Speaker 0
0:10 – 0:13
Welcome to Tech Talk by CDT.
Speaker 1
0:13 – 1:52
Tea. Three, two, one. Welcome to CDT's Tech Talk, where we dish on tech and Internet policy, while also explaining what these policies mean to our daily lives. I'm Brian Wesolowski, and it's time to talk tech. Europe's General Data Protection Regulation or the GDPR is finally here. We'll be talking about what it means for businesses both in Europe and the US, and what it means for your personal data. We'll also hear from a historian about how the meaning of privacy has evolved over time in the United States and how that changing notion of privacy has impacted policy and society. Some very real privacy protections are coming to Europeans this week as the General Data Protection Regulation or GDPR is set to take effect. The privacy regulation has companies that deal in personal data rapidly updating policies and practices to be in compliance. Our resident GDPR expert slash geek, Joe Jerome, joins us today to tell us everything we need to know about it. Welcome, Joe. Hi, Brian. You sound so excited about it. Don't you like my description? You introduced me as a GDPR expert, and no one is a GDPR expert, and no one ever will be. It is a company. I added a slash geek. Is that okay? Geek. Yes. Very much a geek. Alright. So we'll go with that one then. Alright. So if no one's an expert, I'm still gonna bill you as that. Let's start very top level. What is GDPR for those who don't know, and what's it supposed to do? So the General Data Protection Regulation Well done. It is a comprehensive,
Speaker 2
1:53 – 3:55
I would say, refresh of existing European privacy laws. So privacy laws have existed in Europe, for about twenty years. They came out with this directive in the mid nineties, which sort of enshrined a lot of things that I think the United States was doing before then. Fair information practice principles and sort of putting that into a directive. If you are a European Union legal geek, you'll understand that directives are not the same thing as a regulation. A directive is sort of a I don't I don't wanna say proclamation, but basically directs all of the EU member states to put in place legislation that embodies the directive's aims. Okay. Regulations are a little bit stronger. They come from the, the European Union and sort of direct member states to do exactly x, y, and z. And so for twenty years, they had this directive. It had a lot of the same things that are in the GDPR, an emphasis on consent, balancing tasks of of legitimate interests of companies versus the rights of individuals. But, you know, there was a perception, I think, that a, twenty years is a long time in tech or just in, you know, society generally. Yeah. And it was well past time to update, refresh, and I think importantly give more teeth to the directive. So a lot of what we're seeing here is people scrambling to do GDPR prep when I think a lot of the European regulators will sort of say, why didn't you guys already do this? It was already the law. The difference here now, which everybody seems to be aware of, is that GDPR has these huge fines which, are, you know, 4% of global turnover. So if you are one of these big, big companies, that's billions of dollars, and that caught people's attention. You mentioned big, big companies. Is it just big companies that need to comply with this, or is it kind of everyone? Everyone. Everyone. Everyone. That's and this is what people this is what makes the GDPR so interesting. It is the general data protection regulation.
It covers absolutely everybody. It covers big businesses, big tech companies, ISPs,
Speaker 0
3:57 – 4:18
healthcare companies, car companies, retailers, brick and mortar stores, absolutely everyone. Small, medium enterprises. When the thing was being crafted, there were some provisions to try and have what they're called derogations or exceptions for small companies. Most of those got largely minimized. So you know there there are record keeping requirements you don't have to do if you're under 250 employees, but
Speaker 2
4:18 – 5:25
no this sweeps in everybody, which I think is one of the real benefits of the law. You know in the United States we talk about is it health data? If it is health data, is it covered health data? Who has it? In the EU, it's if you've got data, you do things with it. Alright. That's the thing. And now does it apply to companies outside of the EU? It applies to everyone. Oh, there we go. That's that's saying perhaps too much. Article three of the GDPR is its territorial scope, which says that it applies to any information, collected in the union about EU residents. Yeah. So it you know, again, you could take a vacation, to Europe, go see, you know, the Louvre. You're an American citizen. You're covered by the GDPR while you're in Paris. The challenge, of course, is we live in a really global society. But there's a couple of provisions in article three that discuss, you know, whether you're you're targeting EU residents. So, you know, if your website has different languages or, if you're making materials that you're making accessible to Europeans or otherwise trying to bring European residents to your sites or services or platforms,
Speaker 1
5:26 – 5:40
that also means you're covered. Okay. So let's go to kind of companies or general everyone's impacted by this. What about companies with a lot of data? So you said this isn't necessarily new besides being now a regulation.
