As tech becomes more pervasive, data privacy and data security issues rise with it. Customers are asking targeted questions of the companies they conduct business with, including: What are transnational companies doing with my data? How are they guarding it, and who within the firm has access to it?
A recent tweet by Netflix has raised these questions again. No company wants to be caught on the wrong side of the privacy debate—it’s bad PR and immediately causes a reputational risk. No matter how beneficial your product is, consumers will be highly reluctant to transact with you if they feel their privacy is at stake.
Looking at data security laws in the EU and North America
In response to this need, governments and businesses around the world are implementing stricter data regulations. For example, one of the foremost pieces of legislation surrounding data protection is the European Union’s General Data Protection Regulation (GDPR). The GDPR, which was passed in 2016 and required all member states to comply within a period of two years, incorporates some of the toughest data protection laws in the world.
This new set of data protection laws casts its net far and wide. It’s no longer just applicable to companies registered within the EU—any firm that processes personal data of EU citizens is subject to these laws. There’s also a provision for monitoring the behavior that takes place within the EU. Non-EU businesses that deal with personal data of EU citizens will be forced to appoint a representative in the EU.
Data protection guidelines in Canada are similarly robust. Citizens have a right to access personal data held by an organisation, and companies need specific consent from their users before collecting any data whatsoever. Alongside that, there’s a series of proposed changes to data protection laws in Canada. If implemented, the new laws would require all registered firms across the country to notify the Office of the Privacy Commissioner of Canada (OPC) in the case of a data breach and also send a notification directly to the individuals affected. Currently, similar laws only exist in the province of Alberta—but efforts are being ramped up to apply them in all the other provinces, too.
Measuring the landscape of data security and privacy laws in Southeast Asia
Singapore’s take on data privacy regulations is via the Personal Data Protection Act 2012. It’s similar to the EU’s GDPR in the sense that the laws also apply to organisations collecting data from residents in Singapore, whether they have an actual presence in the lion state or not.
Under the regulations, Singapore set up the Personal Data Protection Commission, which works with organisations and individuals to settle matters of privacy compliance. Recent guidelines from the Commission address growing fears about individual privacy—corporations are encouraged to encrypt all sensitive data stored in electronic mediums and to use said data discreetly and for limited purposes.
While the Kingdom of Thailand doesn’t have any statutory laws governing data privacy, its constitution does have protection of privacy in a broad sense. A draft of the Personal Information Protection Act was introduced in the Thai parliament recently, and lawmakers have begun discussions on whether to enact it into law.
The draft aims to protect individuals by restricting the gathering, using, and disclosing of personal data by enterprises without specific consent. It also imposes criminal penalties and civil liability for violations, and calls for the promulgation of an independent commission to ensure compliance with the proposed laws. At the moment, however, it’s unclear if the draft will be officially approved by Thai legislators and when it will be enacted into law.
The United States has some of the most rigorous data privacy laws in the world. There are about 20 pieces of legislation that cover the ambit of privacy, and the powerful Federal Trade Commission (FTC) is tasked with ensuring companies don’t engage in unfair or deceptive trade practices.
Privacy is within this sphere of responsibility. Individuals should be notified in the case of a security breach, and penalties for violating or not complying with data protection and privacy requirements vary from state to state but are stiff overall. Companies need to take this job very seriously. Data security measures should be extremely robust, and information collection practices must be spelled out clearly.
Understanding the implications for the region
The fact that the privacy debate is gaining momentum across the world means there are burgeoning expectations and requirements from a customer standpoint. Public discourse shapes law and future legislative acts—when citizens demand their rights, lawmakers will relent. They run the risk of losing their jobs, otherwise.
From a broad overview of data protection laws across the world, it’s fair to say that Southeast Asia is still lagging behind Western countries when it comes to implementing a stringent regulatory landscape. Some countries use legislation from decades ago to monitor company behavior. Singapore, widely considered to be the most forward-thinking country in the region, is also not currently on par with Western laws governing this aspect of customer-client interaction.
It’s high time that fact changed. It’s on all business owners and IT teams to begin tightening their data protection and data privacy policies across the board in Southeast Asia. By turning to more secure devices that comply with rising data protection regulations, businesses will be better able to protect their customers and their employees.