7 impending Data Protection Trends in the region for 2020 (Part 1)

The initial years of computerisation and digitisation has enabled businesses to be more nimble to the market. However, with the recent hyper-jump in the use (and abuse) of personal data, personal data protection is fast becoming an important aspect of business operations today. With technology and convenience, complacency may set in and any mistakes (especially in handling personal data) can be accentuated by technology.

The European Union quickly realised the need to revamp their data protection laws in light of these technological changes. It introduced the General Data Protection Regulation, the GDPR, (which came into force on 25 May 2018) to do so. With the EU’s wide reach in trade, the requirements of the GDPP have deep implications on foreign blocs, markets and suppliers as well. 

The EU is not the only market whose laws are trying hard to play ‘catch-up’ to the warp speed at which technology and businesses have been evolving. In fact, almost the entire world is pressing the reset button as far as data protection laws are concerned: countries are either introducing new laws or amending existing ones. With that, the evolution of data protection laws has been driven primarily by two other factors – privacy/human rights and cross border trade.

With these as the foundation, the following are impending data protection trends that will shape the ASEAN regional landscape and the data protection industry/profession in 2020 and beyond.

1. More intensive enforcements with increased emphasis on operational compliance amid data breaches arising from mass digitisation and improper use of privacy-intrusive technologies

It is evident that the world needs to leverage heavily on the digital economy, from consumers to producers; Big data, IoT, AI and the likes would require data for transactions to take place. Hence data is fast becoming an essential part and commodity of business transactions.

In delivering such digitised services to people, the Prime Minister of Singapore correctly put it

Data is the lifeblood of the digital economy and a digital government. We need to use and share data as fully as possible to provide better public (and private sector) services. In doing so, we must also protect the security of the data  … 

Failure to safeguard personal data especially sensitive personal data can lead to serious harm to individuals. For this reason, many countries are seeing the need to implement rules to regulate how personal data is processed and to enforce those laws. Cases the GDPR or Singapore’s Personal Data Protection Act have been enforced very clearly demonstrate the importance of operational compliance with the rules – legal compliance with them is not enough.

Published enforcements in Singapore (number of organisations fined) more than doubled in 2019, over 2018.

 

Meanwhile the number of published GDPR enforcements has increased by 1,000% in the EU (albeit from a tiny base).

The cases, many of which involve online technologies, can happen anywhere. Singtel was fined S$25,000 recently for a data breach involving it’s My Singtel mobile app. Due to a design problem, My Singtel users could potentially access up to 330,000 other customers' accounts, exposing their billing information - including names and addresses.

Neighbouring countries Malaysia and the Philippines too are expected to enforce more rigorously in 2020. In some cases, regulators are beginning to see the immediate tangible benefits enforcing data protection laws.

The National Privacy Commission of the Philippines (NPC) investigated major online lending businesses in the country for alleged public shaming of borrowers. The NPC pointed out that the operators of these so-called ‘FinTech’ businesses may be liable for imprisonment for up to 7 years and fines of up to ₱5 Million (around S$133,000) under the Data Privacy Act of 2012 (DPA).

These FinTech businesses created apps which a person could download into their mobile phones. These apps enabled easy access to credit, especially with debtors having to contend with fewer requirements to access small loans. In the process of installing the apps, however, people unwittingly allowed the app providers to gain unprecedented access to their phones, including their contact lists, photos, camera, microphone, and files. Then, if the hapless person failed to settle their debts on time, they are harassed by company reps or shamed through the people in their phone directory.

According to the NPC, it received over 4,000 complaints (both formal and informal) involving these apps as of August 2019. In October, it summoned 67 of these FinTech firms in relation to these complaints. It banned 26 of them from processing personal data after finding them to have committed practices in violation of the DPA, and for failing or refusing to appear before the Commission. By November the formal complaints had fallen by 90%.

2. Both the public and private sectors will continue to grapple with data protection issues and new requirements

However, data protection is not solely a private sector concern. The data protection laws in many of the more advanced markets are comprehensive, covering both the private and public sectors. Many of the jurisdictions that are looking into data protection laws are considering implementing comprehensive law. 

In ASEAN, the data protection laws of the Philippines, Thailand and (the imminent data protection bill of) Indonesia cover the public sector as well as the private sector. Malaysia is evaluating the need to extend its Personal Data Protection Act into the public sector when it is reviewed soon. Meanwhile, the Singapore public sector is adopting best practices from the private sector to enhance its data protection practices. It is not surprising that research conducted by the DPEX Centre found that 40% of data protection positions in Singapore are with government organisations.

