Privacy laws mostly represent common sense and best practices
They help build trust in, and boost commerce for the data economy
PRIVACY laws are now commonplace in most developed (and in many developing) countries around the world. In the Asia Pacific region, there are comprehensive privacy laws in many countries, including Australia, Hong Kong, Japan, Korea, Malaysia, New Zealand, the Philippines, and Singapore.
Where privacy laws don’t yet exist, they are being developed (for example in Thailand) or requirements relating to personal data protection can be found in various other laws in the country (for example in China, Indonesia and Vietnam).
A lot has been written on the subject of privacy, there are frequent news reports concerning privacy issues, and there has been some criticism of privacy laws and claims that these laws are bad for business.
In this article, we shall look at why we have these laws and explain who the laws are good for. Spoiler: Privacy laws are not just good for individuals, they are good for the whole of society at large.
Protecting information on you
Privacy laws (often called data protection laws) concern the protection of information about individuals (commonly referred to as ‘personal data’). Personal data includes any information about an individual who can be identified from the data.
So, as long as an individual can be identified, the scope of data can be wide, including everything from your name, address, telephone number, email address and identification documents to your bank statements, telephone records, emails, text messages, employment records, appraisals, website browsing history … the list goes on.
Privacy laws regulate the collection, use, storage and sharing of personal data by organisations (and sometime by the state as well, depending on the country).
In short, these laws protect information about or relating to individuals.
Protecting your privacy
The most obvious reason why privacy laws exist (as the name suggests) is to protect individual privacy.
Your name, address, telephone number, bank statements, emails, employment records and all the other categories of personal data mentioned in the previous paragraph should be information that is protected.
Organisations should not be free to do as they wish with all of this information. That would be a violation of your privacy, and it would be difficult to trust organisations with personal data which don’t protect it.
The societal dimension
Privacy laws don’t just benefit individuals, they benefit society at large.
Privacy laws help organisations that handle personal data by providing a framework of requirements for the organisations to follow when processing personal data. Organisations that follow the framework will be better able to gain the trust of their customers and employees.
The laws are also key to benefiting fully from the new age of big data, e-commerce, e-payments, the Internet of Things, cloud, and whatever comes next.
Technological developments are providing a huge amount of economic growth and will continue to be one of the main drivers of economic growth in the coming years.
Data is a common feature of all of these developments. So, data is an asset of immeasurable value, but it is also an asset that brings risk, if it is not used properly.
Privacy laws provide a framework in which organisations and societies can benefit from these technological developments, but at the same time respecting the risks that they bring – for example, the misuse or theft of data, security breaches, hacking and surveillance risks.
Comparing privacy and finance laws
It’s helpful to compare privacy laws to finance laws. Finance laws place requirements on the organisations that collect and use finance, whether as deposits, loans, securities or other instruments. Privacy laws do the same for organisations that collect, use and disclose personal data.
Banking laws are intended to build trust in financial markets, to help commerce, the economy and society in general. Privacy laws are intended to do the same thing for the data economy.
Singapore is a good example of a country that brought privacy laws into force, not only in order to protect individuals and their privacy, but also to drive economic growth and to promote the city-state as a safe place to process data.
However, data, as an asset, is much more varied. Many more uses can be made of data, and its value is not easy to measure – indeed, its value can be more than just financial; it is personal and can make (or break) reputations.
Society hasn’t yet started to exploit its full potential. So, privacy laws are commonplace, they certainly aren’t going to disappear and, in fact, they will continue to develop, just as technology will continue to develop in the future.
Bad for business?
There has been some criticism of privacy laws and claims that these laws are bad for business.
Compliance programmes cost money but companies can’t expect to make money from an asset, like data, and not spend money to make sure their actions are compliant.
However, the key requirements in privacy laws, as mentioned above, are mostly in line with common sense, so a compliance programme should never be a bottomless pit. A business that does not follow these requirements, not only risks breaching the law, but also risks losing its reputation with its customers and employees.
Yes, there is a compliance cost, but this should be seen as part of the cost of doing business with data, and building and preserving a brand’s reputation.
Of course, there are differences between the laws of different countries. For multinational organisations, operating in many different countries, it can be a daunting challenge to ensure compliance with the privacy laws in all the countries where they operate.
However, the challenge can be (and has been) easily overcome by multinational organisations. There are more similarities than differences, and a good ongoing compliance programme should be able to manage this challenge.
The good news is that there are lots of similarities between the laws of different countries. As mentioned above, privacy laws are becoming commonplace and there are a certain number of common requirements in all privacy laws.
As a minimum, in order to comply with these laws, organisations should always (in all the countries where they operate) get consent from individuals when they want to use personal data, inform individuals what they are going to use the personal data for, keep the personal data secure (this requirement is critical), correct/ update personal data (including when asked to do so by individuals), delete the personal data when they no longer require it, and have policies and procedures in place for dealing with personal data (e.g. by appointing a data protection officer).
None of these requirements should come as a surprise. In fact, most of it is no more than common sense.
If an organisation respects its customers and employees, the organisation was most likely already complying with these requirements, even before privacy laws came into force.
In summary, privacy laws provide important protection for individuals but they mostly represent common sense and best practice.
Most importantly, they are a necessary framework to allow the ‘data economy’ to fully develop whilst helping to protect against its inherent risks.
Matthew Hunter is an international commercial lawyer at Olswang Asia LLP. His focus areas are cloud, data, e-commerce and e-payments, franchising, IoT, licensing, procurement, sourcing and technology. You can contact him at [email protected], @matthew1hunter or linkedin.com/in/matthew1hunter
Companies unprepared for data privacy risks
The world needs to unite on privacy and trust: EU official
Privacy isn’t dead, you’re just doing it wrong
Privacy concerns may limit mobile app adoption in Malaysia: GSMA
For more technology news and the latest updates, follow us on Twitter, LinkedIn or Like us on Facebook.