E-COMMERCE GOES MOBILE: SEEKING COMPETITIVENESS THROUGH PRIVACY

Similar documents
Taking care of what s important to you

WidePoint Solutions Corp. SAFE HARBOR PRIVACY POLICY

PIPEDA and Online Backup White Paper

CANADIAN PRIVACY AND DATA RESIDENCY REQUIREMENTS. White Paper

Johnson Controls Privacy Notice

Privacy Law in Canada

Policy Implications: Privacy, Security and Liability Big Data in Telecom. June TIA 2012: INSIDE THE NETWORK Dallas TX

Doing Business. A Practical Guide. casselsbrock.com. Canada. Dispute Resolution. Foreign Investment. Aboriginal. Securities and Corporate Finance

COUNCIL OF THE EUROPEAN UNION. Brussels, 22 November /06 DATAPROTECT 45 EDPS 3

Consumer Confidence Trustmarks

I. Need for Federal Privacy Legislation

Information Governance Policy

QUEENSLAND COUNTRY HEALTH FUND. privacy policy. Queensland Country Health Fund Ltd ABN better health cover shouldn t hurt

Data, Privacy, Cookies and the FTC in Kevin Stark - ExactTarget Maltie Maraj - ExactTarget Nicholas Merker - Ice Miller

Privacy Risk Assessments

Protecting your privacy

Best Practices for Protecting Individual Privacy in Conducting Survey Research

AN INTRODUCTION TO THE EU DIRECTIVE ON THE PROTECTION OF PERSONAL DATA

Article 29 Working Party Issues Opinion on Cloud Computing

PROTECTION OF PERSONAL INFORMATION

Cloud Computing: Legal Risks and Best Practices

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS

We will not collect, use or disclose your personal information without your consent, except where required or permitted by law.

How To Ensure Health Information Is Protected

Law Firm Compliance: Key Privacy Considerations for Lawyers and Law Firms in Ontario

technical factsheet 176

The Manitoba Child Care Association PRIVACY POLICY

Best Practices in Data Management - A Guide for Marketers -

Privacy and Electronic Communications Regulations

Index All entries in the index reference page numbers.

Credit Union Code for the Protection of Personal Information

MIS Privacy Statement. Our Privacy Commitments

INTRODUCTION. Application of the Principles

Privacy Statement. What Personal Information We Collect. Australia

Privacy Law in Canada

THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA) PERSONAL INFORMATION POLICY & PROCEDURE HANDBOOK

Cloud Computing: Privacy and Other Risks

EU Data Protection Directive and U.S. Safe Harbor Framework: An Employer Update. By Stephen H. LaCount, Esq.

Privacy Law Basics and Best Practices

DATA PROTECTION POLICY

Privacy Policy. Effective Date: November 20, 2014

The Impact of EU Data Protection Legislation. Thomas Rivera Hitachi Data Systems

ESTRO PRIVACY AND DATA SECURITY NOTICE

SCHEDULE "C" to the MEMORANDUM OF UNDERSTANDING BETWEEN ALBERTA HEALTH SERVICES AND THE ALBERTA MEDICAL ASSOCIATION (CMA ALBERTA DIVISION)

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, A Guide for Data Controllers

JOB APPLICANT PRIVACY NOTICE

Binding Corporate Rules ( BCR ) Summary of Third Party Rights

We ask that you contact our Privacy Officer in the event you have any questions or concerns regarding this Code or its implementation.

The Health Information Act. Use and Disclosure of Health Information for Research

Application of Data Protection Concepts to Cloud Computing

Personal Information Protection and Electronic Documents Act

INTERNATIONAL SOS. Data Protection Policy. Version 1.05

The U.S.-EU Safe Harbor Guide to Self-Certification

The HR Skinny: Effectively managing international employee data flows

Report of the Information & Privacy Commissioner/Ontario. Review of the Canadian Institute for Health Information:

European Privacy Reporter

SCHEDULE "C" ELECTRONIC MEDICAL RECORD INFORMATION EXCHANGE PROTOCOL

Personal Information Protection and Electronic Documents Act (PIPEDA)

Corporate Policy. Data Protection for Data of Customers & Partners.

