Ever experienced getting a phone call from a stranger trying to sell you something? What if you decided to apply for a frequent flyer program of one airline and one month later you receive a phone call from a credit card company that this airline has made a deal with? The salesperson at the end of the line asks you whether you have a plan to travel in the next few months with this airline you recently became a member of, because there is a special promotion for the credit card he is offering. We know that it is not hard to guess where the credit card company got your contact information from (and perhaps your other personal information too). Do you think that this is right?
The answer lies within one word. It’s called “consent.”
Forced Consent ≠ Consent
Sometimes, however, things are more complicated. Recently, Thai authorities ordered all people living in the three southernmost provinces and four districts in a nearby province to register their SIM cards with a facial recognition application. As the area is known for an ongoing insurgency, the authorities said that the registration is for public safety and national security proposes. Those who fail to register will not be able to use their phone numbers. This also applies to those from outside the area who pass through. Since phones are so essential in everyday life, people have chosen to obey the order. It is not known how secure the database is, where the personal information is stored, who can have access to it and for what purpose the information is allowed to be accessed or processed. Even though people provide the information themselves, this should not be considered as consent — since consent should be given freely without any pressure.
Another example is the case of Facebook on personal data and privacy of users. Many of us use Facebook these days as a primary channel for us to connect with people. As Facebook’s revenue depends so much on advertisements, our personal data is harvested heavily on the site before being monetized for ads. Facebook Messenger is also a messaging platform where information is heavily harvested. Facebook offers a Term of Service to their users. However, this Term of Service regarding how the data is collected and used by the company is not usually read by people, and the link to it is also not easily found on the site. In this case, Facebook can do more in terms of gaining data consent by simplifying their Term of Service and makes it easier to be found and read by users.
We need to understand that data is a personal asset. No one should be able to take it away from us without our consent. What if someone just came up to you and took away your nice new shoes, your cute little puppy or the bag of apples you just bought from a store without even asking? In the analog world, that would be considered as a wrongful action and most would consider it illegal. In the digital world, however, channels that take our personal data are more complicated. It is not a physical thing, so it does not feel like an immediate loss to us. However, that does not mean it is not important.
According to the General Data Protection Regulations (GDPR), consent has to be freely given, specific, informed, and unambiguous. In order to qualify as free consent, it must be given voluntarily. It should not be forced or extracted under any inappropriate pressure or influence that can affect the outcome of that choice.
Sometimes we can protect ourselves, but that is often beyond our reach because comprehensive data protection requires cooperation between different stakeholders. A country that respects human rights should enable a mechanism of data protection in which personal data is automatically protected. The issue of personal data protection has gained more attention in many Southeast Asian countries since the European Union adopted its General Data Protection Regulation (GDPR). None of the existing laws in Southeast Asia, however, offer equivalent protection. This is because state actors are usually exempt from respecting personal data privacy when they claim that public safety and national security are at stake. The regulation on data protection should apply to all sectors that deal with personal information and privacy regardless of who should be held responsible. We need a GDPR-equivalent regulation on personal data protection that applies to all countries in Southeast Asia and clearly defines what constitutes “personal data.” People have a right to privacy in both the private and public sectors. Given the political situation in countries throughout the region, however, it looks like we still have a long way to go.
This article is published under Creative Commons license CC-BY-NC-ND 4.0.