Consumers are asking for a Bit of Privacy

Stephen DeAngelis

November 7, 2018

New legislation enacted by the EU and California — respectively the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) of 2018 — will significantly impact how organizations can gather, store, and use personalized consumer data. Pulitzer Prize-winning author Louis Menand writes, “The reason you’ve been receiving a steady stream of privacy-policy updates from online services, some of which you may have forgotten you ever subscribed to, is that the European Union just enacted the General Data Protection Regulation, which gives users greater control over the information that online companies collect about them.”[1] Enormous fines are possible if companies violate provisions of the GDPR and companies are open to lawsuits (including class action lawsuits) if they violate provisions of the California law. Additionally, the California law “allows consumers (defined as natural persons who are California residents) to demand access to all of the personal information that a company has collected relating to them, along with a full list of third parties with which the company has shared that data.”[2] Since big data, including personal consumer data, is considered the lifeblood of business in the Digital Age, many analysts are wondering what the future holds.


Calls for data protection are increasing


As corporate data breaches become more frequent and better publicized, issues involving data collection, storage, and usage have made their way on to consumers’ radar screens. Menand observes, “It has become apparent in the past year, we don’t really know who is seeing our data or how they’re using it. Even the people whose business it is to know don’t know.” Since issues involving big data are global, a big data Guidance Note has been developed for the United Nations Development Group. Among other things, the note states, “Data should be obtained, collected, analyzed or otherwise used through lawful, legitimate and fair means, taking into account the interests of those individuals whose data is being used. … Any data use must be compatible or otherwise relevant, and not excessive in relation to the purposes for which it was obtained. … A risks, harms and benefits assessment that accounts for data protection and data privacy as well as ethics of data use should be conducted before a new or substantially changed use of data (including its purpose) is undertaken. … Stricter standards of data protection should be employed while obtaining, accessing, collecting, analyzing or otherwise using data on vulnerable populations and persons at risk, children and young people or any other data used in sensitive contexts.”[3]


Clearly, interest in data protection is on the rise and organizations involved with collecting, storing, or using such data are in the crosshairs of privacy advocates. Matthew Nelson, Associate General Counsel and Vice President of Advisory Services at DiscoverReady LLC, asserts, “Most organizations face fundamental challenges when it comes to privacy and security compliance. … The fundamental challenges are the result of the explosive growth and mismanagement of company data over two decades. Organizations simply don’t know how many company files include personal data, personally identifiable information, personal health information or other types of sensitive data or where all those files are located. In order to comply with the wave of new privacy and security laws, organizations need to establish a process to identify, secure, delete or otherwise manage files containing sensitive data. Most organizations don’t do this well because it requires a combination of skills, including legal analysis, establishing new standard operating procedures and policies and using technology. Only then can organizations identify consumer and employee information so that it can be properly managed.”[4] One of the technologies available to help with the data integration and identification challenge is cognitive computing. Because cognitive computing systems employ natural language processing, they are better able to identify personal data whether it’s stored in structured or unstructured databases. Nelson notes, “Finding your critical data in a sea of company data can feel daunting. Start by creating a data inventory to help identify potential ‘data hotspots.’ Gaining visibility into these hotspots will help you prioritize protecting, retrieving or deleting consumer, employee, trade secret and other confidential data based on the level of risk.”


The future of big data


The World Economic Forum believes data is a resource, like oil and gold, which means companies will continue to collect data. So what does the future of big data look like with so many restrictions being placed on its collection, storage, and usage? Naomi Eide (@NaomiEide) reports, “One concept is making it easier to understand how data should be treated, injecting more privacy along the way: handling data as a currency.”[5] She explains, “The concept of data as currency is the successor to a more physical representation found in the phrase ‘data is the new oil.’ A concept [Michelle Dennedy, VP and chief privacy officer at Cisco], coined 20 years ago in Europe, … because it flowed throughout systems and was more valuable than gold or other currencies. If data was the new oil, then companies would only need security to manage it, ensuring it does not leak and spark fires. But if, instead, data is seen as a currency, it is ‘wholly dependent on time, cultural understanding, conditions and context,’ Dennedy said, in an interview. … Organizations achieve success when they learn to value assets. If data is treated carelessly, and internal or external factors make an impact, organizations could find themselves in the crosshairs of regulators.”


Sir Tim Berners-Lee, best known as the inventor of the World Wide Web, wants to pass control of personalized data from tech giants to users. Along with entrepreneur John Bruce, Berners-Lee has started a company called Inrupt. Inrupt hopes to accelerate adoption of a decentralized web project called Solid. John Leonard (@_JohnLeonard) explains, “Solid builds on existing web protocols to allow users to keep their own data on the cloud service, server or other platform of their choice in personal online data stores or ‘pods’, rather than having it stored on centralized servers. This is a reversal of the current situation where applications such as Facebook effectively own users’ data by locking it down in their own walled gardens and using it as they see fit. In the Solid model, each user’s data — including identity, posts, photos, likes, comments and the rest — resides in pods and it is up to the user whether and to what extent to grant access to it.”[6] Attempts to put consumers in charge of their personal data is not new. Over a decade ago, Doc Searls started a project the Berkman Center for Internet & Society at Harvard University known as Project VRM. The Project VRM site states, “In commercial contexts, VRM tools provide customers — that’s all of us — with ways to operate with full agency in the marketplace. This includes the ability to control and permit the use of personal data, to assert intentions in ways that can be understood and respected, and to protect personal privacy.” Other privacy advocates have encouraged the creation of Personal Data Vaults. It’s unclear whether consumers will ever be put in charge of their own data to the extent it becomes a resource for them. What is clear is that privacy will remain an issue in the years ahead.


[1] Louis Menand, “Why do We Care so much About Privacy?The New Yorker, 18 June 2018.
[2] John C. Eustice, “Is California’s new data privacy law a sign of things to come?Information Management, 30 August 2018.
[3] Global Pulse, “Data Privacy, Ethics and Protection. A Guidance Note on Big Data for Achievement of the 2030 Agenda,” LinkedIn, 14 May 2018.
[4] Heidi Maher, “How the new California data privacy act could impact all organizations,” Information Management, 4 October 2018.
[5] Naomi Eide, “Privacy is dead, long live privacy,” CIO Dive, 9 August 2018.
[6] John Leonard, “Berners-Lee launches startup to commercialise his Solid decentralised web project,” Computing, 30 September 2018 (registration required).