The state of data privacy in 2020 leaves many feeling resignation, but are there reasons for optimism?
The International Day of Data Protection dates back to 2007, originally conceived to raise awareness among businesses and people of the importance of protecting personal and sensitive information. Since then, awareness has grown indeed, but so has pessimism, and a sense that personal data privacy is the proverbial “tip of the iceberg” of technology risks.
A recent Pew study finds some 81% of Americans believe the risks of companies’ data collection outweigh the benefits. Yet, while study after study shows consumers around the world are increasingly wary of their data privacy, few companies have yet to heed their calls– for transparency, controls, data sovereignty, [self] regulation, or opt-out.
As technology and cybersecurity are transforming daily life, democracy, and markets, this day takes on new significance. In this spirit, we surface reasons for optimism on this International Data Privacy Day.
1. Global awareness has accelerated and widened.
More people across demographics are growing more aware of the ubiquity and risks of personal data collection and sales. Data protection tactics have grown more specialized, from Gen Z’s preferences to tools for the elderly to the growing anti-facial-rec market. On the supply side, the E.U.’s General Data Protection Regulation (GDPR) prompted thousands of businesses to re-think (if not re-configure) their practices, and dozens of countries around the globe to consider similar legislation. In the US, some 700 privacy bills have been introduced at the state level, according to Stacey Gray, Senior Policy Council at the Future of Privacy Forum. This growing awareness has emboldened users, empowered employees, sparked educational programs, new design thinking, and emerging marketplaces.
The widening scope of awareness is also part of the broader “techlash” of 2017-2019, a period in which the perils and protests of big tech manifested across diverse realms of society, from disinformation to digital disenfranchisement, from public health to environmental concerns, and beyond. The aperture of how we evaluate and govern emerging technologies has expanded far beyond personal data privacy. This is a critical step to naming, framing, and taming these risks, many of which are without clear precedent.
2. Market forces are filling the vacuum (slowly).
Another signal for optimism is the rising tide of companies– large and small, tech and legacy– emerging to meet the demands for greater personal data protection. The tech giants have struggled to enact meaningful change here, with some exception in Apple, which has poured millions into marketing its differentiated business model and designs to this end.
The rise of GDPR and other vertical-specific regulations have also prompted a burgeoning industry of related privacy and security management tools. Companies like OneTrust, Integris Software, and many others offer privacy management software to support efforts at scale. Meanwhile, privacy-friendly browsers, email, ad-blocking software, virtual private networks, messaging encryption, and all manner of related apps and data wallets have enjoyed double-digit growth in recent years. Particularly relevant to the trajectory here is Gen Z’s slant towards ephemeral media, private, multi or anonymous social networks, and “native” fluency in configuring settings. Compound this with a slew of “next-gen” models (see #3), and we can see a few scenarios in which tomorrow’s leaders grasp the new market opportunities that today’s leaders are too fearful or too arrogant to pursue. It certainly wouldn’t be the first time in history, or even in tech.
3. New techniques, tools, and designs are born everyday.
The third reason for optimism can be found deep in the tech stack (which is perhaps why it is harder to see!) Action-reaction: If daily revelations of massive data breaches and the groundswell of privacy and security concerns have done anything, they have prompted significant investments in technological solutions to address data protection. Kaleido Insights is tracking these diverse techniques in “privacy engineering” and designs, such as:
- Federated learning
- Differential privacy
- Homomorphic encryption
- End-to-end encryption
- Data deciphering
- Pre-emptive compliance
- Automated data minimization
- Attribute-based credentials
- Zero-knowledge proofs
- Side-chains, off-chain code
- Self-sovereign identity
- Privacy-learning agents
- Edge level processing and “local” AI
- Open data marketplaces
Technological solutions for both privacy- and security-by-design are critical enablers to shift unfettered data collection towards thoughtful and user-centric data stewardship. The emerging technologies and architectures of the future remain unclear. We see their outlines, but their impacts and applications are subject to emerging political, cultural, and economic forces. How will the growing purchasing power (and employee influence) of the next generation shape demand? How will practical enterprise needs adapt, and differentiate? What role will nation states play?
4. We’re shifting from reactive to proactive approaches.
One derivative, but critical impact of the above three trends is that organizations (commercial and government) are beginning to proactively address data protection upstream, rather than downstream reactively. Part of this is because few companies have a clear, up-to-date understanding or inventory of what data they even have, given the sheer volume and velocity of data, Hadoop as a “dumping ground,” the number of sharing agreements with third parties, unknown data from acquisitions, etc.. Part of this is because vendors and tools have emerged to support data compliance at scale, and because engineers are incorporating new techniques for “privacy by design” (which is all about starting upstream!). But this also signals “a shift in intention,” says Kristina Bergman, CEO of Integris Software. “A shift in intention translates to action, which translates into policies.”
Whether companies have dedicated data privacy expertise or not, everyone desires clarity. Governments are offering recommendations and best practices, business and consumer education, data mapping. GDPR has specific requirements for security and privacy-by design as well as automated decision-making. In response to companies begging for simplicity, desiring holistic oversight and compliance, Microsoft now offers a Privacy & Compliance Score designed for CPOs and CTOs. All of these are steps away from reactive fire drills in the event of a breach, and towards deeper and wider proactive data protections. We still have a lot of work to do, but we’re headed in the right direction.
Throughout my career, I have analyzed personal data collection through the lenses of social media, mobile, smart home, wearables, blockchain, machine learning, computer vision, voice recognition, virtual assistants, augmented and virtual reality. The volume, variety, and velocity of personal data to which companies claim ownership is growing exponentially. But we are entering a new decade, and a new era of technology characterized by the proliferation of intimate biometric sensors, AI-powered cameras, behavioral and health inferencing, and exponentially more connectivity.
There are plenty of reasons to be alarmed, even terrified by the erosion of personal data protection and its implications for self-determination and democracy. But now is not the time for resignation, it is the time for inspired action.