This is Part I of a two-part series that explores the rise of Privacy by Design (PbD) from the basic framework, to its inclusion in the GDPR, to its application in business practices and infrastructure, especially in the wake of Artificial Intelligence.
We had the pleasure of sitting down with Dr. Ann Cavoukian, former 3-Term Privacy Commissioner of Ontario, and currently Distinguished Expert-in-Residence, leading the Privacy by Design Centre of Excellence at Ryerson University in Toronto, Canada, to discuss this massive shift that will upend current business practices. This article includes contributions from Scott Bennet, a colleague researching privacy and GDPR implications on emerging technology and current business practices.
I call myself an anti-marketer, especially these days. My background has predominantly come from database marketing and the contextualization of data to make more informed decisions to effectively sell people more stuff. The data that I saw, whether it be in banking, loyalty programs, advertising and social platforms – user transactions, digital behavior, interactions, conversations, profiles – were sewn together to create narratives about individuals and groups, their propensities, their intents and their potential risk to the business.
While it was an established practice to analyze this information in the way that we did, the benefit was largely to businesses and to the detriment of our customers. How we depicted people was based on the data they created, based on our own assumptions that, in turn, informed the analysis and ultimately, created the rules which governed the data and the decisions. Some of these rules unknowingly baked in unintended bias from experience and factors that perpetuated claims of a specific cluster or population.
While for many years I did not question the methods we used to understand and define audiences, it’s clear that business remained largely unchecked, having used this information freely with little accountability and legal consequence.
As data becomes more paramount and as AI analyzes and surfaces meaning at greater speeds, the danger of perpetuating these biases becomes even more serious and will inflict greater societal divisions if measures are not put in place and relentlessly enforced.
Recently, I met my maker. Call it atonement for the many years I manipulated data as a marketer. We had the honour of talking Privacy with an individual I had admired for years. Ann Cavoukian, in my view, will drive a discussion across industry that will make business stand up and listen.
Remember when Canada’s Privacy Commissioner took on Facebook?
Ann Cavoukian has been an instrumental force in spreading awareness of Privacy, which brought her front and centre on the world stage, pitted directly against Facebook in 2008. Back then the federal Privacy Commissioner alleged that 22 practices violated the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). This eventually led to an FTC settlement with Facebook that mandated increased transparency with its users, requiring their explicit consent before “enacting changes that override their privacy settings.”
Ann Cavoukian is a household name in technology and business. As a three-term Privacy Commissioner of Ontario, Canada, she has propelled the privacy discussion for a few decades. Today that discussion has reached a fever pitch as the EU General Data Protection Regulation (GDPR), which came into effect May 25, 2018, includes Cavoukian’s long-advocated creation, Privacy by Design (PbD). This will raise the bar dramatically, and any company or platform that does business with the EU will need to comply with these standards. At the heart of GDPR are these guiding principles when collecting, storing and processing personal consumer information:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality (security)
Privacy by Design’s premise is to proactively embed privacy at every stage in the creation of new products or services in a way that’s fair and ethical. Cavoukian argues that by implementing PbD, companies would, in effect, be well on their way to complying with the GDPR.
What Makes this Moment Ripe for Privacy by Design?
In the 90’s the web was growing exponentially. Commerce, online applications, and platforms were introducing a new era that would dramatically change business and society. Ann Cavoukian, at this time, was in her first term as Privacy Commissioner of Ontario. She witnessed this phenomenon and was concerned it was going to grow dramatically, and in an era of ubiquitous computing, increasing online connectivity and massive social media, she surmised that privacy needed to be developed as a model of prevention, not one which simply “asked for forgiveness later.”
Imagine going to your doctor, and he tells you that you have some signs of cancer developing and says, “We’ll see if it gets worse and if it does, we’ll send you for some chemo.” What an unthinkable proposition! I want it to be equally unthinkable that you would let privacy harms develop and just wait for the breach, as opposed to preventing them from occurring. That’s what started PbD.
In 2010, at the International Conference of Data Protection Authorities and Privacy Commissioners in Europe, Cavoukian advanced the resolution that PbD should complement regulatory compliance, to mitigate the potential harms. It was unanimously passed. The reason?
Everyone saw this was just the tip of the iceberg in identifying the privacy harms, and we were unable to address all the data breaches and privacy harms that were evading our detection because the sophistication of perpetrators meant that the majority of breaches were remaining largely unknown, unchallenged and unregulated. As a result, PbD became a complement to the current privacy regulation, which was no longer sustainable as the sole method of ensuring future privacy.
