers systems used for protecting information against unauthorised access. Cryptography is one important technical means by which PRIDE will ensure the integrity and confidentiality of its electronic payment services. In a networked environment information is increasingly at risk from theft or misuse. Cryptography is the key enabling technology that allows personal information and communications to remain private and safeguards the security of online transactions, without fear of fraud.

Governments have tried to limit the use of encryption for fear that their intelligence activities are hampered by the cryptographic use of foreign states and criminals. Since the rise of cryptography over the past decades, governments increasingly worry about criminals using cryptography to thwart law enforcement. Thus, many countries are considering laws focusing on maintaining law-enforcement and national-security capabilities through regulation of cryptography.

The regulatory mechanisms in place to restrict cryptography are through import/export controls on cryptographic products. This policy is in deference to law enforcement and national security concerns over the ability for governments to listen in. Any regulation hindering the use of encryption products and services will hinder the flow of personal information, which is related to the provision of PRIDE services.

Until there is an international settlement on full strength encryption products, the encryption industry will not be able to move forward. The prohibition of such products would be unenforceable in practice, since the basic mathematical methods are published and well known and can be easily implemented in software. In May 1997 Microsoft announced that it had obtained US government approval for the export of powerful 128-bit encryption to banks world-wide for protection of online financial transactions and other moves since have continued to demonstrate the problems.

3.6 International Protection

The EU Data Protection Directive has tried to harmonise the conditions under which access to personal data processing and transfer to third countries is lawful. The main shared principles enacted by member states are in the area of:

3.6.1 Access

The data subject is entitled to a description of the data being processed about them, a description of the purposes for which it is being processed; a description of any potential recipients of the data and any information as to the source of the data (where available). In addition where the data are processed automatically, and are likely to form the sole basis for any decision significantly affecting the data subject, then they will also be entitled to know the logic involved in that decision making.

3.6.2 Processing

The UK Data Protection Law provides that processing may only be carried out where one of the following conditions has been satisfied.

Stricter conditions apply to the processing of sensitive data. This category includes information relating to racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, health, sex life and criminal convictions.

3.6.3 Transfer of data overseas

Personal data may only be transferred to third countries if those countries ensure an adequate level of protection for the rights and freedoms of data subjects. It is unlikely that adequate protection to EU standards will be found widely outside the EU.

3.6.4 Data Protection and the Internet

Data protection laws vary considerably from country to country and therefore make it difficult to know which laws apply. What may be subject to data protection in one country may well be considered fair use or legitimate private use in another. For example the EU directive also applies where the processing involves the transmission of data over a network, but legislation by member states covering the networks seems to be still further away. This is because of the practical problems of combating unlawful behaviour over a network like the Internet. The Internet knows no geographical boundaries or time constraints, to such an extent that, in the time it takes to draw up a writ or issue an injunction, the illicit activity will already have been relocated to a more tolerant host country. <URL:http://europa.eu.int/comm/dg15/en/speeches/rome0598.htm>

Sweden has attempted to address the problem of personal information in computers and has passed The Swedish Personal Register Law which came into effect on 24 October 1998. The law makes much of the publication of information about individual persons on the Internet illegal, such as criticism of named persons, publication of lists of references in scientific papers or the sending of e-mail messages outside of Europe.

If you interpret the act literally, it would mean that the projects developing electronic commerce tools such as PRIDE will be severely limited. It is almost impossible to ensure compliance of specific technologies with the current Swedish legal framework. For example, writing of an e-mail message to a recipient outside Europe without the prior permission of the recipient is imprudent. Such compliance will imply high cost and is probably impractical.

Regarding the Internet, the EU Data Protection Directive has not been enacted by member states to the same degree as Sweden. In fact the UK Data Protection Act 1998 gives no clarification on the position of personal information and the Internet. The European Commissioner for the Single Market, Mario Monti, is disappointed that some Member States are lagging behind on implementing the Directive in national law, and will not hesitate to open infringement procedures against them. <URL:http://europa.eu.int./rapid/start/welcome.htm>

3.6.5 Jurisdiction

The need to heed local laws, including those relating to obscenity or religion should not be underestimated. PRIDE will have to take into account the type of material held in the directory if it wishes to avoid unwelcome attention.

(Don't do that, by Owen Keane Internet works, September 1998, p.86-87)

The cross-border nature of PRIDE can create problems of conflicts between different countries' laws and require the courts to decide whether they have the jurisdiction to hear a case. PRIDE will have to be familiar with the legal requirements and jurisdictional effects of a given country in which it operates. For example, in the Atlanta Georgia case, French law forced the French campus of an American school based in Tubon, France to translate its web pages into the French language in order to comply with the French language law because it was located in France. This ruling may have a significant effect on PRIDE. Under French local consumer law, PRIDE may have to show its information in the local language in order for contracts to be enforceable.

3.7 Licensing

It will be necessary to acquire a collective licence agreement, which covers all repositories in the PRIDE Directory. The licence defines the terms and conditions that apply for different types of exploitation. It will give PRIDE a clear instruction in the form of conditions and terms. The rise in the use of distributed network resources will render individual licensing obsolete and collective licensing the only form of licensing possible.

