Each week, TODAY’s long-running Big Read series delves into the trends and issues that matter. This week, we examine the issue of data privacy and how individuals’ personal data is being used by corporates and governments. This is a shortened version of the full feature,​ which can be found here.

• The issue of data privacy has come under the spotlight, with debates triggered by the police’s use of TraceTogether data and the privacy policy changes of WhatsApp
• Besides your name, age, gender, education and employment, data companies know what vehicle you own, the size of your home, your socioeconomic status, the websites you visit, your tendency to default on loans, and even your health problems
• The enormous use of personal data by corporates and governments have become part and parcel of today’s connected society and quality of life, but also risks being misused or falling into the wrong hands
• Data privacy law differs from country to country. Experts say Singapore’s Personal Data Protection Act is not designed to ensure data privacy as its chief aim, but was conceived to achieve a narrower goal of protecting personal user data
• The onus is also on the individual to keep asking questions about their personal data and not simply sign away their privacy, experts added

SINGAPORE — When messaging app WhatsApp’s new privacy policy sparked a global exodus from its services, Mr Darren Chin’s company — a local tech firm — decreed that its entire staff was to cease using the Facebook-owned platform for work.

“We’ve all been using WhatsApp for many years, but the company’s top management decided to ban it and we cannot say no,” said Mr Chin, 52. 

Around the same time, a similar controversy unfolded involving Singapore’s contact-tracing system TraceTogether, after Singaporeans found out earlier this month that their Bluetooth proximity data could be used for criminal investigations.

The dust has yet to settle on both controversies, but the incidents have led people to switch to alternative messaging apps, as well as to switch off their TraceTogether application altogether, as TODAY reported previously.

Still, the events of the past two weeks have stirred up intense interest among many in Singapore on the topic of personal data.

Singaporeans are among the most concerned about how organisations handle and exploit their personal data, studies have shown. A survey by accounting firm KPMG in 2016 found that Singaporeans were the most “defenceless” in Asia over the way their data is used.

Professor Simon Chesterman, dean of the National University of Singapore (NUS) Faculty of Law, said: “Something that has long puzzled those who study data protection laws is the wide gap between what people say and what they do.

“Everyone claims to care about privacy in theory, but then in practice they share the most intimate details of their life with telco companies, or through social media, the whole world.”

Experts said awareness of data privacy has grown among Singaporeans since the Personal Data Protection Act (PDPA) came into force in 2012, but there is still a lack of general understanding of how their digital footprint is being used by others.

THE BUSINESS OF DATA

To many people, it is a boon to get a customised, online experience without paying a single cent, because your device knows what you like and predicts what you want to see.

Ms Rachel Ler, general manager and vice-president of data protection firm Commvault, said: “Data has become crucial to providing enhanced user experiences, creating a more connected society and improving our quality of life.”

Data has fuelled business success stories since the dawn of the internet, allowing Big Tech firms like Google, Amazon and Facebook, as well as the multi-billion dollar industry of smaller-sized data brokers to flourish.

Besides your name, age, gender, education and employment, these companies know what vehicle you own, the size of your home, your socioeconomic status, the websites you visit, your tendency to default on loans, and even your health problems.

Associate Professor Lim Yee Fen said: “The amount of information about you held by private companies and governments is enormous — they know more about you than you know about yourself.

“It’s no question that an entity like Facebook can easily build a full profile about you, about where you live, where you work and also what you are,” said the business law professor at Nanyang Technological University (NTU)’s Nanyang Business School.

Associate Professor Terence Sim from the NUS School of Computing said: “Companies are willing to pay for such data to better target their advertisements, or to discern customers' needs, or simply to increase its base of customers.”

It is hard to pin down a dollar value on how much personal data is worth, Assoc Prof Sim said, noting that there is also a substantial degree of personal data being traded on the dark web.

Mr Alfred Siew, co-founder of tech-centric news portal Techgoondu, said: “The scary thing is the market power that some of these private companies have, especially when they expand into adjacent industries that they previously had no business in — like Facebook rolling out its own cryptocurrency, for example.”

There is a wide range of scenarios that such data collection can be misused, and the users would be none the wiser, said experts.

What is worse is when firms that collect data — whose business it is to know how their users’ data is handled — often do not know either.

Assistant Professor Reza Shokri, who is the NUS Presidential Young Professor of Computer Science, said: “(Such misuses) could have a severe effect, for example, a loss of trust, and having a hypocritical society where citizens feel that they need to always hide something from others due to this lack of trust.”

Assoc Prof Sim added that another danger comes from a phenomenon known as “function creep”, in which personal data is used for a purpose other than the one for which it was first given.

“Function creep is a breach of privacy, unless explicit consent is obtained from the person concerned for the secondary usage of his data,” he said.

