by Lori Smith on January 7, 2019
In this interview, we talk with the world-famous privacy expert Dr. Ann Cavoukian — distinguished expert-in-residence at the Privacy by Design Centre of Excellence — on why privacy matters now more than ever, how consumers' perspectives about privacy are radically changing, and how to implement privacy into daily operations using the Privacy by Design framework.
About the Interviewees
Dr. Ann Cavoukian is recognized as one of the world’s leading privacy experts. She served an unprecedented three terms as the Information & Privacy Commissioner of Ontario, Canada where she created Privacy by Design — a framework that seeks to proactively embed privacy into the design specifications of information technologies, networked infrastructure and business practices. Ann is presently the Distinguished Expert-in-Residence, leading the Privacy by Design Centre of Excellence at Ryerson University in Toronto, Ontario. She is also the author of two books, “The Privacy Payoff: How Successful Businesses Build Customer Trust” with Tyler Hamilton and “Who Knows: Safeguarding Your Privacy in a Networked World” with Don Tapscott.
Ivan Tsarynny is the CEO and co-founder of Feroot Privacy. Ivan has centered his path on helping companies turn privacy compliance from a liability into a competitive advantage. As a member of the GDPR Advisory Committee at the Standard Council of Canada, Ivan is dedicated to helping companies and organizations build a cohesive standard for privacy management.
For the full experience, listen to the interview on Soundcloud: https://soundcloud.com/feroot-privacy
Question: Ann, why do you think privacy is front & centre right now? What led to the shifts that we’re seeing?
ANN: The General Data Protection Regulation (GDPR) came into effect in May of this year, and it dramatically raises the bar on privacy. For the first time, you have one overarching privacy law that puts control of one's individual data in the hands of the individual involved: the data subject. This adds much more additional protections and for the first time, it includes my Privacy by Design concept in it, which is amazing, and Privacy by Default — the second foundational principle of the seven principles of Privacy by Design.
So that has led to major changes and focus on these issues. For example, in Canada, in the past, our privacy laws have always been called essentially the equivalent to the European privacy laws. We've always had stronger laws than the United States. And we've enjoyed a wonderful relationship with the European Union in terms of exchanges of data and personal information, and engaging in trade without fear of reprisal because our privacy laws were just as strong as theirs.
No longer is this the case, for the first time ever. Our privacy laws do not have adequacy with the EU's new law, the GDPR, and our Privacy Commissioner has gone to the government last year and said, look, we need to upgrade our federal privacy legislation for PIPEDA. It was enacted in the early 2000s, it's dated. And we need to add privacy by design into it, because after all, it is a Canadian, myself, who created it. So that should certainly be part of our Canadian law.
In February of this year, the Standing Committee on Access to Information, Privacy and Ethics issued a report: Towards Privacy by Design. I'm very optimistic, that hopefully later this year, early next year we'll see upgrades to PIPEDA that will include privacy by design, which strengthens privacy dramatically.
Privacy as a default means that you, the user, the consumer, you don't have to ask for privacy, you get it automatically as the default setting in our operations. We can only use your information for the primary purpose intended and then if the secondary use comes up later on, we have to come back to you, to get positive consent. It’s a total game-changer, it goes from night to day.
Question: Is privacy what consumers want now? Are you seeing a shift in public perception?
ANN: Yes, in fact, they're demanding it. I have never seen public opinion polls like Pew Internet Research, and others consistently, in the last few years, in the 90 percentile. For instance, I’ve seen 91% of those surveyed express a very strong concern about loss of privacy; 92% expressed concern about the loss of control over their personal data. And this is happening consistently. I've been in this business well over 20 years, I've never seen survey data in the 90% with respect to concern for privacy.
So clearly, there's a big, big concern over privacy and a loss of trust. There's such a trust deficit right now. And in order to address that you embed privacy by design into your operations. You lead by telling your customers how much you respect their privacy and the lengths you're going to, to protect it. And when you do that, they will reward you with repeat business, their loyalty and it attracts new opportunity. You transform it into a win-win operation, that's what we want.
Question: Ivan — can you comment quickly on what you're seeing in the tech community in regards to privacy? What are business owners saying?
IVAN: Definitely. I can echo what Ann just said, and what we are seeing is just over the last 12 months, very few people could spell GDPR, especially in the tech community. Now, everyone, over the last three, four months, everyone is coming and talking about privacy, how do we operationalize it? How do we embed it? And now, on a business side, they're asking, how do we make our product privacy-first, how do we differentiate on privacy? How do we attract consumers that value privacy?
