E-COMMERCE GOES MOBILE: SEEKING COMPETITIVENESS THROUGH PRIVACY Oana Dolea 7 th Annual Leg@l.IT Conference March 26th, 2013 Montreal, Canada
INTRODUCTION Mobile e-commerce vs. E-commerce Mobile e-commerce: more than just transactions 2
PRIVACY AND ONLINE CONFIDENCE Why a discussion about privacy and mobile e-commerce? Exponential growth mobile web economy may double by 2016. Confidence in the company behind the online transaction a leading trend influencing online business practices. Appropriate treatment of personal information online - an important tool for maintaining and growing that trust. Presentation will focus on: Applicable normative and self-regulatory mechanisms. Aspects of mobile e-commerce that pose privacy risks and can damage confidence in the brand. Practical strategies to promote privacy and confidence in online transactions. 3
NORMATIVE PRIVACY FRAMEWORKS Preserving trust in online transactions by understanding general principles set out in normative frameworks. Canada, US and EU significant differences underlying the complexity of the borderless context of online transactions. 4
NORMATIVE PRIVACY FRAMEWORKS: CANADA Applicable legislation Federal and provincial statutes that govern the collection, use, disclosure and management of personal information by private sector organizations. Personal Information Protection and Electronic Documents Act (PIPEDA) Applies to organizations engaged in commercial activities anywhere in Canada and when personal information is moved across borders (between provinces or internationally). 10 principles of PIPEDA: accountability, identifying purposes, consent, limiting collection, limiting use, disclosure and retention, accuracy, safeguards, openness, individual access, challenging compliance. 5
NORMATIVE PRIVACY FRAMEWORKS: CANADA Personal Information Defined very broadly as information about an identifiable individual. Organizations are generally required to seek consent for the use or disclosure of the personal information at the time of collection. Consent Requires knowledge as well as an understanding of the collection, use and dissemination of information, the repercussions thereof, and the existence of available alternatives. Freedom of choice is critical to privacy. Consent may be express or implied. 6
NORMATIVE PRIVACY FRAMEWORKS: CANADA Limits to Collection, Use and Disclosure Organizations must not require consent to the collection, use or disclosure of personal information beyond what is necessary to provide the product or service. Withdrawal of Consent An individual must be able to withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. Upon receipt of a withdrawal request, individuals must be informed of the implications of such withdrawal. Publicly Available Information Exception to consent requirements for publicly available information found in both federal and provincial legislation. The exception applies to the personal information of an individual that appears in a telephone directory or a professional or business directory, listing or notice that is available to the public. 7
NORMATIVE PRIVACY FRAMEWORKS: CANADA Cross-border flows of data: a Canadian provincial perspective Quebec - organizations must take reasonable steps to ensure that personal information transferred to service providers outside Quebec will not be used for other purposes and not be communicated to third parties without consent. Alberta - requires specific notice where the information is being transferred outside of Canada. Notice must include: The countries outside Canada in which the collection, use, disclosure or storage is occurring or may occur, and The purposes for which the service provider outside Canada has been authorized to collect, use or disclose personal information for or on behalf of the organization. 8
NORMATIVE PRIVACY FRAMEWORKS: UNITED STATES Constitutional Protection The United States Courts have compensated for the lack of any provision in the U.S. Constitution that grants an explicit right to privacy, by recognizing a right to privacy. Federal Legislation and Privacy Protection Privacy legislation in the U.S. follows a sectoral approach: laws are developed and enforced for a specific industry sector and protect only certain types of information. Information Held by the Federal Government Privacy Act of 1974 and the Computer Matching and Privacy Act - personal information held by the federal government. No authority over the collection and use of personal information held by other private and public sector entities. The United States has largely avoided legislation governing the treatment of sensitive personal information in records systems held by sources other than the federal government. 9
NORMATIVE PRIVACY FRAMEWORKS: UNITED STATES Private Sector The Fair Credit Reporting Act: prevents consumer reporting agencies from disclosing personal data on consumer reports without a showing of a legitimate business need. The Financial Services Modernization Act (Gramm-Leach Bliley Act) : contains privacy provisions protecting non-public financial information and requiring that financial institutions employ measures to secure customer data against anticipated threats to confidentiality. The Federal Trade Commission March 2012, FTC Privacy Report - best practices for businesses to protect consumers privacy and give them greater control over their personal data. Calls on companies handling consumer data to adhere to three core principles: Privacy by Design Simplified Consumer Choice Greater Transparency 10
NORMATIVE PRIVACY FRAMEWORKS: UNITED STATES State Legislation and Privacy Protection 1. California Online Privacy Protection Act (OPPA) Reaches beyond California s borders - functions as a national law, potentially impacting every commercial website that collects personally identifiable information from consumers. Requires operators of commercial websites or online services to post a privacy policy that must contain certain features. Does not contain any enforcement provisions. However, OPPA presumably could be enforced through California s Unfair Competition Law. 2. Other States Laws Nebraska and Pennsylvania: amended their unfair business practice statutes. Minnesota and Nevada: laws that impose confidentiality requirements on Internet service providers with respect to their subscribers. 11
NORMATIVE PRIVACY FRAMEWORKS: EUROPEAN UNION European Data Protection Directive (Directive 95/46/EC ) Applies when the controller is established or operates within the EU, but also whenever the controller uses equipment located inside the EU to process personal data. Controllers from outside the EU who process personal data inside the EU must nevertheless comply with the directive. A controller is a natural or legal person, public authority, agency, or any other body which alone or jointly with others determines the purposes and means of processing of personal data. Based on principles of: Notice Purpose Consent Security Disclosure Access Accountability 12
