Privacy Paths

The Apple AirTag debacle shows that there is a need to diversify privacy to protect people and brands. Diversifying privacy means more than diversifying product development and privacy teams. It means looking outside the compliance bubble and centring marginal voices, including those that challenge the status quo. 

Abigail Dubiniecki talks to Stewart Dresner and Tom Cooper and explains what went wrong with the Apple AirTag. 

Apple is usually regarded as the company at the privacy friendly end of the spectrum.  The latest consumer tech products are promoted as offering convenience. But developers ignore, understate or underestimate the possibility for harm. Harms to individual users as well as communities.

Some products and services are intended to vacuum up masses of data to monetise it. But even if a company rejects the outright monetisation of data as its main purpose, and instead is trying to create a product with privacy protections, some unforeseen problems can occur.

Apple and other companies can learn lessons from the AirTag story to avoid damage to their reputation.

This podcast is based on Abigail's article in PL&B International Report April 2022.

Resource referred to in the podcast: Just Tech

 Abigail Dubiniecki is a privacy lawyer and consultant based in Canada who helps clients in the UK and Canada implement GDPR and other privacy and data protection laws. She specialized in operationalizing Privacy by Design and is a privtech and  emerging tech enthusiast. 

Age verification and estimation by companies to protect the privacy and safety online for young people

Stewart Dresner talks to Iain Corby, Executive Director, The Age Verification Providers’ Association (AVPA) and Project Manager, euCONSENT. 

There is consensus that young people should be safe online. But how should organisations behave in an ethical way? How to reconcile the commercial objectives of data acquisition and retention, and the legal objective of data minimisation and data protection by design?

There are many international and national initiatives on online safety for young people. All are trying to protect “the best interests of the child”. How are companies engaging with them?

There is a continuum as children mature into teenagers and then into adults but regulations impose specific ages when content should be restricted. This is the issue at the core of attempts at regulation to better protect young people from online content of a violent or sexual nature, or increasing the risk that they will be led to the consumption of tobacco, alcohol, gambling and other dangerous and inappropriate content.

Iain Corby discusses with Stewart Dresner how companies are working together to achieve a credible method of age estimation and verification.

Privacy Laws & Business will cover this subject in more depth in our free webinar on the afternoon of Wednesday 16 March:  Helping young people to better protect their privacy and safety online. 

In addition to Iain Corby, participants will include the Acting Head of Children’s Policy at Ireland’s Data Protection Commission, a representative of the games industry, academics, and a Privacy Policy Manager for Meta.

Justin Antonipillai, Founder and CEO, WireWheel, discusses with Helena Wootton and Stewart Dresner the privacy laws most likely to be adopted in the US. His experience of leading President Barack Obama’s attempt to have a federal privacy law adopted by the US Congress enables him to explain why he considers such a law in the next five years as unlikely. The new Chair of the Federal Trade Commission, Lina Khan, is more energetic on privacy issues. Stronger sanctions are likely but the FTC is constrained by its narrow scope and lack of a comprehensive federal privacy statute.

Meanwhile, the initiative is being taken by the states, with California in the lead once again as it was some 20 years ago with a data breach law, later copied by the other 49 states over the next 20 years. Virginia and Colorado are now the first states to follow California’s lead in adopting new state privacy laws but each one is different from the others, making life difficult for companies doing business across the country.

Antonipillai, having led the US negotiations with the EU on the EU-US Privacy Shield, is aware of the commonalities and differences between the two sides. Companies need to map their collection, storage and disclosure of personal data against the many different privacy laws around the world and take steps to manage the personal data in their systems is a consistent way taking into account the interests of the data subjects.

Canada leads on applying privacy law to sales of recreational cannabis.
 
Michael McEvoy, Information and Privacy Commissioner for British Columbia (BC), Canada, explains why and how he has applied the BC privacy law to the legal retail sale of recreational cannabis. To coincide with the legalisation of recreational cannabis, he published in October 2018, Protecting Personal Information: Cannabis Transactions, the world’s first guidance on this subject. This was updated in a revised version in August 2021. He explains the main privacy issues common to the retail sale of other products in general and alcohol in particular, and the impact of the pandemic on trends which impact privacy. This guidance has additional benefits of attracting the public’s attention to their data rights, and retailers about their responsibilities.

We discuss how this world leading BC guidance is now having an impact across Canada and several other countries where the law on the sale of recreational cannabis is being relaxed to fulfil a mainstream need.

