It’s no secret that the world’s most powerful companies hold the largest treasure trove of personal data, having collected it from millions of their customers worldwide. This trend will not change anytime soon, as emerging technologies such as Artificial Intelligence and the Internet of Things will make it easier for more granular information about us to be gathered, aggregated, triangulated, and cross-referenced. A key end result will be new information that can and will ultimately be used to shape our behaviour, influence our decisions, and determine our entitlements, for better or for worse.
While legal norms around data protection have largely reached alignment through dedicated policy and regulation, the same cannot be said about privacy, which remains highly contextual across cultures and societies. In 2017, the Internet Society’s Asia-Pacific Regional Bureau organised and supported a series of online privacy workshops across the four sub-regions of Asia-Pacific: the Philippines in Southeast Asia, Hong Kong in East Asia, India in South Asia, and Vanuatu in the Pacific, culminating in a regional conference on Building Trust in the Digital Economy in Singapore in November last year.
Through these workshops, we were able to thresh out the different privacy dimensions that mattered most to local stakeholders. We were also able to feed relevant issues into ongoing deliberations in economies that have yet to formulate data protection policies (Vanuatu), are in the process of developing one (India), have just implemented one (Philippines), or are about to revise existing legislation (Singapore and Hong Kong). A number of these issues were specific to the local environment, but many resonated throughout the different sub-regions. We’d like to highlight some of the key takeaways:
- Online privacy and data protection are evolving concepts. New technological trends like Big Data analytics that allow for personal information to be de-anonymised, or aggregate bits of what we may deem inconsequential data to build profiles about us, are changing the definition and nature of what we consider “personal” data. New standards, such as the EU General Data Protection Rules, which seek to address these concerns, impose new obligations on data collectors and processors, including breach notification requirements and heavy fines for failure to comply. But it also assigns new entitlements to users, such as the right to erasure, data portability and object to profiling. Such policies, which have an extraterritorial scope, will force us to rethink our own data protection and privacy policies, perhaps prompting us to focus on the impact of data collection on privacy, rather than the act of data collection itself.
- Users want control over their personal data. Users want to have the choice to opt out of data collection – even if it means having reduced access to services. Participants in the India workshop suggested that businesses can make available different levels of service, for instance having more personalised service for users who opt into having data collected about them. More generally, users believe that data collection needs to have a clear and identifiable user benefit associated with it.
- We need to keep it simple for other stakeholders. Participants lamented that technologists tend to design privacy measures that are too complex for other stakeholders to follow. They emphasised the need to strike a balance between usability, or the convenience of access, and making sure the data collected by these services is secure. This may involve taking a more holistic view of privacy measures, to ensure that users and decision makers are drawn to the important details, instead of being overwhelmed by a wall of technical information. In the case of terms and conditions, one possible solution is to take a layered approach, wherein the policy is spelled out in easily understandable language in one page, with the more detailed policy on another. This will also help make privacy policies more digestible to communities that have low levels of literacy.
- Governments also need to think about privacy by design. Many economies in Asia-Pacific are in the process of, or have plans to, roll out digital ID systems, as a means to provide citizens access to public services online. Having privacy safeguards in place at the onset of designing these systems will drive governments to limit data collection to only the information necessary for the designated purpose, to ensure that data is adequately protected while it is in use, and disposed of properly when it is no longer needed.
- Data can be a burden as much as it is an asset. A very large pool of data is often considered a great organisational asset. But with it comes an equal responsibility to protect that data. Limiting data collection to what is only absolutely necessary, and destroying it when it is no longer needed, will help reduce the associated costs and legal liabilities to keep it secure.