For tech’s sake: Reconciling emerging tech and the GDPR

Innovate

VERB
[NO OBJECT]
Make changes in something established, especially by introducing new methods, ideas, or products.
‘the company’s failure to diversify and innovate competitively’

In the lead-up to ‘G-Day’, critics warned GDPR would have a chilling effect on innovation and called on regulators to abandon core GDPR principles in favour of emerging tech. But by pitting privacy against innovation they missed the mark on both. Ironically, their pleas revealed a striking resistance to change and a vigorous defence of ‘business-as-usual’. Tech and GDPR can do hand in hand.

Why, they asked, couldn’t regulators just let tech be tech? GDPR’s data-minimisation principle would starve data-hungry AI of its lifeblood, they cried. Its beefed-up consent rules wouldn’t work. And algorithmic transparency would make AI ‘less intelligent’ because the black box algorithms it often uses are difficult to understand let alone explain to consumers.

Actually, GDPR might make AI better. The asset-backed derivatives that precipitated the subprime mortgage crisis were difficult to explain and look where that got us. Do we really want a society of ill-informed consumers forced to unquestioningly accept AI decisions on faith? The reality is GDPR helps ensure AI benefits society by holding humans accountable for AI decisions. And rather than chill its development, GDPR is propelling its growth.

Blockchain enthusiasts bemoan the right to be forgotten and argue that GDPR’s stubborn insistence on storage-limitation makes it incompatible with blockchain’s fundamental immutability. They argue the law should be changed to accommodate the tech without stopping to consider why permanence might be a problem for personal data.

We made the same mistake in the happy days of Internet 2.0, before cyberbullying, a string of tragic suicides and a trail of damaged reputations spurred regulators to establish the right to be forgotten.

We risk a digital crisis in 2019 akin to the 2008 banking crisis, warns data privacy lawyer

The 2019 digital crisis, data privacy charlatans and the good guys with an ethical approach: data privacy will diverge in 2019 says privacy lawyer.

Tech writer Kara Swisher reminds us that Russian trolls who used platforms like Facebook, Instagram and Twitter to influence the outcome of 2016 US elections weren’t hackers, they were customers, who used the platforms exactly as they were designed.

Blockchain is touted as a great democratizer. So was the World Wide Web, until it became increasingly centralised, weaponised, and, as Tim Berners-Lee laments of his creation, ‘anti-human’. He describes a decentralized spirit and a feeling of individual control that was empowering but has now been lost.

Without pausing to consider possible risks and harms, blockchain could suffer a similar fate.

Left unchecked this tech-for-tech’s-sake mentality can cause a lot of harm and undermine technology’s innovative potential. In the words of Apple CEO Tim Cook, “Technology’s potential is and must always be rooted in the faith that people have in it…in the capacity to make the world a better place…We’ll never receive tech’s full potential without the full faith and confidence of people who use it.”

Online privacy concerns in a post-Cambridge Analytica scandal era

When the Facebook/Cambridge Analytica scandal emerged, the pursuant regulatory procedures indicated that something groundbreaking was going to happen in the area of online privacy

GDPR doesn’t regulate tech

GDPR wasn’t designed to regulate technology. It regulates the use of personal data by creating a framework for using it responsibly. GDPR’s drafters sought to right the wrongs of Silicon Valley’s ‘move fast and break things’ philosophy that had left so many trapped in ‘digital sweatshops’; bullied by an internet that never forgets; bombarded, profiled, surveilled; exposed to identity theft; disadvantaged and mystified by Weapons of Math Destruction. Regulatory speed bumps can help us ‘move slower and fix things’. Were it not for the GDPR blockchain enthusiasts may never have explored privacy-preserving ‘workarounds’ to GDPR challenges.

Privacy by Design (PbD), GDPR’s core obligation, forces us to ‘radically re-think’ our business models by making privacy a design requirement. It treats tech as a means to an end that serves greater humanity, not an end in itself. It lets us have our tech and our privacy too.

Just because technology is new doesn’t mean it should be exempt it from fundamental principles. We need to consider both benefits and risks of using a particular technology and choose the least harmful path. Sometimes this may mean choosing a less risky alternative or using it differently. This is what French regulator CNIL implores us to do in its recent guidance on blockchain and GDPR.

The Hub of All Things: Are you collecting personal data the wrong way?

Jonathan Holtby, Community Manager at the Hub of All Things (HAT), explains to Information Age why the way organisations collect personal data is fundamentally broken

PbD and Blockchain

Jason Cronk, author of Strategic Privacy by Design, trains companies globally on PbD. He doesn’t preach compliance or drown them in jargon. He speaks human: “I start talking about ‘here’s how people react when you surveil them or deny them services because of some data points.”

PbD is an art, not a science, Cronk observes. “It’s how you frame the question.”

The question here should not be “how can we use blockchain for personal data?” but “what is the problem we’re trying to solve, what’s the best way to solve it while respecting privacy right, and can blockchain help?” This is how leading Canadian identity and authentication provider, SecureKey, has approached the challenge of managing online digital identity. Verified.Me is a digital identity ecosystem that lets individuals verify their identity so they can access services like banking and utilities with minimal sharing and maximum control. It builds on the triple-blind privacy approach used for SecureKey Concierge, a single sign-on (SSO) service that connects Canadians to over 80 government services using existing, trusted banking credentials while ensuring no single entity sees the entire customer journey. This protects from the over-sharing now synonymous with SSOs offered by Google and Facebook. With Verified.Me SecureKey extends triple-blind privacy to identity verification, using a private, permissioned blockchain that provides “public proof of private secrets”. No customer data is actually stored on the blockchain. Rather the blockchain provides evidence of the integrity of distinct transactions. The transactions are designed to be unlinkable, and neither SecureKey nor the blockchain host see the data at rest or in transit, providing maximum privacy and control.

Like PbD, GDPR isn’t a stop sign on the road to innovation. It’s a yield, imploring us to ‘move slower, and fix things.’ Technology is supposed to benefit society. Not the other way around. If we can envision technology’s benefits, we can, and must, anticipate and mitigate its risks. Only then can we unlock its true innovative potential.

Abigail Dubiniecki is a  speaker and educator, and privacy specialist at My Inhouse Lawyer”?

Abigail Dubiniecki

A privacy lawyer from My Inhouse Lawyer, speaker and educator.

Related Topics

Emerging Technology
GDPR