If you use the internet then it’s certain that some organization somewhere is storing data about you. Indeed research shows that people are happy to share information in exchange for a better consumer experience.
However, that data is still yours, so how can you understand what information you’re giving away and how can you take better control?
We spoke to John Phantis, chief privacy counsel at ForgeRock and an experienced privacy lawyer, about the changing privacy landscape and what people’s rights are as digital consumers.
BN: Isn’t the battle to keep our data private already lost?
JP: That very much depends on how diligent people have been about controlling their personal data and (for example) using social media. The stakes are higher for online consumers who haven’t been discerning about who can access their personal data. These people are at most risk of having their data proliferated around the Metaverse, profiled for invasive advertising, exposed to data breaches or misused in a multitude of other ways. In certain circumstances that could become a big deal if the consumer’s identity is stolen. The Facebook-Cambridge Analytica scandal introduced many consumers to the realities of how personal data can be misused. Since then, highlighting personal details on social media could also impact employment opportunities.
Privacy savvy consumers avoid websites that are insecure, have questionable data practices, and/or bad user experiences, including not providing genuine choices on targeted advertising. They also tend to restrict their use of social media and actively look for websites offering additional levels of data protection like multi-factor authentication (MFA), which often involves proving that you control a particular mobile device in addition to providing a password. This blocks access to consumers’ accounts and lowers the overall risk of improper account access and/or data theft. This is especially important as instances of data breaches and related incidents grow more common, as seen in the most recent ForgeRock 2021 Breach Report, which revealed that attacks involving usernames and passwords increased a staggering 450 percent in 2020 from 2019, translating into more than a billion compromised records in the US alone. The goal of all these methods — including some new entirely passwordless ones — is to increase phishing resistance, so no one can trick you out of your password or steal it without your knowledge.
BN: What rights does legislation around the world give people to control the use of their information?
JP: Global data protection law provides privacy rights that are specifically designed to give individuals control over their personal data — including the rights:
To be forgottenTo data accessTo be notified of data processing terms and provided with a choice at the point of data captureTo have data processed in specific ways only after consenting to it.
In most cases the organization receiving the request has around 40 days to comply, with limited opportunity to push back on an individual’s rights applications. Compliance failures are likely to drive complaints to regulators, increasing the risk of regulatory intervention into an organization’s business and associated fines, costs and brand damage.
People tend to ‘reach’ for these rights when feeling vulnerable or powerless with respect to suspicious data practices, when personal data is exposed to a data breach or after receiving spam marketing. The threat of business damage is a powerful incentive for shifting enterprise culture back towards respecting consumer’s choices around personal data access.
Many nations and corporations are making great strides toward achieving clearer privacy protections, but there is a long way to go. The lack of data protection legislation in many countries and, frankly, most US states, is depriving people of the basic human right to privacy and driving data protection inequality, which deepens wider social inequality. To address this issue, we need to better educate consumers on their privacy rights in every facet of our society.
BN: How does the ‘right to be forgotten’ work?
Broadly speaking, the right to be forgotten, also known as the right to erasure, gives individuals the right to ask organizations to delete their personal data. There are specific exceptions to this right. For example, the organization may be required to hold the individual’s personal data to comply with specific legal obligations. However where these exceptions do not apply, the organization will be required to satisfy the request within 40 days, or earlier. Compliance failures will open up an organization to the risk of regulatory intervention into an organization’s business and associated fines, costs and brand damage.
Given competing interests and the hyper-connected nature of the Web and future Metaverse, the right to be forgotten is much more complicated than an individual simply requesting personal data erasure. The right to be forgotten dovetails with an individual’s right to access their personal information. An individual’s right to control personal data is meaningless if people cannot take action when they no longer consent to processing, when there are significant errors within the data, or if they believe information is being stored unnecessarily. In these cases, an individual can request that the data be erased and the organization should have technical and organizational measures in place to satisfy the request without undue delay.
BN: What should you do if your data is involved in a data breach?
JP: Breached companies are obligated to notify individuals of a personal data breach if the breach is likely to expose the individual to significant harm, including identity theft and/or financial loss. So, my advice is to take immediate action, which will vary depending on type of data that has been compromised. The steps you should take include:
Change your online login passwords and security Q&As linked to the breached accounts and other accounts carrying similar login information and passwords.Seek bank, credit card company or health insurance assistance to protect bank and/or credit card accounts and medical data as fast as possible.Contact the breached company to get confirmation of the type of personal data exposed to the breach or verify the information being provided from the company.Assess the assistance being offered by the breached company. Remediating a breach, protecting your personal data and recovering from an issue such as identity theft can be stressful, costly and time consuming to handle on your own.Monitor your accounts and credit records and take the appropriate action if/when signs of abnormal activity are identified.
Image credit: Lightspring / Shutterstock