[00:00] Chris Delatorre: This is Digital impact. I’m Chris Delatorre.
Heather Noelle Robinson: And I’m Heather Noelle Robinson.
Chris Delatorre: And this is the third and final part of our special miniseries on the European General Data Protection Regulation — commonly known as the GDPR. If this is your first time joining us for this series, we recommend starting with part one.
Heather Noelle Robinson: In this episode, we focus on the future. What are the GDPR’s broader effects on privacy legislation, and what does the future of privacy look like?
[00:32] Chris Delatorre: There are many different opinions on whether the GDPR has had any lasting positive effect on data privacy and practice. Let’s hear what Tris Lumley at New Philanthropy Capital has to say about it.
Tris Lumley: I’m not sure it really has strengthened people’s rights, individual’s rights, at this point. So, but you know, there’s a lot of “yet” in that.
Chris Delatorre: Tris has seen organizations respond to GDPR in a very compliance driven way, even though the spirit of the law is about strengthening individual rights. The key principles set out by the regulation include fairness and transparency, data minimization, storage limitation and accountability, among others. The GDPR gives individuals the right to opt in to data collection, as well as the right to have their data permanently removed, something the law refers to as “the right to be forgotten.”
[01:24] Heather Noelle Robinson: But having those rights on paper and the regulation actually being enforced are two different things. It takes time for organizations to change their practices, for regulatory bodies to enforce fines for noncompliance, and for individuals to exercise the rights that the GDPR gives them — and it takes time for attitudes to change when thinking about privacy as a right.
Chris Delatorre: But there are also indirect ways the GDPR is affecting the landscape of privacy regulation.
Heather Noelle Robinson: We talked to California State Senator Robert Hertzberg about the California Consumer Privacy Act. Here’s what he had to say about the GDPR paving the way for legislation in other jurisdictions.
[02:02] Robert Hertzberg: In dealing with GDPR, so many companies over the last number of years have hired lawyers, have really geared up in a way, that they were much more comfortable with the privacy issues. If GDPR didn’t exist, I think it would have been near impossible for us to pass the privacy act in California. But so much of the privacy law had been developed over the last number of years in Europe and a lot of these companies, the major companies, certainly with whom we were dealing, were already comfortable with the privacy issue.
Chris Delatorre: It’s important to note that the California law differs somewhat from the GDPR. For example, the California law doesn’t require consumers to opt in to data collection, and it doesn’t impose the types of fines the GDPR does. But the connection is there.
Heather Noelle Robinson: There’s also the fact that the mere existence of the GDPR changes how individuals and organizations behave. Here’s Doteveryone’s Samantha Brown on that.
[03:00] Samantha Brown: And I think from that perspective GDPR has been massively effective in its overall aim, in that it really disincentivized people holding onto data for the sake of having that data. It was now a risk to simply be collecting things for the sake of it, with the thought that maybe sometime in the future I might need this data.
Heather Noelle Robinson: I think what Samantha is saying here is that for the first time, people are asking themselves, “do I really need to collect this data?” Because up until now, more has always been seen as better.
Chris Delatorre: Absolutely. Something we’ve heard a lot in response to the new regulation is whether organizations should be collecting data just because they can. Which seems to embed the question of ethics in the conversation in a way we haven’t seen before. It’s certainly a step in the right direction.
Heather Noelle Robinson: We also wanted to know how people envisioned the future of privacy, data collection and regulation. Let’s start with Kevin Conroy of GlobalGiving.
[04:04] Kevin Conroy: A worst case scenario is that each of the fifty US states adopts their own independent privacy law that has different requirements, expectations, exceptions, and permissions, which may or may not conflict with each other or with GDPR. I’m all in favor of privacy, but conflicting and complex regulations will hinder organizations from being able to implement the spirit of these laws. Standardization will help ensure smoother operations and privacy for everyone.
Chris Delatorre: That kind of scenario would be incredibly difficult for nonprofits to manage. If you recall our first episode, we talked about the anxiety that built up as the social sector prepared for the GDPR. Having to deal with a patchwork of legal protections across states and jurisdictions would be an absolute nightmare.
Heather Noelle Robinson: Senator Hertzberg had a response to that exact problem. Not only is there a challenge when dealing with multiple jurisdictions, but a lot of these privacy issues are difficult to write laws about because the landscape is constantly changing. Here’s what he said when I asked him about the future of privacy.
[05:06] Robert Hertzberg: What does the future of privacy look like? Well, it’s going to be change. Lots and lots of change. I don’t know if we can really determine what the future’s gonna look like, but I do think certain things are going to be the case.
One, is we’re hearing in Washington DC, and throughout even here in California, we’re going to have to have some sort of regulatory environment. Regulatory environment because it’s just too difficult to legislate all of these privacy issues. And secondly, create an environment where business community folks can determine whether or not their crazy ideas violate certain basic principles of privacy or not. So we want to create an environment so people can check and balance what they want to do without having to worry about getting sued every single day.
