Chapell & Associates

Friday, September 01, 2006

The privacy investigation of eBay UK

eBay UK is being investigated for possible privacy violations by the UK Information Commissioner’s Office (ICO). eBay UK allegedly violated the UK Data Protection Act of 1998 by making it extremely difficult for users to delete their accounts. Although the other large website companies cited in the report by Privacy International, which spawned the complaint, don’t even offer users the ability to delete their accounts, Privacy International targeted only eBay in its complaint to the ICO.

Although Privacy International’s report focuses primarily on the issue of deleting users’ accounts, the reason that its “test complaint” was filed against eBay UK is probably due to eBay’s Verified Rights Owner (VeRO) Programme, which was also mentioned in the report.

eBay’s VeRO Programme is supposed to guard against copyright, trademark or patent infringement and help prevent the sale of counterfeit goods by sharing users’ personal information among the over 10,000 Programme participants. In an article that appeared in The Guardian, eBay stated that it shared user information only with law enforcement agencies. The same article reported that the ICO would be looking into what criteria are used to share the information among VeRO Programme participants.

I think it’s perfectly reasonable for the UK ICO to want to examine eBay’s VeRO Programme more closely – and for Privacy International to bring it to the ICO’s attention. However, it seems a bit disingenuous for Privacy International to prepare a report based upon the receipt of “a number of complaints from Internet users claiming that some large online organisations operating in the UK market have either disabled or obstructed the deletion of customer accounts,” and then to file a complaint against the only large company that permitted the deletion of users’ accounts, rather than against its other “case study,”

Privacy International notes that Amazon “provided the most blatant example of companies that refuse to provide account delete facilities.” Privacy International also acknowledges that eBay UK permits users to delete their accounts, albeit after some non-intuitive hoop-jumping. If this were really about denying users the ability to delete their accounts, why not go after Amazon UK, a well-known company that doesn’t permit account deletion at all? That would, after all, make a relatively easy and straightforward case for violating the UK Data Protection Act. Yeah, but then the Information Commissioner’s Office couldn’t also be looking into a law enforcement-type data-sharing program like VeRO as part of the complaint.

It would be nice – and consistent – if privacy advocates were as transparent in their motives as they expect other entities to be.

posted by Elise on Friday, September 01, 2006

© 2005 by Alan Chapell & Associates LLC