Pii2011 – Data Protection As Entrepreneurial Task
Last week I visited Pii2011 in San Jose with our Chief Privacy Officer (aka @horax). Pii2011 is the second of its kind, an exciting conference dedicated to exploring privacy, identity, and innovation. The conference was founded by (among others) Natalie Fonseca (@techpolicy), a well-known technological and political activist from the US.

The name of the conference alone sparks interest; the acronym PII is already in use in the data protection world, and generally stands for “personally identifiable information”. I assume that this was not deliberate, but seeing data protection treated in conjunction with identity and in particular with innovation is inspirational – after all, it is a concept more usually associated with security and prevention.
This was the second fascinating aspect of the conference: it is clearly directed not just at policy and data protection experts, but also at entrepreneurs. Not to read them the riot act and determine what they may and may not do, but instead due to the profound (and probably very American) conviction that significant innovations will stem from businesses, not from lawmakers (“free markets will usually find a better solution”).
There were thus several start-up presentations in which companies could introduce themselves. The talks ranged from start-ups aiming to use fingerprinting and – warning, hold tight – DPI for targeting (in a data protection-compatible and user-friendly manner), to those developing identity solutions which create mini trust networks in order to secure digital identities using social networks. One of the start-up round winners was personal, which has developed a comprehensive data management solution for users. The idea is that the user organizes and administers their personal information into different dimensions (e.g. health, travel, music…) and then unlocks it on a targeted basis for other parties to use.
Do We Need Clearer Legal Frameworks?
This question was hotly debated, despite the enthusiasm which touted companies as universal sources of innovation. It is important to note at this point, however, that the legal framework in the USA is not defined as clearly for many internet-related questions, meaning that the discussion is not necessarily relevant when applied to Europe. On the one hand, there was general agreement that the government should keep out of most areas, working from the theory that they would only make things worse. On the other, there were talks which called for a type of digital framework in order to create basic models concerning identity, data sovereignty, etc. The debate is summarized quite nicely in this article at Good Morning Silicon Valley.
What Needs to Change about Data Protection?
A big topic of discussion was something that has long been in operation here in Germany – data minimization. This long-standing basic principle (used, for example, by the ULD – the Independent Centre for Data Protection Schleswig-Holstein – when issuing certificates), is increasingly viewed as an important building block for appropriate data protection in the USA. Data minimization means only saving that data which is really necessary, and only for as long as it is really needed – and doing so only for purposes consented to by the user in a way which they can understand.
Another concept also heavily promoted by data and consumer protection services here in Germany, was introduced by Michael Fertik, the founder of reputation.com – Fertik spoke on a type of “free data report”, known in Germany as a ‘Datenbrief’. However, the Yahoo representative rightly pointed out that there are many practical problems behind this idea. For example, Yahoo has certified approx. 250 3rd party networks, and a person using Yahoo’s sites would have to receive this data report from each of them…
It was, by the way, impressive to see, in this context, how personal.com answered the question “who does the data actually belong to”: as one of the first companies in this sector, personal.com has developed a “data-owner agreement”, a type of licensing contract between the data owner (=the user) and the data user (=the service).
The fantastic Esther Dyson, however, spoke about what users should actually expect from a good data player on the internet. That is, that they constantly inform the user in real time which data is currently being downloaded and used – of course within context and with control capabilities. And why shouldn’t that be possible? Dyson also made it clear that users are prepared to share even highly sensitive health information if enough transparency, control and trust prevail in data preparation (and security). She should know – one of her favorite projects is 23andMe… She also pointed out that, in her opinion, the main problems with data use occur “backstage of a website”, in particular when data is traded and exchanged with third parties without the user finding out about and/or being able to control the transaction.
Fertik of reputation.com made the point that, as data is increasingly becoming the fuel for most online business models and their administration, monetization and control should increasingly be turned over to the users, and we will thus need a sort of Paypal for personal data…
Of course the good old privacy policy will also have a role to play. In addition to sufficient jokes about readability and quality (a fun comparison – Facebook’s privacy policy contains more words than the Bill of Rights…) there were many exciting ideas for drastically improving privacy policy quality. Shorter, more visual, more interactive and better contextualized were the buzz words, and several initiatives were introduced which aim to display central privacy policy declarations with standardized icons, which could, perhaps, even be designed to be machine readable. There seems to be a great deal of room for improvement and innovation…
Here we would like to mention a great statement by a representative from Consumer Protection, in response to a question on how to separate good players from bad: “the good ones have a CPO (=Chief Privacy Officer) and you can reach him on the phone”, simple as that.
The Pii was – pretty amazingly for a data protection event – also a huge data-love and geek event. Esther Dyson determined that good service always has to be predictive, Tara Hunt (CEO from Buyosphere @missrogue) declared “I am a data geek”, and each and every discussion was somehow also filled with a fascination that seems inherent in all data-driven businesses and services – if they’re doing it right, that is.
Two further aspects of data protection and regulation are, by the way, also worth mentioning, one being the question “will regulation kill business?” On the one hand, it was correctly remarked that sensible legal frameworks do not necessarily destroy business potential, but can in fact create new markets (the deregulated telecommunications market, for example). Most notably, however, Marc Davis (Microsoft) uttered the conviction that “we will do better business when people have control over their data”. This may indeed be one of the main drivers for sustainable innovation in data protection – companies that act not just out of fear of bad PR, but rather from the profound social conviction that solutions which take the user seriously on the subject of data protection by delivering technologically mature solutions will, in the end, generate more revenue.
All in all a wonderful, very inspiring conference. There was not a single boring panel, participants discussed controversial subjects and opinions, and above all there were huge amounts of euphoric and forward-thinking energy in play. It would be incredible to have a conference like this in Europe… We could even add a nice post-privacy or open vs. closed track (the only thing that I really felt was missing from Pii, @jeffjarvis would have done a great job to fix that…) and attempt to discuss data protection in connection with questions about digital identity. Of course, we would need to make sure it focuses just as much on innovation and therefore on business. That would be amazing.