Speaker 2
5:41 – 6:44
How hard will compliance will this be? What are the real changes beyond the fines? So that's a really good question, Brian. And I think it really depends on where you originally came from. I think the GDPR can be really hard if you're, say, a brick and mortar store that have never really thought about these things. Oh, no. Suddenly I gotta do all of these risk assessments and documentation and legal bases for processing. So I think that's sort of overwhelming. I think the big tech companies, there's been a lot of sort of stories out there that suggest that they're pretty well prepared. They could stack up on lawyers. They've been doing this stuff for a long time. They're at the margins. There are provisions in the GDPR that people just don't really know how to address, but they seem pretty well equipped to do things well. So if you're if you're a big tech company, you're also, I think, in a good position to comply with this. If you're a tech company and you've just sort of been cavalier with data, maybe not. In which case, then I think the actual provisions in the GDPR are a net privacy improvement. And then I think, you know, the challenge is these companies that are in the middle that want to be data companies, increasingly wanna be collecting more information, but haven't traditionally,
Speaker 1
6:45 – 6:57
been as consumer facing as, you know, the Googles and Facebooks of the world. Sure. Well, let's talk about some of those companies. One that kinda jumps or one kind of group that jumps to mind are those dealing in AI. How does GDPR
Speaker 2
6:58 – 7:13
impact AI and companies trying to offer AI services, products, whatever? Well and I imagine your listeners won't find this funny, but the joke has been that the the biggest way that the GDPR is impacting artificial intelligence is that automated tools are being used to help with GDPR compliance. Yeah.
Speaker 1
7:14 – 7:17
I mean, it's kinda funny. Yeah. Yeah. I I tried.
Speaker 2
7:17 – 8:27
So what makes the GDPR really interesting and challenging for AI is that, basically, so much of the GDPR is about providing people with more information about what data you're collecting, how you're collecting it, and what you're using it for. And, you know, if you're paying attention to artificial intelligence, big data, all of this stuff in general, answering those questions can be really tough because the idea in some respects with AI is we're gonna collect all this data to do really interesting things. And that is in some respects in tension and sort of opposed to existing privacy laws. So there's a tension there. There are also provisions in the GDPR, and this is the sort of the right of access that's embodied in a couple of the earlier provisions. And then the article 22 discussion on, restrictions on automated processing that I think put some really good controls on artificial intelligence. If anything, it's gonna force companies to sort of declare what they're doing a little bit more. Okay. And there's this thing called the it's it's the alleged right to explanation, which is getting people all up in arms about whether people have the right to know exactly what's going into an automated decision. And that gets into conversations,
Speaker 1
8:29 – 8:53
algorithmic transparency versus accountability, which are beyond the scope of the GDPR, but the GDPR has put those front and center of a goal. Of those. Yeah. Well, let's talk about people now. We've kinda talked about companies and people that what will this actually mean for just your average person? You know, someone who whose data is out there while, you know, in a lot of different ways. You know, will will I see a different in difference in how I interact with companies? I'm sure you've seen ample amounts
Speaker 2
8:54 – 10:26
of emails in your inbox saying that people care about your privacy and what they do. That is very true. I've seen a ton. So that's that's the, I think, the most outward expression of this. I I don't know if people are gonna see a whole lot of difference on the surface. I mean, really what this is is there are a component the GDPR really is is two main things. A set of individual rights and then a bunch of accountability and compliance measures that companies need to do. Those individual rights have always been there and will be strengthened and can be exercised. So you can access your data. You can have your you can you have a right to access your data. What does that mean? How do I access my data? Well, it depends on the company. It depends on what your what the business model is. Really, I think what the GDPR is hoping to facilitate are automated tools to do this where, you know, it's gonna be much easier. Ideally, we'll see how this gets implemented for a user to go to any company, tech company, brick and mortar company, any company and say, what data do you have on me? Access that. And then take that data elsewhere, ask them to delete it. Those are firm provisions in the GDPR that hopefully people take advantage of. Even if people don't take advantage of them, what I think where I think the GDPR will be helpful is that it's really requiring all sorts of organizations to think about what data they collect, why they collect it. And they have to they have to document that. Yeah. Some people say that's a huge and huge onerous burden. But if you're in the business of collecting a lot of data, I think it's sort of a just basic responsible data practice.
