Happy Data Privacy Day! Of course every day ought to be Data Privacy Day, but 28 January has been deemed to be the main day to focus on the topic, a date currently observed by the UK, the US, Canada, the European Union and dozens of other countries around the globe.
At last week’s World Economic Forum gathering in Davos, privacy, its implications and the need (or otherwise) for regulation were among the recurring questions asked of speaker after speaker. Against the backdrop of the scandals of recent years, there was, predictably enough, a consensus view that the tech sector needs to be seen to take a proactive stand.
For example, PayPal CEO Daniel Schulman insisted that it’s not good enough to wait around for regulators to take action, the ‘passing the buck’ policy of the likes of Facebook (which did at least have the self-awareness not to field CEO Mark Zuckerberg to discuss privacy or ethics at this year’s meeting). Schulman counselled:
We should not abdicate our responsibility waiting for regulators to create data privacy and data protection for consumers and for businesses.
There was also much praise for the success of the EU’s General Data Protection Regulation (GDPR) and a lamentation that the US, for example, doesn’t have a national equivalent. As Keith Block, co-CEO of Salesforce, put it:
You have to applaud the European Union for coming up with GDPR and hopefully there'll be a GDPR 2.0. In my personal opinion there's no question there has to be some sort of regulation. I think citizens deserve it, consumers deserve it, corporations deserve it, governing bodies deserve it. In the United States it would be terrific if we had a national data privacy law; instead we have data privacy by zip code which is not a good outcome.
Microsoft CEO Satya Nadella echoed this call to arms from both Block and Schulman, supporting GDPR and focusing on actions that individual corporates can take in the absence of a US avatar:
Data, and privacy around data at an individual level, needs to be thought of as a human right. In some sense Europe has taken the lead with GDPR and has effectively regulated that. We are, in fact, hoping to see more of a federal standard in the United States and around the world over. In fact we have taken some of the subject rights of GDPR and made it available worldwide. We believe that data and privacy around data is a human right and has to be protected.
It was the same party line from Sundar Pichai, CEO of Google parent Alphabet, who enthused:
GDPR has been a great template. It gives a standardized privacy framework. Often when we are in other countries and when we are thinking about privacy regulation, we point to GDPR as a template. I'm glad Europe took the lead on it and I think that it gives a good framework for all of us to work on.
For us, privacy is at the heart of what we do. Users come to Google at very important moments, ask us questions. We deal with people-sensitive information in Gmail, Google Photos and so on and so we have to earn that trust. Today we do it by giving them control and transparency and choice around [privacy]. Over time AI actually allows us to do this better and we can do more for our users. Most of the data today we deal with is to help users with their information needs and we can do that with less data over time.
It's important that products need to work for everyone. It's a foundational principle. Today if you take a product like YouTube, we allow users to pay for it and get it in an ad-free basis or you have an ad-supported product. It’s what allows us to take information and provide many services to billions of people around the world. Privacy cannot be a luxury good. We need to make sure we develop services in a way that works for everyone, but puts them first and is privacy enhancing. That's the journey we are all on, but ultimately it's up to users to choose.
It is important to keep the value of digital tech for the greater good in mind, Pichai added, and not over-regulate:
The value of Internet comes in connecting the world and to do that you need a free open Internet to work. At the same time, [privacy] is a big big topic in Europe and other countries around the world. Politicians rightfully are charged with protecting their citizens and as part of that data sovereignty is an important topic. But it is inherently a balance. I think countries need to focus on the highest risk areas and maybe add protections around it, but you want to help preserve a common Internet.
At present, India is working on a new set of data protection regulations that some non-domestic tech providers fear are too prohibitive and protectionist in nature. Pichai used India as a case in point to support his argument:
Even in India, for example, if you take a product like YouTube, for many creators in India more than 50% of their views come from outside of India. The Internet is essentially an export product. You can build a service and regardless of where you build it, you can reach people around the world. That's what's great about the digital economy. It creates new opportunities. That’s the balance countries have to strike but I think there are good regulations - GDPR is a good framework. But as we think about how you can protect privacy for your users, for your citizens, it doesn't always mean data has to be siloed in a particular way.
For his part, Nadella also had an interesting caveat to add to the basic premise around the importance of privacy:
You have to be transparent, but here's the interesting thing - I think that this term that I like, which we use, called data dignity goes one step further than privacy. Data that you contribute to the world has got utility - utility for you, utility for the business that may be giving you a service in return, and the world at large. How do we account for that surplus being created around data, and who is in control around giving those rights? That's the next level of work we all need to do, where it's not just, 'Oh I have privacy. And I just give away my data'. I should be able to in fact control in a much more fine-grained way how I do that.
That’s going to mean exploring new business models and concepts such as ‘data wallets’, he said:
I think that these are the kinds of mechanisms we should be experimenting with. Today, if you think about the exchange - what is an ad funded business model? Ad funding is not a bad business model, because in some sense you're getting a free service, but that's the only data driven business model purely where there is value exchange. You could even say that the value exchange is not fair because the middleman, in this case the ad broker, makes all the profit. What if this thing was split a lot more evenly, so the consumer benefited a lot more than just [getting] the free service? … I believe some of the best economics work should happen around data dignity and that new business models in the 2020s will hopefully allow us to get there.
For example, how do you do price competition in a second price auction? In some sense, you could say, 'Hey let me lead the price and who gets what for data.' What needs to happen is real business model innovation around the ad funded business model of today. I don't want to say that any one business model is problematic. The world needs all business models. That's the point. You can't have just one business model be the only business model. That's I think what's not great for the world.
And it’s the consumer space that needs to play catch-up, he stated:
The enterprise market is one where there is data dignity. No enterprise wants their data just to be [data]. It should create surplus for themselves. Why is that not true in the consumer space? Today the [consumer] value exchange is a weak value exchange because you're giving away valuable data for what is considered a free service. But is the free service you're getting really all of the value you should be getting for your data? That is what I think is the question that needs to be asked.
Nadella’s call for a rethink of value exchange around data and privacy in today’s business models is an interesting longer term idea. That said, the day-to-day practicalities of encouraging other countries to take up a GDPR avatar at national level are the immediate priority. Sadly there’s still precious little chance of the US taking action at federal level, although the fight goes on, while the tortured progress of India’s thoughts on this matter provides a reminder of the challenge in striking a balance between vested interests and the greater good.