MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE Privacy Forder & Quirk Chapter 11.

Privacy

Governments are concerned with protecting citizens from unscrupulous ‘data thieves’ who may misuse the information or gather it in illegal ways.

Governments are also keen to preserve their own surveillance powers for the sake of ‘national security’.

The business community wants to encourage the use of e-commerce and is concerned with building relationships of trust with its customers.

Customers are eager to use e-commerce, but usually only when they can be sure corrupt operators will not take advantage of them.

The problem

When you are using the Internet you may think you’re anonymous... BUT there are various ways that information about you or your activities can be collected without your knowledge or consent:

Cookies
Browsers
Pre-existing information
Internet Commerce
E-mail
Spam

US survey in 1998

92% of web sites collected personal information
Only 14% provided a privacy statement
89% of children’s web sites collected personal information on children
Only 23% instructed children to get parental permission before providing personal information

Browsers: Security bugs in browsers allow hackers and web sites to access your personal information while you are surfing the web.

Pre-existing information: Governments, schools, businesses and other organisations may have already collected personal information about you.

E-mail: ‘e-mail is more like a post card than a letter in an envelope. Anyone who intercepts your e-mail can read it if it’s sent as plain text’.

Spam: Spam is junk E-mail. Spam is the use of your e-mail address for a purpose that you don’t agree to and are paying to have delivered.

Internet Commerce

If you buy something from a commercial web site you will probably have to use a credit card. Is this SAFE?

Governments and businesses are keen to encourage Internet commerce but there is resistance by consumers due to concerns about security and privacy.

E-businesses seem to require you to provide more personal information than you would for over-the-counter purchases.

Technical Solutions

Intelligent Agents
Automatically negotiate a privacy agreement
Requires an international standard (e.g. P3P)

Trust Marks (e.g. www.trustee.org) – signifies that the site adheres to standards for:
Privacy
Dispute resolution

Technical Solutions (cont.)

P3P
Uses an XML schema that acts as a set of “multiple choice questions” on privacy
Presents a snapshot of the site’s privacy policy
Backed by W3C
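As an added illustration (not from the slides or from Forder & Quirk), this is what such a P3P 1.0 “snapshot” looks like for a hypothetical shop: each element is one answer from the fixed W3C vocabulary, covering who collects the data, whether the individual can access it, where disputes go (the trust-mark idea above), and for each group of data the purpose, recipients and retention. The shop name, URLs and e-mail address are made up; the element names and values are those of the W3C P3P 1.0 vocabulary.

```xml
<!-- Added example: a P3P 1.0 policy for a hypothetical shop (names and URLs are made up). -->
<!-- Every element answers one "multiple choice question" from the W3C vocabulary, so a -->
<!-- browser or agent can compare the answers against the user's own privacy preferences. -->
<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY name="checkout" discuri="https://shop.example/privacy.html">
    <!-- Who is collecting the data (identity and how to contact it) -->
    <ENTITY>
      <DATA-GROUP>
        <DATA ref="#business.name">Example Shop Pty Ltd</DATA>
        <DATA ref="#business.contact-info.online.email">privacy@shop.example</DATA>
      </DATA-GROUP>
    </ENTITY>
    <!-- Can the individual see the data held about them? -->
    <ACCESS><contact-and-other/></ACCESS>
    <!-- Where complaints go: an independent dispute resolution service (trust mark) -->
    <DISPUTES-GROUP>
      <DISPUTES resolution-type="independent"
                service="https://trustmark.example/disputes"
                short-description="Independent privacy dispute resolution"/>
    </DISPUTES-GROUP>
    <!-- One statement per group of data: why collected, who receives it, how long kept -->
    <STATEMENT>
      <PURPOSE><current/></PURPOSE>              <!-- only to complete this transaction -->
      <RECIPIENT><ours/></RECIPIENT>             <!-- not passed to third parties -->
      <RETENTION><stated-purpose/></RETENTION>   <!-- discarded once the purpose is met -->
      <DATA-GROUP>
        <DATA ref="#user.name"/>
        <DATA ref="#user.home-info.postal"/>
      </DATA-GROUP>
    </STATEMENT>
    <!-- Marketing contact is a separate answer, so an agent can object to just this part -->
    <STATEMENT>
      <PURPOSE><contact required="opt-in"/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><business-practices/></RETENTION>
      <DATA-GROUP>
        <DATA ref="#user.home-info.online.email"/>
      </DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>
```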

Legal Solutions

Common Law
Traditionally no right to privacy (Victoria Park Racing v Taylor (1937) 58 CLR 479)
Recently, the High Court has left open the possibility of a right to privacy (ABC v Lenah Game Meats [2001] HCA 63)

Legal Solutions (cont.)

Common Law (cont.)
Other common law rights:
Trespass
Implied terms of commercial confidentiality

Other countries do recognise a common law right to privacy: New Zealand

Legal Solutions (cont.)

Statute
Privacy Act (Cth)
State legislation, e.g. Information Privacy Act 2000 (Vic)
Not as comprehensive as Federal legislation
Generally applies only to the public sector (i.e. government)

Legal Solutions (cont.)

Statute (cont.)
Other Legislation:
Telecommunications (Interception) Act
Freedom of Information Act
Data Matching Program
National Health Act

Privacy Amendment Act

Originally covered only Commonwealth government
Extended to private industry
Strikes a balance between encouraging IT developments and electronic commerce generally and protecting the individual’s right to protect personal information.

Major element of the Government’s strategy to increase public confidence in doing business online and to position Australian businesses globally to take full advantage of electronic commerce opportunities.

Privacy Amendment Act

Requires website operators that collect personal information online to take reasonable steps to ensure that internet users know who is collecting their information and how it is used, stored and disclosed.

The legislation establishes minimum standards for the protection and handling of personal information and applies in both the conventional and electronic environments.

Privacy Amendment Act

Collection
Use and Disclosure
Data Quality
Data Security
Openness
Access and Correction
Anonymity
Sensitive Information

Collection

An organisation must:
not collect information unless the information is necessary for one or more of its functions or activities;
collect personal information only by lawful and fair means and not in an unreasonably intrusive way;
if it is reasonable and practicable to do so, collect personal information about an individual from that individual;
take reasonable steps to ensure that an individual is or has been made aware of the information if it collects personal information about the individual from someone else.

Collection

The individual must be made aware of:
the identity of the organisation and how to contact it;
the fact that he or she is able to access the information;
the purpose for which the information is collected;
the organisation (or types of organisations) to which the organisation usually discloses information of that kind;
any law that requires the particular information to be collected;
the main consequences (if any) for the individual if all or part of the information is not provided.

Use and Disclosure

An organisation must not use or disclose personal information about an individual for a purpose other than the primary purpose of collection unless:
the individual has consented to the use or disclosure;
the information is not sensitive information and is for the secondary purpose of direct marketing;
the information is health information and the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety;

Use and Disclosure (cont.)

it reasonably believes that the use or disclosure is necessary to lessen or prevent a serious and imminent threat to either individual or public health and safety;
the organisation has reason to suspect that unlawful activity has been, is being or may be engaged in;
the use or disclosure is required or authorised by or under law.

Data Quality

An organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.

Data Security

An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification and disclosure.

An organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed.

Openness

An organisation must set out, in a document, clearly expressed policies on its management of personal information. The organisation must make the document available to anyone who asks for it.

On request by a person, an organisation must take reasonable steps to let the person know, generally, what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information.

Access and Correction

If an organisation holds personal information about an individual, it must provide the individual with access to the information on request by the individual.

However, where providing access would reveal evaluative information generated within the organisation in connection with a commercially sensitive decision, the organisation may give an explanation of the decision rather than direct access to the information.

Access and Correction (cont.)

If the organisation is not required to provide the individual with access to the information, the organisation must, if reasonable, consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties.

If an organisation charges for providing access to personal information, those charges:
must not be excessive;
must not apply to lodging a request for access.

Access and Correction

If an organisation holds personal information about an individual and the individual is able to establish that the information is not accurate, complete and up-to-date, the organisation must take reasonable steps to correct the information so that it is accurate, complete and up-to-date.

Access and Correction

If the individual and the organisation disagree about whether the information is accurate, complete and up-to-date, and the individual asks the organisation to associate with the information a statement claiming that the information is not so accurate, complete or up-to-date, the organisation must take reasonable steps to do so.

An organisation must provide reasons for denial of access or a refusal to correct personal information.

Anonymity

Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.

Sensitive Information

Information or opinions about an individual’s:
racial or ethnic origin;
political opinions;
membership of a political association;
religious beliefs or affiliations;
philosophical beliefs;
membership of a professional or trade association;
membership of a trade union;
sexual preferences or practices; or
criminal record.

Sensitive Information (cont.)

An organisation must not collect sensitive information about an individual unless:
the individual has consented;
the collection is required by law;
the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of an individual;
the information is collected in the course of the activities of a non-profit organisation;
the collection is necessary for the establishment, exercise or defence of a legal claim or equitable claim.

Sensitive Information (cont.)

If an organisation collects health information about an individual, the organisation must take reasonable steps to permanently de-identify the information before the organisation discloses it.

Privacy Codes

Must be at least equivalent to the National Privacy Principles
Approved by the Privacy Commissioner

Privacy Codes (cont.)

Examples:
Australian Direct Marketing Association
Internet Industry Association
Telecommunications Industry
Code of Banking Practice
Smart Card Industry Code of Conduct
Electronic Funds Transfer Code of Conduct

Privacy Codes

Advantages:
Avoid onerous and costly implementation
Less rigid
Easy to adjust to changed circumstances
More likely to be adhered to
Policed by industry peers

Privacy Act Exemptions

Businesses with less than $3 million pa turnover, other than:
  health service providers
  Federal contractors
Not-for-profit organisations
State or Territory authorities
Political parties and political representatives
Media organisations

International Perspective

OECD encourages trade in order to support growth of eCommerce: Guidelines for the Protection of Privacy and Trans-border Flows of Personal Data (1980)

S17 International Covenant on Civil and Political Rights: “No one shall be subjected to arbitrary and unlawful interference with privacy…”

International Perspective

European Union Privacy Directive (1995)
Being adopted by member countries
Transfer of personal information to third countries only permitted if the third country ensures an adequate level of protection
Level is assessed “in all of the circumstances” (F&Q p344)
To date, France, Germany, Luxembourg & Ireland have not complied

International Perspective (cont.)

USA negotiated with EU for “safe harbours” where businesses voluntarily subscribe to a code of 7 principles that the EU has deemed adequate:
Notice
Choice
Onward transfer
Access
Security
Data integrity
Enforcement

International Perspective (cont.)

Australian Response to EU Directive
EU says Australian privacy laws “not adequate”
EU concern with “co-regulatory” approach
Australian Government disagrees: Aust legislation goes further than US “safe harbours”
Only 2 countries outside EU have adequate privacy laws according to the EU

International Perspective

USA
No legislation
Ineffective codes (unsupported by legislation)
Failure to comply with a code may be prosecuted as an unfair or deceptive act (similar to s52 Trade Practices Act)
Growing push for legislation