BLOG: “It’s like preaching to the converted” one participant tells me when I arrive one day into the CPDP 2015 conference. And so it is. The meta narrative of the conference is so univocally clear and concurred that the Twitter feed #CPDP2015 is almost at a stand still. Expect from occasional ill received peeps from US representatives about compliance with EU data protection standards and so on and so forth, privacy is generally viewed as a business opportunity, an EU competitive differentiator and a legal right (yes, one still need to emphasise that).
Some key points from the conference (please excuse this very simplistic walk through, which is ONLY summarizing a few of the many many themes of the conference):
Privacy is not just one thing
Privacy is not just for lawyers and tech developers. It is a total solution that needs to be addressed with an interdisciplinary approach when campaigning, developing legislation as well as new businesses, systems and services. Thus, to quote Hewlett Packard’s Chief Privacy Officer Scott Taylor (learning from experience): It is more than just compliance, it is also ethics.
Security by itself is not privacy. Encryption is pivotal, but it does not alone ensure privacy. Privacy needs to be integrated holistically into product development, design practices, CSR and even marketing. As the notorious Silent Circle and Black phone Phil Zimmermann put it: Don’t hire a marketing person who doesn’t understand privacy.
Privacy is a business and a competitive advantage
Privacy is a business opportunity and a competitive advantage particularly for EU businesses. CPDP2015 was guested by a number of representatives from the “privacy” industry. Silent Circle, Wickr, Protonet, Blackphone to mention a few. Evidencing the fact that there’s an emerging market demand for easy to use services that provide users with control and privacy. Protonet, which was marketed as ‘NSA-proof’, e.g raised 1 mn dollars in 89 minutes via its crowdfunding campaign and the Blackphone’s sales exceeded sales expectations by five.
But there are a number of issues emerging from these ‘privacy as business’ discussions: What principles should be in place to call a service truly “privacy preserving”? E.g. Black phone’s Phil Zimmermann insisted that the source code is open for review and Wickr gave a vague answer as to why they don’t publish their source code. What business models? Right now most privacy businesses are based on payment for premium services, but as pointed out several times at the conference, when privacy becomes a luxury good a new digital divide will emerge.
(I’ve written about privacy as an emerging business before in the Danish newspaper Politiken and discussed principles at the privacy as innovation sessions at IGF and in this network. Right now writing and documenting the topic with Pernille Tranberg who has worked with this for years)
The role of the tech industry as revolutionaries
It’s not a new thing to emphasise the role of tech developers as “game changers” that can disrupt the state of affairs and build the tools that will protect the individual within a system of unequal power relations. But it’s the first time, I’ve heard someone call themselves (although with a bit of self irony) “Chief Revolution Officer” (the representative of Protonet).
In general I missed Indie at these panels. A European based company that completely rejects the state of affairs down to a basic rejection of taking venture capital, because it implies an exit strategy where data of users most often will be compromised.
Drones once again challenge established frameworks
A new emerging field that once again challenges the things we take for granted in regards to privacy protection is the emerging use and industry of drones, which according to one panellist is expected in the future to be a 90 billion dollar industry in the US. (I have summarized these challenges in this post).
The issue of drones had one session all by itself, but the privacy implications of these were generally only mentioned as side remarks on the various agendas. In general, the drone debate was similar to the early “internet publishing discussion”. Concerned with device as medium and user as publisher.
Discussions about the use of drones for different security purposes as e.g.”neighbourhood watch” were also to some extend disregarding the implications of yet another recording device in our lives.
Alway the gap between policymakers and industry
The gap between policymakers and industry is almost a cliche by now. One accuses the other for impracticality and impeding innovation, the other accuses the first for simplistically interpreting matters to support own economic interests. The two are both right and wrong at the same time.
The European Court of Justice’s Judgment in Case C-131/12, the “right to be forgotten” case e.g. does indeed have heavy practical implications for the industry as well as implications for FoE that need to be carefully reviewed, but at the same time it is crucial to study the details of the jurisprudence of the case law that .e.g emphasise the careful balancing of rights.
Most important factor to take away from this case is that Google is defined as a data controller and has a responsibility as such. Private companies today have unprecedented powers and it is time their role and responsibilities are spelled out.
The Data Protection Reform
The EU Data Protection Reform seems to be at a stand still with vague promises as to when it will go through and what it will go through with. Till then it seems that the call from policymakers is that it is “up to innovators to come up with practical privacy sollutions” as one EC panellist formulated it. Generally the policy discourse at these type of events still suffer from a specific privacy discourse: “accountability”, “compliance”, “bunny points”, “protection”, and “regulation”, not so many words to describe privacy as innovation, opportunity and evolution.
Users/individuals are using systems they have no general control over. An increasing sense of lack of control is competing with a need for convenience and lack of skills and competences in compliance with the data age. An interesting finding from the EC funded study Surprise among citizens in 12 EU countries is that young people are more willing to oppose the introduction of surveillance techs (which is in correspondance with the results of our studies among youth from 2013). Do-it- yourself privacy tools are one type of response for users in the data driven networks. But perhaps also a temporary solution that evidence the lack of action from states and industry regarding data protection, outsourcing their responsibilities to the citizen. Till then be creative with privacy tools, use alternatives, check out tools on #privacyasinnovation (with no guarantees. Do your own research).
The omnipresent ghost of the NSA, the status of EU citizens as second grade citizens in their global systems of surveillance, and in general the conduct of intelligence agencies outside public review. These were of course key themes, but cannot be summarized in any simplistic manner. There were however no compromise to trace in the closing remarks of the European Data Protection Supervisor Giovanni Buttarelli: Europe must lead the way on Data Protection and speak with one voice.