Security language is often used in the context of protecting privacy, but what precisely is privacy and why does it need protecting? Most people have an intuition that privacy is somehow associated with personally identifiable information (PII), but it is deceptively difficult to concretize that link. The divulgement of something as seemingly innocuous as a birthdate, rarely considered a breach of privacy in personal face-to-face conversation, can be synonymous with a breach of privacy and attendant sanctions in business. Birthdates are certainly not uniquely problematic. Sometimes the disclosure of a name alone in connection with a website can be fairly consequential, and yet I freely disclose my name in association with this website.
Privacy is largely an individualized concept. It varies from person to person and business to business. According to Ruth Gavison in Privacy and the Limits of Law, privacy is related to:
…our concern over our accessibility to others: the extent to which we are known to others, the extent to which others have physical access to us, and the extent to which we are the subject of others’ attention.
Privacy in the Internet Age
A global internet raises new privacy challenges along with opportunities. At present, internet advertising is among the most lucrative business models in existence, and it hardly appears to be slowing. PwC’s 2019 IAB Internet Advertising Revenue Report describes aggregate internet advertising revenue in excess of $107 billion for the United States in 2018, a greater-than 20 percent increase over 2017. It is self-evident that the efficacy of advertising is highly correlated with its targetability and salience. It should therefore not be surprising that companies whose business model centers around selling internet advertisements rely heavily on gathering as much data about users as possible, betraying an incentive structure inversely related to individual privacy.
The Internet of Things (IoT), a mobile computing paradigm that sees value in making just about everything internet-connected, has accelerated advancements in areas such as healthcare, the benefits of which are apparent to, among others, the Food & Drug Administration. Portable health technology, such as a wristwatch with cardiological capabilities or a wearable insulin management system, improves individual health and well-being tremendously.
However, it also raises important questions concerning privacy risk. When it comes to data collection in tech, it is often easiest to collect everything possible because ostensibly all data has value and storage is cheap. The risk associated with collecting and storing data indefinitely is less conspicuous.
The time when devices are able to detect medical conditions before a formal diagnosis is made by a health professional is now, albeit in a primitive form, and data continues to fuel technological improvement. It follows that ownership over one’s health information is increasingly being ceded to the creators of these devices. Sharing aggregated health information can lead to further advancement yet, but it is important to recognize its potential to cause harm to an individual.
The Rise of a Science of Data
Data science is [perhaps too] simply the study of data and its relationships. It is at the intersection of artificial intelligence (AI) and machine learning (ML), mechanisms by which new information can be learned by machines with superhuman computational power from patterns in disparate data. It describes things like how men who buy diapers on Friday evenings also tend to buy beer on the same trip. It is the reason online retailers sometimes seem to know what a customer wants before the customer does, as reflected by online advertisements.
A full treatment of data science is outside the scope of this article, but suffice it to say advancements in computer hardware, cloud computing, AI and ML are revolutionizing the way data science is used to find patterns in data and patterns about people. It can even potentially be used to deanonymize individuals in HIPAA-compliant deidentified data sets, which has already led to privacy lawsuits.
New Regulation and Proactive Privacy Architecture
In response to the changing zeitgeist, modern privacy regulations like the European Union’s General Data Privacy Regulation (GDPR) and California’s Consumer Privacy Act (CCPA) have been effected to give individuals more control over their data. These regulations extend beyond borders in light of a far-reaching internet, and it is reasonable to anticipate that more privacy regulations are on the horizon. Proactive privacy governance can help businesses more easily adapt to evolving regulation while also serving as a competitive advantage.
In the 1970s, the United States government commissioned a comprehensive privacy study that resulted in the creation of Fair Information Practice Principles (FIPPs). In spite of their age, FIPPs form the foundation for many privacy laws developed even today and can inform a highly adaptive proactive privacy governance architecture for any organization. FIPPs encompass eight tenets:
- Collection limitation, concerned with lawful and fair data collection;
- Data quality, concerned with data relevance, completeness and integrity;
- Purpose specification, concerned with ensuring the purpose for the collection of data is clear and consented to by a data subject (i.e. a user, customer or client);
- Use limitation, concerned with the destruction of data when it is no longer necessary;
- Security safeguards, concerned with the establishment of procedures protective against corruption, destruction, misuse or loss of data;
- Openness, concerned with data subjects’ access to information about the collection, storage and use of personal information;
- Individual participation, concerned with data subjects’ ability to access and challenge data associated with them; and
- Accountability, concerned with ensuring data controllers, those who control the collection and use of personal data, comply with privacy principles.
Conclusion
The cost of compliance with new privacy regulation can be an existential challenge for small and medium-sized businesses, and not only because of heavy fines. Berkeley Economic Advising and Research (BEAR), for instance, estimates that becoming compliant with the CCPA could cost small and medium-sized businesses up to $100,000 initially. Establishing an organization-wide privacy culture in advance of new privacy regulation may help mitigate some of the risk through a sort of amortization of the investment in privacy, while also conferring a marketable benefit to consumers.
About the Author
Roger Jimenez is a certified information systems security professional with more than 15 years of experience in information systems and security management. He serves as DLD Lawyers’ director of IT and security. Roger has a BBA with concentrations in management information systems and marketing and an MS in information technology. Two of his favorite pastimes are making things like sensor-laden, Raspberry Pi-remote-controlled rovers and applications (full stack); and legally breaking [into] things like algorithms and applications. He can be reached at roger@dldlawyers.com.