@eLaw.com.hk 葉謝鄧律師行

Trust is an important element of e-commerce.

Businesses and consumers that trade over the Internet do not have the benefit of seeing each other face to face. Nor do they have a history of personal interaction to base their trust on. The Internet is an open network that is easily subject to misuse such as an outsider getting personal information such as credit card data and medical records without authority. To build trust, e-commerce providers must be able to ensure customer privacy and maintain security of websites and email communications. Enterprises taking inadequate privacy and security measures face the risk of litigation, negative publicity, and loss of customer loyalty. Consequently, most reputable e-traders employ security measures and publish an online privacy statement that guarantees commitment to a range of privacy issues.

The best way to get a broad understanding of online privacy issues that relate to corporations and businesses is to actually go online and to look at some commercial privacy policies. The following activity asks you to look at the privacy statements of three websites that receive a lot of traffic in Hong Kong. As you browse their privacy statements, try to assess the key issues that each statement addresses.

As we can see, disclosure of personal information online may unwittingly expose individuals to a host of on- and offline dangers. However, we also cannot escape the fact that we need to give information to access online services and that information is stored about us on a daily basis across a range of electronic databases. Most of the services that require us to give personal information should have security measures in place to protect this information (and in a moment we will look at examples of corporate privacy and security statements). We should also be aware of our rights to data privacy and later in the unit we will explore how we can access and enact these rights.

The most fundamental guideline for protecting your own personal data is to only disclose personal information whenever it is absolutely required and where organizations or corporations offer clear guidelines to protect data privacy.

You should be extremely careful not to disclose personal information online in situations where there are no privacy protection guidelines (for example, posting personal information in a chat room or newsgroup). Avoid disclosing your own or others’ personal information such as email addresses, home addresses, job and company details in a public forum. Disclosing this kind of information in a public forum such as a chat room can lead to many of the above abuses of privacy as well as other problems such as solicitation for fraudulent investments, electronic harassment or stalking, and attempts to establish undesired relationships or contacts. Also, take care not to pass on others’ email addresses or details without their permission. Simply forwarding an email with others’ email addresses on it can compromise the data privacy of others and result in privacy intrusions such as unwanted messages or spam.

Regrettably, many Internet users are not sufficiently aware of the dangers associated with disclosing sensitive personal information in the online environment. To assist surfers protect their own privacy, Hong Kong's Privacy Commission Office has published a booklet entitled "Internet Surfing with Privacy in Mind - A Guide for Individual Net Users". This booklet is available from the PCO's website at www.pco.org.hk/english/publications/guide_privacy_mind_1.html

Online medical data can also be abused. At the very least, the tampering with or unauthorized publication of someone's medical history can cause embarrassment and or inconvenience to an individual. However, if a person's medical records are changed or used without authorization, a person's health can be compromised if inaccurate medical records result in wrong diagnosis or treatment. The loss or compromise of medical information can be fatal if doctors are denied information about treatment history or are given incorrect or inappropriate data

Nowadays, most organizations and corporations store their human resources records on electronic databases. Although many organizations and institutions (including the Open University of Hong Kong) now adopt measures to safeguard and protect the personal records of employees, the potential still exists for employment record privacy to be violated intentionally and unintentionally. Incorrect data information relating to an employee can have a strong negative impact on someone's career; for example, it could result in a wrong performance appraisal or prevent someone from achieving a promotion.

Many people use online banking services. Financial data such as transactional records on deposits and savings are stored online. Unauthorised access and alteration can result in money being taken from accounts. Incorrect credit information can result in bad credit information, harming a person's credit rating and his/her future ability to borrow from financial institutions.

One online user may misuse another person's personal identifiers to forge his/her identity. An Internet user's personal information (such as name, address and identity card number) can be used by a cyber criminal to falsely represent someone online or gain fraudulent access to credit cards or e-commerce sites. Please give an example of how this might occur.

The following link tells you more about how identity theft can occur on the Internet
http://computer.howstuffworks.com/identity-theft5.htm

Internet users are frequently required to provide personal data online. If you start up a yahoo or hotmail account, register for an online banking service or buy your groceries online, you will be asked to provide personal information about yourself. Whenever you buy goods or services online, you also have to provide highly sensitive information such as credit card numbers or personal identifiers such as your Hong Kong ID card number. Similarly, as corporations and institutions such as hospitals and universities increasingly adopt electronic databases, private information about your health, education, employment and travel histories is increasingly prone to misuse. Although there are measures in the Data Protection (Privacy) Ordinance to protect how these kinds of data are collected, used and shared, a certain amount of responsibility for the protection of data privacy also falls upon individual Internet users.