Speaker 1
10:26 – 11:07
And in the long run, I think that's really, really good and useful. Yeah. It seems like something where you it helps you think about your kinda data hygiene as an organization. That's a better word. Let's you think through that a little bit and think through what data you have, what data you really need to do business, and what you don't. And having some of that data that you don't need is a risk. So perhaps it's a very good thing. You could do the GDPR stuff. See, I'm drinking the Kool Aid here. I've got this. Alright. So you alluded to this a little bit earlier, you know, kind of the fragmented privacy laws in the United States. Is there any movement in the US on more of a comprehensive privacy law? Is GDPR coming to the United States or no?
Speaker 2
11:07 – 12:30
I do not think the GDPR is coming to the United States. That said, I think there has been movement to certainly, there's been questions. What is this GDPR? What what about it should be made available here? The GDPR at minimum so for a very long time, I think there was a debate of you're either gonna have this EU approach to privacy or this American approach to privacy. And one is, you know, top down all these harsh laws and ours is sort of freewheeling and promoting innovation. I think the GDPR has won that debate. Other countries around the world are adopting data protection frameworks that are modeled after the GDPR. And so if you're a global company, if you're really any company, you're gonna be doing some element of the GDPR. And you know, that means that some of these protections or at least some of these processes, data hygiene if you will, are gonna be done here too. Obviously, I think you know it's CDT's belief that you need to legislate that. It's one thing to hope companies do it. It's another thing for, you know, our Congress our president to say as a matter of federal policy, yeah, let's do that here too. But I actually think there's momentum there too. Certainly, GDPR has been a catalyst to get states to do a lot of stuff. We've seen a lot of action in Congress to do various privacy laws. It's probably not gonna happen tomorrow, but it'll probably happen in our lifetimes. Alright. Well, that's
Speaker 1
12:30 – 12:43
optimistic. I try to be sometimes. I love it. I love it. So let's, fast forward a bit. How do you gauge whether GDPR was, is, or and was a success? You know, what does success look like for this?
Speaker 2
12:44 – 14:15
That's a really great question. And I think we're gonna have to wait six months to a year to see what happens. So I think success is, one, when individuals choose to exercise those individual rights I was rambling about earlier, they can do so easily. And and those individual rights are able to sort of be harnessed by other companies to build interesting new business models, compete on privacy. So that's one. Part two is companies stop grumbling about how onerous the GDPR is and sort of just embrace it. If in six months to a year, that sort of tone has changed significantly, I think that suggests that the GDPR didn't bring about the end of the world. And then finally, I think and this is really key. So much at least in the United States of of what drives our consumer commercial privacy discussions is the role of the Federal Trade Commission, so the actual regulator. And one thing that the GDPR really tries to do is empower these European data protection authorities of which there are many many many data protection authorities in Europe. There's the UK Information Commissioner's Office, there's the CNIL in France, Germany because it's a federation has individual state, data protection authorities. And these authorities are they've been in existence for the past twenty years, but there's been a lot of debate about how effective they've been. If they are out there doing enforcement, putting out guidance, convening companies and others to come up with, you know, codes of conduct and best practices around artificial intelligence, automated decisions, IoT, all of that stuff.
