Everything you need to know about this growing practice, where companies harvest personal data from the web and create an online profile that can put a value on everything - while you know nothing about it.
Before the introduction of data protection laws in various ASEAN countries, including Malaysia and Singapore, operating as a data broker was generally thought to be a lucrative business.
After all, in today’s highly digital world, the number of data points that exist and can potentially be capitalised on for each and every one of us is staggering. Data, clearly, is the new oil, the new gold, or whatever valuable commodity you prefer. It is estimated that there are up to 4,000 data brokers worldwide today, with the global market valued at more than US$200 billion in 2019 and up to US$350 billion in 2026.
What a data broker does, in short, is gather information, including personal data, from various sources and sell it as many times as possible. The purchasers clearly have a profit motive and want to use the information to market goods and services to individuals, including using high-pressure sales tactics to achieve their ends.
In Singapore, for example, anecdotes have circulated of individuals being invited to so-called “seminars” for financial advisory services and property timeshares, with the organisers practically locking them in seminar rooms until they agree to invest or purchase.
Where data brokers get their information
Data brokers gather information from two main sources to fuel their lucrative businesses.
First, they gather information from public registers made available by the government for specific purposes. For example, registers of company directors are published so that individuals cannot hide behind corporate facades, registers of land title holdings, registers of court proceedings, and so on.
Second, they gather information from businesses that agree to sell the information to the data brokers. For example, these could be retailers with information about individuals in a loyalty or rewards programme, businesses that maintain lists of individuals for their own sales and marketing purposes or other business purposes.
The common thread here is that this information, including personal data that could identify individuals and, for example, their shopping habits and preferences, was not published by governments, or provided by individuals to businesses, with the expectation that it will be sold to data brokers without the permission of the individuals themselves.
Nor do individuals expect that this information will be used by potentially numerous businesses to attempt to sell them goods and services without the individuals agreeing to this happening.
How data protection laws impact data brokers and individuals
Data protection legislation, such as the Personal Data Protection Act (PDPA) in Malaysia and its namesake PDPA in Singapore, curtails the activities of data brokers substantially because they give individuals the power to control the use of personal data.
The outcome is that the majority of data brokers have either gone out of business entirely or now operate only in countries that do not have comprehensive data protection laws. This has come about for two reasons.
First, generally speaking, there are rules in the data protection laws that make it illegal for data brokers (or any other business) to tap into public registers to gather information for purposes, such as marketing, that is not intended by the governments that publish these registers. These data protection laws complement long-standing terms of use and intellectual property laws that seek to prevent the misuse of information that is published in public registers.
The reality is that these bad practices have not been stamped out entirely by either data protection laws or by terms of use and intellectual property laws.
Some data brokers, as well as some organisations or marketers who buy information from data brokers, either do not understand the legal restrictions or choose to ignore them in the expectation that they won’t get caught by the authorities. As consumers, there is little or nothing we can do individually about these bad practices; collectively, however, we may be successful in urging government regulators to clamp down on them.
Second, the data protection laws generally require businesses that collect personal data about or relating to individuals to notify the individuals of the purposes for which they are collecting, using, and/or disclosing such personal data and to get their consent for doing so. To be clear, businesses are not allowed to sell personal data to data brokers unless they get consent from individuals.
What data subjects can do to safeguard personal data
Here, as consumers and data subjects, we do have power both individually and collectively to determine what happens to personal data about or relating to us.
- As individuals, we can read the privacy notice published by a business to see what they intend to do with our data. If we see that they may sell it, we can decide not to deal with them and to take our business to one of their competitors who do not sell personal data.
- As businesses and organisations, we can engender trust among our customers and stakeholders by publishing a privacy notice that is concise and easy to understand, and making it clear that we would assuredly not sell personal data.
- As businesses and organisations, we can also limit the amount of personal data that we collect, so that we only collect what is necessary for the purpose or purposes for which we notify individuals that we are collecting it.
- As individuals, we can encourage businesses not to collect personal data excessively by taking our business to one of their competitors that is more selective about what personal data it collects: we should avoid businesses where we are left to ask ourselves “What could this business possibly want [X piece of personal data] for?”
The central theme? Trust
Businesses and organisations should work hard to earn the trust of individuals by telling them what they will do with personal data that they collect either directly from the individuals themselves or third-party sources, such as government and other publicly available registers.
And individuals should be vigilant in protecting themselves from the risk of their data being shared more broadly than they expect and/or is acceptable to them, by dealing with businesses that they trust, after ascertaining what these businesses will and will not do with their data.
