Bangkok has more Facebook users than any city in the world, and Thailand must begin privacy laws. (Main graphic clipped at slideshare.net)
Author: Sutapa Amornvivat, Ph.D.
Published in Bangkok Post newspaper / In Ponderland column 16 May 2018
Over a month has passed since the Facebook scandal which has sent shockwaves across the tech industry and around the globe. Facebook came under fire following an incident involving its user data exploited by Cambridge Analytica, a UK-based analytics company that was contracted in US President Donald Trump's election campaign.
Facebook, as a platform that allows data harvesting to happen, faced a strong backlash from the public and lawmakers. In its defence, the company does have terms of service that prohibited the actions undertaken by Cambridge Analytica.
Following the scandal, Mark Zuckerberg, the founder and CEO of Facebook, testified before US Congress. From a public relations standpoint, the Senate's lack of computer literacy seemed to give Mr Zuckerberg the upper hand. Many of the members did not understand the basic business model or functions of Facebook.
But regardless of the public outcome of the hearing, the fact of the matter is: Facebook did not go far enough in policing how companies were using data from its platform, an issue Mr Zuckerberg promised to address.
A month has passed since the hearing, so what has changed?
Facebook recently hosted the F8 developer's conference, where they announced one of their most socially ambitious projects, a dating app.
This could be interpreted as a sign of confidence. They are willing to bet on dating — one of the most sensitive and private activities people engage in. Perhaps Facebook believes they still hold users' trust over their data. In spite of the #DeleteFacebook movement, statistics have shown that very few people have actually deleted their accounts and left the network.
Cambridge Analytica has fared much worse, even filing for bankruptcy this month. It claimed the scandal has driven off its customers.
The public and legal spotlight should now return to these self-regulated platform-based companies. It has often been their prerogative to draw a line between what can be done with their users' data. Given how events have transpired, data companies will have to demonstrate greater transparency and accountability in order to uphold the public's trust.
To combat the issue of privacy, we should focus on protecting the public against abuse as in the case of Cambridge Analytica, rather than prohibiting data collection itself.
In the near future, we will see more data protection laws like the EU's General Data Protection Regulation (GDPR). These are designed to protect consumers from organisations that process their data by ensuring greater controls and transparency. For example, the GDPR enforces the "right to be forgotten" whereby an individual can demand that their data is deleted after fulfilling the purpose when consent was given.
What are the implications for Thai businesses?
Once the GDPR comes into effect, Thai companies involved in the handling of data with EU partners will have to ensure compliance if they are to continue their business activities.
The issue of data privacy is particularly relevant for Thailand. Bangkok now has the highest number of active Facebook users in the world at 30 million. The country has over 46 million registered Facebook users, with the average Thai spending almost three hours a day on social media (the discrepancy in user numbers is partly attributed to a trend of people opening multiple accounts).
Either way, Facebook is undoubtedly an integral part of everyday life for many Thais. The three most popular platforms here — Facebook, Instagram and YouTube — all collect masses of data on their users.
Despite that, Thailand has no specific data protection law in place. Legal enforcement can only be taken when damage is inflicted on a victim as a result of a data breach. Moving forward, the government should strike the right balance between an internationally-accepted data protection regulation and one that does not impose any unnecessary burden on businesses.
Meanwhile, the government has drafted the Personal Data Protection Bill (PDPB), which has been revised over many years. The amended 2018 PDPB is still pending review by the cabinet this month, with no official timeline announced. It is clear that social media penetration has occurred quicker than the privacy laws can keep up. The Facebook scandal signals the need for such protection now more than ever.
But will legal measures alone be sufficient?
After all, it's the users who consent to giving up their data. In fact, a university campus study in the US has shown that 98% of college students were willing to relinquish their private data in exchange for a free pizza. For many, giving up some personal information is a small price to pay for a free service or smooth user experience. Regulation alone may not be sufficient.
Promoting web literacy can provide another layer of protection as it helps people understand when their data is being collected and how it can be used. The public will become more aware of the implications when registering for Facebook quizzes such as "Which character are you in [the hugely popular Thai soap] Love Destiny?". While seemingly harmless, some of these popular Thai Facebook apps have the same data harvesting capability as those used by Cambridge Analytica.
Web literacy should make people pause before taking that online quiz, or posting their national ID and bank account numbers as Facebook comments to online merchants — all practices that are common in Thailand.
The complicated issue of data privacy demands an equally comprehensive response from all parties involved. It will take time for the data industry — companies, regulators and consumers, come to terms with the right balance between privacy and better services.