Dear, privacy pros.
Time flies, and we are now on the cusp of a new year and, indeed, a new decade.
As I look back at the crystal ball–gazing exercise we did at the end of 2018, I realize there were really no big surprises in terms of the privacy developments that hogged the limelight this year.
Cyberattacks continue to grow in sophistication, and we are seeing an increasing number of advanced hacks that appear to be politically motivated or state sponsored. At the same time, companies continue to suffer data security breaches due to the simplest of human errors, which could have been easily avoided if appropriate data management and cybersecurity practices had been adopted. A few recent examples include the TransUnion data breach incident and the data leaks associated with the WebSAMS application in Hong Kong.
Similarly, the Singapore Personal Data Protection Commission recently penalized an IT vendor of the Ministry of Education after the personal data of almost 48,000 students, staff and parents of various schools in Singapore was exposed due to an inadvertent error. To troubleshoot an issue with the attendance-taking system of a school, the IT vendor modified the configuration of the school’s firewall and disabled the password for the site but neglected to restore the original parameters after troubleshooting was completed. This loophole was exploited by a local hacker who managed to gain access to and exfiltrate large amounts of personal data from the system.
In terms of the anticipated increased regulatory scrutiny of big tech companies, one needs to look no further than the recent articles on Google’s controversial “Project Nightingale.” Following an expose by The Wall Street Journal, which suggested Google is processing personal health information of millions of Americans as part of its partnership with health care group Ascension, a number of U.S. lawmakers have queried Google and its parent company Alphabet on its data-collection practices. The Office for Civil Rights in the Department of Health and Human Services has also opened an federal inquiry to determine if there has been any violation of the Health Insurance Portability and Accountability Act.
Battles continue to be waged over the conduits through which data is transported. As an extension to this trend, we are also seeing an increasing number of companies deploy technology or solutions that attempt to give individual users more control over how their personal data is used and monetized, often utilizing blockchain-based or distributed ledger technology.
And, finally, in terms of continuing education for privacy professionals, I would simply point to the Singapore PDPC’s excellent DPO Competency Framework and Training Roadmap, which was recently announced in July.
I would certainly expect these trends to continue in 2020. In addition, based on a quick scan of the topics that feature frequently on the dashboard this year, I would expect there to be more issues arising from the large-scale deployment of facial-recognition and artificial intelligence technologies. One recent example is the implementation of a payment system that allows commuters on Chinese city Zhengzhou’s subway to board and exit through a quick face scan. Singapore has an even more ambitious plan to allow citizens to pass through immigration at Changi Airport without so much as taking out their passports, using iris and facial-recognition technologies to screen and verify their identities instead. Likewise, Australia is considering using biometrics as a mechanism for age verification for certain online services, such as gambling and explicit content.
What other privacy developments do you think will dominate in 2020? I would love to hear your thoughts in the comments below.
While we wait to count down to the new year, I wish you and your family a wonderful holiday season.