Some of the evidence we're seeing is the rise of privacy-first products, like DuckDuckGo search engine. They do not collect all the data that other giant search engines do and it's definitely making a shift on purchasing decisions. Personally, I can also attest to my kids. They are a lot more aware about privacy than I was even a couple years ago. I’ve noticed they choose not to buy apps or choose to buy Apple versus Google or Android because of privacy concerns. It's impacting their decisions a lot.
Question: Ann, have you seen privacy impacting purchasing decisions as well? Are you hearing this from clients or seeing this in the market?
ANN: Absolutely. People are now asking — how do you protect my privacy or are you using my data for any other purpose other than this thing that I just bought now, or what I ordered online — people are asking questions now instead of just assuming that there's nothing they can do about it. There are things you can do about it.
And I just want to pick up a point on what Ivan said in terms of young people. It's such a myth that kids don't care about privacy. Young people care enormously about privacy. If you look at some of the public opinion polls and the surveys that have been done. For instance, danah boyd at New York University, Professor Turow at the University of New Hampshire, they've done studies on this repeatedly showing great interest in privacy on the part of young people. Professor Turow calls it the trade-off fallacy. It's a fallacy that if someone gives you a website, that they can in exchange use your information for whatever purpose they want. 91% of the people he surveyed said, No, they can't just use my information for whatever they want. I want to know how they're going to use it. And I want to see what I'll get in return if I decide to disclose it to them. So there is such a heightened awareness now of the privacy issues. And it's really beginning to unfold.
Question: One of the biggest challenges we've seen in the tech community is how do you control what happens when that data is spread across multiple third-parties? What do you suggest companies do?
ANN: Exactly, that's the problem with the model of the existing model of centralization. It's virtually impossible to control the data being used by third parties. Now, if you're dealing with a company, you have a trusted business relationship with them, then hopefully, you can trust that they're going to respect your privacy, they're only going to use the information for purposes intended, and they're not going to share it with unauthorized third parties. And you make that clear. And I'm not saying that you can't do that. There are many companies with whom you have that trust, but the majority of them, you don't know if the information is being exchanged with third parties unknown and how they're going to use it. That's what we're looking at. We're going the direction of these decentralized models where individuals can exert greater control over their data. It's not shared with everybody. And just look at Tim Berners-Lee, inventor of the World Wide Web, he came out last month and said that we've got to get a different business model. This isn't working, and he's pushing decentralization because he had no idea that the web he created would end up being an engine of surveillance. That was never his intention.
Question: Ivan, I know you've been working on this notion of PrivacyOps, specifically how people can start managing consent over all these different applications or departments, or even third parties. Can you explain how PrivacyOps fits into the issues Ann just raised?
IVAN: Absolutely, personally, I'm a big fan of Privacy by Design, not just the framework, but the culture. The transformation of culture in companies and startups in the tech community is shifting from thinking about data as a given, that they can collect as much data as they want and use it for whatever purposes they choose in the future, towards thinking we have obligations around the data. We can only use the data for the intended purpose. And in terms of privacy operations, they start thinking in terms of collecting data in marketing, sales, HR, customer service departments and customer success departments, back office financial records. The data is currently fragmented, highly fragmented and not holistically viewed as a sole responsibility or corporate responsibility of managing the data. Breaking down the silos, getting a full, holistic view of why we have the data, what obligations we have around it, and how do we control it in the database?
Question: Ann, when it comes to practically implementing the Privacy by Design framework, how should companies approach it? Especially when the data is scattered all over the place — what is the first step they can take?
ANN: I always start by asking companies, do you have a data map? And they look at me quizzically and I say, by that what I mean is, do you know, once the data enters your organization — and usually the first interaction is fully consented when someone purchases something or orders something online, they know that they're giving their personal information, their home address, their credit card, etc. to purchase this product so it has to be delivered to them and that exchange is consented to — but what happens after that? That's why I ask people to do a data map. To navigate all the potential flows of that personal data once it's entered into your operations, into your company legitimately. Are there any secondary uses made of that data? Is there any other data going to third parties that have not been consented to by the data subject? You've got to navigate and really draw out where the information is going, and that will alert you to whether you need any additional consent for the information that was collected. You've got to have an awareness of who's getting what in your company relating to this personal data. And once the data has been used for the primary purpose intended, theoretically, you shouldn't keep that data around anymore, not in plain text, you should at the very least encrypt all data at rest, because that's when, the hackers, you're an easy target if the data is not encrypted. If the data is encrypted, the hacker will go and find another easy target. So you've really got to spend a lot of time managing and securing the data and finding out the flow of it.
Question: On that note, you have a new certification called Privacy by Design. Can you share what that is exactly? Who it is for, who should take it and does it address everything we just talked about?
