Anne Toth is the head of data policy at the World Economic Forum’s Fourth Industrial Revolution Center in California. She formerly worked as head of privacy for Google’s social products, as Yahoo!’s head of privacy and chief trust officer and as vice-president of people and policy at Slack. She recently agreed to be interviewed by The Innovator on the potential impact of Europe’s GDPR legislation.
Q: Europe’s new General Data Protection Regulation (GDPR), which took effect on May 25, grants individuals expanded rights over how their personal information is collected and used, and companies that don’t respect those rights will be subject to potentially huge fines. But much remains uncertain about how it will be implemented by businesses and enforced by authorities. How should companies deal with the uncertainty?
AT: The large companies will take some steps forward and then wait to see if those steps are sufficient. Everyone is doing their best to interpret the rules but the costs may be disproportionately higher for smaller and medium sized companies.
Q: Do you think that the rest of the world is going to end up embracing GDPR?
AT: The underlying assumption is that the European model is more protective because it grants greater privacy rights in principle. There are other approaches that are different but not necessarily significantly less protective in practice.
Q: What bumps in the road do you foresee for GDPR?
AT: It is still very early days but GDPR as a general rule gives data subjects more control over their data and one of the ways is the right to erasure. This isn’t new, Google in particular has had to comply with this requirement for some time. But blockchain technology is based on a decentralized ledger which stores data in a decentralized and secure way. Information stored on the blockchain is immutable and secure. Because there is no one central authority and because the data is encrypted, you basically cannot delete data from the blockchain. This is a stark example of how an individual’s right to privacy runs up against the nature of the technology. It is not clear if any organization storing personal data on the blockchain will be compliant with GDPR as it’s currently written.
Q: What about the Internet of Things (IoT) and connected devices?
AT: By the year 2020 there will be at least 20 billion devices connected to the Internet and a large percentage of these will likely be collecting personal information, including your autonomous vehicle and devices in your home. A lot of things will be collecting “ambient data” because we exude data everyone we go. The question we have to ask is how do we collect consent in that world and how meaningful is all of this consent anyway? The Cambridge Analytica example really demonstrated that there are issues with the way we frame consent for an individual. People might have understood that they were sharing their social graph and their personal information with an application developer, but they clearly did not expect it to be used the way it was, even if they technically consented to it. The nature of consent will become more complicated the more advanced technology becomes because we are testing the limits of people’s ability to understand technology itself.
Q: So what, in your mind, is the solution?
AT: These are hard problems. The intent of GDPR is to give people more control, more accountability, more enforceability and that is a good thing, but how do we achieve this? Is GDPR a workable solution? It is not so clear right now. Not just government but all stakeholders, including civil society, the private sector, academia, need to engage in conversations about this together to see how can we protect our information while not losing the benefits of the technology. Traditional regulatory processes are often too slow to match the pace of technology and the worry is that they will stifle innovation. When it comes to GDPR what we are questioning is whether there is a different or complementary regulatory model that we can deploy that is more flexible to accommodate the rapid changes we see coming with technology.