The principle of privacy is recognized in several international covenants. The United Nations Declaration on Human Rights, for example, says that ‘no-one shall be subject to arbitrary or unlawful interference with his privacy, family, home and correspondence'. The European Convention on Human Rights, and the International Covenant on Civil and Political Rights make similar statements.

Similarly, the Organization for Economic Cooperation and Development OECD issued a set of Guidelines concerning the protection of privacy of personal records in 1980. These broad and voluntary Guidelines were meant to establish standards for privacy rules followed by governments and businesses. You can view these guidelines at the following link: http://www.cdt.org/privacy/guide/basic/oecdguidelines.html (Although many companies claim to have adopted the guidelines, very few have ever implemented practices that directly matched the OECD standards.)

Despite the presence of covenants and guidelines recognizing and supporting the principle and importance of privacy, it must be emphasized that the laws of most places (including Hong Kong's Basic Law) give no general right to privacy. Moreover, courts in Hong Kong have rejected opportunities to create such general rights. For example, in the English case Malone v MPC (No.2) [1979], the contention that the tapping of the plaintiff's telephone in the course of a criminal investigation violated his right to privacy was rejected. The ruling for this cased said that –‘It is no function of the court to legislate in a new field. The extension of existing laws and principles is one thing; the creation of an altogether new right is another’.

Therefore, in Hong Kong, in the absence of a clearly defined legal right, privacy must be looked at in the context of the Data Protection (Privacy) Ordinance which offers data privacy protection, as opposed to personal privacy protection. Hence, personal privacy per se, is not covered by legislative provisions in Personal Data (Privacy) Ordinance. Hong Kong's Data Protection (Privacy) Ordinance is based on a similar 1984 UK act, which is turn was based on a European data protection convention. We will examine the Data Protection Ordinance in more detail later in this unit, but for the moment let's briefly look at how and why the Personal Data (Privacy) Ordinance evolved.

Justice Brandeis' definition of being "let alone" no longer adequately defines the concept of privacy in the 21st Century Cyber Age. The modern definition of privacy therefore needs to also include ‘the right to control our personal information, even after we disclose it to others.’ (http://www.cdt.org/privacy/guide/start/). Therefore, a contemporary definition of privacy also needs to include the concept of personal data protection in which an individual has the right to control the flow and access of information and data related to his/her personal details. Professor Raymond Wacks sums up this modern concept of privacy by arguing that ".... at the heart of our concern to protect 'privacy' lies a desire, perhaps even a need, to prevent information about us being known to others without our consent." (Wacks 1996)

Modern technology clearly poses new and increasing threats to this broader definition privacy. As a US Privacy Protection Study Commission argued, "The real danger (posed to privacy by the Information Age) is the gradual erosion of individual liberties through the automation, integration, and interconnection of many small, separate record-keeping systems, each of which alone may seem innocuous, even benevolent, and wholly justifiable." (US Privacy Protection Study Commission 1977). In recent years, privacy advocates have increasingly lobbied for measures to safeguard the protection of personal data. One example of an organization committed to defending data protection privacy issues is the US-based Electronic Frontier Foundation www.eff.org

Suppose you receive an anonymous letter one day. The letter describes in details what you have done in the past 3 days. It tells at what time you leave your home, which bus you took, where you have shopped and with whom you have met. It even refers to how you changed your clothes before you went to bed. Your immediate reaction will be anger and then you may become scared because you would wonder how the writer has come to know so much about you. After you have calmed down yourself, you probably would think that you have been psychologically hurt because you have not foreseen that someone have been watching over you in so much detail. Because you have heard about ‘privacy’ before and know that it is known to be a right to a person, you would probably think about the legal remedies in order to prevent that to happen again.

Now ask yourself the following questions:

1. In the above example, you have been hurt psychologically. Do you think that there will surely be a legal remedy to you just because of that?

2. Are you sure that you can find out who your privacy intruder is so that you can have him successfully prosecuted?

3. What remedies you are looking for: civil so that you can get a compensation or criminal so that the privacy intruder can be arrested and punished?