Listeners to this podcast can obtain the related article published in the August 2021 edition of PL&B International Report by emailing: [email protected]

Guernsey is an independent island jurisdiction located between the United Kingdom and France. In this podcast, Emma Martins, Guernsey’s Data Protection Commissioner, speaks to  Valerie Taylor and Stewart Dresner about this Channel Island’s adequacy declaration from the EU, and its importance for its digital economy of retaining free and safe data transfers between Guernsey, the UK and the EU. 

The Commissioner does not see privacy and innovation as a zero sum game and is confident that it is possible to incorporate both values into products and services. She deploys fines and other enforcement tools when necessary but has recently launched Project Bijou, a human-centred method for incorporating privacy values into both everyday personal life and work. Find out how Guernsey balances the gravitational pull between the UK and the EU.

Laura Linkomies talks to two privacy experts, Marta Dunphy-Moriel, Partner at Deloitte, and Alexander Dittel, Associate Director  at Deloitte about privacy issues with adtech. Learn what companies using adtech can do to be transparent and comply with the UK Data Protection Act. 

Do app developers gather information in a legally sound way? Apps often involve trading one’s personal data for a usually free useful or entertaining service. Data privacy laws apply to apps so how can developers navigate this legal terrain?

We explore Clubhouse, the audio meeting app which is on a rising trend, and the privacy laws which apply to it, as they do to all apps.

The key legal questions we ask in this episode: do users understand the process? and do they know how much data the app developers are using or “harvesting”? These issues are heightened because of mobile devices’ small screen sizes; the complexity of the opt-in or opt-out process; and the use of persuasive techniques by deploying colour and design to persuade users to consent or ‘opt-in’ to use of their personal data. We all know that app developers want access to one’s contacts and location – but is this lawful? Companies want to monetise valuable data by analysing it and sharing it with other parties. This happens largely because the individuals desire the essential and attractive (at least in the mind of the prospective user) service provided by the apps. 

Are the regulators keeping up? These app companies seem to live in a different world from more conventional companies, and we ask how hard the law will have to work to catch up?

Participants:

• Richard Nicholas, Partner, Browne Jacobson LLP
• Helena Wootton, Correspondent and Data Lawyer, Privacy Laws & Business
• Stewart Dresner, Chief Executive, Privacy Laws & Business

Laura Linkomies talks to Jenai Nissim, Director of HelloDPO and James Young, Legal Counsel for the Frasers Hospitality Group, the global hospitality company which includes Malmaison Hotels. They cover what is included in the role of Data Protection Champions, how they won top executive buy-in, made Data Protection Champions work on a win-win basis, and how  benefits have rolled out across the group in many countries.

China issued a draft law on the Protection of Personal Information in October 2020. Now that the consultation period has closed and the law is expected in 2021, Yan Luo, Partner at Covington & Burling’s Beijing office explains some of the key aspects of the draft and what it will mean for companies doing business with China. 

Opt-out rights are enshrined in many national privacy laws and regulations, which provide individuals with a right to opt-out of unwanted marketing. But this is a time-consuming process and often requires know-how and commitment. Global Privacy Control (GPC) is a new mechanism which enables anyone to easily opt out of website-based marketing. 

Rob Shavell, Founder and CEO of Boston-based Abine (which includes DeleteMe and Blur), explains the organisations, websites and major media groups behind GPC. They include the Washington Post, the New York Times, the Financial Times, browsers, including Mozilla’s Firefox, DuckDuckGo, Brave and Consumer Reports. They are working together to develop GPC. 

We discuss with Rob how GPC’s web-based opt-out works and how it could enable website users to implement their opt-out rights around the world. The opt-out right for individuals has gained traction in the USA as a result of California’s Privacy Rights Act of 2020 but the principle applies wherever the GDPR ripples around the world. 

How has the attitude of major tech companies to opt-out technology developed in recent years? The new US federal political landscape in January 2021 could provide fertile ground for a federal privacy law which might include these rights. Will privacy regulators in other countries start to recognise the value of GPC and will the mass of consumers take up GPC?

Participants:

• Rob Shavell, Founder and CEO, Abine; DeleteMe and Blur
• Helena Wootton, Correspondent and Data Lawyer, Privacy Laws & Business
• Stewart Dresner, Chief Executive, Privacy Laws & Business