Privacy Commissioner for Personal Data
"The Public Voice in the Development of Internet Policy"
October 7, 1998
Radisson Hotel, Ottawa
Sponsored by the
Global Internet Liberty Campaign
Electronic Commerce and Internet
Telematics - the marriage of computers and telecommunications technology - is creating new application and services in our daily life. The awesome growth of Internet, with 100 million people world-wide now surfing the Internet for fun and information and with the estimated number of Internet users to reach at least 300 million by the end of the century, provides impetus to new initiatives in electronic commerce.
Electronic commerce, conducting business over Internet, is growing at an phenomenal rate. Its many recognised advantages include a new channel of doing business which brings in new revenue, particularly with small and medium enterprises (SMEs) which could now access global markets easier and cost-effectively. New and innovative businesses also are mushrooming, e.g. contents providers with numerous databases, WEB design and marketing companies, and specialised hardware and software vendors for Internet applications and security.
There is a significant road block to the seemingly unstoppable momentum in harnessing the potentials of electronic commerce. This stumbling block is to do with ensuring trust and confidence of both the consumers and the businesses. A European Union document on electronic commerce summaries this concern admirably 1.
"For electronic commerce to develop, both consumers and businesses must be confident that their transaction will not be intercepted or modified, that the seller and the buyer are who they say they are, and that transaction mechanisms are available, legal and secure. Building such trust and confidence is the prerequisite to win over businesses and consumers to electronic commerce. Yet many remain concerned about the identity and solvency of suppliers, their actual physical location, the integrity of information, the protection of privacy and personal data, the enforcement of contracts at a distance, the reliability of payments, the recourse for errors or fraud, the possible abuses of dominant position - considerations which are heightened in cross-border trading."
Of all these concerns related to trust and confidence, data privacy is regarded as dominant, as the Internet is multiple networks with many pathways connecting many thousands of computers. Messages which could contain sensitive personal data are routed to their destinations via different routes often than not without adequate security. There exist the dangers of data being intercepted during transmission as well as their use and disclosure for unintended, unauthorised or fraudulent purposes.
Such a concern is consistently reflected in the annual Electronic Commerce and Privacy Survey2 conducted by Louis Harris and Associates and Dr Alan Westin in the US which has the largest electronic marketplace in the world.
The primary focus of the survey examines the experiences, concerns and policy preferences of the American public with regard to using the Internet.
The 1998 findings recently announced are consistent with previous Harris-Westin surveys conducted in the mid to late 1990's. Computer users and Net users in 1998 register similar patterns of intense concern over threats to their personal privacy:
- 87% of computer users say they are concerned, with 56% "very concerned";
- 86% of Net users say they are concerned, with 56% "very concerned"; and
- 86% of Net users that buy products and services are concerned, with 55% "very concerned".
- 85% of Net users rated collecting personal information about children without parental consent as "very serious" and 48% felt that receiving unsolicited e-mail (spam) was "very serious".
Net users in the 70% ranges rated the following four issues as "very serious":
- Someone tracking what web sites people visit and using
that information improperly 72%
- Personally-identified public record information about
individuals being put on the Internet .. 72%
- People reading e-mail that is not addressed to them .. 71%
- Websites collecting the e-mail addresses of site visitors
without their knowledge or consent to compile e-mail
marketing lists 70%
Of those who say they are not likely to access the Internet in the next year, greater privacy protection is the factor that would most likely convince them to do so.
According to Patrick Sullivan of PriceWaterhouse, "The results of the survey, especially concerning meaningful, verifiable privacy policies, are made all the more important by the Federal Trade Commission's recent report that only 14% of commercial websites in the U.S. tell consumers anything about the sites' information practices, and only about 2% have any clear privacy policies posted".
Another consumer survey conducted in March 1997 in the US by the Boston Consulting Group (BCG)3 indicated that three in five consumers do not trust Web merchants with their personal information. Based on the survey results, BCG estimated that as much as US$6 billion in additional electronic commerce could be gained by the year 2000 if consumers' privacy issues were addressed.
A recent survey conducted in Hong Kong4 found that only 26% of Internet users polled had used the Internet for purchases and 45% of the non-buyers felt that transaction on the Internet were not safe.
