News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | ICO's McDougall: 'We're losing a battle for trust,' but there's a solution Related reading: New ICO project aims to facilitate privacy and innovation

rss_feed

""

""

His opening statement was unequivocal: "We are losing a battle for trust." That is, people are losing trust in modern business and innovation. 

The reason? "Every time we create something cool, we are not bringing people with us. This trust deficit widens and widens."

In his keynote address here at the IAPP Data Protection Intensive in London, U.K. Information Commissioner's Office Executive Director for Technology Policy and Innovation Simon McDougall, CIPP/E, CIPM, CIPT, presented a clear warning to players in the current digital ecosystem.

On the one hand, "we're living in a really exciting world with innovation that brings huge changes to how we live and work," he said. Personalized medicine is extending lives. Smart cities are curbing air pollution and organizing traffic flows. 5G telecommunications networks are about to "radically change our interaction with our phones and devices." 

But at the ICO, he warned, "we're seeing issues around this trust deficit." For example, the agency's annual track survey found only 15 percent of those surveyed have a high-level trust in social media. "Only 10 years ago," McDougall said, "tech firms could do no wrong." The wow-factor era for the latest smartphone or online search capability has gone the way of the dodo. 

For McDougall, people are now living in an "age of unhappiness" and are not feeling empowered. With large tech companies, the balance of power has shifted, and "people are feeling unhappy about that." But at the same time, he observes, "people are still using their devices because they don't feel like they have a choice," and "acquiescence does not equal trust."

To illustrate, he pointed out that the "agree button is one of the biggest lies on the internet. This is not consent. This is not notice."   

Ultimately, what this means is that the digital economy is heading toward a crisis point. "There's an express train heading toward the privacy community. If we don't react, we will reap the consequences." 

But all was not doom and gloom for McDougall, who believes this is also a time for opportunity. In his new role at the ICO, he gets to offer stakeholders the "carrot" while being on the front lines of innovation. And this means working with innovative companies, thought leaders, privacy pros and other organizations. 

Citing a recent ad tech event hosted by the ICO, McDougall said the agency aims to work with the industry and innovators. Though, he said, "We're not happy with what we're seeing in ad tech," a debate and conversation are going here. 

To help work with industry on several fronts, McDougall said the ICO is also focusing on artificial intelligence by working with the Alan Turing Institute to help develop and enhance its expertise in the growing AI field. This would include learning how to make the technology's decision-making capabilities more explainable to people. To help, the ICO has set up an AI regulators' group "with as many regulators as possible," and hired AI expert Reuben Binns to build out an AI audit framework. This would include finding out how an AI is developed, built and tested and how training data is used, as well as how to address black-box algorithms. 

Similarly, the ICO has launched a grants program to help promote and support innovative research and solutions for privacy problems. It has also built a "regulatory sandbox" — a safe space of sorts in which startups and innovators can work with the ICO to figure out ways to create innovative services and products that use personal data while simultaneously protecting it. Continuing, the ICO has named the first two members to its new ICO Technology Advisory Panel: Luciano Floridi and Emiliano de Cristofaro, long-time experts in the data ethics field. 

Significantly, the ICO is working on new and updated guidance on anonymization. Its last guidance came out about 2013, McDougall said, so it's due for an update. Cookie guidance may also be on the docket, and blockchain was in the queue ... that is, until French data protection authority, the CNIL, came out with its own guidance in 2018. The CNIL's guidance was good enough, he said, that the ICO decided it didn't need to put out its own. But, he added, the ICO is working to engage further with the blockchain community. 

The amount of work the ICO is doing with technology and the front line of innovation gives McDougall hope. 

"My key message," he said, "is that the ICO is nothing without the help of the people in this room. As privacy pros, you are on the front lines at your organizations. You make decisions about compliance and ethics. These are the real decisions, and you are snuffing out the issues along the way. We at the ICO want to ensure you that we support you." 

The "innovation discussion is critical," McDougall said, so that privacy pros and regulators are not the people who are always saying "no." 

"This is personal for me," he said, pointing out his years as a privacy pro working to advise chief privacy officers. "We want to make sure the ICO is helping privacy pros do the right thing like the IAPP helps privacy pros do the right thing." 

And it's by doing the right thing and working together that will help people regain the trust that has been lost in recent years. "That makes me optimistic," he said. 

Author
Headshot Jedidiah Bracy IAPP Staff Contributor
Tags
Europe
Enforcement
Ethics
Privacy Community
Privacy Law
2 Comments

If you want to comment on this post, you need to login.

