The emergence of personal data privacy issues can be traced back to the 1970s, when the increasing societal affluence that led to a rising awareness of individual rights.
The advent of powerful digital computers has also allowed the instantaneous access, consolidation and processing of personal data being used beyond their original purpose of data collection.
The rise of Internet in the 1990s gave birth to electronic commerce, which led to an explosion of cross-border collection and sharing of personal information. Inadequate security protection of data in cyberspace causes prolific identity theft of personal data for criminal use in particular of sensitive financial data, e.g. credit card and bank account information.
From identity threat to personal data use
Identity theft in the new millennium has been the fastest growing form of consumer fraud in North America. The US Federal Trade Commission, the watchdog for consumer affairs, in its 2010 identity fraud survey report, suggested that over 3% of its adult population, approximately 11 million, were victims of some form of identity theft with estimated fraud of US$54 billion.
On the international front, notable data breaches include personal data breaches of 77 million players of Sony PlayStation in 2011 including their name, email address, password and credit card details.
Apart from data hacking by criminals for illegal financial gain, there are increasing concerns of questionable personal data collection by business organizations and social media without adequate notification to and awareness of their customers and constituents. Notable examples include Apple and Google found in 2011 to be collecting excessive personal data for their smartphones and tablets' users for locating their users.
In Hong Kong, the infamous case of Octopus selling personal data of its 2.4 million customers from its loyalty program to third parties in 2010 has brought awareness to the community on the cavalier privacy invasion for monetary gain. Amidst all the complains from the community, a positive spin of the incidence is a significant amendment to the Personal Data (Privacy) Ordinance, which enhance data privacy protection in respect to the use of personal data in direct marketing.
Personal data -- currency of digital future
With the rising consumerization brought by the advance of cloud computing, big data, mobility and social media, the cyberspace is fraught with the intrusion of personal data. It is estimated that 70% of the information in the digital universe is created by individuals through phone calls, photos, banking transactions or postings on social networks. More of this data is being mined and analyzed, as well as regarded by many businesses as the "currency of the digital future". Meanwhile, consumers are expressing great concerns and ranking personal data privacy as their number one concern.
Many economies, including those in Asia, have enacted legislation to provide personal data protection. But the success comes in varying degrees. The obstacles are multi-folds, including legal provisions lagging behind the fast pace of technology development, difficulties in cross-border enforcement due to jurisdiction issues, and the increasingly debatable legal definitions of "personal data", "data access" and "data collection."
Business value for data protection
Given the economic value of personal data and the privacy concern among consumers, Hong Kong enterprises are strongly encouraged to place a priority in personal data protection, not only for legal compliance and damage control, but also to bring a competitive edge in enhancing business values and gaining new customers.
If one looks at the consequential damage of a significant data breach or improper data collection, analysts estimate a loss of US$1.5 billion for Sony with the personal data breach of 77 million players of PlayStation; Google in 2013 had to pay US$17 million to settle a dispute with 37 US States after it bypassed Safari browser privacy settings to place cookies to track consumers' behavior allegedly without their knowledge nor consent.
The high cost of data breach--including financial penalties, expenses in crisis management, damage control and notification to customers, as well as legal and administrative expenses in litigation--could amount to millions of dollars. In some cases, including the Octopus incident, the chief executive had to resign.
The intangible costs are also far reaching, including the damage in brand and commercial reputation and loss of client trust.
Personal data privacy as a business priority
It is therefore important for businesses to institute and implement a policy that respects the personal data privacy for their customers and employees. With senior management commitment, personal data protection should become a corporate priority throughout all levels of the organization.
A culture to protect personal data should be built and sustained, through education, technology, processes and procedures.
In making data privacy a business imperative, an enterprise could gain a competitive edge by enhancing trust and customer confidence, keeping existing customers and attracting new ones, while minimizing the risks of a data breach.
It is particularly encouraging that the Office of the Privacy Commissioner for Personal Data is promoting the adoption of Privacy Management Programs (PMP) within organizations as a strategic framework.
According to Privacy Commissioner Allan Chiang, "organizations, as responsible corporate citizens, should adopt a paradigm shift from compliance to accountability. To this end, top management's commitment is required to build and maintain PMP, which ensures that privacy is built by design into all initiatives, programs or services, and data protection is practiced throughout the organization. This proactive approach should lead to a win-win-win outcome for the organizations and their staff as well as customers"
Stephen Lau is the former HK Privacy Commissioner for Personal Data, and a past President of the HK Computer Society. Currently he is Adviser to HP Enterprise Services, and Vice President (Executive) of the HK Computer Society.