China.org.cn, April 1, 2013

We've all heard the saying that "An ounce of prevention is worth a pound of cure." Similarly, laws can be most effective when they encourage best practices to be built into business and organizational operations by design. It is far more efficient to prevent the harm from occurring in the first place than to wait for a harm to occur and then deal with a subsequent court case.
The best privacy laws encourage those in e-commerce to be proactive in designing policies and instituting practices that protect consumer and citizen privacy. Such measures also are vital elements in building consumer and citizen trust in e-commerce and e-government, thereby promoting the growth, development, efficiency and effectiveness of e-commerce and e-government.
China took a major step forward in its privacy protection in December 2012, when the Standing Committee of China's National People's Congress passed the "Decision on Strengthening Network Information Protection" ("Decision"). The Decision provides a list of principles for protecting, collecting and using electronic personal information in China. The stated purpose of this reform is to protect information security, safeguard the lawful interests of citizens, legal persons and other organizations, and protect China's security and promote social order.
The law reform protects electronic information that is personally identifiable or involves personal privacy. It imposes obligations on network service providers and other entities that collect and use the electronic personal information of Chinese citizens (collectively, "Network Service Providers"). Chief among these obligations are:
• Requirements that Network Service Providers clearly and publicly indicate the objective, methods and scope for the collection and use of electronic personal information;
• Provisions requiring Network Service Providers to obtain consent when collecting or using electronic personal information and keep such information confidential;
• A requirement that Network Service Providers adopt technological measures to ensure information security;
• Prohibitions on the sending of commercial electronic communications to fixed telephones, mobile telephones or to e-mail accounts without consent; and
• Prohibitions on stealing, illegally obtaining, selling or illegally providing electronic personal information.
The Decision also imposes on Network Service Providers an obligation to improve their management of information disseminated by their users. When that information violates laws or regulations, Network Service Providers are required to take affirmative steps, including stopping the dissemination of the information, preserving the relevant records and informing the relevant government departments.
Under the Decision, when citizens discover any network information that discloses their personal identity, invades their personal privacy or otherwise infringes their lawful rights, or when they are being harassed by commercial electronic information, they may require Network Service Providers to delete the relevant information or adopt necessary measures to stop the infringing activity. Any individual or organization may report illegal or criminal acts against the Decision to the appropriate government department and/or take legal action against the person or organization breaching their privacy rights.
Penalties for violating the Decision include warnings, fines, cancellation of permits, closure of websites, or a ban on engaging in web-related business in the future. The Decision took effect on December 28, 2012.
In Europe, on March 14, 2013, the European regulators (the Article 29 Working Party) issued a 30-page opinion addressing how mobile apps should comply with EU data protection law (the Opinion). The main focus of the Opinion is on app developers, but it also describes the obligations of other parties involved in the development and distribution of apps, such as app stores, operating system and device manufacturers, and third-party advertising providers.
While Working Party (WP) opinions are not binding, they provide a clear indication of how data protection authorities in the EU (DPAs) are likely to interpret their national laws and therefore should be taken into account when developing new apps targeted at EU individuals.
In the U.S., the Federal Trade Commission and individual states (e.g., California) have issued guidelines for privacy protection both generally and especially in the development and use of mobile phone applications.
In Australia, in November 2012, Federal Parliament passed the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth), which significantly reforms the Privacy Act 1988 (Cth) (Privacy Act). The Act creates a unified set of 13 privacy principles that will apply to both Commonwealth agencies and private sector organizations. The reform imposes greater obligations to ensure comprehensive privacy policies and processes are in place. It also imposes more onerous responsibilities when disclosing personal information to overseas entities, including cloud service providers. This includes requiring businesses to take reasonable steps to ensure the overseas recipient of information does not breach the privacy principles and making the business liable for any act or omission by the overseas entity in relation to a breach of the new privacy principles.
It is therefore an encouraging sign that countries around the world are increasingly developing guidelines to promote privacy protection by encouraging organizations engaged in e-commerce to build privacy protection into the design of what they do and how they do it. All those engaged in e-commerce should take notice of these and other developments and use them as a guide to best practice as they design their particular privacy policies.
The author is a columnist with China.org.cn. For more information please visit: http://www.china.org.cn/opinion/eugeneclark.htm
Opinion articles reflect the views of their authors, not necessarily those of China.org.cn.