arrow_back Capital Edition

Share on Twitter
Share on Linkedin
Share on Facebook
Print
Subscribe
Edition 5 - Cyber security

Living life on your phone? Change is coming

Story by
Ted Bowler
February 2020
Subscribe
Download Full Publication
file_download Download (9121KB)

It’s a reasonable assumption that most personal smartphones contain photos, screenshots and text messages that their owners wouldn’t willingly publicise or share. The power of data to make or break a person – and a corporation – is a factor of the digital age governments are aggressively factoring into their legislation.

Just 12 years since the launch of the iPhone, billions of people across the world now carry the internet, quite literally, in the palm of their hand.

Their digital interactions have created a vast footprint of data which businesses have scrambled to monetise in the quest for consumer insights, product personalisation and tailored marketing outreach. Over the coming decades, as the Internet of Things permeates every aspect of our lives and autonomous vehicles transform the way we move, this torrent will turn into a deluge, with the size of the global datasphere predicted to more than triple2 over the next five years.

As technology providers collect and process an ever-increasing trove of information reflecting who we are and how we live our lives, growing concern around how that data is used – heightened dramatically by the Cambridge Analytica scandal of early 2018 – has driven governments across the globe to re-evaluate their privacy regimes.

Governments have generally accepted the premise that the balance of power has shifted too far away from consumers to the collectors of data, and across jurisdictions a number of common features are recognisable in those comprehensive reform packages introduced over the past five years. They include greatly increased requirements for notification and consent, the consumer’s right to opt-out, the right of an individual to access their own personal data and the right to be forgotten.

Companies are required to limit data collection and processing to those uses for which they have a legal basis. Users of websites belonging to GDPR-compliant businesses are likely to have noticed significantly elongated and more detailed consent pages introduced in the wake of the regulation.

The final element of the reforms were vastly increased penalties for non-compliance – up to 4% of global revenues or €20 million,6 whichever is higher. Prominent global businesses have already been issued fines7 running into the hundreds of millions of euros.

By taking a look at the rapid pace of change in both technology and regulation, in a relatively short period of time and on a global scale, it’s clear that this is merely the beginning of a new world order in life and work online.

Europe: The General Data Protection Regulation

With Europe’s previous privacy regime dating back to 1995, and implementation varying between each member state, the European Commission embarked upon the process of data protection reform back in 2012, seeking to make regulation in the space 'fit for the digital age'3.

The principal outcome of the reform was the General Data Protection Regulation (GDPR), which entered force on 25 May 2018, following years of consultation and negotiation between member states. Described as a 'loaded gun' in the hands of regulators by Vera Jourova, European Justice Commissioner4, the new regulation marked a turning point in the evolution of a right to privacy in the online era.

However, for many, the advent of GDPR will primarily be remembered for the flood of emails announcing updated privacy policies that overwhelmed inboxes across the world on the eve of its introduction.

That this flood of communication was also experienced by users outside of the European Union underscores how influential GDPR has been. In an online world, only partially delineated by national borders, many companies adopted GDPR compliance as the standard for their global operations5, and the EU model has been used as a benchmark for subsequent reform in other jurisdictions.

Described as a ‘loaded gun’ in the hands of regulators by Vera Jourova, European Justice Commissioner1, the GDPR marked a turning point in the evolution of a right to privacy in the online era.”

Companies are required to limit data collection and processing to those uses for which they have a legal basis. Users of websites belonging to GDPR-compliant businesses are likely to have noticed significantly elongated and more detailed consent pages introduced in the wake of the regulation.

The final element of the reforms were vastly increased penalties for non-compliance – up to 4% of global revenues or €20 million,6 whichever is higher. Prominent global businesses have already been issued fines7 running into the hundreds of millions of euros.

Did you know?

66% of businesses attacked by hackers aren't confident they can recover.

Source: Fortune

 
Capital -Edition Image Alt

The United States: The California Consumer Privacy Act

Following the withdrawal of a ballot initiative8 that would have yielded much stricter protections, the California Consumer Privacy Act (CCPA) was passed by the state legislature in 2018, coming into force on 1 January 2020.

As with the GDPR, the CCPA was a dramatic step forward for consumer privacy not only within its own territory, but in adjacent jurisdictions, with many companies extending measures taken to comply with the CCPA across all their US operations.9

CCPA does not grant consumers the right to correct erroneous data, object to or restrict processing, nor prevent automated decision-making. It also does not insist that firms have a 'legal basis' for collecting and using personal data or restrict the processing of held data in other countries, whereas GDPR places strict requirements around the conditions under which the data of EU nationals can be stored or processed offshore.

California was the first US state to institute such sweeping reform to privacy laws, and a number of others are now following suit. This has led to calls for overarching Federal legislation10 to minimise the cost of compliance to US businesses, although a number of companies, including Microsoft and Apple, are instituting CCPA compliance across the country.11

The 'eight rights' – key elements of the GDPR
Fundamental to the consumer protection elements of the GDPR, are eight rights, many of which had not been formally established under previous regimes:
  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to be forgotten
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. The right to request that significant data-based decisions that affect the consumer be made by a person, rather than automated.

Did you know?

Hackers steal 75 records every second. 

Source: Breach Level Index
Capital -Edition Image Alt

Other initiatives to consider

A number of other jurisdictions are undertaking reform in the area of privacy and data protection.

Following the report of the recent Digital Platforms Inquiry, the Australian Government has committed to a review of the country’s Privacy Act,12 intended to strengthen requirements around notification and consent, increase penalties for breaches, and allow a right of direct action for consumers whose privacy has been breached.

