When a company agrees to pay $391.5m to settle lawsuits filed by dozens of US attorney generals around the country, is it a big deal?
What if the company in question is Google – one of the most recognizable brands in the world, with revenue exceeding $257bn the year before?
What if Google, even with its massive resources and reach, genuinely had trouble controlling its location-tracking data (which was the reason for the legal issues)?
These are not philosophical questions; They go to the very heart of data privacy challenges faced by virtually every company on the planet and put all of them in the same danger as Google. To put it bluntly, many organizations doing business in the digital arena are likely making similar mistakes.
How many of them can survive this kind of judgement?
For the record, the lawsuit stemmed from an article four years ago alleging that Google was recording consumers’ movements without getting explicit permission to do that. This is particularly sensitive information, and that’s why the ‘Location History’ function is off by default on many phones and apps. Consumers have the choice to turn it on, but until they do, this data is believed to be off-limits. However, a very different setting known as ‘Web & App Activity’ in Google accounts and devices seems to deliver similar information. That got attorney generals poking around, and the resulting litigation led to the current settlement. Moving forward, among other changes, Google will limit its use of location data and ensure greater customer transparency in the information it gathers from location-tracking features.
Informed Consent: An Elusive Goal
Let’s set the baseline properly here. Regardless of what Google did or didn’t do, we live in the era of informed consent. Flagrant violations of data protection regulations – such as companies acquiring personal information from and about consumers without those consumers’ approval or even knowledge – deserve to be punished. Unfortunately, there have been too many breaches and violations of personal privacy to tolerate any variations, deliberate or otherwise.
But there’s a larger question here that merits attention: Does any organization – even multinational conglomerates with virtually unlimited resources – truly have the ability to control the data in its possession? Sadly, even in a post-GDPR world where all the rules are supposed to have changed, the answer is quite clearly no.
It’s easy to use metaphors about data tsunamis, but even staggering volumes are not the greatest problem. The root cause of today’s data chaos is how apps and systems fragment data into app-specific databases, data warehouses and even spreadsheets. Even when personally identifiable information (PII) and other sensitive data appears to be stored securely inside one of these silos, there’s almost always unrestricted copying taking place specifically for the purposes of data integration. This ongoing replication not only drains the IT budget, thwarts innovation and amplifies compliance challenges, but again, makes the ability to meaningfully control the data almost impossible.
We need to approach this problem more conceptually. Data privacy doesn’t begin with particular technologies or processes; it has to do with defining control and access.
This big-ticket settlement with Google offers yet more proof that if we want real innovation without retribution and with genuine data protection for people and organizations alike, we need to accelerate the adoption of new technologies, protocols and standards that prioritize the control of data by eliminating silos and copies.
New Standards, New Tools
Fortunately, we have many rising to the occasion. For example, the partners of the Data Collaboration Alliance strongly advocate Zero-Copy Integration, a standard gaining traction in Canada and elsewhere that defines a framework for innovation that is fundamentally rooted in control. And in keeping with this standard, we’re seeing new technologies to match. One of the most interesting of these is an emerging category known as dataware.
Zero-Copy Integration encourages the decoupling of data from specific digital solutions, and the benefits of doing this are clear and quantifiable. The resulting elimination of copies enables one set of data to power unlimited applications with schemas enriched through genuine data collaboration. The elimination of copies also delivers the bonus of eliminating point-to-point data integration – as IT departments well know, this is a task that can drain as much as half the IT budget. And given the concerns over almost daily violations of data privacy, this ‘zero copy’ framework helps to automate data protections with a single set of universally-enforced access controls that are set at the data level, which do not get eroded by solution-specific controls or by copies resulting from traditional data integration. It also enables precision data auditability and decentralized data governance.
There’s a complex brew involved: New technologies, emerging standards, regulatory requirements, operating practices, legal enforcement, etc. But there’s also one logical starting point: all stakeholders recognize that meaningful data control can only begin with eliminating silos and copies.
European and state-level legislation – and massive fines levied as a result – have helped enshrine data privacy as an operating principle. But given that we live so much of our lives through digital channels, is it fanciful to go further? Increasingly, the data we generate as citizens and consumers creates a model that knows each of us even better than we know ourselves. This reality makes the control and ownership of our data an extremely good candidate for a modern human right.
Perhaps, with that belief as the foundation, we’ll hear less about privacy violations and more about good business.