Southeast Asia can expect to see more specific privacy breaches attributed to continued pandemic conditions this year, according to the Data Protection Excellence (DPEX) Centre, the learning and research arm of Singapore-based Straits Interactive.
First, as the impact of the Omicron variant is being felt worldwide, digitisation and surveillance efforts are expected to continue at government and organisation levels. This will create more privacy issues and breaches due to the following factors:
- Verifying and monitoring vaccinated individuals and those with Covid-19 for a legitimate purpose, but with privacy impacts on individuals;
- Stricter contact tracing requirements through vaccinated travel lanes, including mandatory requirements to download contract tracing mobile apps at travel destinations;
- Digitisation and transformational activities of companies with little regard to security and privacy requirements at the design level.
- In addition, in light of continued lockdowns and work-from-home requirements, the DPEX Centre expects continued breaches of data protection laws to result from:
- Increased spamming activities from companies;
- Software for monitoring employees becoming more prevalent and the use of new intrusive technologies (including artificial intelligence), especially in mobile apps;
- Continued cyberattacks, as well as identity theft and phishing, involving sophisticated technologies (for example, deepfakes).
“Expect to see more sophisticated breaches created by the pandemic situation in 2022 — whether it involves a data breach in a contact tracing app, unauthorised use of Covid-19-related personal data, or via the use of new privacy-intrusive technologies to profile or perform surveillance of individuals,” said Kevin Shepherdson, chief executive of Straits Interactive.
“Combine this with newly updated or newly introduced data protection laws — such as China’s Personal Information Protection Law — as well as the upcoming laws in the region, in India, Thailand and Indonesia, we expect demand for data protection expertise and data protection officers to continue to grow.”
In November 2021, the DPEX Centre reported that dedicated DPO jobs in Singapore increased by 54% from 2020, with an estimated 3,700 data protection-related jobs created in 2021.
One trend the centre noted last year was towards third-party management of personally identifiable information (PII) due to automation, digitisation and WFH initiatives.
Amid continued disintermediation and diversification of supply chains, PII processing has become more challenging, especially from a third-party management perspective. There are also requirements for cross-border data transfers and extraterritorial applications.
Organisations and their data processors/intermediaries need to be clear with their respective roles under data protection laws, said the DPEX Centre. It points to some notable breaches in Singapore arising from third parties, including one involving a Fullerton Health vendor, Volkswagen and Audi vendors and a Singtel third-party vendor.
More cases of privacy breaches involving intrusive mobile apps as a result of Covid and ongoing automation were also seen in 2021. One example was WhatsApp’s privacy policy update controversy, and numerous breaches related to mobile apps included Babylon Health, Flo, Line and Indonesia’s contact tracing app.
As public awareness of privacy grows, the importance of certification both at the corporate and individual level will continue to gain momentum, driven by local data protection authorities.
Authorities in Singapore and the Philippines are leading the way in the region in encouraging local data protection officers and professionals to be certified, the DPEX Centre said.