NORMATIVE PRIVACY FRAMEWORKS: EUROPEAN UNION Two broad sets of obligations on data controllers: Registration - Companies are required to register with the relevant national authority in all relevant countries. Compliance - Personal data may only be collected for specified, explicit, and legitimate purposes. Personal data must be adequate, relevant, and not excessive in relation to the purposes for which they are processed. EU Data Directive also requires data controllers to: Only use personal data collected for specific purposes for those purposes (with certain exceptions for historical, statistical, or scientific purposes) and no longer than is necessary. Be clear about the reason it collects personal data and use the data in strict compliance with its declared intentions. Implement appropriate security measures to protect personal information against accidental or unlawful destruction, and against accidental loss, alteration, unauthorized disclosure, or unauthorized access. 13
NORMATIVE PRIVACY FRAMEWORKS: EUROPEAN UNION Amendments to the EU Data Protection Directive In February 2013, close to 900 amendments were proposed to the EU Data Protection Directive, generally as follows: Designation of the main establishment Flexibility in the public sector Personal data and pseudonymisation Consent Governance International transfers 14
HARMONIZATION OF DIFFERENCES? EU U.S. Transfer of Personal Data Under the EU Directive, personal data may only be transferred outside the EU if the data will receive adequate protection in the importing country. Safe Harbor set of voluntary data protection measures that U.S. companies may undertake to bring them within a safe harbor of adequate protection under the Directive. The Safe Harbor Agreement was adopted in May 2000 and requires compliance with 7 principles: Notice Choice to opt out Notice and choice to opt out when transferring to third parties Access to one s information Protection and security of personal information Data integrity and enforcement. Breach of the Safe Harbor Principles by a company that has committed to them may be actionable under the Federal Trade Commission Act (FTC Act). 15
HARMONIZATION OF DIFFERENCES? EU Canada Transfer of Personal Information The EU Commission has recognized PIPEDA as providing adequate protection for the transfer of personal information from the EU to Canada. This allows for the continued flow of personal information between the EU and Canada. Thus, EU companies can share personal information with Canadian companies and store personal information in Canada. 16
HARMONIZATION OF DIFFERENCES? Gap between the U.S. and Canada Same harmonization does not exist between Canada and the U.S., leading to a gap in protecting data flows between both countries. FTC and the Office of the Privacy Commissioner of Canada continuously work together in bringing forth legal proceedings and work collectively in enforcing the standards of privacy and security. The Privacy Commissioner recently supported the FTC in legal proceedings over a website operated by a US company which advertised and sold confidential consumer information to third parties without consent. 17
SELF-REGULATORY PRIVACY FRAMEWORKS Territorial-based normative frameworks are often insufficient to provide a uniform set of privacy rules, in a borderless online context. Various self-regulating protocols developed in response OECD Privacy Guidelines Platform for Privacy Preferences Standard use of confidentiality policies 18
TARGETED BEHAVIOURAL ADVERTISING, PRIVACY AND ONLINE CONFIDENCE E-commerce and online environment Potential challenges to privacy that can affect customer trust in online transactions. Targeted Behavioural Advertising Using cookies, algorithms collect both information identifiable and nonidentifiable information about an individual. Algorithms tracking individuals online activities in order to deliver tailored advertisements that user is more likely to click, view and ultimately purchase. 19
TARGETED BEHAVIOURAL ADVERTISING, PRIVACY AND ONLINE CONFIDENCE Why is Targeted Behavioural Advertising problematic for privacy? Rate at which behavioural profiles are growing and accumulating more and more personal information. Even a piece of non-identifiable information, in the presence of many other pieces of information, can quickly become identifiable information. Sensitive information can fall into or be seen by the wrong people. In most cases, lack of awareness means lack of truly informed consent to the collection, use and disclosure of individuals personal information for the purposes of target behavioural advertising. 20
TARGETED BEHAVIOURAL ADVERTISING, PRIVACY AND ONLINE CONFIDENCE Consent Implied, Express and In-between Informed consent express consent, rather than the implied consent achieved through notice in a privacy policy. The EU Cookie Directive (Directive 2009/136) goes some way to address the issue of consent to the collection of personal information from a user s Internet activity. Debate about what is sufficient consent: UK Information Commissioner s Office : [ ] The crucial consideration is that the individual must fully understand that by the action in question, they will be giving consent. US Federal Trade Commission 2007 report identified principles for self-regulation of targeted behavioural advertising: Transparency and control Reasonable security, and limited data retention Affirmative express consent for material changes to existing privacy promises Affirmative express consent (or prohibition against) using sensitive data for behavioural advertising 21
MOBILE E-COMMERCE: UNIQUE CHALLENGES TO ONLINE CONFIDENCE Practical aspects of Mobile e-commerce present privacy-related questions: Enforcement of inter-jurisdictional compliance Mobile user + divergent legal frameworks = confusing enforcement of privacy. Negative perceptions of geo-location functions Perception of lack of control over personal information that could be extracted from location data. 22
PRACTICAL TIPS FOR INCREASING ONLINE CONFIDENCE 1) Adopt a privacy by design approach to all products. 2) Establish business processes with regard privacy that prevent or mitigate negative perceptions. 3) Emphasize a maximum of transparency. 23
CONCLUSION Integrity and trust important currencies in the sphere of online commerce. Privacy protection as more than a legal requirement an important marketing tool. 24
25 QUESTIONS?
26 THANK YOU!