Who is Responsible for Your Privacy?
Who Should Pick Up the Tab for Privacy?
RAJU CHELLAM
SCS Fellow; Chief Editor, AI Ethics & Governance Body of Knowledge; Vice-President, SCS Cloud Computing Chapter
Let’s start with a privacy parable.
A factory had a power outage that ground the manufacturing line to a halt during the night shift. The news reached the CEO, who called the plant on the landline without identifying himself. “What’s wrong with the power?” he demanded.
“If we knew what’s wrong, we’d have fixed it,” the factory worker who picked up the call replied.
“Find out what’s wrong and fix it asap,” the CEO said.
“Who are you to tell me what to do?” the factory worker snapped at the CEO.
“Do you know who I am?” the CEO shouted. “I’m your CEO.”
“Do you know who I am?” the worker asked.
“No.”
“Phew! Thank God!” the worker said and hung up.
If the story above made you smile – great! Because the following statistics are about to make you shudder.
In 2021, about 50 million US consumers fell victim to identity theft. While traditional identity fraud accounted for about US$13 billion of the total US$56 billion losses, the bulk (or US$43 billion) was due to criminals phishing to steal personally identifiable information (PII) via robocalls and emails.¹
Closer to home, victims in Singapore have lost over S$965 million since 2016². In one written response to a parliamentary question on scams, Home Affairs and Law Minister K Shanmugam revealed that scammers pocketed a record S$268.4 million in 2020 – nearly triple the S$89.7 million in 2016. If that wasn’t sobering enough, of the 7,400 scam reports the Police Anti-Scam Centre received in the first six months of 2020, the authorities recovered only S$66 million of the over S$201.7 million.
GOVERNMENTS – WITH DATA PRIVACY REGULATIONS
Thanks to these proliferating breaches, data privacy is now on everyone’s mind. Consumers’ demand for privacy and control of their data has led governments to implement the Personal Data Protection Act (PDPA) in Singapore, the General Data Protection Regulation (GDPR) in Europe, and the California Consumer Privacy Act (CCPA) in California, US. Many others are following suit. It is expected that by 2023, 65% of the world’s population will have personal data covered under current privacy regulations, up from 10% in 2020.³
Mandating that end user consent be valid, freely given, specific, informed and active, the GDPR, which came into effect across the European Union (EU) states in May 2018, became a model for national laws outside the EU, including Chile, Japan, Brazil, South Korea, Argentina and Kenya.
In ASEAN, Malaysia was among the first countries to initiate the PDPA in 2010; it was passed in November 2013 to protect individuals’ PII in commercial transactions. The penalty for non-compliance ranges from RM100,000 to RM500,000 and up to three years’ imprisonment.
Singapore’s PDPA Act 2012 came into effect in July 2014 and was updated in November 2020. Singapore residents can register their local phone numbers with the Do Not Call Registry to opt out of receiving unwanted telemarketing messages. Organisations that breach PDPA regulations may be fined up to S$1 million and suffer reputation damage.
COMPANIES – WITH CUSTOMER DATA PROTECTION POLICIES
Unsurprisingly, the market for data privacy management software is also soaring. Sales jumped 46% in 2020 over 2019. IDC estimates that privacy management software sales will reach US$2.3 billion in 2025, double 2020 revenues, at an annual growth rate of 14.3% during the period.
The paradox? Despite data privacy regulations becoming stricter, COVID-19 has led to a data generation and consumption surge with employees working from home. “Data visibility continues to be a blind spot for many organisations,” says Ryan O’Leary, IDC’s research manager for privacy. “There is a growing demand for automated data discovery and classification tools that scan for sensitive data across both cloud and on-premise environments to provide that single source of data truth. Solving the challenge of patchwork enterprise infrastructure and automation is the golden ticket in data privacy.”
CONSUMERS – BY WATCHING OUT FOR THEMSELVES
Are consumers willing to pay the price for privacy? About 10% of internet users worldwide (and 30% in the US) buy and deploy ad-blocking software to prevent companies from tracking online activity. About 87% of survey respondents told McKinsey that they would not do business with companies with lax data security practices – and 71% would stop doing business with a company if it gave away sensitive data without permission. Indeed. The scale of breaches is staggering. “Breaches at several corporations exposed hundreds of millions of records. The stakes are high – even consumers who were not directly affected by these breaches paid attention to the way companies responded to them,” McKinsey notes. “Because stakes are so high – and awareness is growing – the way companies handle consumer data and privacy can become a point of differentiation and even a source of competitive business advantage.”
THE TECH INDUSTRY – WITH STRONG PRIVACY FRAMEWORKS
So, can data be shared legally? Yes. In September 2021, Credence Lab launched the Data Trust Rating System (DTRS), developed by a consortium comprising tech giants like IBM and Alibaba Group. “Companies certified with the Credence DTRS demonstrate accountability in handling personal data, assure regulators of their compliance to legislation, and offer business partners confidence in exchanging or receiving data,” says Philip Heah, CEO of Credence Lab.
Regionally, the Asia-Pacific Economic Cooperation (APEC) formulated the Cross-Border Privacy Rules (CBPR) in 2005 and updated them in 2015. “The CBPR benefits consumers and business by ensuring that regulatory differences do not block businesses’ ability to deliver innovative products and services,” APEC states. “Developed by all 21 APEC economies, an APEC economy must demonstrate that it can enforce compliance with the CBPR system’s requirements before joining.”
THE BOTTOM LINE
The only way you can protect your digital privacy is if you go off grid, become a digital nomad and stop using all electronic equipment. Even then, you might not be spared.
WHY DO COMPANIES FEAR THE GENERAL DATA PROTECTION REGULATION (GDPR)?
In July 2019, the British Information Commissioner’s Office (ICO) issued an intent to fine British Airways (BA) a record £183 million (1.5% of turnover) for lax security arrangements following a breach that affected 380,000 transactions. Fortunately, after due consideration given to BA’s representation and the economic impact of COVID-19 on its business, BA’s fine was reduced to £20 million.