Privacy as the 21st Century luxury

Data is a new currency. In today’s ever evolving use of data – such as self-driving cars, mobile health apps, geo-location apps and the omnipresent smart phones – it has become the most prized asset. And everyone wants more information and more data which in most instances means more personal data, or as the Americans call it, more PII.
 
Data Breaches
 
The increase in data collected and processed by companies equally results in the increased risk of loss and unauthorised access. But the appetite for collecting more personal data has not decreased in spite of the large amount of fines applied. For instance, Alaska Department of Health and Human Services has signed a resolution agreement with the U.S. Department of Health and Human Services that included a $1.7 million settlement (because of a stolen USB drive potentially containing data on 501 Medicaid beneficiaries). The Federal Trade Commission and the state of New Jersey announced they have reached a settlement with smart TV manufacturer Vizio for collecting data on 11 million customers without the users' knowledge or consent, according to an FTC press release dated 6 February 2017, Vizio has agreed to pay $2.2 million.
 
On this side of the Atlantic the second largest ICO (U.K.) fine so far, £325,000, involved the sale on the internet of hard drives containing sensitive health information on tens of thousands of individuals.
 
Another well-known case involved Yahoo, in which the number of compromised accounts was about one billion. In this instance there has yet to be any fines issued.
 
This is an increasing trend and we are not even counting all those cases that are not made public, especially by banks, as this is seen as being able to compromise their “solid” reputation.
 
The Apple case (San Bernardino shooter)
 
Even the most powerful tech companies have issues relating to privacy. In a high profile action against the US Government, Apple refused to produce a code that would get around the security countermeasures on the shooter’s device. It ended in Court, as predicted, but later on with the alleged help of an Israeli company it was possible to break the security of the device thus allowing the FBI access to the device’s content.
 
Apple, in short, refused to do workaround code alleging that it would undermine Apple users’ privacy as it could not control whom, at the end, would have access to this “back door”.
 
This case forced public leaders from Barack Obama to Bill Gates to declare where they stood on the balance between privacy and national security.
 
Data Surveillance scandals (the post Snowden era)
 
On the same line of thought is the data surveillance activities carried out by the government of many countries. The US was portrayed as the one conducting mass surveillance on its citizens and on foreign leaders (such as on Angela Merkel in Germany) but the fact is that telephone call interceptions are made everyday everywhere. In Portugal, for instance, you can only do it if there is a suspicion of a serious crime and you have a court order authorising it. Now, it is this lack of judicial control that was present in the US case.
 
What Snowden uncovered was a scandal but we tend to forget that closed circuit television cameras in most of the European Capitals collect individual movements, which are tracked and stored for later analysis. Automated and real time identification of large numbers of people are now undertaken and the risk of further abuses is growing, according to Privacy International. Image is personal data and unless there are prevailing interests, then the right of privacy of the individual should prevail. Why? Because suddenly we are all suspects.
 
The European Court of Justice has had to take a look at this “presumption of guilt”. In fact, in its recent case, Digital Rights Ireland case, the Court of Justice was called upon to decide on the validity of a European Directive that obliged mobile and other telephone companies to collect and maintain for a period up to two years the metadata in relation to all telephone and mobile telecommunications. Origin of the call, date and time of the call, originating number, recipient number, duration of the call, amongst others, was systematically collected and stored. The only thing that was not collected was the contents of the call itself.
Now the Court considered that this, because of the large amount of personal data collected, enabled the drawing of a very precise profile of the individual and therefore would create a sense of being permanently under surveillance. When balanced with the public interest of fighting crime (the purpose of the collection of these vast amounts of personal data), the Court held that the right to privacy of the individual should prevail, and invalidated the Retention Directive.
 
Personal data as the currency of the future
 
When one creates a Gmail account or subscribes for free services one cannot expect that “Google gives you 15 GB free to use for each Gmail account” is really for free. Google is not Social Security, you must give them something in exchange. And this exchange is your personal data. Can we really expect that our privacy remains untouched when we hire a free service? Are we innocent enough to believe that companies provide services for free? No. These companies obtain most of their income from publicity. But untargeted publicity is a thing of the past. Nowadays only targeted publicity is valuable so Google creates (or allows others to create) profiles of its users so that the publicity it allows third parties to send to us is what we would like to buy. And for this they access your personal data. If we look at Google’s privacy policy we will see that “We and our partners use various technologies to collect and store information when you visit Google service, and this may include using cookies or similar technologies to identify your browser or device. We also use these technologies to collect and store information when you interact with services we offer to our partners, such as advertising services or Google features that may appear on other sites.“ “We also use this information to offer you tailored content – like giving you more relevant search results and ads.”
 
