Navigating the Murky Waters of Data Policy Innovation in 2019 and Beyond

Written by

Tech-enabled social credit system with ‘trustworthiness points’? Check. Microscopically accurate personal location data? Check. Mass facial recognition in public spaces? Check. These are a mere snapshot of the thorny privacy issues which we are beginning to comprehend today. The thicket of problems which we will face tomorrow will be like unlike anything we have ever seen.

From a regulatory perspective, there are no easy answers to who owns the data pervasively gathered through these technologies. While undoubtedly setting a high bar for compliance, GDPR is attempting to address a chasm that has opened up over the last twenty years in the way personal data is captured and used.

The question we take into 2019 is how applicable current and planned legislation is for the hyper-personal information being captured by smart infrastructure - devices, sensors, cameras, microphones and appliances then shared with a potential array of third parties.

Although the proposed ePrivacy regulation will provide some foundation of trust for the next generation of disruptive technologies, the dependencies and potential ambiguities as two expansive data protection laws are integrated, already serves to highlight the complexities of future compliance and enforcement.

Rather than viewing regulations such as ePrivacy as completing privacy frameworks, regulators across jurisdictions globally must continue to widen the angles and sharpen their focus on emerging technologies.

Connected and Autonomous vehicles: Give up driving, give up your data?
The autonomous vehicle market is decades away from maturity. However, 2018 saw milestones which will fuel investment and growth: Waymo, the current market leader in automotive vehicles, launched the world’s first commercial self-driving car service Waymo One, to directly challenge Uber and Lyft. According to CB Insights, 46 other corporates including Apple, Amazon, Tesla, and Ford, have ongoing AV programs.

Autonomous vehicles rely on myriad sensors and devices such as specialized radar, GPS, LIDAR, and in-car cameras and infotainment systems. These touchpoints provide new ways of collecting personal data. While they are critical for the safety and service consumers demand, this doesn’t mean they can’t be inadvertently or deliberately misused or exploited. As the industry develops, consumers and regulators must define the extent of the data collection they will tolerate in the name of safety and convenience.

Car manufacturers are already collecting personal information, but mostly for vehicle analytics. Their policies are explicit: Car data belongs to the consumer. New efforts to tailor and enhance the driving experience, like General Motors’ ecommerce Marketplace, require affirmative consent to share personal information with retailers. These privacy protections might not apply when riding in an autonomous vehicle operated by a fleet company. Without effective regulation, giving up driving could mean giving up control of personal data.

Facial recognition: 1984 in 2019?
Facial recognition is the archetypal privacy bogeyman, popularized by Orwell’s 1984. Systems have existed since the late sixties, but the underlying tech has improved exponentially with recent advances in AI. Seeing the potential to make security measures faster and more sophisticated, law enforcement agencies like the NYPD and FBI have been early adopters.

Recently the Metropolitan Police and Secret Service both announced trials of live facial recognition systems to identify wanted persons in Central London and around the White House.

However, companies also see the potential of facial recognition technology - for their bottom line. Facebook already uses powerful facial recognition technology to suggest photo tags. Amazon has been pitching it’s Rekognition system to law enforcement, although both Google and Microsoft have so far refrained from similar commercialization and called for more regulation.

This commercialization is likely to continue in 2019. Amazon recently patented a doorbell which uses facial (and scent!) recognition software to track ‘suspicious’ people, which was criticized by multiple civil rights groups. Regulators must bolster privacy protections to prevent the abuse and improper monetization of data harvested from this technology. However, this will likely be an uphill battle. Facebook, for example, is attempting to weaken Illinois’ Biometric Information Privacy Act which prohibits companies from monetizing user’s biometric data without their informed opt-in consent.

Smarter cities, same privacy issues
The ‘neighborhood of the future’ regeneration project offers a glimpse at major privacy obstacles. Sidewalk Labs, a subsidiary of Google’s parent company Alphabet, is partnering with the city of Toronto to create a futuristic community of affordable housing and intelligent transport infrastructure. However, it faces intense opposition from local community groups, directed at both Sidewalk Labs and Waterfront Toronto - the regulator ostensibly overseeing the project.

The primary concern is that Sidewalk Labs could allow third parties to use the data collected from the project. Residents are also concerned about the lack of guarantees regarding anonymization of personal information. Jim Balsillie, a former co-CEO of Blackberry, has questioned who would own this data and any resulting IP, given that a single company could have unfettered access.

Recently, the Ontario Infrastructure Minister stepped in to remove three Waterfront Toronto board members for a lack of scrutiny on the project and the privacy issues raised by residents.

The bottom line? Embrace privacy and consent
Countries like Argentina, Australia and Brazil have already moved to implement privacy legislation to ensure parity with the GDPR, but to avoid stagnation these regulations must continue to be adapted and innovated to meet the challenges of disruptive technologies. Regulators and businesses should focus on the future demands of delivering personalized services across government, healthcare, education and commerce.

In 2019, stakeholders with responsibility for the protection of personal data must build on the momentum of GDPR to ensure that the rising tide of privacy regulations has a common goal: Empowering consumers with visibility, choice and control over their data.

What’s hot on Infosecurity Magazine?