1. Introduction. 2. Sectoral Areas Affected. 3. Data Security. 4. Data Breach Requirements. 5. Traffic Data

Privacy by Design The 7 Foundational Principles Implementation and Mapping of Fair Information Practices

Privacy Policy for Data Collected by Blue State Digital s Clients

The Digital Marketing Ecosystem: Trends, Risks and Obligations

PRIVACY AND DATA SECURITY MODULE

PRIVACY POLICY Personal information and sensitive information Information we request from you

SHAREYOURJOB.COM PRIVACY POLICY

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129

FINANCIAL PLANNING CLIENT AGREEMENT

7.0 Information Security Protections The aggregation and analysis of large collections of data and the development

// CODE OF ETHICS FOR DENTISTS IN THE EUROPEAN UNION

AN INTRO TO. Privacy Laws. An introductory guide to Canadian Privacy Laws and how to be in compliance. Laura Brown

Personal Information Protection Act ( PIPA ) Privacy-Proofing Your Retail Business Tips for Protecting Customers Personal Information 1

Merthyr Tydfil County Borough Council. Data Protection Policy

STATUTORY INSTRUMENTS. S.I. No. 336 of 2011

NORTHWESTEL CODE OF FAIR INFORMATION PRACTICES. Effective January 1, 2001

CLOUD COMPUTING & THE PATRIOT ACT: A RED HERRING?

3. Consent for the Collection, Use or Disclosure of Personal Information

AlixPartners, LLP. General Data Protection Statement

COMMISSION STAFF WORKING DOCUMENT. on the existing EU legal framework applicable to lifestyle and wellbeing apps. Accompanying the document

How To Understand The Data Protection Act

ROHIT GROUP OF COMPANIES PRIVACY POLICY This privacy policy is subject to change without notice. It was last updated on July 23, 2014.

Personal Data Protection Policy

Questions and answers for custodians about the Personal Health Information Privacy and Access Act (PHIPAA)

UNILEVER PRIVACY PRINCIPLES UNILEVER PRIVACY POLICY

Declaration of Internet Rights Preamble

Maximum Global Business Online Privacy Statement

Accountable Privacy Management in BC s Public Sector

Abilities Centre collects personal information for the following purposes:

Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information

ChangeIt Privacy Policy - Canada

Data Protection Good Practice Note

Office 365 Data Processing Agreement with Model Clauses

singapore american school

Align Technology. Data Protection Binding Corporate Rules Processor Policy Align Technology, Inc. All rights reserved.

Data Protection Policy.

The 7 Foundational Principles. Implementation and Mapping of Fair Information Practices. Ann Cavoukian, Ph.D.

Privacy and Transparency for Consumer Trust and Consumer Centrality

Protecting your privacy

Data Protection and Privacy Policy

Transcription:

E-COMMERCE GOES MOBILE: SEEKING COMPETITIVENESS THROUGH PRIVACY Oana Dolea 7 th Annual Leg@l.IT Conference March 26th, 2013 Montreal, Canada

INTRODUCTION Mobile e-commerce vs. E-commerce Mobile e-commerce: more than just transactions 2

PRIVACY AND ONLINE CONFIDENCE Why a discussion about privacy and mobile e-commerce? Exponential growth mobile web economy may double by 2016. Confidence in the company behind the online transaction a leading trend influencing online business practices. Appropriate treatment of personal information online - an important tool for maintaining and growing that trust. Presentation will focus on: Applicable normative and self-regulatory mechanisms. Aspects of mobile e-commerce that pose privacy risks and can damage confidence in the brand. Practical strategies to promote privacy and confidence in online transactions. 3

NORMATIVE PRIVACY FRAMEWORKS Preserving trust in online transactions by understanding general principles set out in normative frameworks. Canada, US and EU significant differences underlying the complexity of the borderless context of online transactions. 4

NORMATIVE PRIVACY FRAMEWORKS: CANADA Applicable legislation Federal and provincial statutes that govern the collection, use, disclosure and management of personal information by private sector organizations. Personal Information Protection and Electronic Documents Act (PIPEDA) Applies to organizations engaged in commercial activities anywhere in Canada and when personal information is moved across borders (between provinces or internationally). 10 principles of PIPEDA: accountability, identifying purposes, consent, limiting collection, limiting use, disclosure and retention, accuracy, safeguards, openness, individual access, challenging compliance. 5

NORMATIVE PRIVACY FRAMEWORKS: CANADA Personal Information Defined very broadly as information about an identifiable individual. Organizations are generally required to seek consent for the use or disclosure of the personal information at the time of collection. Consent Requires knowledge as well as an understanding of the collection, use and dissemination of information, the repercussions thereof, and the existence of available alternatives. Freedom of choice is critical to privacy. Consent may be express or implied. 6

