10th APB Forum, 2021
Responsible Use and Effective Protection of Data during
● The UK experience of data protection during the COVID-19 pandemic
Steve Wood (UK)
Information Commissioner's Office
Deputy Commissioner - Policy
Chair of the WPDGP
● The Importance of 'Smooth' Data Usage and the Protection of Privacy in the Age of AI, the IoT and Autonomous Robots
Fumio Shimpo (Japan)
The emerging technologies of AI and autonomous robots are forcing us to consider not only improvements in the development of their industrial use but also further urgent research into the ethical and legal issues. In the future, autonomous robots equipped with AI will become more widespread in our society and such robot acquisition of data may lead to data confidentiality issues which we are not able to solve just by focusing solely on AI-data acquisition issues. This presentation focuses on the possibilities of privacy violation and the issues which should be considered related to handling personal data and focuses on an introduction to the Japanese Personal Information Protection Act, the mutual adequacy findings between Japan and the EU, the Data Free-Flow with Trust (DFFT) initiative and future legal discussions about the increasing use of AI. Finally, I will point out the need to both clarify and streamline any related future regulations.
● Using Image Processing as Security Feature in Information Retrieval
Mohd Afizi bin Mohd Shukran (Malaysia)
Universiti Pertahanan Nasional Malaysia
Until recently, IR was an area of interest restricted mainly to librarians and information experts. A single fact changed these perceptions—the introduction of the Web, which has become the largest repository of knowledge in human history. Due to its enormous size, finding useful information on the Web usually requires running a search. And searching on the Web is all about IR and its technologies. Thus, almost overnight, IR has gained a place with other technologies at the center of the stage.
● Contact tracing apps for self-quarantine in South Korea: Rethinking datafication and dataveillance in the COVID-19 age
Claire Seungeun Lee (USA)
Professor, School of Criminology & Justice Studies, University of Massachusetts Lowell
This study examines contact tracing mobile applications (hereafter, contact tracing apps) for those who were subject to self-quarantine through the lenses of dataveillance and datafication. Using an Internet ethnography approach, self-quarantined Korean individuals’ blog entries were analyzed. The research argues that the application functions as a datafication tool that collects the self-quarantined people’s information and performs dataveillance on the self-quarantined people. This research further offers insights into various agreements/disagreements among different actors (i.e. the self-quarantined, their families, contact tracers/government officials) in the process of contact tracing for COVID-19. This study also provides insights into the implications of information and technology as they affect datafication and dataveillance conducted on the public.
● Data Privacy in the Philippines & COVID-19 response
Atty. Ivin Ronald D.M. Alzona (Philippines)
National Privacy Commission
The National Privacy Commission (NPC) has been an active participant in the COVID-19 response of the Philippines as the data privacy authority of the country. The Commission believes that the fundamental right to privacy must always be upheld amid the pandemic, and data protection must not be sacrificed. The discussion will present the initiatives of the Commission, such as but not limited to NPC Public Health Bulletins, FAQs, policies, in ensuring data privacy and protection during COVID-19 response.
● Accountable and Trusted Transborder Data Flows by Building Convergence
Zee Kin Yeong (Singapore)
Data Innovation and Protection Group of the Infocomm Media Development Authority of Singapore/Personal Data Protection Commission
Singapore released a Model AI Governance Framework, a companion Implementation and Self-Assessment Guide for Organisations, and two volumes of Compendium of Use Cases to help industry implement trustworthy AI systems. As a logical next step, PDPC Singapore is developing a Minimum Viable Product (MVP) for AI governance testing. This MVP is a practical way forward to operationalise AI ethics principles, and it allows companies to be more transparent about their AI systems in order to build trust with their stakeholders.
● Introduction of Korea Internet & Security Agency (KISA)'s Global Personal Data Protection Regulatory Support Service
Jiyun Kim (Korea)
Deputy General Researcher, Korea Internet & Security Agency
Introduces KISA's Global Personal Data Regulatory Support Services, which provide beneficial information and analyses concerning global personal data protection-related issues, laws, and systems to help Korean companies enter overseas markets.
