Day Three of the International Conference of Data Protection and Privacy Commissioners (ICDPPC) marks the beginning of the so-called “Open Session”. The openness reflects the conference welcoming attendees from industry, academia, civil society and human rights institutions.

Attendee numbers grew from some 120 regulators, to somewhere in the region of 700. The Prime Minister of Albania, Edi Rama, welcomed delegates to the session – electing to speak in (very proficient) English rather than risk having his eloquent Albanian mangled in translation.

Prime Minister Edi Rama

A highlight of the morning was the panel, “Addressing the global privacy challenge of data driven business models”. The panel included journalist Carole Cadwallader, featured in the recently released documentary about the Cambridge Analytica scandal – The Great Hack. Other panellists were Sally Hubbard of the Open Markets Institute in the US; Simon Hania from Uber, and New Zealand Privacy Commissioner, John Edwards.

Carole Cadwallader underlined the opaque nature of the digital technology platform, and the fact that there is still much we don’t know about what went on throughout the Cambridge Analytica link up with Facebook, commenting that we know nothing about how voters were targeted, and who was served what ads.

Carole Cadwallader

In commenting on the New Zealand situation, John Edwards noted that the country was a taker of technology, and that the technology is pre-coded with cultural values sourced from somewhere else. We were witnessing a mad rush to market where “innovation took precedence over precaution”. Taking the Christchurch mosque shootings as an example, Facebook had been challenged by Congress on why their artificial intelligence (AI) had not picked up on the shootings. The response was that the technology had been trained on other behaviours and the shootings were, as a result, not perceived as gory enough to prompt concern. Edwards made the point that what we were witnessing was a co-opting of some human rights, such as freedom of expression, because it suited the business model of those platforms.

Sally Hubbard, Director of Enforcement Strategy from US organisation the Open Markets Institute, echoed this, noting the growth of “permission-less” innovation, coupled with a failure of enforcement. She noted regulation and competition as the two key constraints available.

Reputational damage was also an effective constraint argued Simon Hania from Uber. He commented that the #deleteUber hashtag had a greater effect than any fine would have. The analogy he drew was of food safety – consumers don’t read the detail of the labelling on food packages, we just expect that the food will be safe to consume. The same needed to happen with privacy – consumers shouldn’t have to read the privacy policy.

Sally Hubbard described it as “a massive fraud on the public”; consumers shouldn’t have to be constantly vigilant. To extend the food analogy – consumers trust that food doesn’t have poison in it. A business model, she said, was a choice.

There was discussion of the extent to which regulators needed to work together, or find ways to be more effective. John Edwards readily acknowledged the benefits of regulators coordinating their efforts but said that internationally, “we are still minnows” against the big monopolistic platforms.

Microsoft - The 2020s

Microsoft President Brad Smith outlined what he described as the 1st, 2nd, and 3rd waves of privacy. While the 1st wave in the 1990s focused on notice and consent requirements, the second wave included moves to the GDPR and enabling individuals to have better control over their data. The 3rd wave over the next decade will see an increase in rules and regulation that protect against data abuses, that apply to data brokers and to companies that collect information. Other developments that Brad Smith anticipates:

• rules for new technology
• a recognition that privacy needs to be integrated with other laws – eg anti-trust / competition
• a global privacy pact
• new breakthrough technologies eg differential privacy.

Microsoft President Brad Smith

Brad Smith’s 2019 book, co-authored with Carole Ann Browne, is Tools and Weapons: The Promise and The Perils of the Digital Age.

Data protection and competition as converging digital regulation

Convergence of regulatory practice was the focus of panel 3. Orla Lynskey, Associate Professor of Law at London School of Economics, stated that data protection needs competitive markets in order to operate properly.

Federal Trade Commissioner Rohit Chopra picked up on the intersection of competition and data protection law: “It’s about abuse and misuse of power. We will have to address the fundamental structure of some of these companies.” Privacy should be a point of competition; the economy should be innovating.

What are the remedies? Chopra acknowledged this as one of the toughest things to work through. He noted the need for clear, bright-line rules, and the need for investigations across privacy and competition law. And ultimately, “we have to look at individual liability.” Breakups would always be one of the potential tools for a competition regulator. The remedies must take into account both the motives and the incentives of these business models.

Rohit Chopra urged that we “bring [privacy] into competition law – look at data protection as an element of product quality.”

Quick takes

• Jamie Bartlett, author of People vs Tech, and BBC series presenter on the Secrets of Silicon Valley - foresees a “privacy premium” – an increasing gap between rich and poor because the rich are buying goods at a premium that do not collect data about them. He describes it as a new inequality in society. It is the opposite of the digital divide. In this context, the job of the regulator, Bartlett maintains, is to make sure people don’t turn against technology.
• Future challenges for regulators - Simon McDougall from the Information Commissioner’s Office in the UK talked about being a “horizontal regulator in a vertical regulatory world”. Our perimeter [as a regulator] is growing and is very wide. We are in a data soaked world - we are having to engage with other regulators much more eg competition authorities. We have become much more data-driven. We now have to find new ways of working; become more expansive.
• Acceding to Convention 108+ - Sophie Kwasny, from human rights body, The Council of Europe, described convention 108 as the “grandmother” of the GDPR, and the “mother” of Directive 95 - which formed the basis of the GDPR. The modernised Convention 108+ covers public and private sectors, and includes transparency obligations and the rights of the subject to object to automatic processing. New Zealand is currently an observer. More information is available here. 
  

 Image credit: Tirana monument

International