Brazil’s own version of the GDPR also comes into effect in 2020. The legislation largely mirrors its EU counterpart,13 with further exemptions carved out for credit assessment and a somewhat less punitive schedule of penalties.

India also has a new Personal Data Protection Bill before Parliament, which is notable for mandating storage of information on local severs and raising concerns about the considerable latitude given to government agencies14 under the pretext of national security and public order.

As with the GDPR, the CCPA was a dramatic step forward for consumer privacy not only within its own territory, but in adjacent jurisdictions, with many companies extending measures taken to comply with the CCPA across all their US operations.”

Ongoing complications

Despite the progress made over recent years to empower consumers in relation to the use of their personal information, it is likely that these reforms will be an ongoing process. Not every aspect of these measures has been straightforward to implement; data portability, in particular, is a work in progress for many jurisdictions.

In addition, despite the additional requirements around notification and consent, it is difficult to imagine that, given the volume and complexity of such information served at consumers on a daily basis, consent is truly informed and freely given. It is more likely that very few of us are reading each of these statements in detail, and that the average data subject is not significantly more informed about the ways in which their personal information is being used than was the case before these reforms were implemented.

Solutions to these issues may be more likely to come from the private sector than for government, and many tech companies are already staking out positions on privacy as part of their USP.15 Under this paradigm, users place their trust in a brand to protect their right to privacy rather than understanding every detail as to how their data is used.

Regardless of whether the answer lies in regulation or in reputation, the 'wild west' era of unfettered use of online data is well and truly over, and as our lives become ever-increasingly connected it will be essential that consumers can be more confident of their rights in this space and the measures being taken to uphold them. People in their various capacities – as private citizens, company directors, business owners – and the like – will not escape the far-reaching net of change.  

 Exploring the GDPR's impact
Using a cross-section of consumers and organisations across 11 countries inside and outside the EU, Deloitte conducted a survey to gain insights into attitudes towards privacy six months on from the GDPR being enforced. Some observations included:
  • Privacy is a global concern: Results indicate attitudes align with the GDPR’s position that privacy is a cross-border issue.
  • Trust is key: Individuals will share data more openly with organisations they trust. They are also less likely to leave, challenge or exercise their rights against an organisation they trust in the event of a breach.
  • Talent matters: Many organisations have recruited or trained people to increase their capabilities in managing privacy compliance, with challenges in headcount and capacity contributing to a shortage.
Source: A New Era for Privacy, Deloitte, 2018

1 Gordon S. & Ram A. (2018), Information wars: How Europe became the world’s data police, Financial Times, 20 May 2018
https://www.forbes.com/sites/tomcoughlin/2018/11/27/175-zettabytes-by-2025/#3bd8e39b5459
European Commission (2019), General Data Protection Regulation: one year on, Media Release, 22 May 2019
Gordon S. & Ram A. (2018), Information wars: How Europe became the world’s data police, Financial Times, 20 May 2018
https://www.wsj.com/articles/techs-pickup-of-new-data-privacy-rules-reflects-eus-growing-influence-1525685400
https://www.wsj.com/articles/5-questions-about-what-to-expect-when-gdpr-takes-effect-1527154200
https://www.bbc.com/news/business-48905907
https://www.washingtonpost.com/technology/2019/09/25/privacy-activist-california-launches-new-ballot-initiative-election/
9 https://www.nytimes.com/2020/01/15/technology/data-privacy-law-access.html
10 https://www.nytimes.com/2019/10/14/opinion/state-privacy-laws.html?auth=login-google
11 California gets tough on data privacy breaches. The Australian, December 2019
12 https://www.smh.com.au/technology/government-to-evaluate-right-to-be-forgotten-but-privacy-reforms-still-years-away-20191212-p53je0.html
13 https://gdpr.eu/gdpr-vs-lgpd/
14 https://asia.nikkei.com/Business/Business-trends/India-s-tech-industry-up-in-arms-over-proposed-data-privacy-law
15 Yahoo Finance, Apple card privacy security. August 2019

Important Notes

While every care has been taken in the preparation of these articles, AMP Capital Investors Limited (ABN 59 001 777 591, AFSL 232497) makes no representation or warranty as to the accuracy or completeness of any statement in them including, without limitation, any forecasts. Past performance is not a reliable indicator of future performance. Performance goals are merely goals. There is no guarantee that the strategy will achieve that level of performance. The information in this document contains statements that are the author’s beliefs and/or opinions. Any beliefs and/or opinions shared are as at the date shown and are subject to change without notice. These articles have been prepared for the purpose of providing general information, without taking account of any particular investor’s objectives, financial situation or needs. They should not be construed as investment advice or investment recommendations. An investor should, before making any investment decisions, consider the appropriateness of the information in this document, and seek professional advice, having regard to the investor’s objectives, financial situation and needs. This document is solely for the use of the party to whom it is provided and must not be provided to any other person or entity without the express written consent of AMP Capital.

Click for previous article
Investech strategies
Why a global fund manager hired a gamer
Dr Alistair Rew
Click for next article
Ideas
Fast forward to the future of data storage
AMP Capital

Cookies & Tracking on our website.  We use basic cookies to help remember selections you make on the website and to make the site work. We also use non-essential cookies, website tracking as well as analytics - so we can amongst other things, show which of our products and services may be relevant for you, and tailor marketing (if you have agreed to this). More details about our use of cookies and website analytics can be found here
You can turn off cookie collection and/or website tracking by updating your cookies & tracking preferences in your browser settings.