- Link to video on the Liberty ITCG YouTube channel: https://youtu.be/KTbnhn4tlV8
Is there sufficient oversight and enough regulation for data privacy in the context of Cybersecurity?
Brian Hay explains the difference between compliance and safety in data privacy, the challenges of regulation but particularly how challenging it is to apply these regulations to international companies like Facebook and Google, whether privacy is dead, and whether privacy needs to be redefined in the digital age.
Data protection regulations such as the Privacy Act from 1988, in New South Wales, there’s the Privacy and Personal Information Protection Act from 1998, Consumer Data Right, which is relevant to #OpenBanking. Many more… but are they enough to protect the end user?
There is an apparent lack of transparency and readability issues in the Terms and Conditions when one consents and chooses to use an app or use an online service. The need for more education and awareness on data protection rights and risks is evident.
John Dimitropoulos:
Let’s talk a little bit about, regulatory compliance for data privacy. Organizations must comply with data protection regulations such as the Privacy Act from dating back to 1988. Here in New South Wales, there’s the Privacy and Personal Information Protection Act from 1998. We also have … to bring it closer to home … to banking and finance, which is the industry that we focus on… there’s the Consumer Data Right, which is relevant to open banking. These are just some regulations to name a few, there are others.
Failure to comply may have serious legal ramifications for an organization. Do you believe we’re adequately regulated here in Australia, domestically? And if so, is it okay just to comply for an organization just to comply, or should they be thinking beyond what the regulators are asking them to do?
Brian Hay:
I think you should always be looking beyond what the regulators ask you to do. I mean, it begs the question, is compliance your floor or your ceiling? Now, if you only strive to achieve compliance it’s your ceiling and therefore you’re always going to be failing in my view. You may be compliant but you’re not going to be as safe as you can be. You think about it the regulatory process can take years for something to be enshrined in legislation be regulated and then it can take years for an amendment to the legislation to finally go through parliament to catch up with the technology is evolving every single day so therefore you’re always going to be high so if your ideal position is not higher than compliance you’re losing you’re losing ground rapidly. But also, the other question is… Privacy.
Okay, from a regulatory perspective, we’re regulating for the domestic environment. What about the regulations for the international players? What about the regulation for the Facebooks and the Googles of the world to take the data from Australian citizens and apply it in any way they see fit? Now, that’s where I’ve got a problem with because they basically can operate with impunity. And in fact, for Facebook, for example, you look in the T’s and C’s, we’re giving them our consent, even though we have no idea we’re doing it, to do whatever they want with that data. And the other thing, John, it begs the question, I think it’s valid asking, is privacy dead? Do we actually need to reassess what privacy means in a digital world? For example, I was on a stage and I was talking to an audience recently and I asked about who was affected by the recent data breaches in this country. And most of the people, once you go through all three would put up their hand. And I said, how do you feel about your identity being taken by these and by the crooks? And they weren’t happy about it.
Then I asked the question, okay, can you put up a hand who’s got a Facebook page in your real name? Of course, the ring, pretty much the entire ring puts up its hands. You’ve surrendered your personal identity details to the internet, to the billions in the world. Of course, you could see that, oh, goodness, I’ve never thought about that before. It’s our perception of what privacy is. If someone takes it from me, they’ve invaded my privacy. If I’ve given it away, well, that’s okay, but you’ve possibly given it to the same people anyway. What is it? It should be reevaluated to harmful information that could be used against us. You can go back to the old days. If you wanted to notice the name of someone where they lived, their date of birth and their full and complete name, middle names included, every library had a copy of the electoral rolls. The electronic white pages used to often say, John Smith, this is their address and this is their phone number. We’ve got a skewed view of, I believe, on what privacy is, and it begs the question, is privacy attainable anymore in the modern digital age?
So, then I asked the… So more questions than perhaps answers, but I think. it’s how the data is used by what consents is some of the issues. There is this expectation of course that these organizations will secure that data. But I think we need to accept just like getting in the car and driving somewhere when we move and migrate to a digital landscape there is a risk associated with everything. We our job is to understand that risk so we can better manage the risk.
John Dimitropoulos:
It is actually remarkable how, for the sake of convenience, a lot of the users will be presented with terms and conditions and they quickly accept the terms and conditions to move on to the next stage so they can use the application online. No one bothers reading it these days, which is a shame, but in not doing so, you’re actually giving consent for a lot of your private information being recorded by those corporations and then used for whatever purposes they feel like.
Brian Hay:
100% yeah and to that point John I think that’s where I’d like it to see perhaps some regulation that that is a clearly stipulated and b required to be in a simpler format that people can understand what is happening but it’s deliberately elongated so people don’t read it and let’s face it they put it in what size 0.2 of font yeah so I say you couldn’t read the damn thing anyway but it’s got to a point where it’s manipulated deliberately to discourage people from reading it cool and that’s how how can that be just I agree. That’s all I’ll say.
