What's On

In this day and age, extensive and ubiquitous collection of personal data, both online and offline, together with the unpredictable use, transfer and breach of data, has posed unprecedented challenges to the data privacy frameworks around the globe. Worse still, individuals may not even be aware their data has been collected or shared. This makes exercising control over their data and objecting to unfair or discriminatory use of it next to impossible, even though personal data does not belong to any organizations but rather to the individuals from whom the data is collected. It being their own data, individuals would expect they are entitled to have the legitimate control or self-determination over it. On the other hand, in this data-driven economy that keeps growing in parallel with big data and information and communications technology developments from which individuals benefit tremendously, particularly in relation to scientific advancement and social interactions, it would not be in the interest of the community at large to have data locked up. Regulators worldwide are seeking to strike a balance between data protection and a variety of competing interests and rights.

Fragmented regulatory frameworks around the world — in Asia, in particular — have been a major concern for organizations having international or interregional operations. Fraudsters and cyber-bullying activists, for example, may find them a blessing, though. Naturally, individuals would look up to regulators. In the pursuit of effective data protection addressing, in particular, the sans frontiers nature of digital data flow, there is no justification for regulators not to put their heads together for a de-fragmented regulatory framework, if not a harmonized one. Similarly, international internet-related organizations will have all the reasons to reach a consensus on how best personal privacy and security with popular content and services could be balanced.

Compliance with the law is but part of the data ecosystem. While resonance of accountability has started to tune up, complementing compliance with the law by adopting data ethics will form the bedrock for nurturing and flourishing data protection in times of change. Data ethical values typically center on fairness, respect and mutual benefits. In practical terms, they involve genuine choices, meaningful consent, transparency, no bias or discrimination, and fair negotiation or exchange on a level playing field between organizations and individuals.

By adopting an ethical data stewardship framework, an organization is expected to consider the rights, interests and freedoms of all stakeholders in planning and conducting its data-processing activities. The stakeholders do not only include the clients and customers of the organization but also other individuals who may be impacted by the data-processing activities, as well as society as a whole.

Essentially, individuals expect no surprises when they deal with organizations in relation to their personal data. Individuals’ expectations, alongside their behavioral profiling, will become a constant in the organizations’ demand function, and the equilibrium against their supply of products or services will need to be adjusted from time to time.

So will the regulators. One of the challenges regulators have to continue to meet will be how they could help unlock and share personal data within the legal and ethical frameworks in the midst of widely applied sensory ability, cognition, robotics, machine learning and cloud services, etcetera, with a view to maximizing the benefits of data in a sustainable way, minimizing the risks and harms, creating healthy synergy with economic growth, and identifying and securing the innovative use of personal data in a post-data-driven economy. It is almost inevitable that much of the information or behavior we consider private today will not be so as time goes on.

Data protection policies, regulations and practices are invariably lagging behind ICT developments. While privacy-protective technology will continue to grow in power and magnitude, so will privacy-intrusive technology. We have never had ubiquitous surveillance before. Nor have we had internet social platforms or applications capable of influencing political results. That said, individuals will tend to give up more and more of their personal data than before for ease and convenience, if not to be trendy, especially in the emerging economies. The balancing exercise, whether on the part of regulators or organizations, that is working today may not been seen as workable in the year 2030.

While the balance will need to be adjusted constantly, a common denominator will ultimately be acted upon (i.e., respect and trust), which is being built among all stakeholders and will be pivotal to the balancing exercise. Notwithstanding the nature of privacy right being a fundamental human right, encroachment of the right may be justifiable, such as for the purposes of detection and investigation of crimes, or where public interests dictate. Organizations, public or private, will have to respect individuals’ privacy right to win their trust. Individuals will continue to expect organizations to do not only what they are required to do by the law, but also what they ought to do ethically. Regulators will need to play the roles of law enforcers, educators and facilitators in a respectable way. The evolution from an established privacy structure to a practicable privacy culture will probably take 10 years, if not more.