Recently, Chinese digital technology company Didi has received China's cybersecurity scrutiny over a suspected data breach during its U.S. IPO. Digital technology giants such as Google, Amazon, Alibaba and others are actively or passively in possession of large amounts of user data in the digital age. What do you think of the impact of this phenomenon on international cybersecurity?
As we know, data is the richest asset in a company. Knowing customers' behavior as well as what customers want can help a company provide the products or services that best fit a specific customer. Therefore, a company today tries to collect as much of its customers' personal data as possible to enhance a business intelligence feature. The outcomes of this feature may be divided into two aspects. First, a company analyzes the big data collected and comes up with personalized data, exclusively provided to a specific customer to increase customer satisfaction. Second, a company uses the big data collected to improve an artificial intelligence model for the company's business purpose or other purposes. Most companies may claim that customers can benefit from this intelligent feature, in which they can get exactly what they want, so collecting customers' personal data is not too bad, or it could be indicated as a win-win situation. However, in the real situation, people believe that they are annoyed by some personalized information (e.g. advertisements in any form) sent to them. Many times, they never know why they receive this personalized advertisement, because they have never given their personal data to anyone. They also feel that their privacy is being threatened, as a company is likely to collect personal data without permission.
We can accept the growth of digital transformation today, and it is unavoidable that a company needs to collect personal data to fulfil its business requirements. However, given the concerns raised above, the governments of many countries have attempted to protect customers as well as businesses. It is found in many media that a number of companies today have been negatively impacted by their government due to overly collecting personal data and violating data privacy laws. Typically, data privacy and data protection laws require a business to ask for consent or permission from a customer. This must include everything the customer needs to know, such as the objective of data collection, the duration of data usage, the method of asking to remove the data collected, etc. Other important statements mentioning that data will never be sent to a third party and that data will not be used for other purposes should also be added. Although these have been clearly stated, it must be fair enough to customers. Otherwise, it can be unethical business, or it may even violate the privacy law. Even when nothing breaks the privacy laws, unethical business can lead to monopoly, which is against competitive business.
It can be realized that collecting personal data in an ethical way while maintaining data transformation remains questionable. For example, it is unclear whether collecting facial data via CCTV for surveillance threatens privacy, although an exception for safety purposes is stated in the law. A question like “once I have asked a company to remove my personal data, can I ask the company to stop using any data model trained from the dataset which includes my data?” is always asked. In fact, there is no single answer, as it depends on the national setting, but the most important thing is that a company has to communicate with customers about data privacy in the easiest and most friendly way. In fact, to answer the disputed questions above, a company only needs to think like its customers; then the company will be able to answer.
Besides the unethical practices above, readiness on the business side is equally important. In some countries, businesses are not ready for the data privacy law. This limitation is related to budget constraints and cybersecurity issues. Most companies have shown awareness of how to modify their applications to support law compliance, but the problem is budget and time constraints. In terms of the cybersecurity aspect, a company has to put a lot of effort into hardening its computing systems to avoid security threats and data leakage. Thus, this results in postponement of the law's effective date. This is another challenge.
Editor Assistant Research Fellow: Xianglin Gu