The increasing adoption of digital technology has enabled the collection of broader, more in-depth, and real-time consumer data. Consumers’ personal information, locations, online behaviors, and transactions are increasingly being tracked. Richer consumer data creates opportunities for organizations’ business development; at the same time, data breaches and privacy scandals intensify consumer privacy concerns.
Governments, including Singapore’s, have responded with data privacy laws to regulate organizations’ collection, use, retention, and disclosure of personal data. As consumers, can we solely rely on government or businesses to ensure protection?
Since the development and enforcement of the Personal Data Protection Act (PDPA), great efforts have been made by the Singapore government to set up and refine a personal data protection regime. Meanwhile, more guidance and tools have been made accessible to businesses, which enables them to comply with the PDPA easily and confidently.
To address the over-collection of consumer data, the EU adopted the principle of “data minimization” (i.e., the collection of personal data should be limited to what is necessary and directly relevant for a specified purpose), as expressed in the 2016 General Data Protection Regulation (GDPR) and Regulation (EU) 2018/1725. Singapore’s PDPA does not articulate the data minimization principle, but the Personal Data Protection Commission (PDPC) explicitly recommends in its guidelines (e.g., “Advisory Guidelines on Key Concepts in the Personal Data Protection Act” and “Guide to Data Protection Practices for ICT Systems”) that organizations minimize the amount of personal data collected. The PDPA acknowledges the need to “strike a reasonable balance” between individuals’ right to privacy protection and organizations’ need to collect, use, and disclose personal data.
However, it is impossible for policymakers to cover all emerging issues in a timely manner and with enough specificity, as the pace of technological development far outstrips the pace of policy improvement and social change. By the time a regulation or amendment is approved and enacted, technology might have evolved beyond the regulation’s original jurisdiction. For example, although personal data protection has increasingly been regulated globally, the regulation of algorithm-generated recommendations adopted by online platforms (e.g., Amazon, YouTube) remains relatively untouched, despite China’s ground-breaking legislative action.
Businesses are accountable for personal data under their control or in their possession, and must comply with obligations for conducting activities related to the collection, use, disclosure, and retention of personal data. They should also strive for a balance among privacy, convenience, and security, and hence create the best experience for their customers or users.
Nevertheless, in reality, it might be over-optimistic to rely solely on businesses to protect us online. Enterprises started to collect consumer data even before the digital era. These valuable data can help companies to better understand consumers’ behaviors and preferences, to form market insights and predictions, and to develop targeted products and services. More organizations have started collecting consumer data, regardless of whether it is necessary for their business or legal purpose. Businesses might just play the cat-and-mouse game with the regulator: excessive money and time are spent in search of legal loopholes to achieve only “technical compliance.”
Businesses are leading consumers to trade their privacy for benefits, convenience, or efficiency. To enjoy benefits such as member-exclusive discounts, birthday vouchers, and accumulating loyalty points, consumers must provide their contact information and date of birth to sign up, and consent to the usage of their personal data for marketing purposes. For easier checkout, it is very common for consumers to store their contact number, delivery address, as well as payment information (e.g., credit card details) on online shopping platforms. For a personalized experience, consumers have to disclose their personal real-time data for algorithm-generated recommendations.
The pandemic era requires a minimization of close interpersonal contact in almost every facet of our lives. This minimization gave some industries a whole host of opportunities to collect personal data, which, strictly speaking, they might not need. For example, some self-ordering systems adopted by restaurants compulsorily require customers to key in their personal contact information before ordering or checking out.
In addition, not all organizations have the awareness or budget to adopt and maintain a highly secure data storage system. Hackers may have a higher chance of illegally obtaining private information from businesses with weaker firewalls. For example, RedMart, a leading online grocery store in Singapore, was fined S$72,000 for failing to implement reasonable security measures for consumer data protection. In September 2020, around 898,791 users’ personal data were stolen from its customer database and put up for sale online.
In summary, it is risky for consumers to merely rely on the government or businesses for personal data protection. Yet, it seems that consumers’ awareness of online privacy protection needs to be significantly improved. Experian’s research found that 80 percent of Asia-Pacific consumers expected businesses to protect them online. Similarly, F5’s report showed that 75 percent of APAC application users did not feel they should be responsible for protecting their own data.
Individuals’ actions can exacerbate security concerns as well. Despite the existence of security measures, 790 OCBC Bank customers lost a total of S$13.7 million in a spate of phishing scams. They had provided online banking log-in credentials and one-time PINs to phishing websites.
An individual’s self-protective actions depend on awareness of the risks of disclosing personal data. Disclosure of private information is associated with risks such as identity theft, stalking, scamming, harassment, and data breach. A sound understanding and assessment of potential risks ensures informed consent. Consumers, on many occasions, might have overestimated the value of what they could gain while underestimating the cost of sacrificing their privacy.
It is essential for individuals to be clear about to whom they are giving their personal data and why. The Infocomm Media Development Authority in Singapore has introduced the DPTM (Data Protection Trustmark) to certify organizations with accountable data protection practices. The PDPC has also provided some tips to the public.
While legal frameworks and regulations are important, protecting our personal data must start from ourselves.