Indeed, in the wake of the Octopus investigation, six banks were found to have sold customer data to third parties, and local TV news reports claim that at least three of Hong Kong’s mobile operators have done the same. Like Octopus, all reportedly claimed that they hadn’t broken any rules or laws.
Whether new laws or amendments will fix that may depend on the nature of the “fix”. BT chief security technology officer Bruce Schneier makes a good case on his personal blog for legislation that addresses the problem by giving consumers more legal control over their data, which would limit the ability of companies to claim that simply providing a disclaimer or an opt-out feature is all the protection consumers need, and that it’s the user’s responsibility to dig for it.
In the meantime, service providers need to rethink their own privacy schemes and make it easier for customers to opt in and out of services where their data will be made available to others. As I’ve written before regarding Facebook’s privacy policies, it’s not what you do, it’s how you do it. Customers don’t respond well to legal loopholes and “deploy first, apologize later” tactics, and the more companies use those arguments as justification when they get caught selling customer data, legally or otherwise, the more customers are going to resent it.