Speaker 1
14:15 – 15:14
That suggests that at least the GDPR has given them a little bit more oomph, and I think that's really good. Awesome. Well, it's obviously an exciting time for the privacy community. Thank you for being our resident expert in this even if you fight the term. And we'll have you back on soon to see just how well this is working out. Thanks. We shall see. Thanks for joining, Joe. Privacy. It's a word most of us hear daily, especially in the wake of Facebook and Cambridge Analytica. It also pops up regularly after the countless data breaches from Equifax to Target. But what does privacy really mean? And how has its meaning evolved over time? Today's guest is the author of The Known Citizen: A History of Privacy in Modern America. In her book, Sarah Igo takes us through the era of instantaneous photography to today's age of big data to uncover surprising ways the shifting debate around privacy has influenced US policy and society. Welcome, Sarah.
Speaker 0
15:16 – 15:18
Thank you. I'm glad to be here. Congratulations
Speaker 1
15:18 – 15:24
on your new book. I hear it was a a lot of work, but, beautiful cover and it's out now.
Speaker 0
15:25 – 15:27
Yes. I believe.
Speaker 1
15:28 – 15:39
And, of course, it's quite timely with, everything in the headlines right now, especially the Facebook and Cambridge Analytica story. Has privacy always been such an important topic for Americans?
Speaker 0
15:42 – 18:35
So it's a great question. One would certainly think so given the headlines, and the scandals that are all around us at the moment. Cambridge Analytica, as you mentioned, and Facebook, and Equifax, and, those Ancestry and DNA databanks that implicated the Golden State killer. We are, as a society, consumed with privacy right now. I'm trying to make a debate. But in fact, you know, one of the surprises to me was to discover that, our debates about privacy are relatively new, at least, in a historian's terms. They really originated in the late nineteenth century. Before that time, privacy had, of course, arisen as an issue. You could think about, the quartering of soldiers during the American Revolution, for example. That's not what first comes to mind when I think about privacy, but tell me why. Maybe maybe not you, but for an American historian, this is a sort of a typical beginning point. Right? Okay. Institutional, protections of the fourth amendment and, the securing of one's person and papers and this kind of thing. But I would argue that it was really in the late nineteenth century that personal privacy would become a contentious political issue for the first time, and really also a continuous one. The cause was, new media, the new media of the nineteenth century, things like, the an aggressive commercial press, instantaneous photography, which you mentioned, the ability that is to capture people's images unaware, by amateur photographers. Also, the telegraph and the telephone that made communications much more porous. All of these things combined to make privacy suddenly, an issue on many people's minds, for the new ways that technologies and the social practices around them, allowed, virtual invasions. So not the invasions of one's property lines or, one's physical space so much Right. But invasions into one's life and details, image, reputation. 
And like today, there were issues very much about the circulation of people's information and image without their consent, or, sometimes even without their knowledge. Right. So after that point, attention to privacy would certainly wax and wane in American life, raised by all kinds of new issues, political as well as technological, but it never really disappeared from public attention after that. And the reason for that, I think, is that privacy and privacy talk captured really a key tension of modern society, a kind of clash between greater aspirations, for personal inviolability and dignity, and on the other hand, more sophisticated techniques of invasion, which, you know, we're still seeing the fallout of today, of course. Yes. And they get more and more
Speaker 1
18:35 – 18:49
sophisticated. It was interesting as you're thinking about the the images that circulate that people don't even know about. My mind went instantly to some of the memes that are even created about people based on images that they may not even know about. So it goes the next level of crazy there.
Speaker 0
18:50 – 19:23
So let's That's right. Although, again, there are some really interesting analogs to the late nineteenth century. So for instance, one of the first right to privacy cases was a woman who discovered to her horror that her face, her her, profile had been used, without her knowledge on flour advertisements, which might not sound like a big deal to us. Scandal. Women's images and respectable Yeah. Woman would not want her image in the flow of commercial traffic. And the way that she discovered this was that she saw her face on a neighbor's bag of flour. Wow.
