The DataGrail team returned to the IAPP’s massive Global Privacy Summit (GPS) in Washington, DC. Over 4,000 privacy professionals gathered together, learned from dozens of experts, met hundreds of vendors, and took in DC’s summer-like weather with friends – some for the first time in person since the start of the COVID-19 pandemic.
The vibrancy of the international privacy community was on full display. Keynotes promoting democracy and diversity were delivered bilingually, and IAPP President and CEO J. Trevor Hughes encouraged privacy professionals to join the IAPP in supporting the efforts of the World Central Kitchen in war-torn Ukraine.
Hughes also noted a landmark for the IAPP itself. The association is a hair’s breadth from reaching 45,000 members worldwide.
Common threads
Topics at the conference ranged from the practicalities of running a collaborative privacy program to the challenges facing policymakers and technologists on the frontiers of digital innovation. Across the many keynotes, sessions and roundtables a number of connected themes emerged (and some were amplified from PSR 21).
Global Privacy Summit 2022 Themes:
- Theme 1: Privacy has become more complex. It is much less siloed than it used to be and has become an umbrella term for many related issues.
- Theme 2: Privacy is caught in the middle of a fight between Big Tech and competition regulators. Enforcers are urged not to conflate market power with privacy abuse.
- Theme 3: The U.S. is hurting its global standing by lagging behind the rest of the world on comprehensive privacy reforms. A US federal law is an urgent must.
- Theme 4: The privacy and regulatory communities are wrestling with new terms and their subjective implications. Uniform, sensible standards are needed.
Theme 1: Privacy is more complex and interdisciplinary thanks to accelerated digitization of our daily lives.
A rapid shift to remote work and education, and our seemingly irreversible dependence on home delivery services of all kinds, is accelerating the need for privacy professionals to go beyond compliance, and at times even beyond data privacy.
As Opening Session keynote speaker, FTC Chair Lina Khan noted, “Digital technologies have enabled firms to collect data on individuals at a hyper-granular level… The scope of information collected also becomes increasingly vast, ranging from one’s precise location and full web browsing history to one’s health records and complete network of family and friends.”
To go beyond compliance, professionals need to guide their organizations through increasingly thorny — and rapidly evolving — issues of data ethics, user safety, and economic stability.
In his account of the Bomber Mafia, Opening Session keynote speaker and best selling author Malcolm Gladwell surmised privacy professionals are well placed to temper the unintended consequences of an overidealistic tech future. The Bomber Mafia were a group of WWII era U.S. military men who believed that long-range precision bombers were the future of the U.S. military and could make war more humane. The group advocated for early pin-point targeting technologies. These early computers worked during tests but were stumped by real air combat conditions. As a result the U.S. military turned to new weapons of mass effect – napalm and nuclear bombs.
After telling the story Malcolm offered that in the intersection of innovation and human nature it is important to learn from the past and strive for a realistic future. In other words, privacy professionals should be ready to put their ‘historian’ and ‘skeptic’ hats on.
These are heavy issues to be sure, and the global conversation around privacy can be summed up by this overarching challenge: How can we best adopt new technologies in a way that is fair and ethical?
Theme 2: Enforcers should not conflate competition with privacy.
Policymakers and enforcers on both sides of the Atlantic look to address privacy abuses through competition and antitrust regulations. This approach is grounded in the theory that privacy violations are a symptom of market power and that the largest monopolies enable bad privacy behavior.
Europe, seemingly always one step ahead of the U.S. with its reforms, is rapidly advancing the controversial Digital Markets Act (DMA). The DMA aims to make the most prominent consumer platforms like Apple, Meta, and Amazon more open, interoperable and fair with respect to smaller market participants. The Open Markets Act (OMA) would do the same in the U.S. by focusing on app marketplaces. In the void of a comprehensive U.S. privacy law, the FTC is looking to adopt new rules to put the market power theory into greater practice.
