Bangkok Post

A regulatory tightrope on data privacy

Over the weekend, computers worldwide were hit by a cyber attack of unprecedented scale. The malware, known as WannaCry, holds your data hostage until a ransom is paid. What has transpired in such a short period of time demonstrates the fragility of data protection and the risks associated with this technology. Public fear and anger could bring about changes that hinder future innovators, unless a middle-ground solution is established.

Among the new wave of technologies that are making their way into our everyday lives, many are made possible by big data technology. New knowledge in the fields of artificial intelligence and data analytics allows us to harness the power of data we have never used before, such as text and speech.

As companies, giant corporates and start-ups alike, begin to amass a huge amount of data, privacy becomes a major concern. In this connected world, nearly everything you do leaves a digital footprint. When you step into a store, your steps and turns can be tracked. The store can then analyse video images to see your behaviour, facial expressions, or even body temperature. The goal is arguably well-intended: to improve services for customers.

Recently, incidents related to privacy protection and data breaches have been cropping up and spooking the public about what may happen to one’s private information. Just last year, an employee in a Thai company sold a customer’s sensitive information, resulting in a stalking case that threatened the person’s information. Other possible outcomes of a breach could range from annoying phone calls to harassment and identity theft.

The question is therefore how to address this privacy issue without hindering technological progress. As the digital revolution marches on, data collection is expanding at an exponential rate. A delicate balance between privacy concerns and firms’ ability to better serve customers becomes harder to achieve.

A large part of this burden falls on regulators, who must strike such a balance. The trend is indeed towards tightening restrictions around data use to protect consumer rights. At the beginning of 2018, the European Union is rolling out its new General Data Protection Regulation (GDPR) to tighten the grip on privacy protection.

The laws will require firms to report incidents of data breaches and harden penalties for firms. Amendments to privacy laws in Australia that took effect in 2014 also ramped up the penalties.

Thai regulators too are catching up with a set of laws under the Personal Information Act that are before the legislative process. The laws have been in development for longer than a decade, with a draft released in early 2015. Despite some criticism, subsequent drafts improved significantly — taking into consideration the voices of the people from public hearings. A new draft that will soon be released is expected to meet international standards as it will be based on the APEC Privacy Framework, APEC Cross Border Privacy Rules, and OECD Guidelines.

As the new laws are developed, much discussion revolves around getting consent from people, such as explicit consent for data collection, data processing, and disclosure. This is undoubtedly important in its own right. But consent alone does not protect customers. What needs to be discussed more is the very objective of such public policy: how to ensure that those handling private data are not misusing it and that they have proper measures to prevent the data from falling into the hands of ill-wishers.

Setting too many restrictions around data collection could make it costly to use data — for good and bad. This would impede the growth of data-driven innovation.

It would also hurt smaller companies like start-ups more than large corporates, which likely have the resources and economies of scale to work around certain legal barriers.

Rather, regulators should target their resources on stopping the misuse of data to tackle the root cause of privacy concerns. Setting the right incentives to make sure companies are cautious in handling private data, such as penalties for data breaches, is one example. But this would only cover the damage incurred. A more proactive approach taken by Australia is to set standards for companies to invest properly in their IT security and staff training to prevent breaches from happening.

Another issue to keep in mind is the nature of the networked world, in which national borders are barely relevant. Indeed, a huge amount of our data is already being stored and processed beyond the physical border of Thailand. While curbing data abuse, the new laws ought to be flexible enough to let domestic companies learn about their customers to improve service quality.

These improvements by individual firms combined lead to higher productivity that benefits society as a whole. In this light, the regulations should at least aim to provide a level playing field for Thai firms against foreign counterparts. Otherwise, we will be forever playing catch-up in terms of competitiveness.

Aside from the government, businesses should show a commitment to instilling trust in the public. By maintaining IT security standards in handling private data, and appropriate data governance that dictates who can access what to increase accountability and transparency, businesses can ease the public’s fear. Consumers should help too by being mindful when giving up data in exchange for services, so data does not fall into the wrong hands.

Overcoming these hurdles will pave the way for future innovations and discoveries through the use of big data. As we wait for the next breakthroughs that could propel us from this prolonged period of sluggish productivity growth, we should make sure we are not blocking their way.

Sutapa Amornvivat is Chief Economist and First Executive Vice-President at Siam Commercial Bank. She has international work experience at IMF, ING Group and Booz, Allen, Hamilton.

AFP: Staff monitor the spread of ransomware cyber-attacks at the Korea Internet and Security Agency (KISA) in Seoul on Monday.
