6th APB Forum, 2018 Fall

The National Privacy Commission (NPC) in the Philippines is currently enacting a piece of legislation called the Data Privacy Act. Rather than the actual legislation itself, the competency and actions of stakeholders after the law goes into effect is much more important. First, the regulator must have the following four requirements: (1) clear goals, (2) adequate financial resources, (3) transparent communication networks, and (4) sufficient understanding of each sector. Based on these capacities, the regulator may apply the law strictly or loosely, however, it is most important that they develop their strengths. Moreover, the capacity required of the general manager after the legislation takes effect is the proper mobilization of funds and deep insight in the whole process. Hence, the five key processes that a general manager must perform are: (1) appointing a data protection officer, (2) implementing a privacy impact assessment, (3) financing privacy management policies, (4) enforcing technical security measures, and (5) continuing to finance evaluative reporting

Due to globalization, the scope of utilizing personal information is not limited to mere geographical borders. In other words, licensed personal information readily given up for convenience can now be accessed across the world. With the expanding scope of application, however, adverse effects are also mass-produced. Therefore, we need international regulations in order to solve this problem. Specifically, a blueprint is needed to create rules and guidelines regarding privacy protection when the data subject’s personal information is extended and accessible to the data controller and processor. In order to achieve this, the data controller should inform the data subject immediately and without falsification, and relevant measures should be enacted uniformly so that the personal information can be effectively protected.

Entering the Fourth Industrial Revolution, data (or information) has become the core of the digital world and economy. Hence, Singapore also recognizes data protection as a key issue. Although one must consider the corporations that profit from data collection, it is more important to understand that personal information exists beyond national borders and that the digital world transcends such boundaries. Therefore, Singapore’s countermeasures against data leakage can be explained on two levels: the international and domestic aspect. On the international level, cooperation beyond national boundaries is a paramount countermeasure to leakage incidents. Therefore, Singapore strives toward this international collaboration by participating in APEC’s Cross-Border Privacy Rules System through our Personal Data Protection Commission. On a legal level, as well, Singapore cooperates with foreign governmental bodies based on the 2012 Personal Data Protection Act. Not only do we share data and provide aid, but we also request for foreign aid as well. This is particularly useful should a criminal offence occur. On a domestic level, the PDPC has the right to investigate according to the 2012 Personal Data Protection Act Section 50. Moreover, Singapore has addressed cyberattack countermeasures through the newly enacted 2018 Cybersecurity Act. With the Cyber Security Agency of Singapore protecting important data infrastructure, this will further play a role in sharing cyber-security information between regulatory agencies during a cyberattack. Although not reporting a data leakage is not yet a criminal offense, the PDPC is currently undergoing discussion to implement a mandatory reporting system. The standard of such a mandate will depend on how harmful the data leak is to the client, or how large the damage. This is so that the PDPC can more effectively monitor the market for massive leakage accidents. Particularly after the 2018 scandal in Singapore—the largest information leak in the country’s history which affected 1.5 million citizens—the need for a more active response against cyberattacks has piqued. To summarize Singapore’s cybersecurity strategies: first, we should establish a responsive infrastructure; second, create a secure cyberspace; third, develop a thriving cybersecurity ecosystem through strengthening international partnerships.

As information becomes increasingly accessible, the risk of exposing one’s private information has given rise to the importance of data privacy. Recent topics related to data privacy can be summarized as follows. First, when identifying the individual, use as many data points as possible. Second, the trend set by the General Data Protection Regulation (GDPR) classifies the traditional definition of data into Personal Identifiable Information (PII). Third, not all information is equal, and recognition of varying degrees of the data’s ripple effect should determine its level of importance. Fourth, regulatory authorities are increasingly sharing technology codes in order to understand organizational behavior on privacy protection. In this context, the role of the regulator is extremely significant. The regulator role can be divided into three classes: the data subject(provides the fundamental personal information), the data controller(collects the data), and the data processor(receives and processes the information from the data controller). Therefore, the data controller, rather than allow the data subject to take benefits, simply takes the data subject’s consent and transfers the information and responsibility to the data processor. Within this process especially, one must be wary of preventing security issues. Moreover, it is necessary to discuss the changes as well as the pros and cons when blockchain technology is applied to the above-mentioned classes of regulators.

2018 was a meaningful year in which the PyeongChang Winter Olympics, the inter-Korean summit, and the Korea-U.S. summit were all held. In the field of data protection, 2018 was also the year the EU’s GDPR took effect. In a short period of time, the GDPR has had significant global influence. For example, Brazil enacted its first data protection legislation in August 2018, and India and the Philippines followed suit by drafting legislation in mid-2018. Korea also established a new law regarding the protection of intellectual property. Although much of the Korean press frightened domestic companies by raising concerns that the GDPR would be a burdensome penalty, this fear arose because of the emphasis on the sense of crisis rather than correct understanding of what the GDPR entailed. Therefore, in order to provide more information regarding the GDPR, KISA has conducted workshops for companies as well as published a GDPR guidebook. Delegates from Germany, Belgium, France, Hungary, Australia, and other nations also attended the workshops to discuss appropriate measures regarding the GDPR. In addition, KISA is working with corporations, government organizations, and various government departments to prepare for a successful implementation of the GDPR. In particular, video conferences and offline meetings are continuously held with the EU in order to discuss ways to maximize the decision making capabilities of the network legislation.

Can we claim the right to our personal data transference while playing online games? In the gaming industry, personal information is generally divided into regulation, account information, and game information. Regarding one’s account information, it is common for the game company to request the user’s email or SNS account. For game information, as well, users frequently purchase in-game items with money transferred from their bank accounts. This gives rise to several questions: how much are account information and game information controlled and transferred? To whom does the power reside in and to what extent? Such issues related to data portability bring forth other aspects of consideration: 1) restricting the recipient’s access of an individual’s personal information; 2) standardizing clear protocol about the data transference service or the overall system and public space; 3) the business entity that has acquired the right to move the data controls itself or set mandates. Likewise, further discussion on data portability policies in order to clarify the scope and authority of these areas is needed.

When viewing data portability with a focus on user protection, several concerns arise. If download my data is allowed to become a method for data transference, this will induce a series of privacy related issues. Moreover, it may lead to problems regarding exploitation of data or creation of data garbage dumps. Such massive quantities of leftover data can also impact search engines of portal services. For example, the data processing cost and time may increase sharply, or it may become more burdensome to classify search results. Given these difficulties, it would be advantageous to create a platform to manage data and data portability. In particular, enabling platforms to track data movement or allow users to compare different services will be beneficial to data portability as well.

Consumer data sovereignty is the consumer’s sole right as a data subject to control data, as well as generate, save, store, circulate, and utilize it. Portals and e-commerce corporations, such as Google and Amazon, are already setting up data transference platforms and awareness on automatic or manual data portability and management has been increasing. However, the dangers following data portability still exist, and four aspects must be considered. First, that data selection is increasingly limited by existing barriers and technologies in the market. Second, that it is difficult to identify how much data sovereignty is damaged. Third, that data control is decreasing (excessive replication of data, etc.). Fourth, that continual regression occurs due to consumer exclusion (consumers neglect privacy invasions, etc.). For these reasons, rather than rush into implementing the GDPR, structuring a stable ecosystem on data usage and portability, as well as developing the necessary technology, is needed.