Speaker 1
19:23 – 20:07
That would that would still be disturbing. Yeah. I I might be flattered, but I also probably want compensation if people were making money off of this crazy. Exactly. I don't know that they would. But, anyway, so let's let's talk about the narrative around privacy a little bit. So right now, you hear terms around data ownership, possession, and people even saying that data is an extension of themselves. You know, it this seems relatively new based on what you're saying and, honestly, relatively new, I think, even in the the advocacy space where we live. Now how do you think this kind of definition and and terminology around privacy is influencing policy and and the society we live in?
Speaker 0
20:08 – 23:16
Yeah. It's a great question. I mean, what's interesting to me looking backwards as I just mentioned, you know, Americans often first thought of privacy as a kind of property. Right? Yeah. Their physical surrounds, their, their their home, their curtilage, the legal term for the space around their home. And in interesting ways, we have left that behind as we've, become more virtual, I suppose, in our, sense of privacy, you know, in the sense that our biography and our data and our, you know, the scattered bits of information about us that are sitting in, file cabinets and, hard drives. Right? We we sort of become distributed in a certain way, which would lead you to think that, property is not the right framework for thinking about, our data. But, in interesting ways, that kind of language or conceptualization persists. One of the things I was really interested to learn more about as I got into research on privacy was the way that debates about, early data banks, unfolded. Mhmm. And one of the things that becomes clear in the nineteen sixties and seventies is that Americans are suddenly aware, right, that all kinds of record keeping institutions are keeping records on them, are serving as gatekeepers based on the information about them in their files, from insurance companies to credit bureaus, to the federal government, in various administrative programs. And there's a move in the nineteen seventies to, gain access to those files in a in a way to become, for people to become co owners of those files through the Privacy Act of 1974 or through, the family privacy records act, of the same year. And so, so there's this kind of interesting, longer running, I guess, relationship, between data and, property claims. What is, fascinating, to think about, although it's a really difficult problem for policymakers, is to think about, whether in fact we do own all that data about ourselves or who owns it if we don't. Right?
Because data isn't out there. It isn't something that just occurs naturally until someone takes it from you in a way, expropriates it, right, for another use. And so, so I think the really challenging, dilemma for, for privacy policy going forward, and, of course, the Cambridge Analytica scandal just makes this so clear, is to clarify, number one, who owns all this stuff? Yeah. And number two, is ownership even the right way to think about, all of that data sloshing around? Or is it better to think about something more like a public good, or something like that, given that, even if we believe that we own our data, we clearly don't, at least if, we believe that that means having some control and autonomy in the way that it gets used by others.
Speaker 1
23:17 – 24:12
Yeah. No. It was interesting as I was, kind of going through parts of your books. One of the things that did pop out is, you know, how people did want their records, like, the records that were collected, from them by, like, the FBI at certain points. And some people were able to get access to those and were disappointed there wasn't more or something more interesting in there. Great. Great. You know? But, obviously so when you think about data, a lot of times you think about government ownership or use of data, and, obviously, that's incredibly, concerning. But I do think, you know, the the Facebook and Cambridge Analytica story and, you know, some of the other data breach stories that we've we've seen out there or incidents, you know, make it clear that the the data that corporations have about individuals could be equally harmful, or influential. Is this something that's kinda popped up through history as well? The the difference or the tension between government's, use of personal data and corporate use of personal data?
