
“It’s no longer just about privacy”


By Team Intertrust


January 28th is Data Privacy Day. To mark the day, we’re featuring an interview with Tomas Sander, data protection officer and senior researcher in computer security at Intertrust. 

– Tell us a bit about your work at Intertrust and how you became interested in data privacy issues?

In my role, I create and oversee Intertrust’s privacy program. This includes compliance with regulations such as the GDPR (General Data Protection Regulation) and the CCPA (California Consumer Privacy Act) and ensuring our business activities follow privacy best practices. I also make sure that our products are built with privacy in mind, which has a lot to do with implementing privacy by design.

Of course, I also get to do some fun stuff like participating in some of the discussions around data privacy at leading conferences such as the ones sponsored by the IAPP (International Association of Privacy Professionals) as well as work in standards groups. 

My interest in data privacy started about 20 years ago when I came to the U.S. from Germany and became a post-doctoral student at the International Computer Science Institute affiliated with U.C. Berkeley. Coming from a theoretical mathematics background, I started work on cryptography and its applications in computer security and data privacy. There have been many fascinating things to discover in the privacy space and it has become a main part of my research work. Some of this work has been more theoretical but after decades of the whole community working on it, we’re seeing that some protocols that are enabled by third-generation cryptographic primitives and protocols are actually being deployed for real.

– Over the last couple of years, there has been quite a lot of policy activity around data privacy, notably the GDPR in 2018 and now the CCPA in 2020. How is this trend affecting the way organizations handle personal data?

Historically, regulations have been rather limited in the U.S. With the CCPA, a fairly strong and broad data privacy law has finally reached the U.S. and made data privacy an issue that organizations have to address. Previously, if a company wasn’t providing services to EU citizens, it could avoid work that needed to be done for GDPR. Under CCPA, organizations operating in the U.S. that serve California consumers have to understand what their data privacy risks are and act accordingly by implementing a systematic data privacy program and, ideally, privacy by design. Organizations that ignore this risk getting into trouble, not only from regulatory action, but also by becoming yet another data privacy scandal and front page news.

– What should organizations do about the CCPA? 

While it is not my place to give legal advice, generally there are several things they should do. Of course, you should determine whether the CCPA affects you. If so, some of the things organizations should do include updating their privacy policies to make them CCPA compliant. A major point is determining whether you are selling personal information as defined under California law. If you are, you have to put a “do not sell my personal information” button up at the point of data collection to allow opt out. This is one of the major impacts of the law. There is discussion that if you automatically add third-party cookies that collect visitor information to your website, that may be considered selling. In the EU, there are data controllers and data processors, where the processor only processes data on instructions of the controller. There is a similar concept in the CCPA, so you may want to review your vendors and update your contracts accordingly. Another important one is that the CCPA gives consumers (defined very broadly) the rights to access their data and delete their data. You need to make sure to have documented processes to honor these rights.

If you already work with the GDPR, you may have already done a lot of work you can adopt for the CCPA. But don’t wait too long. While enforcement won’t be in effect until July, customers and other companies are already starting to evaluate websites to see whether you have done your homework.

– Speaking of the GDPR, one of its provisions is requiring privacy by design (PbD). You have done some work on PbD, so can you tell us what it is and how it has been received?

More specifically, the GDPR requires data protection by design—privacy by design is one way to achieve that. PbD is about including privacy considerations in all phases of the product or service life cycle, particularly in the beginning. The approach that I am suggesting helps organizations create a PbD program using existing, typically limited, resources. First, decide the privacy goals your organization is designing for. An example of a goal could be GDPR or CCPA compliance. The PbD process should be set up to ensure you are achieving these goals. The privacy team should create a form where the product team describes their product and includes a data flow diagram. The form should document the personal data involved, the purposes for which this information will be used, how long it will be kept, etc. It should also show how data subject rights will be addressed in the product. The privacy and product teams will conduct a review to assess this, identify privacy risks to the organization and individuals, and develop mitigations. The output will be a series of requirements that are fed into the development process. 

It’s important that the privacy team has a verification step built in to make sure the product team has actually implemented the requirements and done so correctly. You should document this in case regulators question whether you or your customers are doing privacy due diligence. You can then point to having taken these steps.

So far, this proposal has been received very well. Along with Justine Young Gottshall, a colleague with whom I have been working, I had a chance to share this at the Privacy Security Risk conference. We spoke to a full room even though it was near the end of the conference, so I think that demonstrates that there is a real interest by companies to move forward with PbD.

– In 2019, Intertrust and our partner LINE held a summit in Paris focused on privacy. Any thoughts on that event?

The event had an amazing group of diverse attendees including a human rights expert and a representative from the World Economic Forum in addition to academics, business people, technologists, regulators, and privacy activists. It’s valuable to discuss data privacy with the diverse group of stakeholders that this meeting brought together. We were able to have valuable discussions about topics that are not always addressed at privacy-themed events, such as whether privacy should be considered a property right, whether it can be addressed through rights management mechanisms, and how different cultures view privacy. 

– Anything else you would like to add?

One thing I would add is a trend we’ve been seeing for a while. Many new technologies, such as machine learning and AI (artificial intelligence), raise other ethical issues such as discrimination and bias. It’s no longer just about privacy anymore. Again, organizations need to take a risk-based approach and determine to what extent these issues are relevant to them. The next step would be to create ethical review committees and other processes to address these issues appropriately. The organizational experience of addressing privacy will be very helpful when starting this journey.

Note: The information provided in this post does not, and is not intended to, constitute legal advice; instead, all information is for general informational purposes only.