It is therefore not surprising the increasing clamour for a "consumer bill of rights" for the electronic age to be promulgated which would establish for the consumer the right:
a) to be informed of and to validate the identity and location of the organisations offering electronic commerce;
b) to procure authentic products and services as specified in the offerings;
c) to have a mechanism for redress of problems arisen from business transactions;
d) to be provided with adequate consumer education of their rights in cyberspace; and
e) with regard to personal data privacy:- to have the choice and individual empowerment to browse and transact business on an anonymity basis;
- to be informed up-front of the purpose and subsequent use and disclosure of personal data to be collected by the data users;
- that the personal information collected is kept accurate and secure;
- to have the right of data access and correction;
- to have the right to "opt-out"; and
- the collection of personal data from children should have parental consent and control.
Organisations Offering Electronic CommercePolicy on Data Privacy
To protect the data privacy rights of the consumers, organisations offering electronic services should:
- provide a choice of anonymity for browsing visitors and customers;
- have a policy on personal data privacy which should include purpose specifications of data collection, subsequent usage and disclosure of data collected, the availability of opt-out, data access and correction procedures, complaint and redress mechanisms, and where relevant a policy on the collection of data from children which should involve parental consent and control;
- display the afore-mentioned policy at the website; and
- provide encryption facilities for the collection of sensitive data.
In addition, business organisations should provide for their employees on-going education on the importance of data privacy and instil a "privacy conscious" culture.
US TRUST.e5 (Commerce Net and The Electronic Frontier Foundation)
WEBTRUST6 (AICPA, American Institute of Certified Public Accountants)
Privacy Seal Program (On line Privacy Alliance)
Japan Privacy Protection Mark7 (JIPDEC, Japan Information Processing Development Center)
Privacy Enhancing Technologies and Tools
Business organisations should keep up to date with and implement relevant privacy enhancing technologies and tools for their online operations to enhance consumers' trust and confidence. Solutions based on such technologies should provide a practical response to consumer concerns while still preserving business interests.
A good example is P3P (Platform for Privacy Preferences)8 developed by the W3C (World Wide Web Consortium) which allows websites and consumers to describe their privacy practices in a common language and format, and allow seamless access if the profiles match or allow for conscientious overrides through negotiation if the profiles mismatch.
Sectoral representative bodies should develop for their members codes of practice on data privacy, which provide specific guidelines to their respective sector through application of a set of data protection principles to the unique operational characteristics of the sector. These data protection principles are either based on those enshrined in legislation on personal data privacy or recognised standards established jointly by government and the private sector. Besides their monitoring role, these representative bodies should also have the responsibility to handle and to provide redress mechanisms for complaints from customers on non-compliance of the codes of practice.
The Role of Government
It is recognised that the effective development of electronic commerce should be led by the private sector and market-driven. However, there is a critical role played by the government to provide a regulatory framework for a legal environment for electronic commerce, and to protect consumers' interests in accordance to the "consumer bill of rights", including the protection of data privacy. The regulatory framework, may it be on the basis of legislations (government regulatory), or codes of practice developed by industries (private sector self-regulatory) or a mix of legislations and complementary codes of practice by industries (co-regulatory), should aim to bring about an environment which is:
- at the minimum equivalent (to the legal protection as provided by the laws and practices that apply to traditional forms of commerce);
- internationally consistent; and
- technology neutral.
The regulatory areas notably include:
- Electronic Transactions
To enact legislations or amend existing commercial and contract laws to facilitate electronic recording and filing of documents; to establish procedures and standards regarding the authentication and integrity of electronic signatures, and to establish effective dispute resolution mechanisms.
- Contents Control
Many countries place an emphasis on the need to monitor and control contents of websites within their jurisdiction or to block access to prohibited materials in overseas websites. The reasons include the protection of children from offensive materials such as pornography, materials deemed as politically subversive, or discriminatory, e.g. racial hatred.
- Intellectual Property Rights (IPR)
Laws and regulations with respect to copyrights, patents, and trademarks need to be updated to take into account of these issues in cyberspace. In addition, two specific areas which require attention are the registration of Internet domain names and the establishment of sui generis database protection.
- Crimes in Cyberspace
Crimes in cyberspace, e.g. phoney investment schemes, Internet gambling in some jurisdictions, the access to information where the offender has an intent to defraud or frauds are resulted, would require specific regulations or updating of existing criminal laws.
- Open and Fair Trade Practices
Fair competition for the offering of goods and services, open access to telecommunication networks and services, truthful and accurate advertising, protection of children from harmful advertising practices, are some of the issues for consideration.
- Regulations Which have Direct or Indirect Bearing on Data Privacy
Specific regulation on data privacy
Whether through the enactment of a generic legislative measure or the development of codes of practice for industries, the rights of an individual regarding data privacy as outlined earlier on in the consumer electronic bill of rights should be adequately protected.