Many of the breaches, both private and public sectors are due to ignorance and negligence / lack of attention to the risks that have led to failures in operational compliance, rather than cyber attacks from external parties per se.

For example, following a major breach in 2018, the Singapore health sector again saw the personal data of 14,200 individuals leaked online in January 2019. Personal data of HIV patients including HIV test results and related medical information was leaked online following a failure of an authorised staff “to take reasonable care of confidential information...”

In March 2019, the Singapore government convened a Public Sector Data Security Review Committee to scrutinise how its public sector handles citizen data and its recommendations were submitted to the Prime Minister of Singapore on 27 November 2019 . Though exempted from the PDPA, the recommendations to the public sector are strikingly consistent with best practices in the private sector. Broadly they need to:

1. Enhance data protection & prevent compromise
2. Enhance detection & response to incidents
3. Raise competencies, instill culture of excellence
4. Accountability at every level
5. Ensure sustainability and resilience

In another case in Malaysia, the Domestic Trade and Consumer Affairs Ministry (KPDNHEP) had to suspend the newly-launched Petrol Subsidy Programme microsite after a tech portal reported that it exposed users’ bank account details. It was reported that once a person’s MyKad number was entered in the portal, it would reveal the last four digits of the user’s bank account number. However, when it looked into the source code, the full account number was visible. Cybersecurity observers said the security flaw was likely due to tight deadlines and thus probably less than methodological system tests. The Malaysian government has announced that it intends to review its Personal Data Protection Act (2010) with the following considerations:

1. To cater the needs for effective and efficient implementation of PDPA 2010 such as additional Classes of Data Users, Structure, Staffing, Enforcement (Applicability to public sector being evaluated)
2. To streamline PDPA 2010 with the international requirements / concerns on PDP relating to Cross-border data transfer, e-Commerce activities, trade facilitation (bilateral/multilateral) and PDP Technical Standards
3. To attend to specific requirements under extra-territorial legislation i.e. EU GDPR relating to the appointment of Data Protection Officers in companies and notification of data breaches.
4. To address other areas of concern such as Cloud Computing, Technology identifiers and a Do Not Call Registry (Direct Marketing)

Regulators are realising the impact of personal data breaches (such as the risk of identity theft and fraud), and many regulators are also considering making personal data breach notification mandatory, including because significant data breaches can be indicative of underlying systemic issues.

As legislation is enacted, there will likely be a separate development of sectoral frameworks, approaches and standards for data protection. This is because each would have its uniqueness and hence require their own codes of practice. There cannot be a one-size fits all solution for all sectors and industries.

With these mega trends in industries, data protection will draw Increased awareness at the c suite and board level in the private sector. Data protection is fast becoming an important component of Governance Risk & Control (GRC) and Enterprise Risk Management (ERM) for business success and competitiveness.

3. Continued Importance and applicability of GDPR to ASEAN

The announcement that Malaysia is using the EU GDPR as a reference in its review of its data protection act is no surprise. Many of the new and upcoming laws are also using GDPR as a baseline - Indonesia, Thailand, India, Sri Lanka, China.

The basis of the GDPR is the free movement of goods and services within the EU, coupled with human rights concerns, rather than being only business-centric. However, it is not only countries within the EU that take human rights into account and doing so seems to have a high level of appeal to consumers throughout the world. 

As GDPR enforcement increases in the EU, more organisations with the headquarters in the EU will likely require organisations in the ASEAN region to at least adopt practices that are equivalent to those required by the GDPR. As countries sign Free Trade Agreements with the EU, there is pressure on those countries during their negotiation to implement strong data protection laws that extend over both the public sector and the private sector, along with strong enforcement mechanisms. For instance, EU is a significant market for the ASEAN, with trade valued at about €240 billion. Singapore alone has total trade of €58 billion with the EU. Indeed, the trade opportunities outweigh the challenges of personal data protection requirements.

(Click here to read the continuation in Part 2)

Article contributed by

Kevin Shepherdson (FIP, CIPM, CIPP/A, CIPP/E, CIPT, GRCP), Lyn Boxall (FIP, CIPM, CIPP/A, CIPP/E, GRCP) ,  William Hioe (FIP, CIPM, CIPP/A, CIPP/E, CIPT, GRCP)