A recent survey shows that individuals and businesses believe a lack of online data privacy is hampering the development of electronic transactions, but that they are content to maintain the current status quo, write Angus Forsyth & Yvonne Chia

The surveys, conducted by IT Practice Group of Stevenson, Wong & Co., in co-operation with the Internet Professionals Association, polled general Internet users (data subjects) and IT companies (data users) about their attitudes towards personal data privacy.

Some 95.4 percent of data subject respondents said they are afraid about the release or transfer of their personal data without their knowledge. A total of 93.4 per cent of respondents said they would be concerned if their personal data were transferred out of Hong Kong -- especially to somewhere with less privacy protection than in Hong Kong -- for direct marketing/business analysis purposes.

One would expect that this revelation by data subjects -- who are principally customers or potential customers -- suggest that they would check if the service providers are "privacy protection friendly" and would hesitate to use their services if they lacked such protection.

But this is not the case. Surprisingly, only 9.8 percent of the data subject respondents said they first check privacy terms of Web sites when they surf the Internet, even though 60.7 percent said they know that many Web sites automatically collect their personal data, e.g. via cookies.

In fact, in the context of e-transactions not involving online payment (for information only), 16.3 percent said e-privacy or security problems would persuade them out of Internet usage. Similarly, 86.2 percent of the respondents said e-privacy or security problems would persuade them out of online payment.

While the survey for data subjects shows respondents are concerned about their personal data protection, the results also show that these concerns simply fade into insignificance if users can get what they want free of charge online by disclosing personal details about themselves.

But such a trade-off could result in the customer getting a rotten deal because the loss occasioned by mishandling of collected personal data may be severe.

There is no "free lunch." Customers who exchange their privacy protection for free online services are all too often blithely unaware that their personal data may be sold and transferred to endless channels without anyone keeping track of where their personal data has gone.

As expected, general consumers' willingness to compromise their privacy protection is reflected in the providers' response to the data user survey. Some 74.6 percent of the 150 data user respondents do not include privacy terms on their Web sites, with 54.9 percent of respondents saying the main reason for doing so was because they think it is not important as surfers mainly want their services/products.

However, 77.3 percent of the data user respondents utilise cookies to get information about visitors to their Web sites without asking surfers' consent. Moreover, 75.3 percent said they are aware they have not taken all practicable steps to ensure the accuracy of personal data collected as required by the Personal Data Protection Ordinance (PDPO). This involves conducting regular checks to erase collected data when it is believed to be no longer accurate and they choose to continue to ignore their legal obligations.

An alarming 72 percent confessed they have not taken all practicable steps to ensure that personal data collected are protected against unauthorised access.

It is unclear whether this lax approach is due to businesses feeling they can skirt the PDPO -- there has only been one successful case of prosecution to date since it was enacted in December 1996 -- or they do not fully understand the ordinance, or because they simply do not have the knowledge, skills or resources to do it.

The results of the surveys show that data users and data subjects should be given the benefit of innocence. Almost three-quarters (73.3 percent) of the data user respondents said they were not aware that they are legally required to publish a Privacy Policy Statement and Personal Information Collection Statement online to actively inform surfers of their personal data policies and practices. Similarly, 75.4 percent of the data subject respondents confessed they do not know all of their rights under the PDPO -- for example data access and correction rights -- even though they have heard of the ordinance.

If the PDPO is to protect privacy interests of individuals in relation to their personal data, in the authors' view, practical guidance must be given to data users and data subjects on how to comply with their duties to make the law and its sanctions meaningful.

The authors also advocate that serious efforts to educate businesses on privacy protection be carried out. This is especially important given the view of the added danger to service providers since Hong Kong Court of Final Appeal's December 2002 judgement, which substantially extended the concept of vicarious liability of employers for negligent acts and omissions of their employees on the basis that it is "fair" to do so not just -- as previously -- arising directly out of acts simply done in the habitual course of a particular employment.

Although the government has identified specific pillar industries for Hong Kong's long-term development, the authors urge the authorities to think one step further: to identify and recognise the underlying -- albeit indirect -- factors of boosting the local economy which, in light of the surveys, must include raising personal data privacy awareness and preservation.

The authors urge the government and the Office of the Privacy Commissioner for Personal Data to consider initiating a personal data privacy awareness project. This would help create an automatic human reflex -- like looking right and left when crossing the road -- in both data subjects and data users and which flashes the relevant civil and criminal sanctions in the minds of those concerned to enable them to avoid prosecution and civil liability.

But raising awareness alone is not enough. As the surveys indicate, many people are already aware of the need for privacy protection. What is now needed is concrete help and practical advice to help businesses, especially SMEs, to put in place adequate privacy protection mea-sures. These measures must go beyond simply making available guidance notes for businesses.

Incentives for businesses to comply with the PDPO are also needed. Businesses, especially in this poor economic environment, are unlikely to commit any cash or effort toward improving personal data protection unless it can increase revenue/goodwill/efficiency or reduce cost of production.

In this regard, we recommend that a central quality personal data privacy protection scheme be established. Under the proposed scheme, organisations that have fulfilled certain prescribed privacy protection assessment criteria -- which certainly should include the PDPO requirements -- and have maintained their continuous privacy protection can display a specially designed quality decal.

This decal would symbolise a quality organisation that cares about customers' personal data privacy protection and it would be a sign that customers would look for. Details of the scheme need to be worked out but it is broadly similar in concept to the "Quality Tourism Services Scheme" initiated by the Hong Kong Tourism Board or an ISO 9000 quality standard.

It appears that we are now at an impasse -- businesses, especially SMEs, are reluctant to implement personal data privacy protection, and customers have come to accept the "deal" where they get online information/services free of charge in exchange for their personal data. This is unhealthy for the development of e-commerce involving payment.

To break though this impasse will require a generous injection of incentives and education, which will also drive Hong Kong forward as the IT hub of Asia.

Authors: Angus Forsyth (left) and Yvonne Chia (right), Partners of IT Practice Group, Stevenson, Wong & Co. (Web site: http://www.sw-hk.com), legal advisers to Hong Kong Information Technology Federation, Hong Kong & Mainland Software Industry Co-operation Association, Internet Professionals Association, Hong Kong Internet Service Providers Association and Hong Kong Logistics Association.