PRIDE will have to acquire all the rights necessary to produce and market the service. This will include the right to link to data repositories home page.

3.8 Contracts

3.8.1 Personal data contracts

The development of model contract clauses to guarantee the protection of personal data is one possibility of dealing with the EU principle on transfer of personal data overseas but the problem of enforcing such a contract to protect the data subject is still being considered.

The International Chamber of Commerce has written a model contract for cybertrading in relation to data protection. Under the terms of the model clauses companies outside the European Union would undertake to give personal data emanating from within the EU the same level of protection as the EU's data protection directive. The clauses also provide for legal remedies if consumers believe their legal rights on privacy have been breached.

3.8.2 Electronic contracts

All electronic contracts try to impose certain terms and conditions such as use of services, maximum liabilities, payment methods, disclaimers and various other points. It is assumed that PRIDE will be using electronic contracts for the purpose of agreement between users.

This raises questions of liability and applicable law. For example, web-wrap or click-wrap agreements are web page accept buttons which oblige the user to accept the standard terms and conditions before they see the rest of the site or place a query. Although no English case law exists concerning web-wrap contracts these were upheld in the US in the case of Hotmail v Van Money Pie 1998.

Under the draft US Uniform Commercial Code 2B regulations, contract terms must be presented at the time of access to, or immediately prior to the placing of a query on a online service. The user must also be required to take certain affirmative conduct to indicate acceptance, such as by clicking on an accept button and be able to cancel the query at any time before transmission. European rules on electronic commerce, which are currently being drafted, are likely to follow this model.

3.9 Taxation

There was an OECD agreement on the 8 October 1998 intended to develop a common approach to taxing electronic commerce and prevent fiscal discrimination against transactions and services on the Internet. The OECD agreed that indirect taxes on e-commerce should be levied on the basis of where they were consumed, not of where they were produced. This may result in PRIDE paying no tax, however governments have still to agree how the place of consumption for Internet services should be defined.

Another taxation issue is to decide how the "permanent establishment" principle, traditionally used to determine direct taxation of businesses, should be applied to Internet web sites and e-commerce. The OECD has started a work programme aimed at clarifying these questions and is expected to take two years. These issues need to be settled quickly to avoid uncertainty and unnecessary administrative costs.

3.9.1 VAT

Selling books on the Internet normally is VAT free (zero-rated), however, selling the same information for immediate download from the Internet would attract VAT at the full rate. Because of the existence of anomalies between EU and domestic laws concerning VAT, PRIDE will have to take into account whether the directory constitutes a book and whether the user will be charged VAT accordingly for its use.

3.10 Level of Services

3.10.1 Administration

Questions arise about who will be responsible for managing the necessary operational services, co-ordinating development activities and liasing with contracted repositories.

It will be necessary to establish a highly individualised system of controlling and accounting for individual uses (provided, of course, privacy issues can be resolved) of PRIDE. It will have to contain not only information regarding the rights of the user, but in addition the complete individual licensing terms and conditions of respective repositories.

In order to protect against abuse by users, PRIDE Administration will have to maintain certain records, including the identity of subscribers and the terms and conditions agreed by them such as type of access.

3.10.2 Protection

As regards data security the EU directive requires Member States to provide that a data controller must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration and unauthorised disclosure or access. The EU directive also applies where processing involves the transmission of data over a network, and against all other unlawful forms of processing. Furthermore, monitoring the flow of records accessed by users may violate data protection.

In order to maintain customer confidence PRIDE could include only those sites in the directory that had appropriate protection.

A recent survey published by Business Week showed that 78% of users would make greater use of the Internet if the confidentiality of personal data and communications were protected more effectively. Confidentiality was by far the main concern of persons interviewed, ahead of the issue of connection costs (64% of responses).

As with any other form of service, PRIDE will have to take into account the principles of supply and demand. If the concerns voiced on the demand side are for protection, PRIDE will have to take this on board if it is to enjoy genuine and sustainable growth. <URL:http://europa.eu.int/comm/dg15/en/speeches/rome0598.htm>

3.10.3 Security

Security requires policy, management, and constant monitoring and verification. PRIDE will have to provide security to avoid unauthorised access to the directory. The security provided would have to use strong encryption to ensure proper protection of personal information from persons who may exceed their authorisation.

3.10.4 Transactions

The most common method of payment over the Internet presently in use is the credit card. This method is perceived in some quarters as being insecure. One possibility would be the use of a Smart Card but it is still beyond the reach of most organisations in terms of cost to make it viable at present. Digital wallets are another method of payment PRIDE may wish to consider. Although in its developmental stage, the idea is that money is coded and held in a special file, the wallet, and can be used up in very small denominations, making it easier to pay for information (micro payments).

The main concern for PRIDE is whether the government will allow these systems to become part of the fiscal infrastructure. In a global environment PRIDE will need the support of a bank to be able to support multiple payment models in order to do business with customers.