  • comment Gary LaFever • Mar 13, 2019 
    <p>AVOID THE TRUST DEFICIT WITH AI</p>
<p>Focusing on data breaches, subject access requests (SARS), and consent is distracting and confusing when it comes to AI. What the industry needs is clarity on what is necessary to lawfully POSSESS and USE personal data for AI. This must be clarified NOW before AI design implementations become widespread and significant investments are made. Once made, companies and countries will resist changes because – from an economic return on investment perspective only – it will be more cost effective to engage in regulatory arbitrage than retool AI technology.</p>
<p>TRUSTWORTHY AI FAQs</p>
<p>Q1: How Can Personal Data Be Unlawful to POSSESS Under the GDPR?</p>
<p>A1: Data Controllers Must Take Affirmative Action to Transform Data Collected in Noncompliance with the GDPR for it to be Lawful to Possess.</p>
<p>Q2: What Is Necessary for Lawful USE of Personal Data In AI?</p>
<p>A2: An Alternate (Non-Consent) Legal Basis with Technical and Organization Safeguards Is Required to Protect the Rights of Data Subjects.</p>
<p>CLARITY ON DATA AND USE</p>
<p>It’s great to see the ICO taking action to address the “trust deficit&quot; with AI, including working with the Alan Turing Institute and AI expert Reuben Binns. [See https://iapp.org/news/a/icos-mcdougall-were-losing-the-battle-for-trust-but-theres-a-solution/]. While attention is rightfully paid to the enormous potential benefits from AI, this IAPP article highlights the need for AI to be “trustworthy,” “ethical,” and “non-discriminatory.”  However, whether a car is driven in a “trustworthy,” “ethical,” and “non-discriminatory” manner is irrelevant if the people in the car don’t even have the legal right to use the vehicle. Data controllers must take action to ensure that both their Possession and Use of personal data for AI comply with the requirements of the GDPR as well as other evolving data protection regulations. If this message is not widely publicized before AI processing is put into wide spread practice, data subjects will suffer as billions are invested by both countries and commercial enterprise in AI using illegal personal data and the rights of data subjects will continue to be sacrificed on an ongoing basis with no reversal as organization (i) elect to fight in court rather than change the AI processes in which they have invested, and (ii) decide that the most cost-effective course of action is “regulatory arbitrage” given the low risk and cost of enforcement action.</p>
<p>POSSESSION –The GDPR changed the nature of personal data so that it became highly regulated data. The last paragraph on page 31 of the WP29 April 2018 Guidance on Consent [See https://iapp.org/resources/article/wp29-guidelines-on-consent/ ] makes it clear that data controllers must take one of four specifically enumerated actions for data collected in noncompliance with the GDPR to be lawful to possess - doing nothing means the data is unlawful to possess since the GDPR does not have any “grandfather” or savings clause:</p>
<p>1.	Re-consent the data in compliance with required specificity, un-ambiguity and voluntariness, together with a separate non-consent legal basis for data subjects who do not re-consent so that consent is truly voluntary.</p>
<p>2.	Anonymize the data (in the true sense of the word) so that it cannot be used to infer, single out or link to data subjects.</p>
<p>3.	Delete the data (in the case of financial services firms and other regulated industries this could mean keeping a copy of data solely to comply with reporting obligations but not providing access to the data for any other processing).</p>
<p>4.	Transform the data to a non-consent legal basis while ensuring that continued processing is fair and accounted for.</p>
<p>PROCESSING – Certain data processing activities – like AI – are incapable of being described at the time of data collection with sufficient detail to support GDPR requirements for consent to serve as a valid legal basis. And, Legitimate Interest, as an alternative legal basis, requires technical and organizational safeguards that truly mitigate the risk to data subjects so that the legitimate interest of the data controller survives a balancing test of the interests of the parties. These safeguards must protect against unauthorized re-identification of data subjects via both direct identifiers as well as indirect identifiers that can be linked together to re-identify a data subject - the “Mosaic Effect.” Traditional technologies developed before increasing volume, velocity and variety of data - like encryption and static tokenisation - are incapable of combating the Mosaic Effect. The IAPP first published my article on this issue in 2014 - What Anonymization and the TSA have in Common [ See https://iapp.org/news/a/what-anonymization-and-the-tsa-have-in-common/ ].</p>
  • comment Dale Smith • Mar 13, 2019 
    In pursuit of enhancing trust in the privacy world, perhaps repurposing existing trusted notice and consent paradigms could be useful as well as developing new ones.  Consider the ubiquitous and widely-trusted Nutrition Facts label where consumers are offered clear, concise, easily accessible detailed information which they can fully digest, cherry pick, or completely ignore, at their option, and fully under their control.
Adapting this paradigm to Privacy can provide a foundational de facto standard supporting enhanced trust and future technical innovation.  An Interactive Privacy Facts Notice might look like this:
http://model.consentcheq.com/PFIN/min/
Dale Smith, CIPT
Related Stories
ICO FOI shows pre-GDPR reporting averages
A freedom-of-information request showed that prior to the enforcement of the EU General Data Protection Regulation, businesses waited an average of three weeks between the time they discovered a data breach to the point when they reported the breach to the U.K Information Commissioner’s Office, Info...
Read More queue Save This
ICO releases Brexit resources
The U.K. Information Commissioner’s Office has set up a guidance and resource page on Brexit. The ICO has created a checklist and guidance for British companies to follow should the U.K. leave the EU without a data protection deal in place. The agency also has an FAQ section on data rights and Brexi...
Read More queue Save This
ICO releases updated DPIA guidance
The U.K. Information Commissioner’s Office has updated its guidance on data protection impact assessments in response to an opinion released by the European Data Protection Board. The guidance includes an overview of a DPIA, a checklist for when a company conducts an assessment, and a rundown of the...
Read More queue Save This
Related Stories
Tags
Europe
Enforcement
Ethics
Privacy Community
Privacy Law
Recent Comments