● Promoting comparability in personal data breach notification reporting
Policy Analyst, Science, Technology and Innovation Directorate at the OECD
● Does a Data Breach Harm Industry Peers? Evidence From the U.S. Retail Industry
Jaeyoung Park (Korea)
Graduate School of Information, Yonsei University
This study demonstrates that a data breach that occurs due to an industry-wide problem is likely to decrease the shareholder value of industry peers. Additionally, it has been shown that the data breach risk contagion effect is stronger for industry peers that have visibly disclosed data breach risk in their 10-K report before the data breach.
What is the most important personal information involved in AI robot and facial recognition technologies, and what kind of efforts can individuals make to protect themselves from leaks?
In the development of many technologies, I think collecting and processing multi-modal information such as biometric data that makes a template will be the critical issue. For example, when we use facial recognition technology, information is captured and used as a template to identify the features of a person’s face. This information can be searched on a database stored with the template information and can be used to instantly identify individuals. Consequently, companies are required to recognize their responsibility when handling and take maximum efforts to prevent data leakage and unauthorized use. However, I think it is difficult to completely prevent security breach incidents. When they occur, it would be necessary to take appropriate measures to prevent other infringements of the rights of individuals by conducting security breach notifications. Also in the future, AI will not only be used by businesses but also in various situations in our daily lives. Accordingly, we will not be able to recognize that such information is being processed by AI, which is called information asymmetry. So, issues of personal information protection will become more important in an AI society, where we need to think about how we can protect the rights of individuals.
Mohd Afizi bin Mohd Shukran (Malaysia)
I think one aspect that we need to consider is the privacy laws for the specific data itself. For example, healthcare or any personal information is very sensitive when included in a dataset. Like Professor Fumio mentioned, one of the problems is that what we collect from facial recognition or AI robots is data exploitation. Most data is exploited by companies, and we need to have specific laws to govern these mishaps or misuse that we collect from users and to protect sensitive material, especially healthcare information. In Malaysia, during the COVID-19 pandemic, a lot of healthcare data was collected from organizations like pharmacies and the Ministry of Health. So this kind must be protected at all times. There should be laws or policies to effectively govern and protect users from being exploited by these companies.
Can you discuss data protection in the context of COVID-19?
Was there an increase in vulnerable data during the pandemic?
An individual’s COVID-19-related data is confidential because it includes not only personal but also health data. Whether the person has been in contact with COVID-19 and where they are traveling from are very sensitive, and even more so in the context of South Korea where there has been a stigma and negative sentiment toward people who traveled outside of South Korea. The data is often politicized and can be used against self-quarantined people. Consequently, it must be treated with caution.
COVID-19 forced the sudden shift to online platforms. Along with the digitalization and acceleration of the use of Internet and ICT technologies, the processing of personal information has become more prevalent. Classes are conducted virtually, and telecommuting has become the preferred work arrangement for many. Sharing of health information was done online through telemedicine and teleconsultation. As a result, the increasing vulnerability of personal data became evident not only within the health industry but also in others. Subjects have become more at risk of harm such as identity theft, surveillance, exposure, distortion, and intrusion. Consequently, data protection played a critical role in ensuring that the fundamental human right to privacy is reaffirmed, in the context of saving lives and facilitating economic recovery. Free flow of information is important, but we have to sustain an equilibrium so that we can properly address the pandemic's challenges. I’d like to emphasize that we believe in the commission that the Data Privacy Act of 2012 does not prevent the government from doing its job. Public health entities may steal and process personal and sensitive information when necessary to fulfill their mandates during a public health emergency. However, we must also consider that we have to build trust in our institutions so that we can properly handle the health information of COVID-19 patients, which is crucial in stopping the spread of the virus. As government agencies are mandated to address the outbreak, we must have access to the relevant information.
Question 1: What are some of the biggest issues related to personal information protection in Singapore? How is Singapore responding to the issues?
Question 2: How is data sovereignty challenging to cross-border data flow?
Question 3: When an individual receives a notice of personal information breach from a company, what is the first action or step to take to prevent any secondary damage from the data breach?
