E-Privacy for Electronic Commerce Implementing E-Privacy - An Enterprise Approach Tony LAM Deputy...


E-Privacy for Electronic Commerce

Implementing E-Privacy - An Enterprise Approach

Tony LAM

Deputy Privacy Commissioner for Personal Data, Hong Kong SAR

Conference on E-Privacy in the New Economy

March 26, 2001

Why the concern about E-Privacy

It’s a core value of an organisation in any E-Business initiative

“It is not whether an organisation can afford to adopt an E-Privacy policy, but whether it can afford not to do so”

E-Privacy : A Business issue

How can organisations improve key processes in an increasingly competitive environment?

How can organisations maximise the benefit of information in the new information age?

Can E-Commerce maximise its value to consumers and simultaneously retain their trust and confidence?

E-Privacy : A Management issue

“Failure to deal with privacy issues can present frightening risks to the E-Business enterprise”

Loss of competitive advantage

Loss to potential business

E-Privacy : A Management issue

“When the client of a major bank can have $900,000 stolen from his account despite all the protections that are written into the system, it seems that even the biggest companies are vulnerable against the skills of a determined Internet criminal.”

Source : South China Morning Post, February 22 2001

Unfavourable publicity

Customers walk away

E-Privacy : A Management issue

“In 1998, a federal jury in the US awarded an identity theft victim $50,000 in actual damages and $4.7 million in punitive damages against a major credit-reporting agency. Jurors found that the company failed to follow reasonable procedures to maximise accuracy and that it, in doing so, willfully defamed the defendant”

Source : Privacy Times Magazine, May 29 1998

Other costs of remedy

Direct costs of litigation

E-Privacy : A Consumer issue

“Despite the fact that the majority of the sites collected personal information from the user, only a tiny minority provided a privacy policy that gave users meaningful information about how that data would be used. Sites both in the US and EU fall woefully short of the standards set by international guidelines on data protection”

Source : Consumer International Privacy@net Report, 2001

Trust and confidence are not yet the hallmarks of E-Commerce

E-Privacy : A Consumer issue

“Fewer than 2% of all respondents have bought goods or services or traded securities online. The main reason cited by respondents for not using the Internet to shop or trade was concern about security”

Source : Census & Statistics Department Survey, 2000

“Of all the respondents, about 52% gave a rating of 8 or more on a scale of 0 to 10 to indicate their privacy concern about purchasing online. The highest privacy concern was “money loss due to interception of your credit card” (84%), followed by “misuse of personal data by third parties” (72%)”

Source : PCO Opinion Survey, 2000

E-Privacy : Consumer Concerns

Security threats

– Insecure transmission of sensitive data

– Unauthorised access, modification of information

Privacy intrusion

– Unlawful & unfair collection of personal data

– Disclosure of data for fraudulent purposes

– Misuse of data for unintended purposes without consent

– Unsolicited commercial e-mails

E-Privacy : A Regulatory compliance issue

E-Privacy data practices should operate on the principle that what is illegal offline is illegal online

Hong Kong Privacy Law

Personal Data (Privacy) Ordinance

International and National Regulation

EU Directive on Trans-border Data Flow

International Conventions and Codes of Practice

Privacy Stories

Real Networks - online software distributor

– Collect musical tastes of users without their knowledge

– TRUSTe announced to review its licence agreement

DoubleClick - online advertising agency

– Profile users’ browsing habits with data of Abacus, a direct marketing firm it had acquired

– FTC investigation ~ a drop of one-third in its share price

Toysmart - a toy retailer

– Intended sale of a bankrupt business’ customer database

– Court injunction to prevent the sale taking place

E-Privacy : A Policy Framework

Stage I

E-Privacy Drivers

Stage II

Strategic Planning

Stage III

Strategy Implementation

Stage IV

Pursuit of Excellence

E-Privacy : A Policy Framework

Stage I

E-Privacy Drivers

Organisation Culture

Privacy Core Value

E-Privacy Policy

E-Privacy : A Policy Framework

Stage II

Strategic Planning

Identify E-Privacy issues

Formulate strategies

Privacy Impact Assessment

E-Privacy : A Policy Framework

Stage III

Strategy Implementation

E-Privacy Policy Statement

Privacy Enhancing Technology

Compliance & Audit

E-Privacy : A Policy Framework

Stage IV

Pursuit of Excellence

Manage & Review

Enhance Compliance

Continuous Improvement

E-Privacy Policy Statement

Privacy policies and accurate public statements outlining such policies are a vital step towards encouraging openness and trust in E-Commerce among consumers

“They can help consumers to make informed choices about entrusting an organisation with personal data and doing business with it”

Core elements of an E-PPS

General statement of personal data policy

– your overall commitment to protecting the privacy interests of your consumers

Statement of data handling practices

– the kind of personal data held

– main purposes for which personal data are used

Notice of other practices

– data disclosure practice

– data retention and security policy

– choice & consent in Internet marketing

Making an Effective E-PPS

Whenever a web site collects personal data of consumers

• A prominent “hotlink” from the home page

• A linked page from any data collection forms

• Written in simple and easy to understand manner

• Conforming with acceptable privacy standards

• Relevant to the online environment of the site

• Reflecting the core values of privacy protection

Avoid “over-commitment” and “under-delivery”

E-Privacy : The Pay-off

Building trust & confidence in the E-Economy

Gaining competitive advantage

Enhancing corporate governance

Contacting PCO

Hotline - 2827 2827

Internet - http://www.pco.org.hk

Email - [email protected]

Correspondence -

Unit 2001, 20/floor, Office Tower,

Convention Plaza, 1 Harbour Road

Wanchai Hong Kong