ANN: It addresses most of what we talked about and it goes much farther. Privacy by Design certification, and I'm doing this in partnership with KPMG, is to respond to the fact that when people are doing privacy by design, they want to be certified now, so that they can go to the EU, for example, and show them that they're acting in good faith. In the States, for example, or in Canada now, our laws are no longer adequate to the EU GDPR. So companies are getting certified, so they can show that they are doing everything they can to comply with the GDPR in terms of Privacy by Design, and we’ve actually gotten certified to show you good faith. Because for Privacy by Design, you know, you don't need a law, you need to follow the seven foundational principles. And the reason I partnered with KPMG, is once a company comes to me and wants to get certified and with their consent, I send KPMG to visit them and they work out a protocol so that KPMG can do an assessment of whether they're doing it properly. You have to look under the hood, you have to really see how the data is being used. And if it's consistent with the seven foundational principles. So we had just a flood of requests for this kind of certification, because everyone now wants to get on side with the GDPR. And this is one of the best ways to do it. So I'm very optimistic that this is going to go well. And companies already have told me that when they get certified, they shout it from the rooftops, they put it on their website, on all their materials — they want their customers to know the lengths they are going to show them respect for their privacy.
Question: That's fantastic to hear. The last question, you bring this up a lot in your presentations. You say that privacy is not about secrecy, it’s about giving customers or people more control over their data. Can you explain?
ANN: It's so true. You know, people often think privacy is all about secrecy, and that couldn't be farther from the truth. Privacy is about control, personal control over the use of your personal data. And one of the reasons this is so important is that only the individual knows the sensitivity associated with certain data, because context is key. And only the individual knows the context associated with the data, whether it's sensitive to them or not. Or if they want to disclose it or not, you have to get direction from them. It's critical. The Germans have a wonderful term for this called informational self-determination. Big term, simple concept, that it should be the individual who determines the fate of his or her personal information. And it was considered to be such an important value in Germany, that in 1983, they enshrined it in their Constitution as a Right, absolutely critical. And again, it's no accident that Germany is the leading privacy and data protection country in the world. It's no accident that during the Third Reich, they were stripped of all of their privacy and all of their freedom. And when that ended, they said, never again, never again, will we allow the state, the government, to rob us of our privacy and our freedom. So yes, control, it's all about personal control.
Question: Absolutely. As soon as that control is taken away from you, you realize how important it actually is. And because we're all about practical privacy at Feroot, how do companies give control to their users? What is the first step they can do?
ANN: If I had a company or website or something where I was selling things, the first thing I would say to people is, I want you to know that once we've completed this purchase, and obviously you're giving me your credit card and your home address, so that I can deliver the product to you, etc, payment, we will not make any additional use of that information, full stop. We will respect your privacy, we will only use that information for the primary purpose intended, namely to enable you to purchase this product and have it delivered to your home. Beyond that, privacy is the default. We will automatically protect your privacy, not use it for any other purposes. And down the road, if a secondary use arises that we might like to use your information for, we will come back to you and obtain your positive consent. Win-win. It builds such trust when you do that. People have told me when there is this trusted business relationship, there's no problem, because if there is a secondary use that comes up, companies have told me that their customers always say yes, they can use the data for additional uses, because that fundamental trust is there. They don't want the information flowing out to third parties unknown, but within the trusted business relationship within that company, they are very happy to have the data used for additional purposes. It makes it a true win-win operation.
Question: Right. It’s really about creating a culture shift or changing how we think about the data we collect. Ivan, any final thoughts from you about consent management and/or control over data?
IVAN: In addition to consent management, I really resonate with the comment about the Nazi regime in Germany because I was born in a communist regime, which involved a similar stripping down of privacy. I remember living under a communist regime and not being aware about privacy or that privacy can exist. To your comment, you only realize the value of something you lose, I realized the value of privacy by gaining it because I remember not having had the concept of privacy in my mind, or control of the data, so I can definitely attest to that. It's giving control back, it's giving control to self-determination to the subjects, to people over their data.
Question: To summarize, giving control or privacy back to the users doesn't have to come at the expense of anything: it's just a shift in how we talk, how we treat it and think about it.
ANN: Exactly. And that's growing. That mindset is growing, people are getting more respectful of privacy and the public is demanding it. So make it a win-win. Give your customers very strong privacy and they will reward you and you will gain a competitive advantage.
IVAN: I love it, we’re combining commerce and rights together.
ANN: Yes! Make it a win-win.
Thank you Ann and Ivan for joining us today. This is just the first of many discussions on this topic and I can't wait to see how the story of privacy continues to unfold with all these new events happening all over the world.