Data privacy: looking back, moving forward

By Jamael Jacob

Change is one of life’s many constants. And in the field of data privacy, 2022 turned out to be one of those years where it was not in short supply. News of relevant laws being enacted came out with as much frequency as those regarding massive data breaches and record fines being imposed by data protection authorities all over the world.

This year, the trend will likely continue, as countries try to close the gap between technological advancements on the one hand, and regulations that offer control and protection on the other. Having now seen what January was like, this prediction is certainly on course.

Let’s take a moment and review what exactly went on last year and then list down some of the things to expect this 2023.

Abroad, the European Union (EU) passed their Digital Services Act which imposes new legal duties on internet companies, including the protection of children from profiling. There was also the Data Governance Act which, among other things, establishes the conditions for re-use of certain categories of protected data held by public sector bodies, whether it be for commercial purposes or otherwise.

Another notable development was the establishment of the Global Cross-Border Privacy Rules Forum, which is an expanded version of the Asia Pacific Economic Cooperation’s (APEC) cross-border data transfer mechanisms. The Organisation of Economic Co-operation and Development (OECD) also released guidance on globally-recognized principles for access to personal data by governments for national security purposes.

In the United States (US), the states that produced their own data protection laws were California, Virginia, Colorado, Connecticut, and Utah. In terms of jurisprudence, none is perhaps more relevant than the overturning of the landmark case, Roe v. Wade, which now allows states to pass laws that criminalize abortion. It could also weaponize the personal data of reproductive health app users and permit their use in the prosecution of women.

Meanwhile, the US and EU launched their third attempt to relax legal requirements for trans-Atlantic data transfers, after US President, Joe Biden, signed an executive order meant to implement the applicable rules. For its part, the European Commission released a draft adequacy decision that, if adopted, would create the Trans-Atlantic Data Privacy Framework.

A number of countries also updated their data protection regimes, like China, Australia, UAE, Switzerland, Oman, and Sri Lanka. Our neighbor, Indonesia, passed its own data protection law, while Argentina and Australia are currently in the process of reforming theirs. For a few others, it continues to be a struggle. India, for instance, scrapped its original proposal and replaced it with a new one that is undergoing public consultations. Back in the US, a proposed American Data Privacy and Protection Act only managed to clear the committee level in 2022.

The number of cyberattacks last year was reported to be 38% greater than that in 2021. This was attributed to a surge in intrusions against healthcare organizations, which experienced a 74% increase. Threat actors capitalized on security gaps exposed by the shift to remote working and studying during the global pandemic.

Among the more notable hacking incidents in the private sector was one involving password manager giant, LastPass, which has already dealt with data breaches in the past few years. This most recent one led to the unauthorized access of users’ encrypted password vaults and other personal data. Twitter was also said to have compromised the personal data of millions of its users due to an API vulnerability. In November, WhatsApp was all over the headlines as one hacker uploaded a dataset he claimed belongs to 487 million users from 84 countries. There was also Australian telecommunications giant, Optus, and the data breach it experienced wherein the details of 11 million customers were accessed unlawfully. All the while, ransomware gangs, many of Russian origin, continued their disruptive ways by targeting vulnerable and vital social institutions, including healthcare providers and schools.

With the prevalence of security incidents, the imposition of fines by authorities no longer came as a surprise. Among the more prominent ones was that by the Irish Data Protection Commissioner, which levied a €405M fine on Meta for violating GDPR rules on the processing of children’s personal data, and another €265M fine in connection with a data leak that exposed the personal data of approximately 533 million Facebook users worldwide. In the US, Epic Games agreed to settle with the Federal Trade Commission (FTC) and pay $275M in connection with the charge that it committed children’s privacy violations. The FTC also fined Twitter $150M for using account security data for targeted advertising.

On the domestic front, there were plenty of developments as well.

2022 began with a reported data breach involving the Commission on Elections (COMELEC). In September (but disclosed only this January 2023), the National Privacy Commission (NPC) cleared the electoral body and its service provider, Smartmatic, of any wrongdoing. The initial claim that hackers had infiltrated the Commission’s servers was debunked when an investigation revealed that a Smartmatic employee had merely given unauthorized access to the company’s network in exchange for cash.

As far as new laws are concerned, the most prominent was the passage of the SIM Card Registration Act, which had languished in legislative limbo for more than a decade already. After being vetoed by the former President in April (on human rights grounds, of all things), it was promptly refiled by the new Congress and signed by the current President in October. A few days before the elections, the Financial Products and Services Consumer Protection Act was also signed into law. It explicitly affords rights favoring consumers, such as the right to data privacy and protection. The Bangko Sentral ng Pilipinas issued its implementing rules in November.

The NPC, as the country’s data protection authority, also released a number of issuances, the most important of which was its much-awaited Circular on administrative fines. It lists down the DPA-related administrative infractions covered entities might commit and their corresponding penalties. Other Circulars included a set of guidelines for online businesses, another set of rules targeting private security agencies, and a pair of amendments of its existing policies on registration of data processing systems, and loan-related transactions. The agency had a lone Advisory detailing guidelines for requests involving personal data of public officers. Unlike Circulars, an Advisory’s directives are merely recommendatory.

Significant developments involving the NPC also included major personnel changes. In March, lawyer and former Dapitan City Councilor, Dug Christopher Mah, was appointed to the vacant Deputy Privacy Commissioner post. His stint, however, was short-lived as he resigned just four months later and was replaced in October by another lawyer, Nerissa de Jesus-Lazaro. The newest member of the Commission was most recently a partner at M & Associates, the law firm founded by the current First Lady. Other new officials introduced last year were the agency’s new heads for its Privacy Policy Office and Data Security and Compliance Office.

In April, the Commission also launched its Data Breach Notification Management System, which is an online platform meant to facilitate easier and faster submission of data breach notifications and annual security incident reports. This was followed by agreements in September and December with Singapore’s Personal Data Protection Commission and our own Cybercrime Investigation and Coordinating Center to facilitate cooperation and collaboration in various data protection initiatives.

All in all, 2022 proved to be a watershed moment in data privacy, going hand in hand with the world’s gradual return to business as usual after more than two years of suffering the worst the COVID-19 pandemic had to offer.

(To be concluded)

Jamael Jacob (@jamjacob) is an IAPP Fellow of Information Privacy. He works for the University Data Protection Office of the Ateneo de Manila University, the Foundation for Media Alternatives, and the LIGHTS Institute. The views expressed herein do not necessarily represent or reflect the views of the organizations he is currently affiliated with.