The requirements for security range from the security of telecommunications networks and information systems to the security of data, including personal data, collected and transmitted over the Internet. Whenever relevant, particularly for sensitive data, highly secure and reliable data encryption measures should be provided for data transfer. There should be a balanced solution to protecting the individual's right of data privacy while allowing for exceptional access to personal data to satisfy overriding public interests or national security when relevant.
Protection from privacy intrusion caused by unsolicited emails should be provided by making it a violation for spammers to send messages without a return address or with a forged return address, or messages with misleading subject lines. The ISPs could also be required to establish spam-blocking policy and to deter spamming.
Flaming, sending an abusive or derogatory message, is a known phenomenon on Internet, which is often regarded as a lawless zone due to its borderless nature. Defamation issues arise with regards to the liability of individuals, websites and ISPs.
. Direct Marketing
Mandatory provision of an "opt-out" choice, and the establishment of a national "opt-out database" of individuals to switch-off unwanted direct marketing messages or emails should be considered.
Besides the afore-mentioned regulatory measures, continuous and effective public education should be provided to the community by the government on the rights of the consumers, the responsibilities of the businesses and service providers and the mechanisms to handle consumers' complaints.
In addition, the government should take a leading role in using the Internet for the dissemination of information, the provision of on-line services for its citizens, and the interaction with suppliers in government procurement activities. Not only would such a role serve as an example of and to promote electronic commerce, it would also demonstrate practical compliance to the regulatory regime as promulgated.
Novel applications based on new scientific discoveries and technological innovations, while enriching the quality and efficiency of our lives, increasingly pose considerable issues of potential privacy intrusion. Prominent examples include electronic road pricing, genetic engineering, genetic testing, smart card applications, biometrics etc. The government has a role to monitor the development of new technologies and be involved in the planning and implementation stages for applications based on these technologies to ensure the privacy rights of citizens are not endangered.
As electronic commerce is international, the regulatory framework should also be consistent across borders.
Multi-lateral agreements through international bodies like UNCTAD, WTO, EU, OECD, APEC and others, as well as bilateral agreements between countries should be reached to protect consumers in the global electronic market and allow businesses to trade and compete on a fair, open and secure basis. The critical areas for international consensus include:
There should be an international agreement on the "consumer bill of rights" as afore-mentioned (see earlier section on Consumer), particularly with regard to the legal protection of consumers equivalent at the minimum to that provided by the laws and practices that apply to traditional forms of commerce, and to their privacy rights.
2) Electronic Transactions
A global legal framework is necessary to recognise, facilitate and enforce electronic transaction world-wide. The United Nation Commission on International Trade Law (UNCITRAL) has completed work on a model law9 that supports the commercial use of international contracts in electronic commerce. This model law10 establishes rules and norms that validate and recognise contracts formed through electronic means, sets default rules for contract formation and governance of electronic contract performance, defines the characteristics of a valid electronic writing and an original document, provides for the acceptability of electronic signatures for legal and commercial purposes, and supports the admission of computer evidence in courts and arbitration proceedings.
While ideally the Internet should be a tariff-free environment for the deliveries of goods and services, any taxation on electronic sales if levied should be harmonised internationally. Such taxation should be administratively simple, and easy to understand by the consumers.
To provide incentive for content development and protect again theft and unfair competition, international consistency for on-line IPR should be based on relevant treaties, e.g. WIPO Copyright Treaty. The allocation and administration of domain names should have adequate international participation to reduce alleged infringement and litigation.
5) Free Flow of Information
With the provision of adequate safeguards to information privacy, there should not be restriction to the free flow of information between countries.
1. "A European Initiative in Electronic Commerce", COM(97)157, April 1997, http://www.ispo.cec.be/Ecommerce.
2. "E-Commerce & Privacy: What The Net Users Want", Privacy & American Business, April 1998.
3. "Implementing the OECD Privacy Guidelines in the Electronic Environment: Focus on the Internet", OECD, May 1998.
4. "Report on a Survey on Internet Commerce" by the Democratic Party, Hong Kong, April 1998.
5. TRUST.e, http://www.truste.org.
6. AICPA, http://www.aicpa,org/webtrust/index.htm.
7. "Privacy Protection Mark System" Yuji Yamadori, JIPEC. Presentation at the Asia Pacific Privacy Forum, Hong Kong, April 1998.
8. "P3 and Privacy on the WEB", The World Wide Web Consortium, http://www.w3.org/P3/Overview.html.
10. "A Framework for Global Electronic Commerce", The White House, US, July 1, 1997.