Who owns data? How should data privacy be defined and protected? And what is the potential for regulation to support or impede the growth of digital data businesses? Those were among the tough questions panelists at the Techonomy Policy 2015 event in Washington last week grappled with during a session headlined “Privacy Collides with Data in a Transparent World.”
Federal Trade Commissioner Julie Brill offered a contrasting perspective to those of AT&Ts federal regulatory and chief privacy officer Robert Quinn and Microsoft’s deputy general counsel Horacio Gutierrez. And Brad Burnham, managing partner at Union Square Ventures, shared an investor’s point of view on data, which he said many view as “the asset that fuels the digital economy,” but fail to see what a huge liability it can be.
USA Today Editor David Callaway, who moderated the panel, credited Brill with “leading a dramatic increase in the scope of how government regards data and its role in protecting consumers,” and asked how her agency will balance regulating the “wild west” data market to “make it less of a consumer problem,” without overregulating the booming industry.
Brill described a challenge that has expanded dramatically since data privacy laws were drafted in the 1990s. Sectoral-specific laws, such as those dealing with health information in the hands of hospitals and insurance companies or financial data in the hands of banks or credit reporting agencies, are “great as long as the data stays in the silos that were envisioned in the 1990s.” The problem, Brill said, is that “data does not respect those silos. Data is flowing everywhere. You can have as sensitive health information appearing on Web MD or through a Google search or perhaps in Apple Watch as you would have in a doctor’s office.”
AT&T’s Quinn said the flow of data today makes some existing regulations nonsensical. “For example,” he said, “who you call or send a text to is protected CPNI (Customer Proprietary Network Information). Yet, if you have a smartphone in your pocket, and a Google app is capturing who you’re calling and texting, that data collected by Google is not subject to the CPNI rules.”
Brill said, “The trick is to figure out how we can [extend] these sectoral-specific laws, which are deeply protective and represent a consensus that we’ve achieved … that certain types of information needs to be protected … to the way data is actually flowing.” Brill said the FTC Act, which disallows unfair and deceptive acts and practices in commerce, has been effective for defending consumers. By applying that tool with sectoral-specific laws, she said, “We’re trying to find some of the outer boundaries where companies can act, and then as long as they’re within the space of what is not impermissible there is a lot they can do to innovate.”
Microsoft’s Gutierrez said he jokes that underregulation or overregulation could “kill the Internet,” and explained why industry is highly motivated to self-regulate. “At the end of the day, you need products that people are going to perceive as trustworthy. At Microsoft we realize, when it comes to our customer data, our business model is becoming more like a bank’s because our reputation for how we deal with that data is what’s going to allow us to be successful in the future.” He said the company strives to use customers’ data in “a responsible and transparent way, but also in a way that can deliver a magnificent set of benefits and features.”
Tech investor Brad Burnham suggested that regulators are putting the cart before the horse—defining policies without an understanding of or consensus about who owns data. “We’ve had 2,000 to 3,000 years to develop our notion of what physical property is and we’ve stumbled around a little bit recently on what intellectual property means, but we have never even started the conversation on what rights in data means,” he said. “I believe if we start that conversation it will lead us to a different conclusion than if we try to remedy all the symptoms of a misunderstanding of whose data that is and how it’s being used by any individual party.”
Gutierrez agreed: “There are some aspects of data that [let you] clearly say, ‘this is customer data,’ and then there is data you derive from customer data and it gets complicated after that. There’s a lot we need to understand better and be careful about regulation before there is more clarity there.”
Gutierrez also reminded listeners to consider the global point of view. “We’ve been talking about the U.S. regulatory regime and how it’s evolving, but we have to have a discussion in the context of the whole globe because these services and technologies are global in nature and the approach that different countries and regulators have around the world are very different informed by different societal values.”
He said his team that is creating and offering products in Asia, Latin America, and Europe frequently faces the collision of data privacy rights with rights such as human rights, freedom of expression, religious freedom, freedom of political association. “It is clear and obvious to say that these emerging technologies cannot be in a bubble that’s exempt from laws and regulation, [but] one needs to be careful that the resulting apparatus is so disjointed that it’s impossible to offer product or service,” Gutierrez said. He warned that contradictory data residency requirements, censorship, and content moderation requirements could make it “impossible to have a global product or service.”
But Brill said her interactions with foreign regulators gives her confidence in a global cooperation. “There are lots of issues when we are working toward a similar role globally,” she said. “One of the best examples is with respect to Internet of Things and with data brokers.”
Ultimately, Brill argued, the onus is on companies to know what is happening to their data, where it’s going, and whether it is being used in an appropriate way. “We can’t put so much of the emphasis on the consumers. It is going to be way too much burden on consumers to try to navigate this system. Companies need to start doing this from the get-go: Privacy by design, security by design, and building these into their products and services.”
Added Gutierrez, “We talk about protection from companies and hackers. How about unauthorized access to data by government?” That, concluded Callaway, was a topic for another panel.