These days the issue of data security has gotten equal, if not more, airplay. Cavoukian argues:
When you have an increase in terrorist incidents like San Bernardino, Charlie Hebdo attacks in Paris, and in Manchester, the pendulum spins right back to: Forget about privacy – we need security. Of course we need security – but not to the exclusion of privacy!
I always say that Privacy is all about control – personal control relating to the uses of your own data. It’s not about secrecy. It drives me crazy when people say ‘Well, if you have nothing to hide, what’s the problem?’ The problem is that’s NOT what freedom is about. Freedom means YOU get to decide, as a law-abiding citizen, what data you want to disclose and to whom -- to the government, to companies, to your employer.
Pew Research conducted an Internet Study post-Snowden to get a consumer pulse on individual privacy. Key findings cited:
There is widespread concern about surveillance by both government and business:
• 91% of adults agreed that consumers had lost control over their personal information;
• 80% of social network users are concerned about third parties accessing their data;
• 80% of adults agreed that Americans should be concerned about government surveillance.
This data corroborated Canadian Privacy Research. Cavoukian notes she has never seen concern for privacy consistently in the 90th percentile, with strong public support for individual privacy. Worldwide, people are very concerned about their privacy and the loss of control over their personal information.
Context is Key:
And while there are those who understand they are trading their information for an expectation of value, they should be fully informed of how that value is extracted from their data. Cavoukian cautions:
Privacy is not a religion. If you want to give away your information, be my guest, as long as YOU make the decision to do that. Context is key. What’s sensitive to me may be meaningless to you and vice versa... At social gatherings, even my doctors won’t admit they’re my doctors! That’s how much they protect my privacy. That is truly wonderful! They go to great lengths to protect your personal health information.
The importance of selling the need for privacy includes persistent education. Unless people have been personally affected, many don’t make the connection. Does the average person know the implications of IoT devices picking up the “sweet nothings” they’re saying to their spouse or their children? When they realize it, they usually vehemently object.
Context surfaces the importance of choice. It is no longer an all-or-nothing game subsumed under a company’s terms and conditions where one click, “Accept” automatically gives full permission. Those days are over.
And while some can object to analysis and contextualization for insurance purposes, they may allow their personal health history to be included in an anonymized manner for research to understand cancers endemic to their particular region.
Context is a matter of choice; freedom of choice is essential to preserving our freedom.
Privacy Does Not Equal Secrecy
Cavoukian emphasizes that privacy is not about having something to hide. Everyone has spheres of personal information that are very sensitive to them, which they may or may not wish to disclose.
You must have the choice. You have to be the one to make the decision. That’s why the issue of personal control is so important.
I extracted this slide from Ann Cavoukian’s recent presentation:
The Chinese Social Credit System was created to develop more transparency and improve trustworthiness among its citizens. It’s a dystopia we do not want. China is a clear surveillance society that contradicts free society’s values. Cavoukian crystalizes the notion that privacy forms the foundation of our freedom. If you value freedom, you value privacy.
Look at Germany. It’s no accident that Germany is the leading privacy and data protection country in the world. It’s no accident they had to endure the abuses of the Third Reich and the complete cessation of their privacy and their freedom. And when that ended, they said, ‘Never again will we allow the state to strip us of our privacy -- of our freedom!’ And they have literally stood by that.
Post-Snowden, I wrote this: “The NSA, Privacy and the Blatant Realization: Nothing You Do Online is Private” and referenced a paragraph written by Writynga in his response to Zuckerberg’s view at the time (2012) that privacy was no longer a social norm:
We like to say that we grew up with the Internet, thus we think that the Internet is all grown up. But it's not. What is intimacy without privacy? What is a democracy without privacy?… Technology makes people stupid. It can blind you to what your underlying values are and need to be. Are we really willing to give away our constitutional and civil liberties that we fought so hard for? People shed blood for this, to not live in a surveillance society. We looked at the Stasi and said, 'That's not us.'
The will of the people has demanded more transparency.
But we don’t want a state of surveillance that eerily feels like we’re living in a police state. There has to be a balance between ensuring the security of the nation and the containment of our civil liberties.
Stay tuned for PART II of this Series: Why Big Business Should Proactively Build for Privacy: Perspectives from Ann Cavoukian