The second day at the 49th APPA Forum consisted of discussion sessions with various presenters from the state sector, academia, private legal practice and the global technology companies. 

Privacy class action

Litigator Michael Sobol represents parents suing Walt Disney, Viacom, and the makers of the very popular online game Subway Surfers, for allegedly collecting children’s personal information without parental consent in violation of federal law.

Mr Sobol did not mince his words, saying there was no way other than consumer advocacy, collective action and collaboration with government agencies, to meet the real risks to society from the digital age – which he described as the fourth industrial revolution. Mr Sobol has led class actions involving large data breaches, and said these should be a thing of the past, since companies have a responsibility to protect consumer information. He described the need to drill down to the technical level and how the courts will issue strict and detailed injunctive terms so that safeguards are put in place.

Toys that listen

“Toys that listen” was the subject of the second session presented by academic Emily Reynolds, from the University of Washington. Ms Reynolds’ research explored the privacy expectations of parents and children when using internet-connected toy devices.

These toys are marketed with an emphasis on their educational and developmental benefits and their interactivity and open-ended, dynamic content to attract parents and children’s attention. These toys are always on and connected to the internet - similar in nature to devices such as Amazon’s Echo speaker. Toys are particularly problematic as the users are children and are uniquely vulnerable online. 

Besides concerns about companies collecting data, these toys also raise potential ethical concerns, such as parents spying on their children. 

Ms Reynolds gave as an example the My Friend Cayla doll that is capable of listening to children’s conversations and responding in real time. The doll was banned in Germany as it was considered an espionage device. She noted also the hack on digital toymaker Vtech Holdings databases for Learning Lodge app store and Kid Connect messaging system exposed personal information of millions of children and adults; and the leak of data from CloudPets teddy bears. 

Her research found that the toys’ interaction models are not yet sufficiently sophisticated and flexible for children’s expectations; and that children are already frequently exposed to devices that listen and interact but are not designed as toys (e.g. Siri, Alexa).

Open data initiatives in San Francisco

The next session was presented by Joy Bonaguro, Chief Data Officer at the City of San Francisco, discussing the city’s open data initiatives to allow the use of government data for public interest purposes, while also maintaining privacy safeguards. The City of San Francisco has produced an Open Data Release Toolkit to help manage the release of sensitive or protected datasets on their open data portal, noting the likely inadequacy of simple de-identification. 

Privacy challenges of tech start-ups

A panel discussion with tech start-ups and small business owners emphasised the difficulties in getting start-ups to consider privacy issues and the need for privacy to be incorporated early on – especially if the security of the data is seen as essential to the project. One panellist tells clients – “it’s expensive, vs more expensive later”.  

A number of panellists noted how start-ups and smaller companies (which don’t usually have a security engineer or sufficiently expert legal counsel) are not equipped to deal with the privacy regulations that many see as designed for global technology companies. All noted however that this was changing with the growing public awareness of risk, the GDPR and consumer trust being increasingly important for companies.

Panel insights: hardest GDPR issues for companies?

• Getting companies to focus on knowing who they are sharing with and what they are doing with it (eg Cambridge Analytica)
• Getting start-ups to do a datamap and convincing them to do privacy by design early on (engineers need to be talking to someone about privacy)
• Not appreciating the definition of what personal data includes
• Being slow to realise GDPR may apply (in particular for data processors) and realising why it matters,
• Developing a culture of privacy so it is thought of as an advantage.
• Getting executive decisions (eg on the need to collect information and resource allocation).

Google, Microsoft, Apple and Cisco roundup

The day ended with a session with senior representatives from Google, Microsoft, Apple and Cisco. The companies represented all rely on global data transfers and need to navigate myriad global transfer requirements. Panellists discussed their views on the elements of accountable and interoperable cross-border data flows.

The APEC CBPR Cross Border Privacy Rules were supported by the panellists, one noting they are high level, with lots of flexibility providing for interoperability and do not require full harmonisation.

The Google representative emphasised that Google is extraordinarily ambitious and now an “AI first” company and requires an interoperable framework. Google has been actively involved in discussing CBPR and the need to recognise that not all economies are the same. The representative commented that the GDPR creates a legal framework that reflects the tradition of Europe.  

Panellists emphasised the importance of AI (that requires lots of data), the benefits AI can bring, and the need to ensure rules allow AI to flourish.

Image credit: View of San Francisco skyline at night by Joshualeverburg1 (Wikipedia Creative Commons Licence)  

Asia Pacific Privacy Authorities (APPA), International