The 4th Industrial Revolution bestowed unprecedented and enormous value on personal identity. Never before in recorded human history has information that directly or potentially identifies a human being been the cause of the rise and fall of business players. Tech giants such as Apple, Amazon, Google, Facebook, and Microsoft continue to dominate the digital market because of strategic mining of personal data, which has been deemed the new oil. Conversely, the downfall of Yahoo, an internet titan once valued at more than US$100 Billion, was the inevitable conclusion of a series of data breaches which ultimately affected all of its 3 Billion users.
Digital disruption gave birth to the relatively novel concept of data privacy. Consumers now capitalize on their digital identities, online profiles and user accounts in demanding personalized products and services. Businesses are compelled to compete on the basis of the ability to provide instantaneous, user-friendly, easily accessible, or on-demand goods and services. The value of personal information in the digital age has been confirmed by the proliferation of numerous forms of cyberattacks - almost all with the intent of illegally obtaining and profiting from personal data. In fact, recent studies show that the possible costs to the global economy resulting from cybercrime are US$375 to US$575 Billion per year.
Governments from numerous jurisdictions, and in varying degrees, have stepped up their regulatory and enforcement efforts to prevent illegal use of the personal data of their citizens and/or in their respective territories. Public interest in the use of personal data and in protecting the right to privacy is apparent in the rise of newly enacted omnibus legislation on data protection and privacy, such as data privacy legislation in the Philippines and China, or the strengthening of existing ones like the EU General Data Protection Regulation, which supersedes Directive 95/46/EC.
The vital significance of data privacy in the digital age has also caught the attention of the United Nations which, through its Human Rights Council, adopted in 2016 a Special Rapporteur on the right to privacy. One of the mandates of the UN-appointed expert is “[t]o raise awareness concerning the importance of promoting and protecting the right to privacy, including with a view to particular challenges arising in the digital age, as well as concerning the importance of providing individuals whose right to privacy has been violated with access to effective remedy, consistent with international human rights obligations.”
Recent developments in the area of data privacy and protection, particularly high-profile incidents of cybercrime and data breaches, reveal the following effective methods in data protection:
1. Demonstrate compliance with law and best practices in protecting personal data. Data protection should not be a confidential affair within the business. Management should not be bashful in flaunting to its business’ target market that the company is not just compliant with law, but also adheres to best practices in keeping its customers’ trust with respect to data privacy. A business should therefore consider the costs and benefits in securing relevant and credible information security or data privacy certifications such as those provided by the International Organization for Standardization (ISO), the International Association of Privacy Professionals (IAPP), among many others. It may also opt to voluntarily register with its jurisdiction’s data privacy regulator, if such registration system is available, to show commitment and ability to comply with Philippine data privacy legislation.
2. Adopt a privacy-by-design approach. Adherence to the general principles of lawful data processing and developing risk management protocols should be one of the paramount considerations of businesses. These protocols should be considered from the start of the business operations, and not only as an afterthought resulting from a security incident or a data breach. Businesses should therefore be proactive, rather than reactive, in implementing security measures to protect personal information. The UK Information Commissioner’s Office encourages organizations to “integrat[e] core privacy considerations into its project management and risk management policies.” For instance, a privacy impact assessment (PIA) should be conducted at the earliest stages of a project involving personal data such as when building new information technology infrastructure for data processing, engaging a new personal information processor, or venturing into a data sharing initiative. PIAs are believed to be an effective tool in identifying and minimizing data privacy risks to individuals and in reducing the possibility of potential liability for data privacy violations and loss of valuable consumer goodwill.
3. Engage the customers in all stages of the process. A key to earning and keeping customer trust is transparency. In matters involving personal information entrusted by consumers to businesses in exchange for goods or services, this means user-friendly, brief, and concise consent language and privacy notices, as well as the availability and effectiveness of methods in exercising consumers’ rights as data subjects. In case of unavoidable data breaches, data controllers should also be able to provide regulators and affected consumers with prompt, clear, and candid communications in managing the risks attendant to the breach.
Despite the common and increased efforts of public regulators to promote and protect rights to data protection and privacy, the speed of advancement of technology, including data processing techniques and practices, means that relatively static data protection laws will always have to play catch-up with the dynamic, rapid, and significant technological evolution. Bare compliance with data protection laws may therefore be insufficient for businesses in deterring malicious intrusions in data systems and cyberattacks which grow more ubiquitous and sophisticated each day. Businesses which comply with applicable data privacy legislation may keep their existing customers’ trust and survive the digital age. However, companies which recognize that legal compliance is the bare minimum, and complement their compliance efforts with best practices, attract new customers while retaining existing patrons.
The 4th Industrial Revolution installed several intangibles, such as the right to privacy, on the pedestal of collective consciousness, and changed altogether the landscape of capitalism and individual freedoms. The key to earning a competitive advantage is diligence in protecting personal data. Businesses should therefore understand that in order to survive and thrive in this unprecedented era, consumer trust is an indispensable currency.
About the Authors
Partner, Quisumbing Torres
Divina Ilas-Panganiban is a partner in Quisumbing Torres’ Intellectual Property Practice Group and Information, Technology & Communications Group. She has 17 years of experience in the fields of intellectual property law, commercial law and litigation. She has been cited as a Leading Individual in Technology, Media, and Telecommunications and Intellectual Property by the Legal 500 Asia Pacific for 2016 to 2018. She currently serves as the Vice-President and Director of the Philippine Chapter of Licensing Executives Society International and the Chairperson of the Committee on Intellectual Property Rights, The American Chamber of Commerce of the Philippines.
Associate, Quisumbing Torres
Neonette Pascual, CIPP/E is a senior associate in Quisumbing Torres’ Intellectual Property Practice Group and Information, Technology & Communications Group. She has 12 years of experience handling matters involving contracts, incorporation, compliance, litigation, and corporate housekeeping. She also has nine years of experience in handling matters on data privacy legislation of multiple jurisdictions, including the EU, US, Canada, and Southeast Asian countries.