2019 is frequently described as a “turning point” for consumer data privacy. If this manifesto proves true, it will be due to several events in 2018 which created a foundation for change. Throughout the course of the year, we saw the California Consumer Privacy Act come to fruition and GDPR enforce its presence, all while serious data breaches continued to take place — from Starwood to Facebook to Quora. In many ways, 2019 may be seen as the year when individuals begin to actually realize the vast amount of data, day in, day out, that’s gathered on each of us. It’s not surprising that the public has started to become more concerned — according to a 2018 survey, 89 percent of people (in the study) do not think companies are doing enough to protect their data.
With an eye on the mechanical component of data privacy and consumer data privacy governance, I attended the Future of Privacy Forum’s Annual Privacy Papers event last week, where authors of the five winning papers presented their ideas — all of which are closely aligned with the focus at HealthVerity. As a component of our technology platform, we provide a solution for enterprises to overcome data privacy governance and consent management challenges — the key areas where corporations and consumers will interact within the bounds of these new regulations like CCPA, GDPR and upcoming federal legislation out of Washington DC.
In his opening remarks at the FPF event, FTC Commissioner Noah Phillips stated (in his personal, not professional capacity):
“This is the watershed moment for privacy where our private conversation about privacy has gone public.”
With this as the overall theme of the evening, I felt right at home as these papers address issues of consumer data governance, consumer data ethics, the privacy of intimate, sexual data, data surveillance and the right (or lack thereof) to an explanation of decisions made by algorithms — all critical aspects of what needs to be a broad data privacy discussion between policymakers and the public.
For me, ’17 & ’18 were spent in business development with a blockchain digital identity platform, where I interacted frequently with clients covered by the GDPR. At the end of 2018, I took a business development and sales position with HealthVerity — mostly excited by their foundation in HIPAA data privacy regulations. The company developed its platform within the constraints of HIPAA regulations, producing a robust, highly valuable platform for consumer data privacy governance applications — which from my perspective has great value to companies needing consumer data privacy governance tools.
My goals at the FPF event were twofold: meet other thought leaders in the consumer privacy space and, more importantly, absorb the ideas on the cutting edge of consumer data privacy. Thankfully, the Q&A was quite active during the presentations and there was ample time post-event to meet attendees and presenters.
I was surprised how often HIPAA was mentioned throughout the event, since health care data was not distinctly addressed. A number of speakers and presenters mentioned HIPAA as a great example of rigorous data privacy regulation, including data portability (the “P” in HIPAA doesn’t stand for “Privacy”) and acceptance by industry and the public. Several people pointed out that HIPAA is a data privacy regulation which Americans interact with on a daily basis — meaning it is a point of familiarity which may serve as an anchor for the broader consumer data privacy conversation.
All of the papers presented were illuminating — prompting me to bring new ideas back to our HQ in Philadelphia and into meetings with potential partners and clients. When we sit down with companies looking for help solving their data privacy and consent governance challenges, we need to be in the slipstream of the ideas presented last week.
I especially connected with the paper Shattering One-Way Mirrors. Data Subject Access Rights in Practice written by Jef Ausloos, Postdoctoral Researcher, University of Amsterdam’s Institute for Information Law; and Pierre Dewitte, Researcher, KU Leuven Centre for IT & IP Law. As I stated, both the GDPR and CCPA allow citizens to request their data from companies which hold their data (such as your personal information including email, address, etc.). Since data portability is a novel concept, I was surprised to read in Ausloos and Dewitte’s paper about the sheer number of companies that had issues complying with these requests in the year before the GDPR went into effect (spoiler alert: when they did their research in 2017, most European companies could not comply with the request under the pre-GDPR laws). During the Q&A, they stated it’s their assumption the GDPR has pushed companies to comply and have functionality to respond to this new consumer ‘right’ of data transportability — but we’ll have to wait for their follow-up paper to see if the numbers back this up.
The other key theme at the event was that corporate digital ethics are perhaps more important than the privacy laws being passed — which is clearly seen in Designing Without Privacy by Ari Ezra Waldman, Professor of Law and Founding Director, Innovation Center for Law and Technology at New York Law School. During the Q&A, Ari advocated that organizations include a privacy expert on the design and engineering teams of any product or feature in development, integrating privacy ethics as an equal stakeholder, with engineering and business, on decisions from the very beginning. This tactic builds on a bottom-up, rather than top-down, privacy compliance strategy that benefits both the consumer and company developing the software. Ari made the point that, in the absence of such an expert, many software design and development teams don’t have a clear understanding of privacy requirements and frequently don’t have a clear directive from their company on what is required. As we go forward, this level of interaction between privacy experts and engineers will educate the engineering and design teams and serve to deliver the best privacy experience for consumers.
I’ll keep posting from the events I attend in 2019 and see where the year takes us. At HealthVerity, we strive to provide data privacy and consent governance solutions to our clients through novel, highly sophisticated identity resolution and matching capabilities. Increasing transparency, forging interoperability and activating deeper insights for our clients will remain the mission, especially as consumer data privacy becomes more regulated.