I think one of the key issues that we are occupied with right now is the fact that COVID-19 as a pandemic has been acknowledged to be the most effective impetus towards digitalization. A lot of companies in the last 18 months or so have been digitalized, starting to use digital solutions. More companies moved online and are operating an omnichannel, targeting walk-in as well as online customers. Restaurants have moved online as well through launching food delivery systems. Many started to work as delivery drivers as their second job. We can see that the era of the proliferation of data has come and brings about two questions: how do we bring the message? Every time they have an interaction with a customer, the amount of data grows. How do we reach out to them and bring the message to them? Secondly, at the same time, they have the responsibility for their customers to make sure that the data is protected from unauthorized uses and data breaches. These two things, the use of data, as well as the protection of the data, go hand in hand. These are the biggest challenges for all of us right now and we are in the midst of developing the programs that will simplify this message into tools that can help other companies so that they are able to use the data while keeping it protected at the same time. We hope that consumers will continue to participate in the digital economy and it will eventually lead to a virtual cycle in the ever-expanding digital economy.
Concerns of data sovereignty revolve around the underlying recognition that all data has value. Data sovereignty does not necessarily lead to the conclusion that data should be kept within our borders because I think that we need to realize that data by nature is very different. Data is not the same as oil. Oil can be used only by one company or one nation. Once it is consumed, no one else can use it. On the other hand, data can exist in multiple copies and different companies and different countries can access copies of the data and benefit from them. Therefore, the conversation on data sovereignty should shift towards “how do I ensure that my workers, companies, citizens are able to benefit from the technology and attract inward investment to build the skills necessary for my workers to be able to work with the data?” I think this will be a proper conversation around the concept of data sovereignty rather than to think of it as a commodity that should be kept within one’s borders. I think it all begins by recognizing the nature of data, its value, and having a conversation to make sure that there is sufficient attention put on building the necessary infrastructure and capability.
When individuals are informed by the company that their personal information has been breached, they need to take measures to prevent secondary damage. They need to contact the company and ask them to de-activate their accounts. In addition, they should use the e-Privacy clean service provided by KISA to check their website subscription and usage records. If an unknown activation of accounts occurs, individuals must delete the accounts through the service. Afterwards, they should demand appropriate measures from the company that caused the damage and consult with the company about compensation if the damage is severe. If the company does not take appropriate action despite such individual’s compensation and the action in demand, individuals should file a complaint with the KISA’s Privacy Report Center or with the Privacy Dispute Mediation Committee. KISA’s Personal Information Violation Reporting Center receives reports through various channels such as phone calls, emails, and websites. Even foreigners who are not able to access services in Korean can get help via email. In the case of personal information leakage related to financial information, individuals can report it to the Financial Service Commission and request compensation. If individuals’ personal information is violated or damaged by hacking or for other malicious purposes, they can report it to the National Police Agency Cybercrime Reporting System. In such cases, they should submit evidence that can prove damage.
Question 1: What is the technical impact of the COVID-19 pandemic on data breach notifications?
Question 2: You have said that most of the countries have adopted risk-based approaches and that it also needs to assess the risk of harm to individuals. That means that regulations require notification be made immediately or very quickly. However, the assessment will take some time in contrast to the notification that should be made immediately. How can we compromise between the requirements for both assessment and urgent notification?
Question 3: What strategies can competitors take when a data breach occurs in similar industries? Is there any way to reduce the damages caused by information breaches in the same industry?
In terms of data breach notification regulations, while there are technical differences, many countries commonly take risk-based approaches and adopt short time frames to provide notification of data breaches and assess potential harm. However, during the COVID-19 pandemic, the capacity of data controllers to detect breaches has been mitigated because of remote work and irregular patterns, so it is important to collect more information from various channels to detect data breaches including enforcement collaboration with other related authorities within the same country, as well as in other countries.
I think the incentive of the authority would be to collect information about data breaches especially when the data has a large risk to affect data subjects. At the same time, there are different incentives for the data controllers. They want to have more explicit regulation to notify data breaches because if the regulation is a bit vague, there might be larger risks to violate compliance. Therefore, cooperation is needed to clarify what the regulation requires.
There are several data breach response strategies. For example, compensation can be leveraged as a response. The compensation strategy will have a positive effect on customer outcomes. Managers need to carefully consider the relationship between the compensation and the breaches’ severity because meeting the customers’ expectations is critical. Recent studies suggest that managers should measure customer’s priority expectations regarding compensation in response to data breaches. Also, firm reputation is an important asset in protecting firm value when data breaches occur. Recent studies also demonstrate that firms with a better reputation would experience less negative market reaction to breaches than firms with a lower reputation. Therefore, it is important to deliberately build the reputation of a firm, as well.