E-Privacy for Electronic Commerce Implementing E-Privacy - An Enterprise Approach Tony LAM Deputy Privacy Commissioner for Personal Data, Hong Kong SAR Conference on E-Privacy in the New Economy March 26,

Why the concern about E-Privacy It’s a core value of an organisation in any E- Business initiative “It is not whether an organisation can afford to adopt an E-Privacy policy, but whether it can afford not to do so” 2

E-Privacy : A Business issue How can organisations improve key processes in an increasingly competitive environment? How can organisations maximise the benefit of information in the new information age? Can E-Commerce maximise its value to consumers and simultaneously retain their trust and confidence? 3

E-Privacy : A Management issue “Failure to deal with privacy issues can present frightening risks to the E-Business enterprise” Loss of competitive advantage Loss to potential business 4

E-Privacy : A Management issue “When the client of a major bank can have $900,000 stolen from his account despite all the protections that are written into the system, it seems that even the biggest companies are vulnerable against the skills of a determined Internet criminal.” Source : South China Morning Post, February Unfavourable publicity Customers walk away 5

E-Privacy : A Management issue “In 1998, a federal jury in the US awarded an identity theft victim $50,000 in actual damages and $4.7 million in punitive damages against a major credit- reporting agency. Jurors found that the company failed to follow reasonable procedures to maximise accuracy and that it, in doing so, willfully defamed the defendant” Source : Privacy Times Magazine, May Other costs of remedy Direct costs of litigation 6

E-Privacy : A Consumer issue “Despite the fact that the majority of the sites collected personal information from the user, only a tiny minority provided a privacy policy that gave users meaningful information about how that data would be used. Sites both in the US and EU fall woefully short of the standards set by international guidelines on data protection” Source : Consumer International Report, 2001 Trust and confidence are not yet the hallmarks of E-Commerce 7

E-Privacy : A Consumer issue “Fewer than 2% of all respondents have bought goods or services or traded securities online. The main reason cited by respondents for not using the Internet to shop or trade was concern about security” Source : Census & Statistics Department Survey, 2000 “Of all the respondents, about 52% gave a rating of 8 or more on a scale of 0 to 10 to indicate their privacy concern about purchasing online. The highest privacy concern was “money loss due to interception of your credit card (84%), followed by “misuse of personal data by third parties (72%)”” Source : PCO Opinion Survey,

E-Privacy : Consumer Concerns n Security threats –Insecure transmission of sensitive data –Unauthorised access, modification of information n Privacy intrusion –Unlawful & unfair collection of personal data –Disclosure of data for fraudulent purposes –Misuse of data for unintended purposes without consent –Unsolicited commercial s 9

E-Privacy : A Regulatory compliance issue E-Privacy data practices should operate on the principle that what is illegal offline is illegal online Hong Kong Privacy Law Personal Data (Privacy) Ordinance International and National Regulation EU Directive on Trans-border Data Flow International Conventions and Codes of Practice 10

Privacy Stories n Real Networks - online software distributor – –Collect musical tastes of users without their knowledge – –TRUSTe announced to review its licence agreement n n DoubleClick - online advertising agency – –Profile users’ browsing habits with data of Abacus, a direct marketing firm it had acquired – –FTC investigation ~ a drop of one-third in its share price n n Toysmart - a toy retailer – –Intended sale of a bankrupt business’ customer database – –Court injunction to prevent the sale taking place 11

E-Privacy : A Policy Framework Stage I E-Privacy Drivers Stage II Strategic Planning Stage III Strategy Implementation Stage IV Pursuit of Excellence 12

E-Privacy : A Policy Framework Stage I E-Privacy Drivers ê Organisation Culture ê Privacy Core Value ê E-Privacy Policy 13

E-Privacy : A Policy Framework Stage II Strategic Planning ê Identify E-Privacy issues ê Formulate strategies ê Privacy Impact Assessment 14

E-Privacy : A Policy Framework Stage III Strategy Implementation ê E-Privacy Policy Statement ê Privacy Enhancing Technology ê Compliance & Audit 15

E-Privacy : A Policy Framework Stage IV Pursuit of Excellence ê Manage & Review ê Enhance Compliance ê Continuous Improvement 16

E-Privacy Policy Statement Privacy policies and accurate public statements outlining such policies are a vital step towards encouraging openness and trust in E- Commerce among consumers “They can help consumers to make informed choices about entrusting an organisation with personal data and doing business with it” 17

Core elements of an E-PPS n General statement of personal data policy –your overall commitment to protecting the privacy interests of your consumers n Statement of data handling practices –the kind of personal data held –main purposes for which personal data are used n Notice of other practices –data disclosure practice –data retention and security policy –choice & consent in Internet marketing 18

Making an Effective E-PPS Whenever a web site collects personal data of consumers A prominent “hotlink” from the home page A linked page from any data collection forms Written in simple and easy to understand manner Conforming with acceptable privacy standards Relevant to the online environment of the site Reflecting the core values of privacy protection Avoid “over-commitment” and “under-delivery” 19

E-Privacy : The Pay-off n Building trust & confidence in the E-Economy n Gaining competitive advantage n Enhancing corporate governance 20

Contacting PCO n Hotline n Internet - n - n Correspondence - Unit 2001, 20/floor, Office Tower, Convention Plaza, 1 Harbour Road Wanchai Hong Kong 21