What is the most important personal information involved in AI robot and facial recognition technologies, and what kind of efforts can individuals make to protect themselves from leaks?
Fumio Shimpo (Japan)
In the development of many technologies, I think collecting and processing multi-modal information such as biometric data that makes a template will be the critical issue. For example, when we use facial recognition technology, information is captured and used as a template to identify the features of a person’s face. This information can be searched on a database stored with the template information and can be used to instantly identify individuals. Consequently, companies are required to recognize their responsibility when handling and take maximum efforts to prevent data leakage and unauthorized use. However, I think it is difficult to completely prevent security breach incidents. When they occur, it would be necessary to take appropriate measures to prevent other infringements of the rights of individuals by conducting security breach notifications. Also in the future, AI will not only be used by businesses but also in various situations in our daily lives. Accordingly, we will not be able to recognize that such information is being processed by AI, which is called information asymmetry. So, issues of personal information protection will become more important in an AI society, where we need to think about how we can protect the rights of individuals.
Mohd Afizi bin Mohd Shukran (Malaysia)
Universiti Pertahanan Nasional Malaysia
I think one aspect that we need to consider is the privacy laws for the specific data itself. For example, healthcare or any personal information is very sensitive when included in a dataset. Like Professor Fumio mentioned, one of the problems is that what we collect from facial recognition or AI robots is data exploitation. Most data is exploited by companies, and we need to have specific laws to govern these mishaps or misuse that we collect from users and to protect sensitive material, especially healthcare information. In Malaysia, during the COVID-19 pandemic, a lot of healthcare data was collected from organizations like pharmacies and the Ministry of Health. So this kind must be protected at all times. There should be laws or policies to effectively govern and protect users from being exploited by these companies.
Can you discuss data protection in the context of COVID-19?
Was there an increase in vulnerable data during the pandemic?
Claire Seungeun Lee (USA)
Professor, School of Criminology & Justice Studies, University of Massachusetts Lowell
An individual’s COVID-19-related data is confidential because it includes not only personal but also health data. Whether the person has been in contact with COVID-19 and where they are traveling from are very sensitive, and even more so in the context of South Korea where there has been a stigma and negative sentiment toward people who traveled outside of South Korea. The data is often politicized and can be used against self-quarantined people. Consequently, it must be treated with caution.
Atty. Ivin Ronald D.M. Alzona (Philippines)
National Privacy Commission
COVID-19 forced the sudden shift to online platforms. Along with the digitalization and acceleration of the use of Internet and ICT technologies, the processing of personal information has become more prevalent. Classes are conducted virtually, and telecommuting has become the preferred work arrangement for many. Sharing of health information was done online through telemedicine and teleconsultation. As a result, the increasing vulnerability of personal data became evident not only within the health industry but also in others. Subjects have become more at risk of harm such as identity theft, surveillance, exposure, distortion, and intrusion. Consequently, data protection played a critical role in ensuring that the fundamental human right to privacy is reaffirmed, in the context of saving lives and facilitating economic recovery. Free flow of information is important, but we have to sustain an equilibrium so that we can properly address the pandemic's challenges. I’d like to emphasize that we believe in the commission that the Data Privacy Act of 2012 does not prevent the government from doing its job. Public health entities may steal and process personal and sensitive information when necessary to fulfill their mandates during a public health emergency. However, we must also consider that we have to build trust in our institutions so that we can properly handle the health information of COVID-19 patients, which is crucial in stopping the spread of the virus. As government agencies are mandated to address the outbreak, we must have access to the relevant information.
Question 1: What are some of the biggest issues related to personal information protection in Singapore? How is Singapore responding to the issues?
Question 2: How is data sovereignty challenging to cross-border data flow?
Question 3: When an individual receives a notice of personal information breach from a company, what is the first action or step to take to prevent any secondary damage from the data breach?
Zee Kin Yeong (Singapore)
Data Innovation and Protection Group of the Infocomm Media Development Authority of Singapore/Personal Data Protection Commission
I think one of the key issues that we are occupied with right now is the fact that COVID-19 as a pandemic has been acknowledged to be the most effective impetus towards digitalization. A lot of companies in the last 18 months or so have been digitalized, starting to use digital solutions. More companies moved online and are operating an omnichannel, targeting walk-in as well as online customers. Restaurants have moved online as well through launching food delivery systems. Many started to work as delivery drivers as their second job. We can see that the era of the proliferation of data has come and brings about two questions: how do we bring the message? Every time they have an interaction with a customer, the amount of data grows. How do we reach out to them and bring the message to them? Secondly, at the same time, they have the responsibility for their customers to make sure that the data is protected from unauthorized uses and data breaches. These two things, the use of data, as well as the protection of the data, go hand in hand. These are the biggest challenges for all of us right now and we are in the midst of developing the programs that will simplify this message into tools that can help other companies so that they are able to use the data while keeping it protected at the same time. We hope that consumers will continue to participate in the digital economy and it will eventually lead to a virtual cycle in the ever-expanding digital economy.
