The most common question I get asked by engineers.
Data privacy has an explanation crisis.
Too often it's described in broad statements. Data privacy is about respect. Data privacy is about human rights. Data privacy is about ensuring trust. Data privacy is about safety.
And while these aren’t wrong, Benedict Evans bluntly pointed out this problem in 2021:
“We say ‘privacy’ a lot, but we lack any coherent, systematic sense of what that would mean, or even quite what we’re trying to achieve, and there are lots of unresolved questions. We are confused.”
Some of this is unavoidable, as privacy is multifaceted, involves complex systems, deeply subjective and personal, and a space with nuanced and competing business interests.
But we could use stronger metaphors.
Think data protection, like environmental protection
Pundits have been saying “data is the new oil” for years.
Usually people say this in relation to the positive impacts of data—how data can be refined, cleaned, and transformed into increasingly valuable products, similar to how crude oil can be refined to gasoline, and naphtha to plastics.
But, it’s accidentally a great metaphor for the negative impacts, too.
Just like we see oil drilling accidents, poisoning, and pollution in the environmental space, we see recurring data breaches, doxxing (even accidental), and incorrect life-altering automated decisions. And similar to how in the we have environmental protection laws like the Clean Air Act and regulators like the US Environmental Protection Agency, we’ve evolved a set of data protection laws like the EU General Data Protection Regulation (GDPR) and regulators like the Irish Data Protection Commission (IDPC)
In short: data protection is our practical toolbox to achieve data privacy, just as environmental protection gives us the practical tools to save the Earth.
The lens of data protection captures that data is immensely valuable, but consumers might not prefer all parts of it, and if mismanaged, data processing can create widespread damage. And in addition, it gives us concrete, day-to-day practices that we can implement to for the fairly abstract outcome respecting individuals' privacy.
This is the lens that European lawmakers have used for years.
There’s more consensus than you’d think
For many engineers in Silicon Valley, the data privacy age started with GDPR.
Companies suddenly shifted from collecting every piece of data they could and storing as long as possible in case there was future business value, to newly rigorous world of needing clear legal bases and defensible retention periods.
And folks in Silicon Valley sometimes shrug this off as a “European point of view”.
But, the ideas in GDPR aren’t new — and many were proposed by the Nixon administration in a 1973 report from the Department of Health, Education, and Welfare, as a response to the rise of computerized record systems. They called these “Fair Information Practices Principles”, and even proposed a comprehensive law echoing today’s GDPR:
While the law didn’t come to fruition in the US, many of the concepts influenced the OECD Privacy Framework, which influenced the GDPR.
Data protection is older and more American than many would guess.
And this bears out in modern attitudinal surveys. The Global Data and Marketing Alliance in 2022 ran a classic privacy survey methodology — bucket respondents into “Unconcerned” (gives data freely), “Pragmatic” (gives data based on cost/benefit), and “Fundamentalist” (avoids giving data).
You’d expect with all the talk about the “European point of view” that America would have more far “Unconcerned” and far fewer “Fundamentalists”.
Nope. If anything, Americans are more concerned:
So why haven’t we seen more comprehensive privacy legislation in the US? As the study continues, Europeans view the government as responsible for security, and Americans view it as a personal and brand responsibility.
What does data protection look like?
The GDPR is extremely readable, and many of the US state laws like the California Consumer Privacy Act are modeled after it, so I'll focus on examples from there.
It’s standards for the unavoidable
You don’t usually have a choice on the air you breathe outside, or how the chemical plant down the street operates. Environmental laws and standards solve this with safeguards like vehicle smog tests, environmental impact assessments, and minimizing the inventory of dangerous chemicals on site.
Data protection includes solutions like:
Legal bases for processing - companies must have a defensible reason for processing data, for instance the consumer’s consent.
Data Protection Impact Assessments (DPIAs) - like environmental impact assessments for data processing operations.
Data minimization & storage limitation - companies should process only data that is necessary to meet the intended purpose; erase personal data when you don’t need it anymore.
It’s transparency and consent for the personal
There’s other environmental standards that impact you the most — do you eat GMOs? Organics? Sugar? Environmental laws solve this with labeling requirements, enabling consumers to choose what’s best for them.
Analogues in data protection include:
Consent - companies have more leeway to perform data processing if they can demonstrate they’ve gotten consent.
Right to be informed - companies must provide communication about the data they collect, and how they process it.
Right to access - consumers get visibility of their data, and know what the company knows about them.
It’s accountability, including for the edge cases
And last but not least, edge cases happen — and they can be deeply damaging, even if it’s just one person.
Data protection give tools for this, such as:
Right to rectification - companies must correct inaccurate data.
Right to erasure - consumers can ask companies to delete their data.
Automate decision making - for certain high-stakes applications, like employment screening, companies must offer appeals through a human.
Isn’t this bad for business?
Similar to environmental protection, it depends on the timescale you’re considering, and the law that you’re looking at.
In the short term, sure. There’s costs to compliance.
But if you take a longer-term view, for example in the GDMA’s study, the rise in consumer awareness of privacy protection laws like GDPR has coincided with a decrease in concern about data privacy. The rigor around data processing can lead to data quality improvements and financial efficiencies. And especially given American attitudes around brand and personal responsibility, companies like Apple are leveraging privacy as a differentiator, just like Patagonia with the environment.
This is all ultimately good for businesses long-term.
Subscribe for updates below, and I'd love it if you'd share with colleagues you think would find it helpful. See you at the next post. 🙌