Data Privacy Day 2023
Michael Brennan, Data Protection Officer at Profusion
Happy Data Privacy Day (28 Jan) everyone. Not to be confused with International Lego Day or Reducing CO2 Emissions Day. One of those sounds a lot more fun than the other two, so feel free to carry on building while we discuss where we are and where we’re going with Data Privacy.
UK/GDPR
By coincidence this week saw the first GDPR awareness session of the year at Profusion. Always a high point in the company calendar (!), this week’s session was no exception. One of our themes was around just how much the world has changed since 2016 when GDPR was first passed into EU law.
The most immediate landmark event was the UK Brexit referendum, as a result of which the government is today grappling with a revised approach to data protection and potential divergence from the main body of the EU GDPR. As we discussed, there is a need to tread a fine line here if we are to protect our time-limited adequacy agreement with the EU, allowing for the free flow of data between the two jurisdictions.
The technicalities of GDPR aside, there can be no doubt that the mood music surrounding data protection and privacy has changed forever. As Econsultancy reflect in their recently released Digital and Marketing Trends 2023[1], it’s startling to see how the AdTech industry has pivoted toward first party data solutions while brands have been busy aggregating their first party data and connecting with media partners.
Generative AI
From the technology and data side of the equation the biggest trend since GDPR was conceived and went live is the growth of artificial intelligence, highlighted by the launch of ChatGPT by OpenAI last year and complemented by a range of image generation tools, all falling under the umbrella of Generative AI.
Clearly there are issues surrounding these large models, including their scraping of data from across the internet with little regard for privacy, copyright or intellectual property. It was only last year that the UK regulator, the ICO, issued a £7.5m fine to Clearview AI for their use of UK citizens’ personal data (images), together with an order to destroy all images sourced from the UK.
Apple
In terms of the global picture, with so much noise around data protection and privacy it can be difficult to separate what has been called privacy theatre from serious moves to enhance and protect personal privacy. Apple for example have been a high profile leader of the privacy agenda, including the launch of their App Tracking Transparency tool. Very welcome on its own but failing to address how Apple uses personal data within its own ecosystem[2]. Surely the negative impact on Facebook and other social platforms was unintended collateral damage and not by design or intent?
Similarly one of the key drivers of the new privacy agenda has been Google’s long promised, and now scheduled for (the end of) 2024, deprecation of third party cookies, one of the fundamental building blocks of what has become known as Surveillance Capitalism. The fact that this plays into the hands of a business with a uniquely vast data ecosystem full of invaluable first party data is surely incidental to their quest to support our privacy?
Meta
As for Meta (the company formerly known as Facebook) it really is hard to understand where they sit in this new landscape. Casting our minds back to the first half of 2018 and the dash for GDPR compliance, it’s incredible how powerful a driver of change was the whole Facebook-Cambridge Analytica data sharing scandal[3].
Astronomical fines
In fact, as we discussed in our awareness session, Meta has been hit with a series of fines over the last five months alone, sufficient to sink most businesses and probably many exchequers. Since just last September they have received four fines with a cumulative penalty of 1,285,000,000 EURO[4] for non-compliance with general data processing principles, insufficient technical and organisational measures to ensure information security, and insufficient fulfilment of information obligations.
By contrast the timing of the Cambridge Analytica scandal meant that Facebook only received the then maximum penalty of £500,000 that the ICO was able to levy under the previous Data Protection Act.
The latest fines go to the very heart of the Meta advertising business model[5] with the rulings making clear that the EU believes that burying data processing activities (in support of targeted advertising) within the fine print of service agreements is an unacceptable bundling of consent with service delivery. Therefore, in the terms of GDPR, the performance of a contract is not an appropriate legal basis for data processing. The implication being that Meta will be forced to ask for user consent to their data processing activities[6].
There are significant implications for the many apps that bury (and bundle) their data sharing practices within their terms of service agreements rather than as a standalone (optional) proposition. The ideal scenario is that there is no functional or service deficit experienced by those who choose not to opt-in to data processing for advertising or for data sharing with third parties. The reality is that many apps wouldn’t be viable without these revenue streams.
Privacy Panic
Given all of this it’s perhaps not so surprising that Econsultancy cited The Privacy Panic Takes Over as one of their four marketing and advertising predictions for 2023[7]. In their own words:
“2023 will be the year that the privacy panic sets in as marketers face mounting privacy laws and the approaching deprecation of cookies.”
Econsultancy go on to highlight that new privacy laws went into effect in five US states (California, Colorado, Connecticut, Vermont and Utah) as of the 1st January 2023 with a federal privacy law ‘pretty much just a matter of time’.
Time to Act
We completely agree with the Econsultancy advice to marketers that now is the time to act on these challenges. For businesses operating in the USA, ensuring compliance with state privacy laws will prepare you for the inevitable federal legislation, while the end of cookies will come sooner than you might think, and you need to start testing and planning for alternative approaches.
But there is more than a legal requirement in play. Consumers today are far more educated and informed about data practices than previously, something we should give GDPR some credit for, and privacy should be considered as part of a suite of values now positioned under the umbrella of ESG.
Brands are keen to differentiate through purpose and values, not least in the battle for talent, with Econsultancy also highlighting the continuing challenge of sourcing data and analytics staff and skills.
Beyond compliance
Within the UK and the EU, after almost five years of GDPR enforcement, you would hope that most organisations are by now largely compliant with the key requirements of GDPR.
With the acceleration of AI capabilities and the growth of automated decision making capabilities, now is the time to commit to an ethical approach to data analytics and technological innovation in the round.
We need to learn from and build upon the best elements of GDPR in terms of privacy by design practices and processes to create approaches that are ethical by design, by which we mean that we have fully interrogated our projects and initiatives to identify and mitigate risks arising, to identify and mitigate data biases and to ensure that we are acting with integrity at all times.
We should be clear that the ethical approach is an enabler rather than a blocker of responsible innovation. Baked into organisational cultures, it can play a vital role in the early identification of risks as we develop ever more sophisticated analytical capabilities.
With great (computing) power comes great responsibility, while data and technology are far too important to be left to the professionals. As we argue in the soon to be published Good Data Guide it is vital that data teams and projects are fully integrated with all aspects of the organisational culture and that projects are exposed to challenge and scrutiny from multiple, diverse, perspectives.
Concluding comments
So the times are certainly changing in terms of data privacy. It will be fascinating to see where we land, not least as so much hype and hope is invested in new approaches including web3, blockchain and the metaverse, while the hyperbole surrounding AI has only gone up another level.
Am I confident in terms of the bigger picture surrounding the protection of personal data and individual privacy from unwanted intrusion and processing by state and commercial actors? No, not really, at least not under the current system of economic relations.
But we can only change the things that are in our power, and if we want to build trusted businesses and organisations, to create sustainable brands, then it’s imperative that we act responsibly today.
And quite possibly move a little more slowly and try not to break too many things.
Is that too musk to ask?
[1] https://econsultancy.com/marketing-digital-trends-2023/?
[2] https://www.wired.com/story/opinion-apples-privacy-mythology-doesnt-match-reality/
[3] https://www.theguardian.com/technology/2019/mar/17/the-cambridge-analytica-scandal-changed-the-world-but-it-didnt-change-facebook
[4] https://www.enforcementtracker.com/
[5] https://techcrunch.com/2022/12/06/meta-gdpr-forced-consent-edpb-decisions/
[6] https://dpnetwork.org.uk/meta-fine-takeaways/?
[7] https://www.insiderintelligence.com/content/4-marketing-advertising-predictions-2023