Data protection and privacy, not to be ignored
IT MATTERS … because data manipulation can lead to unethical corporate practices
Though often neglected in mainstream discussions, the thorny issues of data protection and privacy must not be ignored. Put simply, we must create the conditions for fair play in business – without proper rules enforced, exploitation of big data could lead to widespread corruption and corporate manipulation. As more responsible investors pay attention to better data protection, the increasing pressure on corporations and governments in this area could help foster a safer and fairer world for everyone.
Case in point is Asia, which in the last two years has seen turning points in data protection and privacy regulations. Asia’s regulations in this area have traditionally been less comprehensive than the European Union’s Personal Data Protection Act, and have struggled to keep up with the sheer growth of online business. But this appears to be changing.
Take China. In 2016, China recorded 701.3 million internet users, 40 million short of the entire population of Europe. By 2021, the number of China’s internet users is projected to grow to 951 million.
In November 2016, the PRC Cybersecurity Law was introduced, coming in to force on 1 June 2017. The new law intends to combat online fraud and protect China against internet security risks by imposing new security and data protection obligations on “network operators”. In addition, the new law restricts transfers of data outside China and introduces new restrictions on critical network and cybersecurity products.
Despite concern that this new law may stifle competition among businesses, both for Chinese and multinational companies, it seems to be part of a bigger trend with other regulators in the region stepping up their efforts.
Hong Kong, which has a longer history of data privacy regulation compared to Mainland China, has stepped up enforcement after a number of data breaches. Although Hong Kong’s data protection laws are among the most sophisticated in Asia, the breaches suggest that the 20-year-old regime may need some updating. Penalties for data breaches and loss of data are likely to be increased substantially under a reformed data protection framework.
Companies that fall afoul of data protection rules in Hong Kong can expect to be fined as much as HK$1 million (US$130,000) and face imprisonment for five years.
Singapore’s Personal Data Protection Act (PDPA) requires organizations to notify individuals of the purposes of collecting, using and disclosing their personal data. On 11 September 2014, the Personal Data Protection Commission issued a set of guidelines on how organizations can comply with notification obligations.
Meanwhile, Japan amended its Personal Information Protection Act in 2015 by introducing the concept of “sensitive personal data” which added data export controls and, most importantly, made provision for the appointment of a dedicated regulator.
Neighboring South Korea also added punitive damages to its already strict data privacy laws. The country has enacted stricter penalties for violations of data protection or privacy requirements by telecommunications and online service providers, including potentially steep damages in the wake of a data breach.
The amendment to South Korea’s Act on the Promotion of IT Network Use and Information Protection became law on 22 March 2016 and took effect in September.
But despite all these amendments, will governments in Asia need to do more to strengthen data protection and privacy? Given the growing number of internet users and online businesses tied to the collection of personal data, investors may want to think closely about the data management practices of companies. And the impact of potential regulatory changes that may be just round the corner.