Thoughts on Privacy Day
January 27, 2021
Thursday, January 28 is Data Privacy Day, and I am reminded that roughly 25 years ago I wrote a chapter for a book in which I tried to imagine how what was then clumsily described as computer-assisted information collection (CASIC) might evolve in the decades ahead. I had just read Nicholas Negroponte’s fascinating little book, being digital, in which he described a future in which all information, including all of our personal information, would be digital and the many ways in which that might make our lives better, especially with regard to personalization of products and services. At a time when the practice of market, opinion, and social research was dominated by surveys, the implications seemed enormous: the day was coming when we no longer would need to do surveys because all the data would have already been collected. We would just need to analyze it.
The book’s editors, all long-time friends and colleagues in the journey from paper and pencil data collection to automated systems, were not kind in their reaction to my first draft. The key criticism was that the future I imagined was a massive invasion of personal privacy. The public would not stand for it, and strong legal privacy protections that would prevent us from accessing all that data were inevitable.
Their criticism caused me to have a look at what people paying attention to technology and privacy back then were thinking about the future. I learned that there were discussions about technical solutions involving encryption algorithms and personal keys that would give individuals complete control over who can and cannot access their personal data, something that now sounds like blockchain. In his book, Slaves of the Machine: The Quickening of Computer Technology, Gregory Rawlins wrote, “Today’s encryption technology could, if use widely enough, make us the last generation ever to have to fear for our privacy.”
Fast forward to 2015 when I was part of a team charged with updating the ICC/ESOMAR Code on Market, Opinion, and Social Research and Data Analytics. The OECD had just finished updating their global privacy principles and as part of that effort had solicited input from academics and the business community. I was especially struck by a paper written by Peter Cullen, who was then Microsoft’s Chief Privacy Strategist, and two academics, Fred Cate and Viktor Mayer-Schoenberger. In it they argued that the burden on individuals to manage their own privacy was unsustainable. Privacy policies had become undecipherable, often not read, and in too many cases data was being collected without any formal notice at all. Their bottom line was that we could no longer rely on the notice and consent model when collecting personal data. They proposed that we “shift responsibility away from individuals and toward data collectors and data users, who should be held accountable for how they manage data rather than whether they obtain individual consent.”
That made great sense to me then and still does, but we are a long way from getting there. The GDPR was a good start, especially in terms of laying out a set of data protection principles and processes that place a greater burden on data collectors and data users. Many of these same principles are gradually making their way into privacy regulations worldwide. But progress has been slow, data collectors have often resisted, and enforcement has been weak. The call for giving people more control over how their data is used has been long on rhetoric, but short on person-friendly ways of doing so. Mostly they just add more burden.
And so, we need a Data Privacy Day to raise awareness and encourage businesses to develop and maintain data protection practices that shield individuals from the privacy infringements that have become all too commonplace. For its part, ESOMAR has launched its #BeDataSmart initiative with the simple call to recognize that behind every piece of data there is a person, and that person deserves our respect. It really can be just that simple.
In theory at least, those of us who work in the insights sector should not require these sorts of reminders about our responsibilities to those whose data we rely on. A central, long-standing principle at the core of our claim to be a self-regulating industry is that those individuals who participate in research must not suffer adverse consequences as a direct result of that participation. Adapting that principle and inventing the practices to enforce it in a world not unlike what Negroponte imagined is the central challenge of our time.