NORMATIVE PRIVACY FRAMEWORKS: CANADA Limits to Collection, Use and Disclosure Organizations must not require consent to the collection, use or disclosure of personal information beyond what is necessary to provide the product or service. Withdrawal of Consent An individual must be able to withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. Upon receipt of a withdrawal request, individuals must be informed of the implications of such withdrawal. Publicly Available Information Exception to consent requirements for publicly available information found in both federal and provincial legislation. The exception applies to the personal information of an individual that appears in a telephone directory or a professional or business directory, listing or notice that is available to the public. 7

NORMATIVE PRIVACY FRAMEWORKS: CANADA Cross-border flows of data: a Canadian provincial perspective Quebec - organizations must take reasonable steps to ensure that personal information transferred to service providers outside Quebec will not be used for other purposes and not be communicated to third parties without consent. Alberta - requires specific notice where the information is being transferred outside of Canada. Notice must include: The countries outside Canada in which the collection, use, disclosure or storage is occurring or may occur, and The purposes for which the service provider outside Canada has been authorized to collect, use or disclose personal information for or on behalf of the organization. 8

NORMATIVE PRIVACY FRAMEWORKS: UNITED STATES Constitutional Protection The United States Courts have compensated for the lack of any provision in the U.S. Constitution that grants an explicit right to privacy, by recognizing a right to privacy. Federal Legislation and Privacy Protection Privacy legislation in the U.S. follows a sectoral approach: laws are developed and enforced for a specific industry sector and protect only certain types of information. Information Held by the Federal Government Privacy Act of 1974 and the Computer Matching and Privacy Act - personal information held by the federal government. No authority over the collection and use of personal information held by other private and public sector entities. The United States has largely avoided legislation governing the treatment of sensitive personal information in records systems held by sources other than the federal government. 9

NORMATIVE PRIVACY FRAMEWORKS: UNITED STATES Private Sector The Fair Credit Reporting Act: prevents consumer reporting agencies from disclosing personal data on consumer reports without a showing of a legitimate business need. The Financial Services Modernization Act (Gramm-Leach Bliley Act) : contains privacy provisions protecting non-public financial information and requiring that financial institutions employ measures to secure customer data against anticipated threats to confidentiality. The Federal Trade Commission March 2012, FTC Privacy Report - best practices for businesses to protect consumers privacy and give them greater control over their personal data. Calls on companies handling consumer data to adhere to three core principles: Privacy by Design Simplified Consumer Choice Greater Transparency 10

NORMATIVE PRIVACY FRAMEWORKS: UNITED STATES State Legislation and Privacy Protection 1. California Online Privacy Protection Act (OPPA) Reaches beyond California s borders - functions as a national law, potentially impacting every commercial website that collects personally identifiable information from consumers. Requires operators of commercial websites or online services to post a privacy policy that must contain certain features. Does not contain any enforcement provisions. However, OPPA presumably could be enforced through California s Unfair Competition Law. 2. Other States Laws Nebraska and Pennsylvania: amended their unfair business practice statutes. Minnesota and Nevada: laws that impose confidentiality requirements on Internet service providers with respect to their subscribers. 11

NORMATIVE PRIVACY FRAMEWORKS: EUROPEAN UNION European Data Protection Directive (Directive 95/46/EC ) Applies when the controller is established or operates within the EU, but also whenever the controller uses equipment located inside the EU to process personal data. Controllers from outside the EU who process personal data inside the EU must nevertheless comply with the directive. A controller is a natural or legal person, public authority, agency, or any other body which alone or jointly with others determines the purposes and means of processing of personal data. Based on principles of: Notice Purpose Consent Security Disclosure Access Accountability 12

NORMATIVE PRIVACY FRAMEWORKS: EUROPEAN UNION Two broad sets of obligations on data controllers: Registration - Companies are required to register with the relevant national authority in all relevant countries. Compliance - Personal data may only be collected for specified, explicit, and legitimate purposes. Personal data must be adequate, relevant, and not excessive in relation to the purposes for which they are processed. EU Data Directive also requires data controllers to: Only use personal data collected for specific purposes for those purposes (with certain exceptions for historical, statistical, or scientific purposes) and no longer than is necessary. Be clear about the reason it collects personal data and use the data in strict compliance with its declared intentions. Implement appropriate security measures to protect personal information against accidental or unlawful destruction, and against accidental loss, alteration, unauthorized disclosure, or unauthorized access. 13

NORMATIVE PRIVACY FRAMEWORKS: EUROPEAN UNION Amendments to the EU Data Protection Directive In February 2013, close to 900 amendments were proposed to the EU Data Protection Directive, generally as follows: Designation of the main establishment Flexibility in the public sector Personal data and pseudonymisation Consent Governance International transfers 14

