“In October (2018), Ann Cavoukian, the Director of Privacy for Alphabet’s Sidewalk Labs smart neighborhood project in Toronto (an advanced smart city project) resigned after learning that not all data collected from residents would be de-identified at the source. In her resignation letter, Cavoukian likened the project to a “smart city of surveillance,” highlighting privacy concerns for smart cities as her reason for leaving. So, which is more important: creating smarter, safer cities, or keeping personal data safe?”[1] Or can there be no solution where all factors can be met at the same time?
Although whether privacy concerns halting smart cities may be the subject of another article, I will settle by saying that the same concerns surely resonate with the actors, who are leading the game for other (disruptive) technologies. It would not be wrong to say that every project that involves some type of data and its collection / processing is a potential privacy issue.
Privacy and technology are interwoven in an endless relationship with an ongoing clash. Citizens and users are interested in maintaining their privacy more than ever. While privacy concerns are on the rise, each technology comes with its own unique challenge of privacy. Privacy itself is becoming the real disruptive force in digital technologies.
On the other hand, even with privacy scandals bursting out every other day, and despite our ever-increasing awareness of privacy, there are still many cases, starting with Facebook that indicates our willingness in general to give up personal data, as long as we continue to believe that we receive some sort of a benefit. We like it when the GPS sends us directions to the place, we are likely to go at a certain time of the day, or when Netflix makes an educated guess that we would like to watch this new series. Sadly, we do so without questioning if we have the option to opt-out, if the data collection and processing are being carried out within lawful limits and on lawful grounds?
On 21 January 2019, the French data protection watchdog CNIL has fined Google a record €50m (£44m) for failing to provide users with transparent and understandable information on its data use policies. Investigation by CNIL was initiated upon group complaints the commission has received back in May 2018, which accused Google for not having a valid legal basis to process the personal data of the users of its services.[2]
The fine marked the first time that Google was fined per the Europe’s new data privacy terms, General Data Protection Regulation (“GDPR”). Under GDPR, the maximum fine for large companies is 4% of their annual turnover, giving us the theoretical maximum fine of €4 billion in Google’s case.
Of course, Facebook is not leaving Google’s bedside at times of hardship. It is known that the company is negotiating to settle with FTC, after it is revealed that Facebook inappropriately shared the information of 87 million Facebook users with the data mining firm Cambridge Analytica. Rumor has it that Facebook’s countless privacy invasions may result in a record fine from FTC; definitely exceeding Google’s fine of $22.5 million in 2012 for bypassing certain privacy controls.[3]
No doubt that record fines will come one after another, unless things change drastically, really.
Cambridge Analytica Scandal was eye-opening for many as to the intensity and seriousness of the situation and finally gave rise to a global concern of privacy and put technology companies in the lion’s mouth. Facebook even acknowledged concerns over Cambridge Analytica emerged earlier than reported. Facebook employees were aware of concerns about “improper data-gathering practices” by Cambridge Analytica before December 2015.[4]
The now famous book by Roger McNamee, Zucked, elaborating and analyzing the Facebook catastrophe and how things reached to this level gives great insight on the issue. Written by one of the early advisors to Zuckerberg, Zucked says, “Unfortunately the pioneers of the internet made omissions that would haunt us all. They thought the web could be adequately governed by its users without their need to empower anyone to police it.”
I believe it all comes down to regulation and we badly need authorities to police it. GDPR is an important piece of legislation intended to strengthen and unify a consistent personal data protection regime across Europe. The GDPR applies to companies that collect and handle personal data from EU-based individuals, regardless of where the data is processed. Personal data is defined as any information relating to an individual that can be directly or indirectly identified. The GDPR distinguishes between companies that act as data controllers and data processors. The data controller determines the purposes and means of processing personal data, while the data processor processes data on behalf of the data controller. As per the GDPR and the principles of privacy by design and privacy by default, disruptive technologies are obliged to implement technical and organizational measures to ensure a level of security appropriate to the risks attached with the pace of the innovation.
Zuckerberg must be very troubled by these overwhelming issues of privacy that he decided to come up with his own solutions. In his recent blogpost, Zuckerberg calls for new internet regulation in four key areas to define clear responsibilities for people, companies and governments, including more GDPR-aligned data protection rules. Harmful content, election integrity, privacy and data portability all require new internet regulations, according to Mark Zuckerberg. [5]
“I believe it would be good for the internet if more countries adopted regulation such as GDPR as a common framework. New privacy regulation around the world, should build on the protections GDPR provides, it should protect individuals’ rights to choose how their information is used – while enabling companies to use information for safety purposes and to provide services – it should not require data to be stored locally, and it should establish a way to hold companies such as Facebook accountable by imposing sanctions when they make mistakes. I also believe a common global framework – rather than regulation that varies significantly by country and state – will ensure that the internet does not get fractured, entrepreneurs can build products that serve everyone, and everyone gets the same protections” Zuckerberg wrote. Even with uniform rules of privacy around the world, would he ever succeed to achieve what he claims to desire without altering the actual business model of the company?
Will privacy concerns against disruptive technologies create a roadmap for advanced regulation and their rapid implementation? Will it slow us down, as we are too interested in moving faster, smarter and easier? The challenge for the disruptive technologies is not only to innovate but also to provide feasible alternatives to protect privacy and to change the current status quo. In the meantime, perhaps we should just be careful with what we say, do and click on.
References:
[1] https://www.forbes.com/sites/danielnewman/2019/01/08/are-privacy-concerns-halting-smart-cities-indefinitely/#2ee5c81969ba
[2] https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc
[3]https://www.theguardian.com/technology/2019/feb/14/facebook-ftc-privacy-cambridge-analytica-fine
[4]https://www.theguardian.com/uk-news/2019/mar/21/facebook-knew-of-cambridge-analytica-data-misuse-earlier-than-reported-court-filing
[5] https://newsroom.fb.com/news/2019/03/four-ideas-regulate-internet/