The accelerating speed of technological advances is now an unquestioned reality. It is fundamentally transforming every aspect of our personal and business lives, every industry, and every country across the globe. However, it is also fundamentally transforming the notion of privacy: what it means to affected stakeholders (individuals, regulators, organizations) and how each party can remain accountable in a world that technology has turned on its head.
One of the most pressing privacy issues related to digital devices today is the increasing ubiquity of bring your own device (BYOD) policies. According to Gartner, by 2018 up to 70% of mobile professionals will be using their smartphone to conduct work. As enticing as BYOD is for an increasing number of organizations, it is apparent that there are two sides to the BYOD coin: heads represents increased efficiencies; tails results in increased risk. And the risks are substantial. In 2014, we expect to see organizations continue to deal with a number of privacy challenges related to BYOD. Organizations need to maintain ownership of their information. With BYOD, this information is stored on devices that now sit outside the organization’s immediate control. To keep an eye on their data, organizations tend to install monitoring tools on employee smartphones. However, when implementing these tools, organizations need to be very careful that they are only monitoring the company’s data and not collecting personal information about their employees and others such as friends and family who may use the device.
Organizations can collect personal information only for a stated reason, and can use it only for that purpose. Among other things, that means a company that supplies a service can't sell its list of subscribers to another company's marketing department. Individuals must be informed, and give their consent, before personal information is collected, used or disclosed. But most firms are unaware of the new law and very few are prepared to comply. Any organization that already sends commercial electronic messages presumably complies with the privacy law, which requires organizations to obtain user consent, allow users to withdraw their consent, and provide the necessary contact information to do so. Compliance with the new anti-spam law involves much the same obligations. While there are certainly some additional technical requirements and complications (along with tough penalties for failure to comply), the basics of the law involve consent, withdrawal of consent (i.e., unsubscribe), and accessible contact information.
While privacy does create some new obligations, what is not new are the claims that businesses are unaware of and unprepared to address their privacy law obligations. T accessing; downloading/copying/extraction of data or extracts any data; introduction of computer contaminant or computer virus; causing damage either to the computer resource or data residing on it; disruption; denial of access; facilitating access by an unauthorized person; charging the services availed of by a person to the account of another person; destruction or diminishing of value of information; stealing, concealing, destroying or altering source code with an intention.
In 2014, as organizations begin to think about the endless possibilities associated with the “internet of things” — nanotechnology, product sensors, sensor-driven analytics and sophisticated tracking capabilities — they also need to think about the privacy risks. There is a strong possibility, for example, that when an organization embeds a tracking mechanism into a product or service, it has not first sought the permission, either implicit or explicit, of the consumers being tracked. And when consumers find out, chances are they’re going to be irate. These kinds of privacy gaffes erode the very trust many organizations are attempting to cultivate to create the ultimate customer experience.
There is no question that the internet of things holds huge promise for an organization to vastly improve its strategic trajectories and business models, generate efficiencies and lower costs. However, this promise needs to be balanced against the privacy that consumers innately expect, and the privacy that they will demand alongside their customized customer experience. In 2013, participants at the 35th International Conference of Data Protection and Privacy Commissioners continued their progress by adopting eight new declarations and resolutions that delved deeper into the issues raised the year before. Four resolutions focused on technology challenges (appification, profiling, digital education and webtracking), two addressed better coordination among jurisdictions (enforcement coordination and international law), and one urged greater transparency on what data organizations are collecting and why (openness).
At a more granular level, many government bodies at federal and state levels are continuing to update their breach notification laws. Unfortunately, the massive intelligence leak by former US intelligence contractor Edward Snowden has cast a pall on the goals of cooperation. In fact, the Snowden affair has so eroded trust among nations that the European Union is considering a motion to suspend the US–EU Safe Harbor Framework. Once a respected guideline for US organizations to provide satisfactory protection for personal data of EU residents as required by the European Union’s Directive on Data Protection, the Framework now lies in limbo. This leaves Binding Corporate Rules (BCR) as one of the few frameworks available for global organizations to adhere to when seeking to transfer data of EU residents across borders.
In 2013, a number of jurisdictions around the world improved or expanded their privacy regulations. We expect similar progress to occur around the world in 2014. With the emerging global digital economy and the increasing popularity of cloud computing services, legislation that reinforces trust in the market will be a key driver for business growth. Developments by jurisdiction are as follows:
Brazil: Brazil seeks to mandate that global internet providers store data gathered from Brazilian users within Brazil.
Canada: Bill C-475, working its way through Parliament, would unify and strengthen the country’s approach to breach notification.
US: Although US lawmakers continue to push for a federal data breach notification law, Congress continues to debate whether federal law should supersede state laws.
Australia: In late 2012, the Australian Parliament passed the Enhancing Privacy Protection Act. The Act is set to take effect in 2014.
China: In late 2012, China’s standing committee of the National People’s Congress approved a directive that strengthened online personal data protection. That directive came into force in February 2013.
Singapore: Singapore’s Personal Data Protection Act 2013 came into force in 2013.
EU: Under a policy implemented in August 2013, European communication services providers are now required to notify not only affected individuals but also their respective national authority within 24 hours of detection.
EU: Crafted in 2012 and expected to pass in 2014, the EU General Data Protection Regulation is designed to simplify and strengthen the European Union’s data protection framework. Instead of adhering to requirements from 27 individual data protection authorities, organizations will only have to address one set of data protection rules.
One solution, which is becoming more feasible as smartphones become more powerful, is the partitioning of the devices. This would allow employees to essentially operate two different desktops, one for work and one for personal use. The other option is the use of a guest network that is separate from the main network. Organizations could create a “sandbox” where company data would reside, separated from any association with personal data, applications or online services.
Organizations need to be vigilant when collecting data from social media. Consumers are voluntarily providing intimate details about themselves. Organizations need to respect their privacy, even when the consumers themselves don’t, by anonymizing the data before using and sharing it. Anonymous data can still provide deep insights into trends and opportunities, but with a much smaller privacy impact.