The accelerating speed of technological advance is now an unquestioned
reality. It is fundamentally transforming every aspect of our personal and
business lives, every industry, and every country across the globe. However, it
is also fundamentally transforming the notion of privacy: what it means to the
affected stakeholders (individuals, regulators, organizations), and how each
party can remain accountable in a world that technology has turned on its head.
One of the most pressing privacy
issues related to digital devices today is the increasing ubiquity of bring your own device (BYOD)
policies. According to Gartner, by 2018 up to 70% of mobile professionals will
be using their smartphone to conduct work. As enticing as BYOD is for an
increasing number of organizations, it is apparent that there are two sides to
the BYOD coin: heads represents increased efficiencies; tails results in increased
risk. And the risks are substantial. In 2014, we expect to see organizations
continue to deal with a number of privacy challenges related to BYOD.
Organizations need to maintain ownership of their information. With BYOD, this
information is stored on devices that now sit outside the organization’s immediate
control. To keep an eye on their data, organizations tend to install monitoring
tools on employee smartphones. However, when implementing these tools,
organizations need to be very careful that they are only monitoring the
company’s data and not collecting personal information about their employees
and others such as friends and family who may use the device.
Organizations can collect personal information only for a stated purpose,
and may use it only for that purpose. Among other things, this means that a
company that supplies a service cannot sell its list of subscribers to another
company's marketing department. Individuals must be informed, and must give
their consent, before personal information is collected, used or disclosed. Yet
most firms are unaware of the new law and very few are prepared to comply. Any
organization that already sends commercial electronic messages presumably
complies with the privacy law, which requires organizations to obtain user
consent, to allow users to withdraw that consent, and to provide the contact
information needed to do so. Compliance with the new anti-spam law involves
much the same obligations. While there are certainly additional technical
requirements and complications (along with tough penalties for failure to
comply), the basics of the law are consent, withdrawal of consent (i.e.
unsubscribe), and accessible contact information.
While privacy does create some new obligations, what is not new is the claim that business is unaware and unprepared to address its privacy law obligations.

The IT Act 2000 of India defines a ‘computer resource’ expansively as including a “computer, computer system, computer network, data, computer database or software”. This definition is wide enough to cover most intrusions involving any electronic communication device or network, including mobile networks. Briefly, then, the IT Act provides for both civil liability and criminal penalty for a number of specifically proscribed activities involving use of a computer, many of which impinge on privacy directly or indirectly:
- accessing a computer resource;
- downloading, copying or extracting data;
- introducing a computer contaminant[3] or computer virus;
- causing damage either to the computer resource or to data residing on it;
- disruption;
- denial of access;
- facilitating access by an unauthorized person;
- charging the services availed of by one person to the account of another person;
- destroying or diminishing the value of information;
- stealing, concealing, destroying or altering source code with intent.
The Act further provides for the civil remedy of “damages by way of compensation” for damage caused by any of these actions. In addition, anyone who “dishonestly” or “fraudulently” does any of these specified acts is liable to be punished with imprisonment for a term of up to three years, or with a fine which may extend to five lakh rupees, or with both.
In the N G Arun Kumar case of November 2009, the Additional Chief
Metropolitan Magistrate, Egmore, Chennai, sentenced N G Arun Kumar, a techie
from Bangalore, to rigorous imprisonment for one year with a fine of Rs 5,000
under section 420 IPC (cheating) and Section 66 of the IT Act (hacking).
Investigations had revealed that Kumar was logging on to the BSNL broadband
Internet connection as if he were the authorised genuine user and ‘made
alteration in the computer database pertaining to broadband Internet user
accounts’ of the subscribers. The CBI registered a cyber crime case against
Kumar and carried out investigations on the basis of a complaint by the Press
Information Bureau, Chennai, which detected the unauthorised use of broadband
Internet. The complaint also stated that the subscribers had incurred a loss of
Rs 38,248 due to Kumar’s wrongful act. He used to ‘hack’ sites from Bangalore
as well as from Chennai and other cities.
In 2014, as organizations begin
to think about the endless possibilities associated with the “internet of
things” — nanotechnology, product sensors, sensor-driven analytics and sophisticated
tracking capabilities — they also need to think about the privacy risks. There
is a strong possibility, for example, that when an organization embeds a
tracking mechanism into a product or service, it has not first sought the
permission, either implicit or explicit, of the consumers being tracked. And
when consumers find out, chances are they’re going to be irate. These kinds of
privacy gaffes erode the very trust many organizations are attempting to
cultivate to create the ultimate customer experience.
There is no question that the
internet of things holds huge promise for an organization to vastly improve its
strategic trajectories and business models, generate efficiencies and lower
costs. However, this promise needs to be balanced against the privacy that
consumers innately expect, and the privacy that they will demand alongside
their customized customer experience. In 2013, participants at the 35th
International Conference of Data Protection and Privacy Commissioners continued
their progress by adopting eight new declarations and resolutions that delved
deeper into the issues raised the year before. Four resolutions focused on technology
challenges (appification, profiling, digital education and webtracking), two
addressed better coordination among jurisdictions (enforcement coordination and
international law), and one urged greater transparency on what data
organizations are collecting and why (openness).
At a more granular level, many
government bodies at federal and state levels are continuing to update their
breach notification laws. Unfortunately, the massive intelligence leak by
former US intelligence contractor Edward Snowden has cast a pall on the goals
of cooperation. In fact, the Snowden affair has so eroded trust among nations
that the European Union is considering a motion to suspend the US–EU Safe
Harbor Framework. Once a respected guideline for US organizations to provide
satisfactory protection for personal data of EU residents as required by the
European Union’s Directive on Data Protection, the Framework now lies in limbo.
This leaves Binding Corporate Rules (BCR) as one of the few frameworks
available for global organizations to adhere to when seeking to transfer data
of EU residents across borders.
In 2013, a number of
jurisdictions around the world improved or expanded their privacy regulations.
We expect similar progress to occur around the world in 2014. With the emerging
global digital economy and the increasing popularity of cloud computing
services, legislation which reinforces trust in the market will be a key driver
for business growth. Recent developments include:
Brazil: Brazil seeks to mandate
that global internet providers store data gathered from Brazilian users within Brazil.
Canada: Bill C-475, working its
way through Parliament, would unify and strengthen the country’s approach to breach
notification.
US: Although US lawmakers
continue to push for a federal data breach notification law, Congress continues
to debate whether federal law should supersede state laws.
Australia: In late 2012, the
Australian Parliament passed the Enhancing Privacy Protection Act. The Act is
set to take effect in 2014.
China: In late 2012, China’s standing
committee of the National People’s Congress approved a directive that strengthened
online personal data protection. That directive came into force in February
2013.
Singapore: Singapore’s Personal Data Protection
Act 2013 came into force in 2013.
EU: Under a policy implemented in
August 2013, European communication services providers are now required to notify
not only affected individuals but also their respective national authority within 24
hours of detecting a breach.
EU: Crafted in 2012 and expected to pass in 2014, the EU
General Data Protection Regulation is designed to simplify and strengthen the
European Union’s data protection framework. Instead of adhering to requirements
from 27 individual data protection authorities, organizations will only have to
address one set of data protection rules.
One solution to the BYOD monitoring problem, which is becoming
more feasible as smartphones become more powerful, is the partitioning of the
device. This would allow employees to operate two separate desktops, one for
work and one for personal use. The other option is the use of a guest network
that is separate from the main network. Organizations could create a “sandbox”
where company data would reside, separated from any association with personal
data, applications or online services. Organizations also need to be vigilant
when collecting data from social media. Consumers are voluntarily providing
intimate details about themselves. Organizations need to respect their privacy,
even when the consumers themselves do not, by anonymizing the data before using
and sharing it. Anonymous data can still provide deep insights into trends and
opportunities, but with a much smaller privacy impact.
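The following is an added example, not code from the original article, of what "anonymizing before using and sharing" can look like in practice for social-media data. The records, field names, city-to-region table and link key are all constructed for the example. Direct identifiers (handle, email, post text) never reach the output; a keyed HMAC pseudonym is used only inside the pipeline to count distinct people, ages and cities are coarsened into bands and regions, and any cell with fewer than k people is suppressed so that no released number can point at an individual. The trend counts survive; the individuals do not.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample records in the shape of scraped social-media posts. The
# people, handles, emails and field names are invented for this example.
RAW_POSTS = [
    {"handle": "alice_k", "email": "alice@example.com", "age": 34, "city": "Austin",   "text": "Loving the new running shoes #fitness"},
    {"handle": "bob_77",  "email": "bob@example.com",   "age": 37, "city": "Dallas",   "text": "Gym at 6am again #fitness"},
    {"handle": "carol.m", "email": "carol@example.com", "age": 31, "city": "Houston",  "text": "Yoga in the park #fitness"},
    {"handle": "dan_s",   "email": "dan@example.com",   "age": 52, "city": "Seattle",  "text": "Off to Lisbon next week #travel"},
    {"handle": "eve_q",   "email": "eve@example.com",   "age": 38, "city": "Austin",   "text": "Marathon trip booked #fitness #travel"},
    {"handle": "eve_q",   "email": "eve@example.com",   "age": 38, "city": "Austin",   "text": "Tapering this week #fitness"},
    {"handle": "frank",   "email": "frank@example.com", "age": 29, "city": "Portland", "text": "Road trip! #travel"},
    {"handle": "grace",   "email": "grace@example.com", "age": 33, "city": "Dallas",   "text": "Weekend in Austin #travel"},
    {"handle": "hank",    "email": "hank@example.com",  "age": 57, "city": "Seattle",  "text": "Back on the bike #fitness"},
]

# Assumed coarsening table (city -> region); anything unmapped becomes "other".
REGION = {"Austin": "US-South", "Dallas": "US-South", "Houston": "US-South",
          "Seattle": "US-West", "Portland": "US-West"}

# Fields that identify a person directly and must never be released.
DIRECT_IDENTIFIERS = ("handle", "email", "text")

# Secret used only inside the pipeline to link one person's posts. It is never
# exported and should be rotated per analysis run (constructed value).
LINK_KEY = b"rotate-me-per-run"


def pseudonym(email, key=LINK_KEY):
    """Keyed HMAC: the same person maps to the same token within one run, but
    without the key the token cannot be reversed or re-joined to other data."""
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()[:16]


def age_band(age):
    """Coarsen an exact age into a ten-year band, e.g. 34 -> '30-39'."""
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


def topics(text):
    """Extract hashtags as the only thing we keep from the post text."""
    return {w.lower().strip(".,!") for w in text.split() if w.startswith("#")}


def aggregate_anonymized(posts, k=3):
    """Return {(age_band, region, topic): distinct_people} for cells with at
    least k people. Identifiers never enter the result, and small cells are
    suppressed so no released count can single out an individual."""
    people = defaultdict(set)
    for p in posts:
        pid = pseudonym(p["email"])          # dedupe one person's many posts
        band = age_band(p["age"])
        region = REGION.get(p["city"], "other")
        for t in topics(p["text"]):
            people[(band, region, t)].add(pid)
    return {cell: len(ids) for cell, ids in people.items() if len(ids) >= k}


def contains_direct_identifiers(result, posts):
    """Pre-release check: no raw identifying value may appear in any released key."""
    raw = {str(p[f]) for p in posts for f in DIRECT_IDENTIFIERS}
    released = {part for cell in result for part in cell}
    return bool(raw & released)


if __name__ == "__main__":
    out = aggregate_anonymized(RAW_POSTS, k=3)
    for cell, n in sorted(out.items()):
        print(cell, n)
    print("identifier leak:", contains_direct_identifiers(out, RAW_POSTS))
```

With k=3 the only cell that survives is (30-39, US-South, #fitness) with 4 people; the person who posted twice is counted once because the pseudonym links her posts, and the two-person #travel cell is dropped. Lowering k to 2 releases that cell as well, which is the trade-off the threshold controls. Note that the pseudonym is still personal data under most regimes, which is why it is consumed inside the pipeline and never written to the shared output.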