THE AMORPHOUS CONCEPT OF DATA PRIVACY

While data privacy is a concept that originates in Western countries and is protected by their respective constitutions, the laws in Singapore, namely the PDPA, are not designed with the chief aim to ensure data privacy.

In general, data privacy concerns the right of a person to be “left alone” by data firms, though its definitions are still amorphous and being debated by scholars, said Mr Steve Tan, a partner at law firm Rajah & Tann.

Mr Tan said the notion of privacy is intrinsic in Western societies, hence internet laws in these jurisdictions prioritise data privacy, such as European Union’s General Data Protection Regulation (GDPR).

On the other hand, the PDPA was conceived to achieve a narrower aim of ensuring data protection, which is about safeguarding personal data from misuse and unauthorised access. Data protection is a subset of data privacy, Mr Tan added.

Around 2010, the authorities here had recognised that there was no such law at the time, and sought to find a balance between giving companies the ability to harness personal data for business innovation purposes and giving individuals the right of consent.

While the PDPA does not apply to the Government, Mr Tan said that even if it did, there will still be an exception when it comes to crime and security. This is similar to GDPR exemptions for law enforcement and national security.

The use of aggregated personal information and public surveillance data to fight crime and deter security threats is a growing trend around the world.

One oft-cited example is China’s social credit scoring system, which uses a combination  of personal data and state surveillance to reward or punish behaviours, and has attracted the ire of privacy advocates.

In the Netherlands, police are trialling a data project that uses a network of sensors to measure noise levels and emotional tones in voices in order to divert police resources to areas with the most risk.

And in Singapore, Second Minister for Home Affairs Josephine Teo spoke in 2019 about the potential of using data analytics to make “predictive policing” a reality, though she gave few details of what this entails.

Some of those interviewed said more privacy safeguards are needed — a tenet of data legislation is that personal data belongs to the person who generates it, and not the organisations that collect and compile them.

“Ensuring privacy is a way to establish trust and balance the power between individuals and organisations,” said Dr Shokri from NUS.

And although societies have not agreed what is the right path to take, analysts noted that the rest of the world is gradually moving towards Singapore’s version of data protection laws, rather than continue to beat the drum of protecting users’ privacy above all else.

NUS’ Prof Chesterman said: “I think the world has largely shifted away from privacy — in the sense of being able to isolate yourself from the public gaze — to data protection.

“Rather than wanting to be ‘left alone’, what most of us want is some measure of control over how information about us is collected, used, and disclosed. It’s telling, for example, that not only the PDPA but also the EU’s GDPR don’t really use the word ‘privacy’ any more.”

SAFEGUARDS ARE A WORK-IN-PROGRESS

Giving individuals some control means putting in place better safeguards that can give them greater confidence over how their data is being used and ensuring that companies that hold data are transparent.

But while the governmental organisations may have the muscle and know-how, many businesses that handle customers’ data lack resources or still “don’t get it”.

NTU’s Assoc Prof Lim said that many firms still see data protection as a practical compliance burden or cost, without realising that it is a cybersecurity issue with large consequences.

Another issue is that Singapore’s PDPA does not consider anonymised data as personal data, the experts noted.

Data anonymisation is a way to strip out any personal identifiers such that the person where the data comes from cannot be identified. But anonymised data is easily re-identifiable, said experts.

Dr Shokri said: “On average, it is enough to know the five locations that you routinely visit during a day — your home, your workplace, the gym you go to, the restaurant you go for dinner, the school where you dropped off your child — to identify you among everyone on Earth.

“Knowing eight friends on social media also makes you unique. The same is true about your medical record, the people you call or message regularly, the movies you watch, the websites you go, the people that you meet and have contact with on a daily basis.”

Prof Chesterman added: “One thing that we’re increasingly realising is that even small amounts of information can be pieced together to build a pretty accurate picture of you as an individual.”

Amid the furore over the TraceTogether data and WhatsApp privacy policy, some experts disagreed with the position some people took — comments such as “I have nothing to hide, therefore I have nothing to fear” are a fallacy that comes from wilful ignorance.

But this does not also mean that people should quit technology altogether, out of an inordinate fear that their personal data will be abused.

Rather, experts said the onus is also on the individual to keep asking questions about their personal data and not simply sign away their privacy.

Techgoondu’s Mr Siew said: “We’ve come to get used to the conveniences of things like Google Maps that it will be hard to give it up. But you also do not have to make a binary decision between having to stop using the service completely, versus using it blindly.”

Faced with consumer pressure over privacy concerns, Google has become more transparent about its privacy policies and the type of personal data that it holds, he said.

“That is why it is a good thing that for the past two weeks, people are asking questions about WhatsApp and about TraceTogether, and are holding people and organisations accountable,” said Mr Siew.