Privacy Talk with Vivian Zhou, Co-founder at Karlsgate: What are the challenges for privacy-enhancing technology in general?

Kohei Kurihara
Published in Privacy Talk
May 21, 2024

“This interview has been recorded on 6th May 2024 and discusses privacy technology, and data management”

  • What is the difference of privacy legislations?
  • What is the current status of healthcare privacy?
  • Message to listeners
  • What is the difference of privacy legislations?

Vivian: Oh, yeah, it’s very different, this is very interesting. I’d say if we look at the region like North America, US and Canada, usually Canada is more conservative. It’s more conservative compared to the US right.

So then think about the APAC having Japan, Australia and China, they are all different Asian countries with different privacy laws. I’d say if we talk about privacy, Europe, it is the region really focusing on privacy protection.

And we have actually seen a lot of new use cases and the PETs adoptions started from Europe. It is very interesting. The US is completely opposite. Data is a commodity in the United States.

You can easily buy and sell data. Even though there is CCPA, CPRA, but it’s just in California. We have seen the other states having their own privacy laws but it’s like a patchwork.

Overly conservative about privacy protection will impact data innovation to a certain extent. I can see why the US interest is less concern about privacy, but more about data utility.

So if we go to the APAC, let me take Australia for example. Australia was similar to the US, I say several years ago. The two data breaches two years ago, one was the biggest telco here and then followed by a big insurance company, so that the privacy protection really had the attention from the government side and took the immediate action.

Now everyone is talking about the new Privacy Act that is highly possible to be effective by the end of this year. Some organizations are still lobbying and trying to influence the government’s decision, but I’d say it’s very hard for them to pull this train back.

So I can expect a very similar law as the GDPR in Australia. So then there’s a massive impact on the organizations, and they need to really start to rethink how to better manage PII. It is time for them to think about change.

So, in short, you will see like the EU or Europe sets the standard. The US is still underway, like the Wild West, still focusing on data innovation and data utility. Countries like Australia are taking their own approach, getting closer to the GDPR, but eventually the overall trend is that everyone is moving in the same direction, it just takes time.

Every region is slightly different. So that is why in the US we actually have more hurdles in terms of adoptions if you just sell privacy protection. And to be honest, it’s not that easy in the US. You always have to focus on the business.

But if you go to the EU, and privacy protection becomes the first priority. In Australia they just started. That is my view for the difference across different countries.

Kohei: That’s very interesting. Maybe Japan is one of the Asian countries where we are more neutral from the industry that requires new solutions.

The healthcare industry is one of the promising years to apply new solutions because we have been trying to assimilate the similar level of protection in Europe.

So which is a transition moment, but maybe it takes time. So take some more convincing in the level of the years of the industry, I suppose your analysis is very informative for the people doing the business in different regions. So thank you for sharing.

  • What is the current status of healthcare privacy?

Vivian: Yeah, I just want to add one thing because you mentioned health care, I find it’s very interesting. In the US, healthcare is regulated by HIPAA. So HIPAA has been in the market for decades. But you’d see, that is my personal view, HIPAA is not as strict as GDPR.

So, for example, HIPAA has a very clear defined scope of guidance for the de-identification. So basically, as covered entities, if you’re able to de-identify your data, follow that instruction, you’re able to monetize data without patient consent.

So basically, they give you a rule like if you do this 1,2,3,4. Okay, you check all the boxes!

Now, you can sell your data without patient consent. And that is why you see there is a huge healthcare data market, which I think is important, right, because you share that data for clinical trials to develop drugs, and it’s all for a better life, right?

But that’s HIPAA. However, if you look at privacy regulations, the data subject rights are important. The patient might not agree and say “you can’t use my data for this purpose, and you still need to get my consent”. In Europe, there is no separate law for healthcare.

It’s all under GDPR. So that means even if data is pseudonymized, you still need to get a patient’s consent.

I believe it was the last month, Washington State had its own Health care privacy rule, which is very similar to GDPR.

And it is very interesting that I asked a question about current sharing practice in the United States, if a covered entity or a BA (Business Associate) in Washington, de-identified data based on HIPAA rules, and shared in the big ecosystem without consent, with the new law, when patients opt-out/request to delete data.

They need to pull out all those shared data from the de-identified datasets. How they can manage to even do it. So you can see that even in the US is changing along the way.

Then I can see there is a challenge when the law standards increase for certain states that will cause some challenges for organizations to stay compliant nationally.

Kohei: I heard from the US colleagues then they said it’s in pre-exemption, it’s the one of the big challenges, especially for the set the law is in federal level of privacy against some states just like in California is much more stronger than any other basic level of federal regulation.

That means they are against of the setting the new laws. So this kind of be controversial. Law setting is when this happens in the US that actually is not agreed to set the federal level privacy rules. So that’s very important in the next decades. But they can set the law at a basic level.

Vivian: So yeah, I think there are a lot of conflicts of interest, right? You can have lots of industries and organizations benefit via data monetization activities, and when the regulations start to change, there is actually a huge impact on the business.

So definitely it’s always a balanced game. And sometimes it is not just about technology pure privacy. I’ve seen the same thing in Australia as well, a lot of organizations tried to leverage the business reason, convince the government to take a different approach toward privacy protection.

I’m pretty neutral and I am a data person, I hope organizations and consumers could have found a right balance in the end. Eventually, I believe the responsible way to use data is the only approach to build trust and create a better world for everyone.

  • Message to listeners

Kohei: Thank you for sharing all your thoughts. So finally, I would like to ask you to share the message for the listeners. We have a king on the answers to the balances of the utility and privacy, some very important insights that we can receive from your message so could you share with us about it?

Vivian: Yes, the last word. I’ll just say because I know today everyone’s talking about AI. So in the era of AI I believe the future belongs to the organizations that can harness the power of data responsibly.

Let’s build a world where data empowers us all while respecting individuals’ privacy. It’s my last word, thank you.

Kohei: Yeah, thank you for taking a great interview today. I’m so privileged to have a conversation with you and share your very important insights from your voice. So that’s a very great way to have our conversation today. Thank you for joining.

Vivian: Yeah, it’s my pleasure to join this conversation. Thank you.

Kohei: Thank you.

Thank you for reading, and please contact me if you want to join an interview together.

Privacy Talk is a global community with diversified experts; contact me on LinkedIn below if we can work together!
