Why the difference between data privacy and data protection matters
“The minute you surprise your users, you screwed up.”
That’s how Denelle Dixon, chief operating officer at Mozilla, described the work of the company’s policy group, which is largely responsible for what happens to user data–and responsible for ensuring that users are not surprised by any of it.
Dixon, speaking on a panel at the Fast Company Innovation Festival, was partially referring to the alarm generated by the recent Mr. Robot-branded plug-in installed in the Firefox Quantum browser. It was disabled by default and no data was collected, but Dixon said Mozilla took a lot of flak for it, which proves that data privacy and protection are continuously evolving as new tech gets adopted and more information flows through it.
That sentiment was echoed by Kate Black, 23andMe‘s global privacy officer and senior counsel. In healthcare and biotech, she said, data collection can power personalized care and medicine. “You want to make sure it is a learning healthcare system that grows with you,” she cautioned.
Black said she sees 23andMe’s role, as well as that of other health tech companies, as stewards of data. “You have to be brutally honest about where the data is going, and make sure the user has enough choices and control over their data and information,” she said, “but are not confused by too many choices.”
Black, Dixon, and John Borthwick, CEO of Betaworks, all discussed the changes that have led up to the “data industrial complex,” and how the EU’s new General Data Protection Regulation (GDPR) law contrasts sharply with the U.S. free-market approach. The difference, they said, is that the EU looks at data as something to be protected, while the U.S. is concerned more with privacy. “You could argue that GDPR at its core is so much further ahead,” said Black, who added, “I’m hoping over the next few years there will be American reckoning of the same kind.”
Until then, it’s on companies to ensure they are doing all they can to protect user data and keep it private. For Borthwick, who works with startups, that is a discussion that happens around the life of the company. He says he can tell right away whether a founder is basing their mental business model on how much data can be collected and leveraged. “The most important thing you can do for a company,” he argued, “is to start building [policies to protect user data] in the culture.” As more companies derive revenue from user attention, Borthwick maintained, “That is the durable bit that gives you guardrails. Attention economics needs guardrails.”
Dixon said Mozilla went from not collecting data to assiduously determining what to collect and how to communicate it. Unfortunately, she said, “[In the U.S.] the word privacy means nothing. We tried to put the word data in front of it, but it still doesn’t mean anything.” However, she continues to believe that individuals have the power to change the way companies use their data. “Kids stop using products all the time when they don’t like them,” she said as an example. “That’s empowering.”
Each panelist agreed that the U.S. government should be creating laws to regulate the way companies can gather and use data, in addition to giving people the agency to control their own personal information. “Data is the new gold,” said Borthwick. “The new oil.”
(22)