The General Data Protection Regulation (GDPR) became effective on 25 May 2018. This is not a reaction to the recent Facebook data sharing scandal: the GDPR was adopted by the European Union in 2016 and given a two-year transition period before enforcement began.
The GDPR replaces the EU’s Data Protection Directive of 1995, and reinforces each user’s control over their personal data by specifying in much more detail how personal data may be used and how it must be protected. As data privacy is particularly valued in European society, this regulation sets a precedent as one of the strictest standards in the world.
Why does it matter to you?
The Internet is borderless, which also means that user data can easily be captured, used and shared across the web. The GDPR explicitly identifies special categories of personal data, including biometric data, religious belief, sexual orientation and so on. (This made me think of Senator Durbin asking Mark Zuckerberg what hotel he stayed at.)
For individual users, the GDPR guarantees the right to know what data has been collected and how it has been used, as well as the right to object to its use or to have it deleted. For Internet companies it is critical because of the size of the fines that can be imposed for misuse of data or inadequate data protection: up to EUR 20 million or 4% of global annual turnover for the preceding financial year, whichever is higher.
Stricter data privacy could make or break some industries
There is no doubt that Facebook’s Cambridge Analytica scandal helped stir up the recent discussion on data privacy. A growing number of Internet businesses deploy data analytics to predict user behaviour, such as Toutiao in China and Twitter in the US.
Stricter data controls may hinder the development of these businesses. As more compliance checks are required before user data can be acquired, industries such as retail, payments and machine learning are among the most affected. Companies developing driverless cars, which rely on continuous feedback from driver behaviour data, are an obvious example, but the potential impact of such regulations goes well beyond them.
The GDPR is an ambitious and heavy-handed regulation on data control, but it is definitely not the last: the Regulation on Privacy and Electronic Communications (the “ePrivacy Regulation”) has already been approved by the European Parliament and is now under review in the Council of the EU. It aims to extend privacy rules to online messaging providers.
Good or bad?
While consumers may thank the EU for putting them back in control of their personal data in the digital space, they should expect some sacrifices in convenience, such as suggested searches and location-based recommendations.
Tighter data regulation also means more participation from different sectors. We can foresee new roles being created, data protection (compliance) officers for example.
The growing concern, of course, is whether companies can remain competitive when they are expected to spend more on compliance.
At the end of the day, regulations are supposed to provide “some” protection, but no company, not even Facebook, can allocate the resources to educate every user about their rights when most users are happily giving their data away in return for some digital gold. Also, how many of us actually read through the emails and the terms and conditions?
Growing awareness in Southeast Asia
The number of FinTech companies has grown several-fold over the past few years. Take Indonesia for example: all FinTech companies are regulated by OJK, the Financial Services Authority of Indonesia. OJK’s rules require FinTech companies to store all user data with local data centre providers, and impose KYC (Know Your Customer) and data protection requirements that must be met in order to operate legally in the country.
Singapore has a general data protection regime based on the Personal Data Protection Act (PDPA), passed in 2012 and in full effect since 2 July 2014. The act requires companies to designate a Data Protection Officer (DPO) whose contact details are made available to customers and employees.
Similarly, in the Philippines the Data Privacy Act (DPA) was passed into law in 2012, but its implementing rules and regulations were not fully in place until the establishment of the National Privacy Commission in 2016.
In Malaysia and Thailand it gets slightly vaguer. Malaysia currently enforces the Personal Data Protection Act 2010 (PDPA) through its Personal Data Protection Department, but unlike the Philippines’ DPA, the act does not apply to the government. As for Thailand, a new Personal Data Protection Bill (PDPB) is still awaiting legislative approval.
Recently, the Indonesian National Police decided to launch a criminal investigation into Facebook, as at least a million Indonesian users were believed to have been affected by the Facebook data breach scandal. Indeed, this scandal is a blessing in disguise, pushing governments to get to work and take immediate and swift action.
Many Southeast Asian countries are similar to Indonesia in having underdeveloped infrastructure for hosting personal data. While it is the responsibility of businesses to develop such infrastructure, it is the task of governments to support them with proper and conducive regulation, so that both businesses and consumers can benefit.
It is our hope that the leaders in the ASEAN region recognise this.
Thanks for reading The Low Down, insight and inside knowledge from the team at Momentum Works. If you’d like to get in touch with us about any issues discussed in our blog, please drop us an email at [email protected] and let us know how we can help.