Data privacy is an esoteric, faraway concept – until you start seeing strange ads pop up every time you get onto the Internet. Those of you who browse the World Wide Web may have noticed a change in some of the websites you visit: You’re getting to know your cookies. In particular, there have been more notices popping up, asking you what kinds of cookies you want and whether you want to disable them.
“Cookies” on the Internet are not the nom-nom-nom variety, of course. Cookies are little files that a website will give your computer to keep hold of. The objective of these files is to identify your computer so the website can recognise you when you visit it again. The cookies metaphor comes from the idea that your Internet cookies generate a trail of “crumbs” to identify you.
So, for example, if you go to a website and set the language to “Malay”, it may generate a cookie that will remember your preference. The next time you visit the website, you don’t have to set the language again. Or it can just remember the page you were at, so you don’t have to navigate all the way there again the next time you visit.
I mean, this is pretty cool in itself. It means the website has a “memory” of who you are, and your browsing experience becomes a bit more personal.
Of course, there is a dark side to all of this. Some cookies, like the apple given to Snow White, may look fine but may not be good for you. For example, they might be cookies that are run by a third party that tracks you not only at that particular website you’re visiting, but also any other website that the third party works with.
These kinds of cookies are made to build a profile of you. To know what hobbies you might have, what medical problem you may be looking up, or even if you support Manchester United or Liverpool football clubs. (Fortunately, I support neither.)
By now perhaps some of you are thinking, “cookie bad”. And, indeed, the negative side of web tracking has long been identified. When you visit a website, should the expectation be that anything you do could be sold as information to third parties?
Well, you can’t trust the companies. They can say whatever they want – “Don’t be evil” is one famous (now infamous) example – but if they do become evil, there might not be anything you can do about it.
It is a well-known saying: When a service on the Internet is free, then the product is you. And when the service is Facebook, it tracks you in a multitude of ways. Have you ever visited a website that has a Facebook “Like” button on it? If you have logged into Facebook at any time before that on the same computer, then it’s possible for Facebook to know that it’s you.
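The cross-site tracking described above can be shown with a small simulation, added here as an illustration and not part of the original column. The domain names, the `Browser` and `Tracker` classes and the `uid-` identifiers are all constructed. It models cookies only and treats any embed whose domain differs from the page's as third-party.

```javascript
// Constructed simulation; every name and domain here is hypothetical.
class Tracker {
  constructor() { this.profiles = new Map(); this.next = 1; }
  // One request from an embedded widget (e.g. a "Like" button).
  // Returns a new cookie value to set, or null if the browser already sent one.
  handle({ cookie, referer }) {
    const id = cookie ?? `uid-${this.next++}`;
    if (!this.profiles.has(id)) this.profiles.set(id, []);
    this.profiles.get(id).push(referer); // the page the widget was embedded in
    return cookie ? null : id;
  }
}

class Browser {
  constructor({ blockThirdParty = false } = {}) {
    this.blockThirdParty = blockThirdParty;
    this.jar = new Map(); // domain that set the cookie -> cookie value
  }
  // Load a page; each embedded widget triggers a request to its own domain.
  visit(site, embeds, servers) {
    for (const domain of embeds) {
      const blocked = this.blockThirdParty && domain !== site;
      const cookie = blocked ? undefined : this.jar.get(domain);
      const setCookie = servers[domain].handle({ cookie, referer: site });
      if (setCookie && !blocked) this.jar.set(domain, setCookie);
    }
  }
}

// Visit three unrelated sites that all embed the same third-party widget
// and return the browsing histories the third party ends up holding.
function simulate(blockThirdParty) {
  const tracker = new Tracker();
  const browser = new Browser({ blockThirdParty });
  const servers = { "social.example": tracker };
  for (const site of ["news.example", "health.example", "football.example"]) {
    browser.visit(site, ["social.example"], servers);
  }
  return [...tracker.profiles.values()];
}

console.log("third-party cookies allowed:", simulate(false));
console.log("third-party cookies blocked:", simulate(true));
```

With third-party cookies allowed, the widget's owner holds one profile covering all three sites; with them blocked, it sees three visits it cannot tie together by cookie.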
What can you do about this? Not much, unfortunately. You can try all sorts of little tricks like “anonymous browsing” and using multiple log-in aliases for different online “identities”. But at the end of the day it’s you doing a lot of the hard work, and that’s assuming you’re technically competent enough to do it.
Wouldn’t it be better if it was illegal for websites to use your personal information if you haven’t agreed how and when they can use it?
That’s what was done in the European Union (EU). The General Data Protection Regulation (GDPR) was established specifically so that it is the individual that has rights over his/her personal data – not the companies you give data to.
Companies take GDPR seriously because the penalties in some categories begin at €20mil (RM95mil), and rise depending on the income of the companies.
One example of how users have more control is that they must actively give consent. Previously, if you filled in a form on the Internet, some boxes would be “pre-ticked” for you – for example, indicating that you want marketing e-mails from them. Now, the GDPR mandates that websites can’t make predetermined choices for users.
Another example is that users need to know how they are being tracked as they move around a website, and have to give explicit consent. This covers things like cookies.
And this is why you are now finding websites that ask you questions about which cookies you want.
It may seem unusual that a website in Europe offers this feature to Malaysians, but the regulation protects individuals, and EU citizens could be accessing websites from anywhere around the world.
In fact, a Malaysian website offering services to somebody in the EU also falls under the regulation. True, how cross-border enforcement will work has yet to be seen, but it means any Malaysian company serious about offering services and goods to EU citizens needs to look at its obligations.
The GDPR is now recognised as the “gold standard” for safeguarding an individual’s right over how his/her data is used (a lawyer’s words, not mine). EU companies are now including clauses in their service and supply contracts with other companies outside Europe so that they continue to comply with GDPR.
Much of the talk about compliance is focused on companies. But what about countries? Why shouldn’t Malaysia strive to achieve this gold standard when it comes to personal data protection?
The truth is, we developed the Personal Data Protection Act back in 2010 and it hasn’t kept up with the times. Perhaps the most glaring omission is that it doesn’t apply to the government (because since when did governments collect and maintain personal information about you, right?).
But it’s clear we’re missing opportunities. In July, Japan and the EU agreed to recognise each other’s data protection systems as “equivalent”. Japanese companies can now easily share data with companies in Europe.
But if we continue to fall behind on this front, because we don’t see the value in moving forward – well, I guess that’s how the cookie crumbles.