Home & Office

Asia's lawmakers need not copy Europe

newsmaker Region's governments should focus on core data protection concepts of harm prevention and accountability, yet stay true to culture, says IBM privacy chief.
Written by Vivian Yeo, Contributor
Harriet Pearson, IBM

newsmaker Harriet Pearson was once part of a petition signed by Facebook users, urging the social networking site to do more in terms of privacy. But, the privacy specialist considers herself as one with moderate views when it comes to protecting her personal information.

IBM's chief privacy officer of nine years, Pearson says each person needs a mental model to assess the benefits or risks associated with providing personal data. In the same way, governments ought to be thoughtful when drafting policies and laws on data protection, she said. The IBMer last year also assumed the title of security counsel.

In town recently for Singapore's annual GovernmentWare conference, Pearson sat down with ZDNet Asia to discuss data protection legislation and the need for a balanced view regarding data breach notification, and to explain why Asian regulators should not "photocopy" European law books.

Q: How has the global privacy landscape evolved over the last one to two years? With the rise in social networking where people post a great amount of information about themselves online, is there a need to change the thinking around what constitutes as private?
Pearson: Let me go back a little bit longer. There was a significant shift in some parts of the world in how people thought about privacy after the September 11 attacks. The perceived need to address gaps in security became the single most important thing, and concerns about privacy and civil liberties in the United States, for example, for a period of time became much less important than the immediate reaction to try and secure national borders, and that sort of thing.

That was to me the single most significant and sudden shift, where the number of absolutist groups grew a little bit, because there was a reaction on the part of the people who were concerned with the government having too much power in information collection back then.

Today, there are at least two current issues that have emerged in the last two or three years. One is this phenomenon of social networking and Web 2.0 capabilities that allows us to post information and post pictures. The other one is the emergence of a new computing paradigm, cloud computing, along with its potential to increase efficiency and save money. All of that is also accompanied by some concerns about where the data about me is located, who has it and who gets access to it. Those two factors I think are going to put some pressure on people's expectations about privacy and the data they have.

There's been some momentum in countries like Australia and the U.K., in terms of implementing stronger data protection, to the point of actually wanting to make data breach notification compulsory. As a privacy guardian, what's your stand? How necessary is this?
Data breach notification requirements are a U.S. policy innovation, which actually is rooted in the environmental realm. This idea is based on the "right to know" laws, where if you have a chemical plant or facility, there were laws enacted in the 1980s that said you should need to disclose what you're putting out of the plant.

There certainly have been a lot of effort spent on the part of companies that have been having data breaches, to address and mitigate the risks of these happening again. This is good because it does increase information security. At the same time, as these laws are being implemented in the U.S., you could point to situations where there may have been some inefficiencies because organizations would spend too much money on a particular area, in order to fulfill the legal requirements, and not enough on something really important. Because when you suffer a data breach, you have to notify the authorities and some more important project may have to be held back as a result. You have to balance it.

Overall, the rule is a good incentive to get more secure. Other countries--and you mentioned a few--have noticed this effect and they said 'Oh, maybe we should try it in our own context.'

I think that it is a very easy policy model to adopt because it doesn't cost money, there're no taxes, there's no big regulation book--it's a very simple idea. It's already a de facto obligation in Canada, Japan has had it quite a while, and I think Germany just adopted their law on this. I expect it to happen in other countries. I think if it's thoughtful and the trigger for reporting is thoughtful, then it could be passed. But, they say the devil is in the details. If it results in over-reporting at some point, then the model may not be that useful.

Another concern is that over time, most people in the U.S. become immune to the fact that there's been a breach. The first few years it was a shock, and now it's almost like, 'Well, it happened again.' So for the individual, I think it's a little bit difficult now because you get these notices but there's really no harm so they say, 'Maybe it's not so bad after all.' There's a little risk, over time, of people getting immune to this but at the end of the day, reputable corporations will not want to be in the newspapers for having a breach, so that's a very good motivation.

Asia is generally seen as less protective of an individual's privacy, but countries like Singapore are looking at drafting their own data protection laws. What would you say are crucial ingredients in such legislation?
I think there's actually a way to think about this that allows each society and country to express its own unique values and culture. In a very global and connected world, it's not necessary that we all become the same. And so if you have more of a culture of the individual, it's really important that you have to protect the privacy, property rights and all that. That's a very different model than India or China, for example.

One aspect of privacy is you want to prevent information about you or me being used to harm you or me--you want to prevent harm. I think that's a globally accepted statement. Wherever you go in the world, you say 'I share my information with you, a store or government, but don't use it to harm me. Don't disclose it and have somebody now being able to come to my house and attack me because I made a mistake sharing it. Don't lose it and allow somebody gets into my bank account.' Those are security issues. 'Don't share it with inappropriate people that I don't want it shared with.' That's privacy.

