What You Must Know About DRM

8 The 15 member states of the EU were required to implement the directive into national law by October 25, 1998. Consequently, many European countries have comprehensive privacy legislation that could apply to personal information of consumers that is collected, used or disclosed by European-based companies selling digital products that use DRM technologies. In addition, companies that use DRM technologies to protect digital music, movies, or books that are sold online to European customers should note that an EU Data Protection Working Party has published a paper that examines how EU data protection laws would apply to personal information processed on the Internet by non-EU based Web sites (e.g., in the U.S.). In particular, the paper notes that: The directive would also apply to information collected through spywares, which are pieces of software secretly installed in the individual's computer, for instance at the occasion of the downloading of bigger software (e.g. a music player software), in order to send back personal information related to the data subject (e.g. the music titles the individual tends to listen to) ... As these technologies are by definition used without informing the user (the name spyware is clear in that respect) they are a form of invisible and not legitimate processing. 27 In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) 28 applies to federally regulated private-sector organizations that collect, use or disclose personal information, either in paper or electronic format, in the course of their commercial activities. Consequently, PIPEDA would not likely apply to U.S. companies that use DRM technology to protect digital music, movies or books sold online to Canadian customers. However, PIPEDA could apply in certain circumstances to personal information that is collected, used or disclosed by any federally-regulated Canadian company (e.g., cable or telecommunications companies) that use DRM technologies to protect digital music, movies or books sold on Canadian Web sites. In the absence of privacy legislation, companies that provide DRM-protected products should consider adopting fair information practices. In 1980, the Organisation for Economic Co-operation and Development (OECD) adopted the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. 29 These guidelines include eight Basic Principles of National Application, commonly known as "fair information practices," and form the basis for virtually all privacy legislation around the world. In 1996, the Canadian Standards Association (CSA) released a Model Code for the Protection of Personal Information, 30 which is based on the OECD Guidelines. The CSA Model Code includes the following 10 privacy principles: · Accountability · Identifying Purposes · Consent · Limiting Collection · Limiting Use, Disclosure, and Retention · Accuracy · Safeguards · Openness · Individual Access · Challenging Compliance