And a regulatory environment that makes sure we’re watching out for consumers, and that they’re protected in the process. So I think that a much greater regulatory and administrative role going forward, an active role, both to protect consumers and to promote innovation is what we’re going to see. And I do think there’s going to be some level of data dividend in one form or another.
Heather Noelle Robinson: So his first point, a regulatory environment (as opposed to a lot of conflicting laws) could solve some of Kevin Conroy’s concerns But there’s all the details of which regulators would have power over which kinds of actions. The distributed nature of digital media and the Internet makes that a tricky thing to determine.
Chris Delatorre: And his second point, a way for companies to determine if a new technology violates privacy principles — that means a framework of privacy norms, but also cooperation from companies to evaluate technology that’s in the early stages of development.
[06:46] Heather Noelle Robinson: He makes one point at the end about a data dividend. This is something California Governor Gavin Newsom proposed in his most recent state of the state address.
Chris Delatorre: There are many ways to go about implementing a data dividend, but the basic idea is this: if a company used or sold your data to another company, or otherwise profited from that data, they would have to compensate the state, or you directly, in a dividend. A California data dividend is still just an idea, but we may see it implemented in the near future.
Heather Noelle Robinson: Whatever the actual policy looks like in the end, the core point is to acknowledge that the data a company holds about an individual has real value.
Chris Delatorre: That’s helpful for establishing a climate of accountability. Which brings us back to the social sector and this emerging idea of personal data charters for nonprofits. Cynics may disagree here, but the mere act of articulating where you are on data privacy and responsibility could make a real difference. Tris Lumley of New Philanthropy Capital recently shared his ideas on an industry certification.
[07:50] Tris Lumley: We’re actually interested in — and I’ve talked to Lucy [Bernholz] about before — developing a personal data charter for nonprofits, which says we’re not just any other organization, we’re here for our primary constituents — it says so in the governing document. We do want to use data because we want to be effective, we want to give people what they want and need, we want to be accountable and transparent. So, this is how we think we need to turn those values and principles we have as charities into practices. So, we are talking to people about developing a personal data charter for nonprofits, that could possibly — one of its roots — could be to become an industry certification for GDPR.
Heather Noelle Robinson: So that’s one change that nonprofits might expect to see in the future. But there’s also an opportunity for individuals to step up and say, “this is what we want the data landscape to look like going forward.”
Chris Delatorre: I’m curious to see how the GDPR (as well as any regulations that are forming stateside) will encourage everyday people to voice their opinions on how their personal data are used. And how in turn that will help to shape digital civil society going forward.
Heather Noelle Robinson: Samantha Brown at Doteveryone talked to us about GDPR’s influence on public opinion.
[09:05] Samantha Brown: And so many people don’t actually even understand the business models that underpin the digital technologies that they use within their everyday lives. And now that GDPR has come in and kind of called attention to that, I think it’s going to be a natural next step that people start to demand new ways of doing things and demand greater understanding and greater control.
Chris Delatorre: Let’s see how this all translates in the United States and elsewhere in the coming months.
Heather Noelle Robinson: I asked State Senator Hertzberg what he thinks about what to expect for the regulatory landscape in the future.
Robert Hertzberg: We are in a moving target, that’s moving at breakneck speed. Certainly it’s challenging, the technology is changing. As I said earlier, what privacy is today is very different than what it was years ago. Anytime you want a regulation, whether it’s through the European Union or whether it’s through California, trying to meet these kinds of goals where we still don’t stifle innovation, [where we] try to create as much innovation as possible, balance that with consumer rights, balance that with consumer tastes – consumers want a lot of things that are here, that’s the reason why the initial Google platform of things for free proliferated this idea, and it turns out now it’s not so much for free. So I just think it’s more reasonable to understand that we’re in this highly highly changing environment. And I think that we will continue for the next number of years to be deeply involved in trying to refine, and further refine, a framework for privacy.
[10:46] Chris Delatorre: From what the Senator said, we should expect this landscape to keep changing – just like the rest of the digital world.
Heather Noelle Robinson: And that wraps up our GDPR miniseries. Remember to visit digitalimpact.io/toolkit for more resources on using data responsibly.
Chris Delatorre: If you have an idea for another podcast episode, or special miniseries like this one, or you want to leave a comment, visit us at digitalimpact.io, or on Twitter @dgtlimpact.
Heather Noelle Robinson: Thank you, Chris.
Chris Delatorre: Thank you, Heather. And a special thanks to Tris Lumley at New Philanthropy Capital, Samantha Brown at Doteveryone, Kevin Conroy at GlobalGiving, and California State Senator Robert Hertzberg. Thanks for joining us, and we’ll see you next time on the Digital Impact podcast.
Digital Impact is a program of the Digital Civil Society Lab at the Stanford Center on Philanthropy and Civil Society (Stanford PACS). Follow this and other episodes at digitalimpact.io and on Twitter @dgtlimpact with #4Q4Data.