Privacy invites Law, Tech, and Business — what a dinner party

The world is becoming increasingly data-centric. Actually, one might even argue that the world is already heavily so. Nevertheless, caution is advised since roughly half of the world’s population does not even have Internet access [1]. Yes, dinner has just started.

Multiple topics of interest could potentially captivate these distinguished guests. Privacy has, however, one specific topic in mind: gaps. Each guest is knowledgeable in their specific area, each guest effectively contributes to the same society, and all are interconnected, interdependent yet each one speaks its own language. There are, in fact, huge gaps between the way each one perceives the world and, consequently, how they interact with Privacy. The ubiquity of Tech, the inevitability of Law and the drive of Business were due a friendly dinner to spark the conversation around one of today’s hot topics: individual privacy in a heavily data-centric society.

Business: Privacy, you know I am fond of you but, to be honest, from the point of view of the numbers, the advantages of data collection, processing, and the intelligence that is possible to gather from those, greatly outweighs any of the downsides. Actually, most people do not even care about you. They have nothing to hide.

This is a strong statement by Business. It is undeniable how an historical disregard for privacy has enabled the growth of many businesses [2] and how sometimes this results in beneficial applications [3]. Is it all only about numbers? Exploitation of individual’s data has become common even in some of the most sensitive domains. Finance is one of the key sources of juicy information [4].

Law: No, no, no! Please do not use the ‘nothing to hide’ argument. It is clearly a fallacy and very misleading [5]. If you play that card, I need to play the Snowden one: “Arguing that you don’t care about privacy because you have nothing to hide is like arguing that you don’t care about free speech because you have nothing to say.” [6]. What we need is stronger legislation and continue the path of improving our law frameworks. GDPR is a good example! Privacy is a fundamental right! [7]

Important points made here. In fact, Privacy goes well beyond having something to hide. It is closely related to our freedom [8]. Without privacy, there is no freedom. However, legislation cannot answer this challenge on its own. There is an immense gap between what is stated, for instance, in the GDPR and the actual technology landscape of our days. What is possible to do in the areas of AI, machine learning and business intelligence goes greatly beyond what the lack of an explicit consent can impede [9]. How can this fantastic potential and fast evolution pace can still contribute to a free and plural society?

Tech: Law, I’m with you but how can you cope with things that most people cannot understand? How can you legislate over technology or processes that only a few people in the world actually fully master?

We hit a critical point. There is indeed a gap between business goals that might get too number-driven and the quest for solutions that might improve people’s lives. There is a gap between the principles the Law aims to protect, the praxis and actual capacity of enforcement when dealing with technological contexts. There is a gap between technology advancements and privacy requirements of individuals. However, arguably, the largest of gaps is the one separating what is technologically possible, what is understood to be possible, and how data-driven businesses actually work.

It is our claim that solutions should begin at the technological level. Technology should become increasingly transparent. Being technologically savvy or holding and engineering degree should not be a requisite for understanding what exactly is being done with one’s individual data. The design of an application, a device or product should clearly indicate how it manages data processing flows and the nature of such flows. Even in the case where code cannot be disclosed. This is a huge but key challenge.

This idea, in fact, is not new. The concept of privacy-by-design is present in the GDPR [10] and is extensively used in many contexts. Some companies are also pushing for a model where sensitive data is processed on device instead of populating large data lakes, which privacy-wise is an interesting alternative. The fact is that, independently of the model chosen, there is still a long way to go in terms of the actual technological tools available for providing truly private services and applications. Without further investment and technological advances in privacy-preserving systems it will become terribly difficult to manage Business drivers, write suitable Law and ensure a truly free society.

It is of critical importance to prevent bad things from happening and, on this topic, prevent any misuse of personal, sensitive, and private data. However, we believe it is even more important to come up with technical solutions that make those behaviours simply impossible and unnecessary.

References:

[1] https://www.internetworldstats.com/stats.htm
[2] https://www.theguardian.com/commentisfree/2018/dec/20/facebook-violating-privacy-mark-zuckerberg
[3] https://www.wired.com/story/google-location-tracking-turn-off/
[4] https://thefinancialbrand.com/74854/fintech-mobile-banking-app-data-privacy/
[5] “I’ve Got Nothing to Hide’ and Other Misunderstandings of Privacy”, Daniel J. Solove, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565
[6] https://www.businessinsider.com/edward-snowden-privacy-argument-2016-9
[7] “The right to privacy in the digital age”, Human Rights Council,Thirty-ninth session, Agenda items 2 and 3,Annual report of the United Nations High Commissioner for Human Rights and reports of the Office of the High Commissioner and the Secretary-General, 3 August 2018
[8] https://privacyinternational.org/blog/1111/two-sides-same-coin-right-privacy-and-freedom-expression
[9] https://www.engadget.com/2018/06/27/google-duplex-ai-phone-call/
[10] https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en