Octopus Hits Data Privacy Iceberg

I don't suppose Prudence Chan is paying too much attention to the newspapers these few days, but just in case she is, or a friend is monitoring them on her behalf, here are a few words in a more sympathetic tone than others she has been hearing lately.

First, let's be quite clear that the vast majority of Octopus card users are not in any danger of having their personal details passed on to others because they have never given the company any information. They, like me, have simply purchased a card and used it as a terrifically efficient tool to facilitate everyday life. You can use it to travel by most forms of public transport, to park in most car parks (some nowadays will accept nothing else) and make purchases in supermarkets or convenience stores. And no-one will know anything about you.

But a minority of users has signed up for some additional benefits such as eligibility for rewards. In the process they have provided information about themselves and also given a waiver about how that information could be used. It may have been in small letters, but waiver there was and they signed freely at the bottom in order to gain access to those extra services. There are no grounds whatever for them to complain.

Secondly, Octopus has done no more or less than many - maybe most - other companies which provide some sort of added service. Do you have an oil company customer discount card, an airline loyalty card with special benefits, a supermarket points card providing cheaper prices, a hotel privilege card? The list is (almost) endless, and the chances are, if you do, that the company which issued the card is also making use of the data to pursue a commercial advantage. Wake up people, that's what companies do. You get something, they get something. If you don't want them using your personal data, don't give them any and don't apply for the card. Or take the trouble to read the conditions thoroughly and opt out of the clauses authorizing them to pass on your information to other parties. It's really that simple.

If all the facts ever come out, then it is likely we are dealing with many different companies and hundreds of millions of dollars, and the Octopus Company's $44 million will seem a drop in the bucket.

Thirdly, it is inconceivable that the directors of all these companies did not know what was going on. Where did the directors think these hundreds of millions were coming from? Father Christmas dropping down the corporate chimney and putting it in their stockings? Did anyone take the trouble to ask how these extra millions were being earned? Let us put the question as clearly and concisely as we can: what did the directors know, and when did they know it.

What really sank the CEO in the Octopus case was of course the apparent flip flop on whether data was being sold. Technically in some cases it may not have been: the data was being shared , certainly, and when the use of it produced extra business, part of the benefit was passed back to Octopus. But it is at least arguable that in strict legal terms such an arrangement may not have constituted a "sale" as such. But this is a classic case where legal cleverness leads to PR disaster. In any event, as the saga unfolded, even the company was admitting that, in some cases, data was in effect sold.

Octopus is now engaged in a frantic crisis management exercise. Inevitably, the CEO had to go because the case quickly escalated to cause celebre and only a live human sacrifice would appease the mob. She had the misfortune to be closest when the bomb went off. And the Board's decision to give the $44 million to the Community Chest was a stroke of genius. After all, the needy have much more claim to the money than the beneficiaries of the various schemes.

We need to draw a couple of quick lessons: are the present rules on data privacy sufficient, or should they be strengthened, particularly in respect of "deemed consent" clauses in agreements. And secondly, the directors of all the companies involved need a crash course in the principles underlying data privacy, not just the strict wording of the law.

Meanwhile, let's look on the bright side. With all these millions pouring into the Community Chest, we may have found a way to narrow the wealth gap, at least temporarily.