In the first article of this series, privacy was identified as a human right. However, the personal data gathering practices of companies and governments illustrate that preserving one’s privacy is a challenge in today’s society. Organisations discovered early on that personal data possesses real value and can be used to enhance revenue streams. Governments also discovered the value of personal data, i.e. it can be used to identify and track people more easily and more comprehensively than ever before.
This type of information gathering and surveillance appears to be accepted by most people. However, privacy breaches can have detrimental consequences for people and organisations.
Risks of Privacy Breaches
Risks for Individuals
When asked what they think about privacy, most people would answer: “So what? I don’t have anything to hide”. Looking at the potential consequences of privacy breaches, this thinking might be a little short-sighted. For one, email accounts can be hacked and misused to distribute advertisements. This would be somewhat annoying but could be stopped by changing the password of the email account. However, there is always the possibility that what is distributed is not “harmless” advertising but malicious content. Suddenly, this privacy breach can have severe consequences for a person, ranging from reputational damage to civil penalties.
Another risk is identity theft, i.e. a person assumes the identity of another person. To do so, the imposter needs to gain possession of appropriate personal information or gain access to personal devices such as a computer or a smartphone. Once the new identity is assumed, the imposter can sign contracts, accumulate credit card bills or take advantage of various other services. Under the cover of the new identity, the imposter could even commit criminal offences. Damaged parties would hold the person whose identity was stolen accountable for each of these activities. Depending on the severity of the offences, the reputation and honour of that person might be damaged beyond repair.
Risks for Organisations
Organisations collecting and processing personal data always face the risk of data breaches. The cost of these breaches covers not only notification, remediation and investment in better systems, but increasingly also heavy fines from the respective regulators. For example, the General Data Protection Regulation (GDPR), which became effective in May 2018 in the European Union (EU), permits fines of up to 4% of global annual revenue. This makes data breaches very expensive for companies with a global footprint. The total cost of the most recent large data breaches, such as those at Cathay Pacific, Google+, Facebook and Uber, remains to be determined.
Besides financial repercussions, reputation, market share etc. may be impacted. Consumers are better informed today and are more willing to take action. For example, Equifax not only delayed the regulatory notification of a severe data breach in the US but also focussed on limiting the damage to the organisation. The company completely ignored the fact that the breach also concerned individuals who were potentially exposed to detrimental consequences. Late notification and mismanagement of the data breach amplified the fallout, substantially damaging the reputation of the company. Consumers lost confidence that their data was safe with Equifax. On top of that, on 20/09/2018 Equifax was fined in the UK because it failed to protect the data of 15m UK users.
Data breaches may also impact employees. According to a Kaspersky survey, one in three organisations reported that non-IT personnel were asked to leave the firm after a data breach occurred. Notably, it is not only firms that experience the damaging effects of data breaches, but individual employees as well.
Due to the growing concern about privacy, regulators around the world are trying to update their respective requirements. As mentioned, in Europe the General Data Protection Regulation (GDPR) became effective in May 2018. In scope are all companies (inside and outside the EU) controlling or processing personal data of EU citizens residing in the EU. These firms need to demonstrate data protection by design and by default, i.e. personal data must be protected to the highest standards and cannot be shared without the explicit consent of that person. Enforcement is achieved by heavy fines measured against the global revenue of the company.
In Australia, the Australian Privacy Principles (APP) outline what a company with a turnover of more than 3m AUD should consider in order to protect personal data. Strikingly, various exceptions specify the situations in which personal data may be used for other purposes such as direct marketing. In addition, while individuals have the right to stay anonymous, an entity can refuse to deal with such a person on the basis of impracticability.
Furthermore, the Australian Treasury announced in 2017 that an Open Banking regime will be introduced. In order to grant consumers more control over their personal data, the Treasury has circulated draft Consumer Data Right (CDR) regulation over the past months. However, even this new regulatory framework still needs to address some important questions. For example, to what extent will the privacy of individuals be preserved if they agree to share their data with other parties? Another question is to what extent consumers who are not willing to share their data will be excluded from using basic services such as bank accounts, or will be charged substantially more for using these services. A potential consequence is that an entire consumer group will be disadvantaged.
Other countries take a different approach. For example, the Vietnamese government recently decided that personal data needs to stay in the country. This implies that international companies such as Google and Facebook would require a local presence, i.e. they would not be able to use their cloud services to manage cost and analyse the data in correlation with other information. Ultimately, it would prevent them from using collected data for other purposes outside of Vietnam.
Other Attempts to Preserve Privacy
For some time, a few internet browsers have offered the capability to suppress tracking of browsing activities. The Do Not Track feature is included in Firefox, Microsoft Internet Explorer and Safari. However, major websites including Google, Facebook and Twitter elected not to pay any attention to users’ Do Not Track requests. For these companies, the benefits gained from continued data collection far outweigh the potential consequences, of which there are, in effect, none for ignoring Do Not Track requests. The initiative for more privacy on the internet appears to have failed, mainly because there is no enforcement from the government side.
While some efforts to preserve privacy have been made on the regulatory side, e.g. GDPR in the EU, other jurisdictions choose a different path by defining privacy differently. This raises additional questions which will be elaborated in the last article of this series:
- What is a possible future for privacy?
- What are possible actions for individuals and organisations?
First published on Enforcd.
Sources: https://www.bloomberg.com/news/features/2017-09-14/thank-you-for-calling-equifax-your-business-is-not-important-to-us and https://www.cnbc.com/2017/09/08/equifax-plunges-as-breach-will-cost-company-hundreds-of-millions.html