Concerns of data sovereignty revolve around the underlying recognition that all data has value. Data sovereignty does not necessarily lead to the conclusion that data should be kept within our borders because I think that we need to realize that data by nature is very different. Data is not the same as oil. Oil can be used only by one company or one nation. Once it is consumed, no one else can use it. On the other hand, data can exist in multiple copies and different companies and different countries can access copies of the data and benefit from them. Therefore, the conversation on data sovereignty should shift towards “how do I ensure that my workers, companies, citizens are able to benefit from the technology and attract inward investment to build the skills necessary for my workers to be able to work with the data?” I think this will be a proper conversation around the concept of data sovereignty rather than to think of it as a commodity that should be kept within one’s borders. I think it all begins by recognizing the nature of data, its value, and having a conversation to make sure that there is sufficient attention put on building the necessary infrastructure and capability.
Jiyun Kim (Korea)
Deputy General Researcher, Korea Internet & Security Agency
When individuals are informed by the company that their personal information has been breached, they need to take measures to prevent secondary damage. They need to contact the company and ask them to de-activate their accounts. In addition, they should use the e-Privacy clean service provided by KISA to check their website subscription and usage records. If an unknown activation of accounts occurs, individuals must delete the accounts through the service. Afterwards, they should demand appropriate measures from the company that caused the damage and consult with the company about compensation if the damage is severe. If the company does not take appropriate action despite such individual’s compensation and the action in demand, individuals should file a complaint with the KISA’s Privacy Report Center or with the Privacy Dispute Mediation Committee. KISA’s Personal Information Violation Reporting Center receives reports through various channels such as phone calls, emails, and websites. Even foreigners who are not able to access services in Korean can get help via email. In the case of personal information leakage related to financial information, individuals can report it to the Financial Service Commission and request compensation. If individuals’ personal information is violated or damaged by hacking or for other malicious purposes, they can report it to the National Police Agency Cybercrime Reporting System. In such cases, they should submit evidence that can prove damage.
Question 1: What is the technical impact of the COVID-19 pandemic on data breach notifications?
Question 2: You have said that most of the countries have adopted risk-based approaches and that it also needs to assess the risk of harm to individuals. That means that regulations require notification be made immediately or very quickly. However, the assessment will take some time in contrary to the notification that should be made immediately. How can we compromise between the requirements for both assessment and urgent notification?
Question 3: What strategies can competitors take when a data breach occurs in similar industries? Is there any way to reduce the damages caused by information breaches in the same industry?
Policy Analyst, Science, Technology and Innovation Directorate at the OECD
In terms of data breach notification regulations, while there are technical differences, many countries commonly take risk-based approaches and adopt short time frames to provide notification of data breaches and assess potential harm. However, during the COVID-19 pandemic, the capacity of data controllers to detect breaches has been mitigated because of remote work and irregular patterns, so it is important to collect more information from various channels to detect data breaches including enforcement collaboration with other related authorities within the same country, as well as in other countries.
I think the incentive of the authority would be to collect information about data breaches especially when the data has a large risk to affect data subjects. At the same time, there are different incentives for the data controllers. They want to have more explicit regulation to notify data breaches because if the regulation is a bit vague, there might be larger risks to violate compliance. Therefore, cooperation is needed to clarify what the regulation requires.
Jaeyoung Park (Korea)
Graduate School of Information, Yonsei University
There are several data breach response strategies. For example, compensation can be leveraged as a response. The compensation strategy will have a positive effect on customer outcomes. Managers need to carefully consider the relationship between the compensation and the breaches’ severity because meeting the customers’ expectations is critical. Recent studies suggest that managers should measure customers’ priority expectations regarding compensation in response to data breaches. Also, firm reputation is an important asset in protecting firm value when data breaches occur. Recent studies also demonstrate that firms with a better reputation would experience less negative market reaction to breaches than firms with a lower reputation. Therefore, it is important to deliberately build the reputation of a firm, as well.