Wednesday, April 11, 2018


High Tech Privacy Regulation Dilemma

With Mark Zuckerberg testifying in front of Congress this week, there is a lot of talk about adding additional regulation on the high-tech industry. It would be great if we could solve the problems with regulations, but I see three major problems.


1. We have a data-driven economy, and economic drivers that will never let us go back to a place where we can truly and fully protect privacy. We all see the targeted messaging online, and even in the low-tech US mail that we receive every day. Companies depend on this type of targeted marketing, and it is crucial for the bottom line. Even the largest businesses can no longer afford large-scale, high-impact marketing campaigns that can be seen by a majority of the population. When there were fewer channels and fewer alternative entertainment options, TV used to be an effective place to advertise. What percentage of people would see an ad that is run on the major TV networks? My guess is way less than 5%, unless you do this during an event like the Super Bowl. Many small to medium businesses would never have a chance without a little glimpse into your privacy to create targeted marketing. If we were to protect all information, it would have a disastrous effect on our economy.

2. How do we define the gray areas? So, if it is not economically feasible to bring back full privacy, and personal information is absolutely required to support our data-driven economy, where do we draw the lines of privacy and data use? The black-and-white issues are simple. No one wants compromise on the protection of high-risk information like Social Security numbers or credit cards, but what about the gray areas? There will be several opinions on this. There will be people who want complete and constant anonymity, and there will be others who enjoy getting targeted information about things that interest them, or have no objection to getting geographically based push couponing. It is not feasible, or even possible, to regulate this. Companies that want the consumer’s business must provide simple, easy-to-understand options or privacy settings.

3. People who don’t understand technology can’t make laws to efficiently or adequately regulate it. (Speaking from a US point of view.) For the most part, the US legislative branches (or state legislative branches) have no idea of the power, capabilities and complexities of today’s technology. I remember an early comment by President Trump: “You can’t review 650,000 emails in eight days... You can’t do it.” Obviously, he has no clue about technology, and he is certainly not alone. Some will assume my comment reflects some ageism here. To a degree, age is a factor. The average American is 20 years younger than their representative in Congress. The average age of representatives is 57, and of senators 61. However, it is not just age. Most people in the world, regardless of age, have no idea what can be done now with technologies like AI, analytics, IoT and blockchain. If we allow governments to craft regulatory legislation, the real authors of this legislation will be the lobbyists who throw the most money at our legislators.

The European Union is offering regulations to try to protect privacy. The GDPR (General Data Protection Regulation) is a new law that goes into effect next month and mandates that all companies dealing with EU residents must guarantee privacy. Highlights include:

a. Permissions - Companies must gain explicit permission to use personal data (not hidden in small-print user agreements) and must disclose how personal information is being used.
b. Right to be forgotten - Companies must delete personal information that is not being used, and anyone can request complete deletion and a company must comply.
c. Data breach notifications must be communicated within 72 hours.

Although this sounds like data privacy nirvana, the creators of the law have no idea what a Herculean task this really represents for large companies that have been around, and have been collecting data, for decades. The intent is great. The implementation is complex and costly. Even companies that think they are in compliance will likely never be unless they dismantle every legacy system, burn the company to the ground and start over.

The most effective protection will come from knowledgeable consumers who reward businesses that provide them with the level of security, privacy protection and transparency that they want. Of course, there will be a minimum standard (regulated or not), but companies that want my business need to do much more.

2 comments:

  1. The key value of GDPR is that the consumer is presumed correct until the company proves otherwise. The fines are levied first and at €2,500 per data element, mistakes are costly. This would never fly constitutionally in the US, but it will be a great experiment to watch Europe. My company does 1/3 of its business there. But in an effort to better target customers, we have always asked for opt-in and had explanations of how we use PII, so our privacy folks are fairly confident.
    Another big question is what to do with "passive identity" sharing, like your phone's MAC address. A smart group of retailers will gather device MAC addresses from store access points and watch where that person goes in their store, and when federated, a group of stores can watch that person go from store to store and gather behavior data. Nothing truly "personal" is gathered (unless they happen to actually connect to your WiFi - which creates a goldmine) but suddenly you have piles of customer behavior data. No one "opts-in" to that kind of tracking either.

  2. It is a fine line. Passive identity is a concept which I personally approve of, and there is some good that can come out of this type of tracking, although many would object. It helps improve customer service and the relevancy of what we are seeing. It ought to be interesting what happens. My company, OpenText, has some ECM, Discovery and AI tools which are being used to tackle some of the GDPR issues. What I have read is that everyone is waiting to see who gets fined first. I read a bit about the fines and did not see the per-element fine you reference. I have read about fines up to 4% of a company's revenue. I guess at $2500 per pop it could easily add up. Enforcement ought to be interesting - the EU can't even get all the countries to pay their bills :).
