Data Privacy Day, held every year on January 28, is meant to raise awareness of, and promote best practices in, data privacy. This day in 2019 is, in my view, a good occasion to take stock of what the stakes of data privacy have become. In short: the stakes for data privacy have gone up. Now, it seems, data privacy is a key factor in protecting fundamentals of our society such as the autonomy of individual decision-making and democracy.
10 years ago, in the U.S. at least, data privacy was generally considered an issue of consumer protection. Identity theft, annoyance with direct marketing, and the creepy feeling of one’s web browsing being followed around by online behavioral advertising were the dominant concerns of the day. Fast forward to today and it’s clear the Cambridge Analytica scandal has changed this perception.
The ever-increasing costs of the abuse of personal data
Examples of how personal data and the user interest profiles built from them have been abused to manipulate electoral behavior are now almost routine. Russian actors have identified and targeted vulnerable demographics with misinformation campaigns in the U.S. national elections of 2016 and 2018 as well as the UK’s 2016 “Brexit” election. Much of the activity by these campaigns leveraged Facebook and other social media outlets.
The use of Facebook’s user profiling for dubious political purposes isn’t limited to the Russians. In 2017, the German nationalist party “Alternative for Germany” (AfD) expanded its group of sympathizers by leveraging Facebook’s “lookalike audiences” feature. This feature allows advertisers to identify and reach out to users similar to their existing customers or supporters. This tactic is one of the reasons the AfD successfully expanded its base of supporters to become the most successful right-wing party in post-war Germany. The examples brought up so far are associated with right-wing politics. In the U.S., it has come out that an organization used similar tactics in support of a Democratic candidate in a 2017 Senate race. So, it seems safe to say that abuse of personal data and profiles is not endemic to any particular political ideology.
Other surprising findings are changing how we view the privacy debate. Machine learning and artificial intelligence technologies now allow the creation of highly sensitive inferences about us from the ordinary data we generate in our online and offline activities. Research studies show that machine learning algorithms using social media data can predict the onset of a depressive episode before the individuals themselves know, as well as sexual orientation and personality traits. Data privacy is proving to be an important factor in preserving our control of many factors about our lives.
Regulators are beginning to act
As the German poet and philosopher Friedrich Hölderlin once said, “But where the danger is, also grows the saving power.” Warnings about the possibly catastrophic impacts on society of the loss of privacy and control of our data are not only coming from a small group of privacy experts. Concerns are also reaching Main Street, and the good news is that they are beginning to have an impact. In California, Alastair Mactaggart and two other citizens started collecting signatures for a ballot initiative for a state privacy law. Despite formidable opposition from the state’s big tech firms, the end result was that the state legislature passed the California Consumer Privacy Act of 2018. The law grants California residents important rights such as the right of access to the data a company holds about them, a right to delete data, and a right to object to the selling of their data. Mactaggart noted that the Cambridge Analytica scandal provided the boost needed for the success of the effort.
The other major privacy development of 2018 was the General Data Protection Regulation (GDPR) going into effect in the European Union. The GDPR grants Europeans a number of rights, including the right of access to their data, the right to be forgotten, and the right to data portability. The GDPR also sets high standards for transparency to individuals about data processing and for obtaining consent.
2019 will be the year to see how effective the GDPR will be at addressing privacy concerns. Expect a major fight between European regulators and big tech! Already, a 50 million euro (approximately $57 million) fine was levied against Google for violations of the GDPR’s transparency and consent standards. Will the European Union strictly interpret and enforce the GDPR’s emphasis on specific, informed opt-in consent, data minimization, and data usage purpose limitation? If so, it would limit the aggressive and opaque data handling practices of tech companies that underlie many of the privacy challenges noted above.
It’s complex but not impossible
This is a complex subject technically, economically, and politically, but not impenetrable. The impact on society and our lives suggests a call to action for us to become educated and engaged. We need an effective societal debate on how we want data privacy and control of our data to be addressed. There are concrete avenues where an informed citizenry can make a tangible difference. An important debate will be around a potential federal privacy law in the U.S. A federal privacy law will be much contested. It could significantly strengthen the privacy protections U.S. citizens receive, but it could also, perversely, weaken them. A federal law would presumably preempt state laws, so it is seen as an opportunity by anti-privacy lobbyists to roll back state-mandated privacy protections such as those granted in California.
The empowering message for this Data Privacy Day is that privacy is not necessarily lost. We as a society can decide on the rules governing how our personal data is to be collected, shared and used. Companies, even the most powerful ones, will have to play by those rules, and if they try to evade them, we can hold them accountable.