So Google collects our personal data and uses it to offer tailored content, which is another way of saying personalised ads. But it is not only Google who does this. This has become a widespread practice. So I opened a free email account and my payment is made via the personal data they receive. That is the trade nowadays.
 
This leads me to big data. It is now time to reclaim our privacy. Massive amounts of data are (and have been) collected via our online activity. This is used by companies to create our consumer profiles and, again, offer us the products and services that the algorithm has decided that we need or desire. We are profiled and targeted publicity at the cost of our privacy.
 
There are pros and cons to this methodology but there is also a way of balancing privacy. For instance, the European General Data Protection Regulation has accomplished this by requiring some sort of involvement in automated decisions. When we are being subject to a credit score we have the right to have a person taking the decision and not only the result of the automated process.
 
Gartner, Inc. has predicted that by 2018, 50% of business ethics violations will occur because of improper use of big data.
 
However, one of the bad things about big data is the sheer size of the information that companies collect and store. According to Gartner, 50% of the business ethics violations will occur because of improper us of big data. Analytics present a risk of failure and not mitigating risks present a risk of loss of reputation, amongst others. And what analytics do is analysing the vast amount of data, most of the times personal data in order to create a profile of the user with its preferences. Is there a real privacy right that the concerned subjects may call upon?
 
In fact again the Regulation helps us by giving new rights to individuals such as the right to oppose and the right to be forgotten.
 
Privacy as the 21st Century luxury
 
“Data is transforming society — some call it the Fourth Industrial Revolution”. The World Economic Forum’s view couldn’t be more accurate. We are in an era which has surpassed the third industrial revolution where the fuel is now data, personal data. This revolution is, as the WEF defines, a revolution in velocity, scope, and systems impact.
 
“It is characterised by a fusion of technologies that is blurring the lines between the physical, digital, and biological spheres”. In fact we have autonomous cars, artificial intelligence and bionic hands. And when the lines are blurred, the issues from one side of the line sometimes cross to the other side.
 
We live in an era in which the internet of things will be consolidated, where there are intelligent houses, intelligent cars and biotechnology, amongst others. They collect personal data because it is needed for their purpose. But we are only beginning to realise that this data may (and certainly will) be used for other purposes that we cannot even think of at this moment. And they are much easier to hack into because the companies that manufacture them do not have privacy as one of their top priorities. They are manufacturers with an add on, and digital security is still an unknown concept to them. Personal data is being collected without the appropriate security safeguards and this means someone who should not be able to access it can easily access them. And this is a problem.
 
Closing remarks
 
As we have seen, privacy is a growing concern and is struggling to remain as a fundamental right of the data subjects. The loss of control over our data will only intensify in the years ahead but companies are required to high levels of transparency and this will enable them to maintain their competitive edge.
 
As the World Economic Forum puts it “In the end, it all comes down to people and values. We need to shape a future that works for all of us by putting people first and empowering them.” This applies entirely to protecting our personal data. At the end we tend to believe, like others, that privacy will be luxury of the 21^st century. Companies that are compliant with Data Protection Laws, such as the ones resulting form the GDPR, have a competitive advantage towards the non compliant ones. This will be particularly important if we acknowledge Portugal as a start up hub as most of the new companies will have a strong digital presence in the future. On the side of the individuals, Portugal can be seen as a safe haven for those seeking more privacy in their lives. Portugal is already fully protective of the right to be forgotten and of all of the other rights that empower individuals to control their private life. All in all privacy is the new luxury and Portugal is fully aligned with this.
 
Ana Menezes Monteiro, CIPP-E/CIPM
ana.monteiro@caetanodefreitas.com
00 351 213 170620
Linkedin: https://www.linkedin.com/in/anamonteiro/
Ana Menezes Monteiro is a lawyer specialising in IT Law and Data Protection. Her experience include 10 years of experience as in house Counsel and Compliance Officer in an IT Consulting multinational Company and advising on Data protection matters for several clients. She holds two certifications from IAPP, CIPP/E and CIPM, which demonstrates a profound knowledge in Data protection matters.