Conversations in sessions and hallways turned to Apple CEO Tim Cook’s landmark General Session keynote speech. Cook expressed deep concern with “regulations that would undermine privacy and security in service of some other aim.” He worried about competition rules creating workarounds to Apple’s strict app review policies through a process called sideloading, allowing “data-hungry companies” to weaken the App Store’s comprehensive security and privacy protections.
Cook defined this as a “pivotal moment in the battle for privacy,” appearing to speak as much to policymakers tuning in to the live stream as to the forest of iPhones held up to memorialize the live event.
For me, the message struck close to home. As I put down my own ‘guess-what-phone’, I was reminded that before we are privacy pros, we are ourselves ‘users’. One more hat!
Theme 3: The U.S. must pass a comprehensive federal privacy law.
Echoing the growing impatience of the privacy community, Cook also called for “a strong comprehensive privacy law in the United States.” While the U.S. has a long history of privacy thought-leadership, lawmaking, and rigorous enforcement, in a post-GDPR world, the U.S. is perceived by many as lagging behind.
Microsoft President and Vice Chair Brad Smith amplified Cook’s call with his own Closing Session keynote address. Taking it up a notch Smith criticized Congress for letting the U.S. stay alone and frozen in time on the global stage. “The failure of the U.S. to legislate doesn’t stop global regulation. It doesn’t even slow it down. It just makes our country less influential in the world.”
Sitting down for lunch with fellow attendees, we ruminated on the same question – but will we actually see a comprehensive US federal privacy law any time soon?
We will likely not. As we packed up and headed off to our next sessions, we chewed on a growing patchwork of overlapping, progressively weaker State laws in the next 2 years. One or two may even pass by the end of the year. Still, with trans-Atlantic data flows becoming a critical issue for EU and U.S. trade relations, pro-privacy actions are on the horizon.
As we watch the ebb and flow of politics we must put on our ‘pragmatist’ hats and ride a fresh wave of inconsistent, piecemeal solutions.
Theme 4: Privacy is subjective. Uniform, sensible standards will help all.
There are few terms in the privacy lexicon as hotly debated on these grounds as “dark patterns” and “surveillance economy.”
As I was sitting for a talk between the Future of Privacy Forum’s Jules Polonetsky and FTC Commissioner Noah Phillips, news of the US Consumer Financial Protection Bureau dinging credit reporting agency TransUnion for “digital dark patterns” was circulating. The CFPB explained dark patterns as “hidden tricks or trapdoors companies build into their websites to get consumers to inadvertently click links, sign up for subscriptions, or purchase products or services.”
Yet, a well-known critic of regulatory overreach, Commissioner Phillips quipped that “dark patterns” – like “surveillance economy” – is just name-calling. He cautioned that enforcers already have clear legal norms for what is unfair, deceptive or just misleading. And that the community is better off dropping “scary words” and engaging in open dialogue around subjective business practices that are “endemic to the digital economy”.
For professionals navigating complex questions of manipulative design, whether in advertising or with now-ubiquitous cookie banners, this question begins: Where does influence end and manipulative design begin?
For me the answer seems to be another useful hat: ‘designer’.
Lessons and takeaways:
I sat in privacy engineering guru, Jason Cronk’s, ethics roundtable where we puzzled over privacy harms and thought experiments like the Trolley Problem. What is a privacy harm? Are there tradeoffs that must be understood? Would effects be immediate and tangible to an individual, or intangible and slowly influencing society at large? To reason through these challenging questions roundtable participants were challenged to try on ‘ethicist’ and ‘harm modeler’ hats.
As companies are spurred to deliver on the promises of tech innovation, privacy finds itself at an interdisciplinary crossroads. The thorny questions of freedom, fairness, dignity and equal participation in our rapidly digitizing society challenge #privacypros to rise to the challenge – to continue learning and preparing for what comes next.
Coming back to the DG booth to catch up with the crew and grab a cup of Grail & Grounds coffee, I added a final hat to my list: ‘learner’ – perhaps the most important hat of all. See you at the next IAPP summit!
Political Cartoon: Shawn Cordeiro, Art Director