by Madi Solomon
In 2010, I was an invited delegate to a private conference in Singapore for Global Leaders of Information to discuss the theme of Meta: The Rise and Governance of Information about Information. It was a gathering of around 20 international professionals from legal, technology, business, public policy, and metadata specialists like myself, who were to explore the themes of privacy in the ever increasing data-driven world and how it might be used, or misused, in the future.
At the time, the 1995 Data Protection Directive was in place, but we soon learned that “directive” was loosely interpreted and consent was being obtained in oblique ways. We heard from large data companies who were selling time from their backend data “fire-hoses” by the minute to young start up companies who needed a baseline for their business prototypes. We heard from entrepreneurs who similarly bought “used” data wherever they could get it, and from game designers who monetized anonymity online but monetized their customer data in other ways, and from lawyers who were trying to understand if boundaries could be placed around data that was already wild. Metadata was the new frontier and businesses were mining it with abandon: could this wild west be tamed?
Conference room at the 2010 Global Leaders in Information, taken with author’s iPhone.
One month before the conference, the European Commission set out a new strategy on data protection in response to a paper they commissioned from the Article 29 Working Party entitled the “Future of Privacy”. They caught site of the wilds in 2009 and had already dispatched surveyors to scope the landscape. That same month Julian Assange published 400,000 Iraq War Log documents bringing attention to the fact that even government agencies were not exempt from advantaging the lack of oversight on the collection of personal data.
So what did we recommend at the end of the conference? A Creative Commons-like badge that would express the different gradations an individual could express for data privacy and/or portability. That was it, a simple little badge. Even at the time it sounded naïve, but Joi Ito was among the delegates and as the founder and Chairman of Creative Commons (he is currently Director of the MIT Media Lab) we all wanted to be his best friend.
Jump ahead to today, and one of the key indicators for monitoring privacy compliance to the new General Data Protection Regulation (GDPR) will be the display of certificates. Very similar to badges but issued with examination by a Data Protection Authority, not the individual. In retrospect, we weren’t that far off.
General Data Protection Regulation (GDPR)
Last week, on April 14, the European Parliament approved the General Data Protection Regulation (GDPR) after four years of work and deliberation by the European Commission and Council of the European Union. The GDPR introduces new rules that will impact the way businesses process, store, and transfer personal data and is the most powerful statement for data privacy we have seen in a generation.
In reaction to the reality of massive data centres, the revelations of data breaches around the world, and escalating terrorist attacks, the GDPR positions a closer coordination with member state law enforcement to battle cybercrime and shifts accountability for consent from the individuals to the data controllers and data processors themselves.
There are hefty penalty fees involved should companies fail to adhere to these new laws which will come into action in two years. The GDPR plans to use Codes of Conduct to help guide companies in obtaining Certificates of compliance which will be valid for a maximum of 3 years, and demonstrates that the company is past the risk of penalty.
Some might argue that when it comes to data privacy the “horse has already left the barn” due to the slow reaction of regulators in the past to grasp, well enough monitor, the many ways data were being used to gain market advantage. It was, in fact, the whistle-blowers who brought a sense of urgency to the matter, and while no one would call four years of deliberation a quick response, the GDPR is historic in its pursuit.
The new GDPR brings a rigor to its mandate of protecting individual rights in data privacy and imposes strict boundaries on the use and transport of personal data. The Data Protection Authorities will be looking for demonstrated efforts, not completion, when awarding certificates of compliance. Through a series of consultations, they will be monitoring efforts in the following:
- Establishing accountability and embedding Privacy by Design
- Appointing a Data Protection Officer
- New website consent forms and statements (Opt-out is not longer sufficient)
- Establishing statements of “legitimate interests” for data collection and usage
- Preparing for the processing of the Right to Object and the Right to Erasure from data subjects
- Preparing data breach notifications that can be communicated within 72 hours
- Demonstrated compliance prohibiting the use of personal data for profiling or targeted marketing
- Pseudonymization measures that prevent data re-aggregation that could lead to re-identification
- Understanding that joint controllers, no matter where they are outsourced, are equally liable.
The new privacy regulations are also serious about penalties for non-compliance. With the threat of imposing a EUR 20 million, or 4% of a company’s total worldwide annual turnover, whichever is greater, the GDPR has teeth to communicate their intent. But who will enforce these new regulations? Who, exactly, are the authorities that will be responsible for issuing penalties or awarding certificates?
Conference delegates contemplating privacy and metadata on Segways touring Sentosa Island.
The GDPR is currently in the process of forming an EU Data Protection Board. This board will be the restructuring of the The Article 29 Working Party, an existing data protection platform which is composed of representatives of each EU member state. The Data Protection Board will be responsible for the dissemination of guidelines, certificates and impact analysis for controllers and processors and is currently led by the European Data Protection Supervisor, Giovanni Buttarelli. The Article 29 Working Party also has two years to prepare and form the Data Protection Board. At present, their current priority is to articulate and agree on new data portability rights with the US. With their recent rejection of the EU-US Privacy Shield, they will be responsible for finding an acceptable compromise.
While the Regulators are occupying themselves with policy rather than policing, a number of steps have been taken to gather forces across the union. A Data Protection Board Chair and Vice-Chairs have been set up, Mr. Buttareli (EU Data Protection Supervisor) is expected to appoint a Secretariat to manage administrative affairs, and new IT systems and databases will need to be acquired and implemented before enforcement can be enacted.
It is impossible to measure the totality of how far-reaching data has become in our daily lives. In order to limit access to this sea of data and control re-identification, or any other possible data combinations that we haven’t conceived of, the General Data Protection Regulation plans to limit diving to the shallow end. Regulators are now in intensive training and multiple subgroups are forming to ensure that everyone, from governments, technology, borders, law enforcement, financial, health & medical, and international transfers, stay within the limits of what the GDPR finds acceptable for the protection of their citizens.
Published with permission from Ruth Corney: http://www.ruthcorney.com/
Whether these laws will be able to control the tide is yet to be determined, but the firm step that the European nations have taken will no doubt send a strong message to the rest of the world that post-internet economies should be built on mutual consent between processors, controllers, and the individuals who provide their data. As Jaron Lanier so eloquently states in Who Owns the Future?, “A market economy cannot thrive absent the well-being of average people, even in a gilded age.”
The 2010 conference in Singapore galvanized many of us. The conference chairs co-wrote a book, the game developer joined Facebook, another became Chief Scientist at IBM, while others returned to their government posts and began writing new policies. I wanted to learn more about privacy and earned two certificates from the International Association of Privacy Professionals (IAPP), which I proudly display on my LinkedIn profile.
Geographical boundaries may be difficult to map in cloud computing and the notion of true privacy may prove a myth as recombinant data can reveal more than we intend, but our fundamental right not to be exploited is a battle worth fighting for. Each company that can display a certificate of compliance to the General Data Protection Regulation will be contributing to the belief that trust is a value worth striving for.
Madi is a Senior Manager and brings over 20 years of knowledge and experience from a range of sectors. She is a creative technologist and specializes in business intelligence initiatives and semantic technologies that bridge the technical with social and cultural constructs. She has held executive roles in large multi-national companies and has initiated and led business transformation programs from the ground up. With the unique approach of combining soft skills with hard data, she has successfully introduced innovative products and new processes into operation.