The Malta Business Weekly

Where is my Privacy?

As many business readers will be aware, privacy and the protection of personal data are a very hot topic. Recent revelations involving the alleged misuse of information harvested from Facebook by Cambridge Analytica have brought these issues into the mains


However, what recently happened at Facebook is just one of a series of incidents in which large organisations have either failed to secure private information or not been straightforward with people about how data may be used. Whilst the EU has been developing strict new privacy laws, US lawmakers can be accused of overlooking large-scale data breaches at prominent organisations such as Yahoo. With the public becoming increasingly conscious about the use of their data and the impact on their privacy, demand for change is coming from the populace.

Increased public awareness around privacy issues may result in an impact on business far greater than initially expected. With the General Data Protection Regulation (GDPR) coming into force in less than a month, the timing of privacy taking the spotlight is auspicious. Many GDPR readiness projects are therefore pivoting from being purely about privacy compliance to a focus on improving client relationships.

With consumers becoming savvier about their privacy and the lawful basis on which organisations may use their personal data, companies need to be prepared to counter privacy arguments raised by their clients. Come the formal implementation of GDPR in Malta, we can expect many consumers to start refusing to provide information on the grounds of “breach of privacy” and “Data protection”.

Empowering consumers

One of the main drivers for the GDPR was to empower individuals and ensure they have control over their private data and how it is used. Indeed, the GDPR does enhance personal privacy rights and requires companies to make changes to information sourcing, processing, handling and security.

If the GDPR succeeds in its objectives it will rebalance the focus on the needs and privacy of individuals who have seen their data being harvested and used without their valid consent or even knowledge. Take the targeted adverts one tends to receive after spending some time looking around for a new laptop or accommodation for your next holiday. Will these disappear?

But what is privacy in reality and can it even exist when we live in such a connected world? It depends on who you ask. In layman’s terms, privacy is the right to be left alone. It can also mean freedom from interference in matters considered as personal or private. When it comes to information, privacy is focused on the control an individual has over their personal information in terms of its collection and use.

When it comes to the data that should be considered to be private, the GDPR is clear. Any information related to a person that can be used to identify them, including their name, photo, email address, IP address, bank details, posts on a social networking site, medical information, biometric data and sexual orientation, falls within scope. Using this definition you may be surprised to discover what personal information certain companies hold on you.

From the perspective of the organisation, having a solid lawful basis when obtaining or requesting information is critical. For example, in order to fulfil the obligations of the 4th Money Laundering Directive (4th AMLD), Insurance Distribution Directive (IDD) and Markets in Financial Instruments Directive II (MiFID II), the collection of certain private information is required. Application of these laws can even require firms to refrain from offering services unless the consumer agrees to provide certain levels of information.

The same goes for employers: employees cannot hide behind the privacy barrier if that information is required for the employer to fulfil its legal obligations, for example related to the 4th AMLD or Health and Safety Legislation. There is also the concept of “legitimate interest”, which allows businesses to obtain, or ask for, certain personal information when the controller has a legitimate interest in having that information which is not overridden by the intrusion on the individual’s privacy rights. An example would be obtaining an individual’s credit history in order to make a decision on offering a retail loan.

Article 17 of the GDPR enshrines the right to be forgotten. Firms need to comply “without undue delay” to such requests. There are only limited, pre-defined instances where this right may not apply. What’s more, the requirement is very extensive and onerous on companies as it requires them to inform third parties that are processing any personal data for which a request for erasure has been made.

It should be noted that the right to be forgotten already existed. In 2014, the European Union’s Court of Justice ruled that “irrelevant” and outdated data should be erased on request. Following this case, Google reportedly received over 650,000 'Right to be forgotten' requests. Google, like Facebook and other technology giants, has been at the receiving end of these privacy initiatives.

A recent High Court judgement reaffirmed this, with Google being ordered to block search results about a past conviction that came up against a businessman’s name. The conviction was considered as spent, so it fell within the provisions of the Rehabilitation of Offenders Act in the UK.

With technology moving at high speed, managing information privacy is becoming more complex for companies as more data is being collected and exchanged with other businesses. This leaves organisations facing an incredibly complex conundrum. They need to ensure that personal information is protected in line with law, which can be very challenging to guarantee from a technological or organisational standpoint.

Educating consumers on their rights, as well as obligations when asking for a product or service, is key. The onus might ultimately fall on businesses who could even stand to gain from having a relationship with individuals who understand that giving away some of their privacy may produce a benefit in terms of the products and services they are seeking to acquire.

Stefan Lia is a Manager within the Risk Advisory team. For more information, please visit www.deloitte.com/mt/risk