Speaker 0
24:13 – 26:59
Yeah. I mean, what I'll say is that, I think going into this research, I was expecting Americans to be much more because we associate American culture, right, with this kind of reflexive worry about big government and state surveillance. But in fact, the state was not particularly good at collecting information about people in the nineteenth century and even through much of the early twentieth century, was far far behind, the credit industry, for example sir. Which I would say was, one of the most important and influential, and thoroughgoing, aggregators of citizens' information Yeah. In the nineteenth century. And so it's a little unclear. I mean, I think it's true that Americans have been very wary of, state intrusions into their personal lives, but they've also been quite, wary when given the opportunity to to voice their, protests or dissent, you know, against, commercial intrusions. Although in certain ways that that has, I would say, lagged behind, the debate in Europe where, there's there's been much more, of a lid on the collecting of, commercial and maintaining of commercial information on, on citizens. So, so this has changed over time. One of one of the discoveries, that I made in in doing this work was that, often, especially in the moments where data became a really big issue, often Americans didn't really, distinguish between the state and corporations. Thought of them as all sort of all part of the same problem. And that's partly because, you know, an intrusion by a credit bureau or the, Social Security Administration could feel similar, I suppose, to people. But I think there's also, an awareness at points and fits and starts that there was also a lot of collaboration Sure. Between the federal government and corporations in, housing, information about people. 
So we think of that, the kind of shocking revelation, right, after Snowden of the NSA working with telecommunications companies, but also the government and the telegraph companies were working together in some instances in the nineteenth century. So that line between state and private entities has always, I would say, been blurrier than we have, imagined. Yeah. And, it has, opened up, similar kinds of questions and and debates, I suppose, about who really is entitled, to, to know things. Yeah. No. That's an incredible point. Nature and to deal with sensitive information on, on Americans.
Speaker 1
26:59 – 27:46
Absolutely. No. That's a really important point. And we obviously keep just keep seeing it more and more, the blurring of the line a bit. And one of those things, the more data you have, it's the the more points that different people can have access to it, whether it's government, corporations, or other players in the mix, obviously. So before I let you go, I kinda wanted to just go a little bit deeper on, you know, the the notion of privacy itself as we do, try to to address issues around privacy and and data usage, data ownership, you know, maybe data control, autonomy, however we wanna talk about it. We're struggling with the right words to do it. Any histories or any lessons from history that we can pull to maybe talk about this and create some policy and societal changes for the better?
Speaker 0
27:48 – 29:59
Yeah. It's it's, obviously an important question in on lots of people's minds, just now. I think it's important to recognize, first of all, that privacy has been quite historically variable. It's something that changes, and it changes quite radically sometimes, in dialogue with new technologies and scientific questions. But we shouldn't let those developments, right, decide for us what privacy is and what rights we as, citizens of, this nation of the world, right, should, how we should think about those questions. So I think we need some guidelines or markers in place to help us think really critically and preemptively in a way about what we want our privacy to look like. One of the things we learned from the past is that many of the changes to our privacy and our expectations about privacy have been, unanticipated. So no one was really prepared to guard against new kinds of threats or even really to think through the consequences of new inventions or new means of communication or scientific practices. So I think, one lesson, from this history is that, we might want to adopt more vigilant approaches to new practices and technologies that have any implications for individual privacy, which means, you know, these days, really almost anything. Everything. Yeah. Right. And and trying to build protections and safeguards in from the very beginning. And I think that's it's a legal and regulatory question. It's a question of norms and practices and ethics as well. It's a question of design. And, it's it's it's they're all thorny, questions and Right. Really hard to work out. But we obviously haven't, worked them out very well up to this point. And and one thing I hope from these kinds of periodic crises that now seem to be part of our landscape is that they, if nothing else, you know, will prompt us to come up with some of those,
Speaker 1
30:00 – 30:30
more creative solutions to what is now really an endemic problem. Yeah. I am hopeful of that too. And I do I do think, you know, certainly here, we're seeing some momentum to to create some positive changes on the privacy front and and the policy landscape. Well, Sarah, thank you so much for joining Tech Talk. Obviously, you have proven that there is much we can learn from history, and we appreciate that. And for all our listeners, be sure to get a copy of Sarah's book, The Known Citizen, a History of Privacy in Modern America. Thank you, Sarah.
Speaker 0
30:31 – 30:32
Thanks so much, Brian.
Speaker 1
30:37 – 30:51
That's it for this episode of Tech Talk. For the very latest on what CDT is doing on privacy and data issues, follow us on Twitter, like us on Facebook, or visit us at cdt.org. I'm Brian Wesolowski. Thanks so much for listening.