Data privacy: Looking back, moving forward II

Compared to last year, 2023 is turning out to be a mishmash of sorts, comprised of both legacy concerns and novel developments that come in all shapes and sizes.

Everyone will have their hands full navigating a world that is becoming populated with modern subjects like Artificial Intelligence and the metaverse, while still buried in dated issues like phishing, ransomware attacks, and data breaches. If we were to give them a quick run through, a number of distinct strains stand out.

First of all, we are looking at more laws, more regulations, and more fines. The data protection policy caravan is showing no signs of slowing down. Many governments will be legislating new rules, while others review and amend theirs. The US Congress, for one, will continue tackling the prospect of finally having a federal data protection law. Countries like Canada, Australia, and Japan will be revisiting theirs. Almost in lockstep is the trend involving massive fines being imposed by regulators. Even the Irish privacy watchdog, usually described as a lightweight when dealing with tech companies, is now baring some fangs.

Here in the Philippines, there are policy proposals with data protection implications that are worth monitoring. There is that bill calling for social media (account) registration. The proposed Internet Transactions Act is another. The former requires individuals to submit valid IDs when opening a social media account, while the latter imposes penalties against online merchants that violate consumer protection policies. The NPC is also working on at least two new policies. One aims to provide an updated set of requirements for the security of personal data. The other establishes the prerequisites for a certification program the agency is planning to put up.

Meanwhile, eager eyes are paying attention to the NPC’s implementation of two critical policies it released last year (i.e., on administrative fines and on the registration of data processing systems). It’s been six months since the schedule of fines was released and people have yet to hear about the NPC coming down on an erring company. Even with many questions still left hanging, the Commission also issued the new protocols for its registration system. Covered entities are expected to comply with them by mid-year. How that will pan out—especially now that the agency is expected to collect fees—is fodder for the curious.

On a related note, two data-intensive systems will share the limelight: the country’s national ID system and the SIM card registration system. Both are actively endorsed by the NPC—despite persistent claims by the former Privacy Commissioner that the agency is technology-neutral. The national government expects PhilSys to be functional by the end of the first quarter, while SIM card registration databases are supposed to be up as early as April. With both experiencing issues long identified by civil society groups, it’ll be interesting to see how things play out the rest of the way. The more serious concerns, after all, surface once these systems move past their registration phase.

In terms of specific risks, experts say the threat posed by ransomware will remain despite the drop in numbers last year. Threat actors have evolved and are diversifying their operations. Instead of focusing on encrypting data, they are now resorting to data exfiltration. State-sponsored attacks will also continue but percolate mostly in active conflict areas, like Ukraine, and regions with complex border disputes, like East and Southeast Asia. In the private sector, third-party vendors and service providers need to brace for more incursions or unauthorized disclosures. It’s become clear that data processors constitute a significant Achilles heel for many organizations. Even if a company takes its security measures seriously, criminal elements still manage to cause damage via third-parties it has significant ties to.

As for relevant technologies, people are waiting for news regarding the continued use of cookies. There is a chance that a cookie-less future may come as early as this year. As a tracking technology, cookies have been under intense scrutiny for some time now. Some governments have already declared them illegal and have banned them outright. This has led many organizations to look past them in favor of less intrusive tracking methods. Google, for instance, is actively developing Trust token API and other privacy technologies as possible replacements.

Related to the growing number of data protection legislations is a similar increase in data subject requests and complaints involving data protection violations. Since data subject rights are a staple in data protection laws, organizations expect to encounter them more often with every year that goes by. People are becoming more aware of their rights. Many are keen to exercise them, especially in the wake of data breaches or after controversial data processing activities are brought to light.

To help address or keep up with all of these changes, organizations will continue to aggressively recruit skilled data protection practitioners into their inhouse privacy teams. Even among the holdouts and fence-sitters, it is becoming clear that legal counsels or information security staff are often not enough to deal with the ever-expanding universe of data protection requirements. Dedicated personnel are necessary, if not inevitable.

All this and more point to one reality that is still often overlooked, taken lightly, or set aside by those most affected by it: concern for data protection is here to stay and is set to influence our lives in more ways than we care to admit.

It’s about time we all get on board, arrive at a common understanding, and play our part to make sure we’re headed towards the right direction.

For entities engaged in data processing both in the government and the private sector, it all begins with transparency—becoming upfront with one’s data processing activities. Transparency allows for informed decisions. Informed decisions means better control over the processing of one’s personal data, which is what data protection is all about.

Data protection authorities and other regulators must constantly challenge themselves. They need to make sure they are competent and equipped to deal with the problems they come across. They have to be productive both in terms of supplementary policies and enforcement actions. For implementing agencies like the NPC, that means circulars and advisories that are clear, precise, and responsive to the needs of stakeholders, and enforcement actions that are fair, effective, and consistent.

As for all of us, data subjects, the challenge is simple but not that easy. We must weigh our options carefully whenever we’re given an opportunity to enjoy some benefit at the expense of our personal data, our privacy.
We ought to remind ourselves that convenience is not all there is to life (especially when individual freedoms are at stake) and that data protection, like most good things, is a shared responsibility. Both represent an outlook that is useful on any given day, but 2023 would be a good time to start.

This article first appeared on GMANews on February 14, 2023,  3:06 pm