3.10.5 User support

Where there are difficulties in using the system, PRIDE services realistically should support on-line and help-line services.

3.11 Marketing

3.11.1 Advertising

When PRIDE links to a data repository's home page it will have to take into account the advertising on that page. Misleading or offensive advertising will have an adverse affect on consumer confidence. Under any agreements with data repositories it will be difficult to bypass advertising on their home page, therefore PRIDE will have to have some kind of logo to indicate that its services are being used.

In the UK, trades description legislation applies equally to services on the Internet. The dangers of not keeping a Web sit up to date were demonstrated when Virgin Atlantic in New York was fined $14,000 for misleading advertising information. The prices on its Web site were simply out of date. This may put PRIDE in a difficult position insofar as it may have to limit the description of data repository services and charges in the directory.

3.11.2 Branding

This is an area which must be addressed by PRIDE because it will influence the way that users access services and the way that the services are packaged and made attractive to consumers.

PRIDE could adopt an organisation brand, on-line seal or trustmark to signify security and product quality assurance similarly to the privacy program by TRUST (<URL:http://www.truste.org>), an independent, non-profit organisation dedicated to establishing a trusting internet environment

Opportunities

Archived information. Old catalogue material, which may not have been used during recent years, could be easy to exploit. The directory will in effect seem like a yellow pages with data repositories wishing to advertise their collections, particularly if charges are levied for items retrieved.

3.12 Commercial context

John Kay's book (OUP, 1993) 'Foundations of Corporate Success' is recognized by Arthur Andersen Consulting staff as identifying four areas in which ventures must succeed: innovation, branding, access to strategic assets and good business architecture (the web of relationships within which the business operates). As a whole, assessing libraries against this suggests: 1) libraries have been innovative, but may be lagging other organisations in Web development; 2) there is currently a problem with branding libraries together, by region, subject area or library/service type, as no infrastructure exists to build or support the brand(s), despite the relative popularity of public libraries compared with other public services, and the acknowledged role of librarians in corporate, government and educational institutions; 3) strategic assets are a strong point, but again, access terms are critical; 4) libraries need to take the best of their traditional networking, such as the UK ILL network and international ILL/ national library networks, but be prepared to set up new relationships to strengthen the overall network presence. Strong research-based development of clearly-defined goals and a roadmap of service developments are needed. Pilots should be based on involving key players with specific expertise. Areas to be looked at should include discussion with organisations such as major publishers (eg Chadwyck-Healey, HarperCollins), broadcasters (eg BBC), associations which have existing large communities (eg Library Association), new media companies, for digital TV and Web development (eg Microsoft, cable companies, WebTV - <URL:http://www.webtv.com/home/index.html>) and also government, local and national. EARL in the UK could be used to provide the basis for international understanding of the way forward.

An early aim could be to establish PRIDE library services as an entity which could be added to Net directories, portals and homepages of other organisations through simple links which would results from negotiations with the operators. Trials and pilots combined with careful measurement of results would then guide future marketing efforts. This strategy might then result in some restructuring of supplier services to better match demand.

3.13 Content

Issues concerning how and from where content is accessed are ones that require more serious consideration. Information will have to be acquired from reputable sources whose data collection practices and policies will have to be reviewed before adding to the PRIDE Directory. This may ensure against inaccurate data and subsequent claims for compensation from individuals who may have suffered as a consequence.

3.13.1 Metadata

PRIDE may consider the use of PICS (Platform for Internet Content Selection) metadata for digital signatures and privacy. PICS was originally designed to help parents and teachers control what children access on the Internet.

PRIDE will have to take into account differences amongst data repositories' particular resource description formats and data element definitions. The use of a metadata registry seems to offer a solution to this problem. It would encourage the use of standard formats for describing resources by data repositories and ensure against duplication of records.

For relevant information concerning Metadata in relation to legal and business issues, PRIDE will have to monitor the work being carried out by UKOLN (The UK Office for Library and Information Networking) Metadata Group. <URL:http://www.ukoln.ac.uk/metadata/>. The group's mandate is to continuously review current approaches to resource description and look at future options for metadata in the wider context of resource discovery.

3.14 Enabling Technology

PRIDE will have to consider which data repositories support the Z39.50 standard for data search and retrieval that enables information to be interchanged regardless of the systems used to store or retrieve information. This standard will determine the breadth of service provided by PRIDE. PRIDE will have to consider the extent to which data repositories will rush to implement Z39.50 standard or any enabling technology for that matter for searches by PRIDE.

Because the Web has become the predominant source for networked information, PRIDE must work on the Web to demonstrate true access.

Of great significance is the growing acceptance of LDAP by leading Internet companies such as Microsoft, Novell and Netscape.

3.15 Conclusion

During the course of the project the legal environment will have changed and PRIDE will have to take into account those changes to ensure a straightforward deployment of an operational service at the end of the project.

3.16 Recommendation

PRIDE management should identify suitable responses to the issues raised in this report, and continue to monitor developments in these areas at appropriate intervals.


1999-01-22 PRIDE Requirements and Success Factors