HARMONIZATION OF DIFFERENCES? EU U.S. Transfer of Personal Data Under the EU Directive, personal data may only be transferred outside the EU if the data will receive adequate protection in the importing country. Safe Harbor set of voluntary data protection measures that U.S. companies may undertake to bring them within a safe harbor of adequate protection under the Directive. The Safe Harbor Agreement was adopted in May 2000 and requires compliance with 7 principles: Notice Choice to opt out Notice and choice to opt out when transferring to third parties Access to one s information Protection and security of personal information Data integrity and enforcement. Breach of the Safe Harbor Principles by a company that has committed to them may be actionable under the Federal Trade Commission Act (FTC Act). 15

HARMONIZATION OF DIFFERENCES? EU Canada Transfer of Personal Information The EU Commission has recognized PIPEDA as providing adequate protection for the transfer of personal information from the EU to Canada. This allows for the continued flow of personal information between the EU and Canada. Thus, EU companies can share personal information with Canadian companies and store personal information in Canada. 16

HARMONIZATION OF DIFFERENCES? Gap between the U.S. and Canada Same harmonization does not exist between Canada and the U.S., leading to a gap in protecting data flows between both countries. FTC and the Office of the Privacy Commissioner of Canada continuously work together in bringing forth legal proceedings and work collectively in enforcing the standards of privacy and security. The Privacy Commissioner recently supported the FTC in legal proceedings over a website operated by a US company which advertised and sold confidential consumer information to third parties without consent. 17

SELF-REGULATORY PRIVACY FRAMEWORKS Territorial-based normative frameworks are often insufficient to provide a uniform set of privacy rules, in a borderless online context. Various self-regulating protocols developed in response OECD Privacy Guidelines Platform for Privacy Preferences Standard use of confidentiality policies 18

TARGETED BEHAVIOURAL ADVERTISING, PRIVACY AND ONLINE CONFIDENCE E-commerce and online environment Potential challenges to privacy that can affect customer trust in online transactions. Targeted Behavioural Advertising Using cookies, algorithms collect both information identifiable and nonidentifiable information about an individual. Algorithms tracking individuals online activities in order to deliver tailored advertisements that user is more likely to click, view and ultimately purchase. 19

TARGETED BEHAVIOURAL ADVERTISING, PRIVACY AND ONLINE CONFIDENCE Why is Targeted Behavioural Advertising problematic for privacy? Rate at which behavioural profiles are growing and accumulating more and more personal information. Even a piece of non-identifiable information, in the presence of many other pieces of information, can quickly become identifiable information. Sensitive information can fall into or be seen by the wrong people. In most cases, lack of awareness means lack of truly informed consent to the collection, use and disclosure of individuals personal information for the purposes of target behavioural advertising. 20

TARGETED BEHAVIOURAL ADVERTISING, PRIVACY AND ONLINE CONFIDENCE Consent Implied, Express and In-between Informed consent express consent, rather than the implied consent achieved through notice in a privacy policy. The EU Cookie Directive (Directive 2009/136) goes some way to address the issue of consent to the collection of personal information from a user s Internet activity. Debate about what is sufficient consent: UK Information Commissioner s Office : [ ] The crucial consideration is that the individual must fully understand that by the action in question, they will be giving consent. US Federal Trade Commission 2007 report identified principles for self-regulation of targeted behavioural advertising: Transparency and control Reasonable security, and limited data retention Affirmative express consent for material changes to existing privacy promises Affirmative express consent (or prohibition against) using sensitive data for behavioural advertising 21

MOBILE E-COMMERCE: UNIQUE CHALLENGES TO ONLINE CONFIDENCE Practical aspects of Mobile e-commerce present privacy-related questions: Enforcement of inter-jurisdictional compliance Mobile user + divergent legal frameworks = confusing enforcement of privacy. Negative perceptions of geo-location functions Perception of lack of control over personal information that could be extracted from location data. 22

PRACTICAL TIPS FOR INCREASING ONLINE CONFIDENCE 1) Adopt a privacy by design approach to all products. 2) Establish business processes with regard privacy that prevent or mitigate negative perceptions. 3) Emphasize a maximum of transparency. 23

CONCLUSION Integrity and trust important currencies in the sphere of online commerce. Privacy protection as more than a legal requirement an important marketing tool. 24

25 QUESTIONS?

26 THANK YOU!

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information