That, I think, is one essential element of any data protection and privacy legislation. Seek to protect the individual against harm that might come to them from inappropriate use of their data.

The second concept is about accountability. If an organization--government or private--has responsibility to manage information, they should be accountable for what they do with the information. If they mismanage it, lose it, share it, do something bad to it--whether it causes you harm or does something else--they should be accountable. Another essential element in a national law should be some accountability, some enforcement.

The third element, which does not have to be the same in all countries, is what I call the cultural aspect. In Germany, the right to privacy is a human right that is formed from experiences in that society that go back to World War II and the use of information to track down Jews and to persecute people. That's a very different history and ethos than in the American Wild West, where the romantic ideal of the individual being a rugged individualist exists. And then you come to China and India, where there's a lot more comfort in very pervasive sharing. In India, somebody came up to me and asked 'How old are you? How much money do you make?' They wanted to know, but you don't ask people that in the United States.

Speaking of India, you have been involved in the steering committee for the Data Security Council of India (DSCI). What was that experience like?
Several years ago, the government of India was looking at how to strengthen the data privacy and data protection practices to ensure it continues to remain a viable and attractive place for business process outsourcing and IT outsourcing. A number of organizations were asked to provide input. What the government requested of the industry was to try and build capacity in the IT and BPO (business process outsourcing) industries around data security and data privacy.

I joined the steering committee initially to try to give them advice on how to set something up to try to build that capacity. Recently, we have a new data security and privacy officer in IBM India, Nandita Mahajan, and she took my place on the committee.

I would say that the effort is proceeding. The government of India actually enacted in February 2009 a new data security law, and it's very comprehensive. It has a couple of key components. One is an obligation that handles information about people to keep it secure, and I think it has a notification provision in it. There's a substantial part of it that talks about government's access to information in order to protect the nation--the idea is to create more powers for the government to be able to get information to pre-empt further attacks. The motivation for enacting it quickly was in part due to the Mumbai attacks that happened in late-2008.

They have begun implementing the law, though it has not been fully implemented yet. The DSCI is one of the main business entities that is providing inputs into that implementation process to ensure that as the statute is implemented, the economic competitiveness of one of the key engines of growth in India--even in this downturn--remains viable and is indeed enhanced in its standing.

As you mentioned, the IT outsourcing and BPO industries are growth engines for India, but I think some years back there were some data security lapses that were widely publicized. Have things improved? I'm not hearing a lot of such complaints of late.
Yeah, isn't that interesting? I haven't heard of any either, in the last year or so, and I believe we would have heard about them otherwise. I would say the focus in data security practices in the last couple of years is resulting in a steady, continued progress in the companies that had to build the capacity and capability.

Every organization is fallible. For many years IBM had a very mature and comprehensive security program in all of our operations, but we continue to improve. We've seen other organizations improve as well, and I think that's to India's benefit as a destination for outsourcing. I think Egypt is going through similar thinking. We've been engaged in the Philippines a bit over the last couple of years, because they were also interested in implementing laws to position their IT and BPO industry sectors as mature and attractive. And our input to all of these countries has been the same--be thoughtful, look at the core concepts of preventing harm and accountability. You can achieve these objectives in a lot of different ways, and you ought to do it in a way that's useful to your society.

We've also said it is not necessary to photocopy European law books. That idea is not the only way to achieve a perception that you have strong data privacy. That point I think has been readily understood because even the European model has been criticized. There was a Rand report that was requested by the U.K. Information Commissioner, which was published earlier this year. It was a study of how effective the European Union directive has been in protecting privacy and how is it positioned to adapt to changing models of business and technology like cloud computing. The conclusion of the Rand study was that the model of the European directive was based on mainframes and having control over batches of data, but things aren't like that anymore.

If you're going to be enacting laws, policies and practices in countries that are high-growth or don't have legacy legal systems like the European models, then wouldn't you want to leap ahead, anticipate the direction and then enact laws and policies that try to support growth while protecting people? Why would you want to photocopy a model that has been the subject of a lot of study about how it does not necessarily keep up?

I've learnt over my career that laws work backwards, where lawmakers always look at the problems and then try to fix them. When you make policies you're looking at the current; it's very hard to imagine the future. As a result, policies and laws will always be behind what humans and technology are doing. Having the humility to understand that, and to figure out how to at least be neutral so that you can embrace changes with technology and still be relevant with your laws, is a very important practice that many government leaders in Asia understand.

Editorial standards