Exploring Emerging PE³Ts for Data Governance with Trust | IGF 2023 Open Forum #161

12 Oct 2023 12:45h - 14:15h UTC

Event report

Speakers and Moderators

Speakers:
  • Clara Clark Nevola, Head of anonymization and encryption policy, Information Commissioner’s Office, United Kingdom (tbc)
  • Mr Wojciech Wiewiórowski, European Data Protection Supervisor, European Union
  • Nicole Stephensen, Partner & Privacy Lead, Information Integrity Solutions, Australia (tbc)
  • Maximilian Schrems, founder, NOYB, Austria (tbc)
  • Suchakra Sharma, Chief Scientist, Privado, Canada (tbc) [online]
  • Mr Udbhav Tiwari, Head of Global Product Policy, Mozilla Foundation
  • Christian Reimsbach-Kounatze (OECD)

Disclaimer: This is not an official record of the IGF session. The DiploAI system automatically generates these resources from the audiovisual recording. Resources are presented in their original format, as provided by the AI (e.g. including any spelling mistakes). The accuracy of these resources cannot be guaranteed. The official record of the session can be found on the IGF's official website.

Session report

Udbhav Tiwari

Mozilla Corporation, owned by Mozilla Foundation, is a unique organization in the technology sector. It operates without the typical incentives for profit maximization and prioritizes user welfare and the public interest. While initially having a strong policy against data collection, Mozilla had to make changes due to limitations in product development. They have since explored privacy-preserving ways of collecting information, separating the “who” from the “what” to protect user privacy.

Privacy-preserving technologies have become increasingly feasible with the proliferation of internet availability, bandwidth, and computational power. Privacy has emerged as a key differentiating factor for products, leading to increased investment in privacy-focused solutions.

Mozilla has taken a critical stance on Google’s Chrome Privacy Sandbox set of technologies, acknowledging improvements but asserting the need for technical validation. They are also exploring the use of privacy-enhancing technologies (PETs) such as the Distributed Aggregation Protocol (DAP) and Oblivious HTTP (OHTTP) for telemetry information collection.

While recognizing the value of advertising to support internet publishers, Mozilla deems the current state of the advertising ecosystem unsustainable. They have introduced features like Firefox’s “Total Cookie Protection” to enhance user privacy while still allowing essential functionality.

Mozilla has raised concerns about Google’s Privacy Sandbox standards potentially becoming the de facto norms, with the potential to impact privacy and competition. They advocate for responsible implementation of PETs to strike a balance between privacy and data collection.

Human involvement in data collection decisions is crucial to consider the risks to user privacy. Mozilla emphasizes the importance of accountability and responsible practices.

In summary, Mozilla Corporation distinguishes itself in the technology sector with its focus on user welfare and the public interest. They actively explore privacy-preserving technologies, criticize Google’s Privacy Sandbox, and advocate for responsible data collection practices. Through their efforts, Mozilla aims to foster a more privacy-protective and user-centered tech industry.

Wojciech Wiewiórowski

The European Data Protection Supervisor (EDPS) plays an essential role in safeguarding privacy within the European Union (EU). Their key priority is the effective implementation of privacy laws through the use of tools. The EDPS serves as a supervisor for EU institutions and offers advice during the legislative process, ensuring that privacy concerns are integrated into decision-making. Their ultimate goal is to promote a safer digital future by advocating for the use of IT architects and a comprehensive privacy engineering approach.

In line with the EDPS’s efforts, Wojciech Wiewiórowski, a prominent figure in the field, acknowledges and supports the work of non-governmental organizations (NGOs) in enforcing privacy policies. He recognizes the vital role that NGOs play and suggests that their work should have been undertaken by data protection commissions much earlier. This recognition highlights the importance of collaboration between regulatory bodies and NGOs in effectively safeguarding individuals’ privacy rights.

Furthermore, Eurostat, the statistical office of the European Union, has developed privacy-preserving tools such as trusted execution environments and trusted smart surveys. These innovative tools aim to ensure privacy while conducting official statistics. The United Nations has included these tools in their guide on privacy enhancing technologies for official statistics, further validating their importance and effectiveness in maintaining data privacy.

Overall, the European Data Protection Supervisor, Wojciech Wiewiórowski, and Eurostat are actively working to uphold privacy rights and create a safer digital environment. Their focus on utilizing tools and collaborating with NGOs demonstrates their commitment to establishing a robust framework for data protection. Embracing these initiatives provides individuals with greater confidence in the privacy of their personal information.

Clara Clark Nevola

Privacy enhancing technologies (PETs) are becoming increasingly important in today’s digital era as they enable data sharing while protecting privacy. The Information Commissioner’s Office (ICO) in the UK has recognised the significance of PETs and has released guidelines that outline how these technologies can support data minimisation, security, and protection.

The ICO’s guidelines highlight the role that PETs play in achieving data minimisation, which refers to the practice of only collecting and retaining the minimum amount of personal data necessary for a specific purpose. By implementing PETs, organisations can ensure that they are processing and sharing data only to the extent required, thereby reducing the risk of potential breaches or misuse.

Furthermore, PETs contribute to data security, addressing concerns about the potential vulnerability of shared data. Different types of PETs, such as homomorphic encryption, secure multi-party computation, and zero-knowledge proofs, offer various solutions for securing data in different sharing scenarios. Homomorphic encryption allows computations to be done on encrypted data without having to decrypt it, while secure multi-party computation enables multiple parties to perform a computation on their data without revealing any sensitive information. Zero-knowledge proofs allow the verification of a claim without revealing the supporting data. These technologies can help protect data integrity while allowing for collaboration and data sharing.
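
As an added illustration of the secure multi-party computation idea described above (this code is not from the session or the ICO guidance), the sketch below uses additive secret sharing so that several parties learn a joint total without revealing their individual inputs. The hospital scenario, the counts and all function names are constructed for this example.

```python
import secrets

# All arithmetic is modulo a public prime. Each share is a uniformly random
# residue, so any incomplete set of shares reveals nothing about the input.
MODULUS = 2**61 - 1  # assumption: larger than any total the parties compute


def share(value, n_parties):
    """Split `value` into n additive shares that sum to value mod MODULUS."""
    if not 0 <= value < MODULUS:
        raise ValueError("value out of range for the chosen modulus")
    shares = [secrets.randbelow(MODULUS) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % MODULUS)
    return shares


def reconstruct(shares):
    """Recombine a full set of shares into the original value."""
    return sum(shares) % MODULUS


def secure_sum(private_inputs):
    """Simulate an n-party sum in which no party sees another's raw input.

    Party i splits its input and sends share j to party j. Each party adds
    the shares it received and publishes only that partial sum.
    """
    n = len(private_inputs)
    if n < 2:
        raise ValueError("need at least two parties")
    # outgoing[i][j] is the share party i sends to party j
    outgoing = [share(v, n) for v in private_inputs]
    # partials[j] is the only value party j ever publishes
    partials = [sum(outgoing[i][j] for i in range(n)) % MODULUS
                for j in range(n)]
    return reconstruct(partials), partials


# Constructed sample data: case counts held by three hypothetical hospitals.
HOSPITAL_COUNTS = [128, 75, 342]

if __name__ == "__main__":
    total, partials = secure_sum(HOSPITAL_COUNTS)
    print("published partial sums:", partials)  # random-looking residues
    print("joint total:", total)
```

The scheme assumes parties follow the protocol (honest-but-curious); the total itself is disclosed by design, so with only two parties each can subtract its own input and learn the other's.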

Anonymisation or de-identification is another key aspect of PETs. By applying these techniques, organisations can remove or alter personal identifiers, making it more difficult to link shared data to specific individuals. This helps to protect privacy while still allowing for data analysis and research.

Despite the clear benefits of PETs, challenges remain. Technical standards for PETs need to be developed to ensure interoperability and ease of implementation. Additionally, the costs associated with implementing PETs can be high, posing a barrier to adoption for some organisations. Awareness and understanding of PETs also need to be improved, particularly among lower-tech organisations that could greatly benefit from them.

Data sharing itself poses challenges beyond legal considerations. Organisational and business barriers, such as concerns about reputation and commercial interests, can hinder data sharing efforts. Stakeholders often express reluctance to share their data due to uncertainties about how it will be used or what the outcomes may be.

To overcome these challenges, the ICO advocates for partnerships and collaborations between PET developers, academics, and traditional organisations like local governments and health bodies. By bringing together experts from different fields, these partnerships can elevate awareness and understanding of PETs and facilitate their adoption by traditional organisations.

In conclusion, privacy enhancing technologies are crucial tools for enabling data sharing and protecting privacy in the digital era. The ICO’s guidelines demonstrate how PETs can support data minimisation, security, and protection. While challenges exist in terms of technical standards, costs, and awareness, partnerships between PET developers and traditional organisations can help overcome these obstacles. By promoting the adoption of PETs, organisations can achieve a balance between data sharing and privacy protection, fostering innovation and collaboration while safeguarding individuals’ personal information.

Suchakra Sharma

The speakers in the discussion present different perspectives on privacy in software development. One speaker argues in favour of considering Privacy Enhancement Technologies (PETs) from the software perspective. This involves examining how software handles data, as it can provide insights into developers’ intentions and identify potential privacy violations. The speaker highlights the importance of evaluating the software in order to predict and prevent privacy breaches. As a solution, Privado is developing a tool that can assess how software handles data.

On the other hand, another speaker focuses on the significance of technically verifiable Privacy Impact Assessments (PIAs) in ensuring proactive privacy. They note that during software development, the necessary information for PIAs is already available. By incorporating PIAs into the development process, privacy regulations can be adhered to right from the design phase to deployment. To facilitate this, a tool has been built to perform verifiable PIAs, identifying potential privacy violations in advance. This approach is seen as a guarantee for proactive privacy.

The third speaker explores the possibility of certifying software for privacy compliance. They highlight the importance of evaluating the data processing and handling intentions of software. By doing so, privacy compliance checks can be conducted before the software is deployed. They suggest that regulatory laws such as GDPR and CCPA can be translated into fine-grained checks and tests for compliance. This certification process is considered a potential solution to ensure privacy in software development.

In conclusion, the speakers all emphasize the need to evaluate how software handles data and ensure compliance with privacy regulations throughout the entire software development lifecycle. By considering PETs, performing verifiable PIAs, and certifying software for privacy compliance, proactive measures can be taken to protect privacy. These perspectives highlight the increasing importance of addressing privacy concerns in the software development process.

Maximilian Schrems

NOYB, an organisation, has developed a system that automates the generation and management of complaints about General Data Protection Regulation (GDPR) compliance. This system has proven to be effective in achieving a 42% compliance rate by proactively sending guidelines to companies.

The system operates by performing an auto-scan of websites to identify potential GDPR violations, which is then followed by manual verification. Once a violation is detected, the system auto-generates a complaint, which is then transferred to the violating company for action. Additionally, a platform is used for companies to provide feedback and declare their compliance.

Interestingly, the system has observed a domino effect, wherein even companies that were not directly intervened with have shown improved compliance. This suggests that the awareness and actions taken by some companies have influenced others in the industry to improve their GDPR compliance as well.

Data protection authorities recognise the potential for efficiency that new technologies can bring, but they also express concerns and high levels of interest. They acknowledge that utilising new technologies, such as the automated GDPR compliance system, can increase efficiency by eliminating trivial tasks and increasing the quality of work through the use of well-proven templates.

However, implementing new technology poses certain challenges. The adoption of new technology requires technical infrastructures, such as programmers, to support its implementation. Additionally, a culture shift is necessary for organisations to focus on specific tasks related to the new technology and adapt to the changes it brings.

In conclusion, NOYB’s automated system for GDPR compliance has achieved a significant compliance rate and has demonstrated the potential for technology to enforce and improve GDPR compliance in a more efficient manner. While there are challenges associated with implementing new technology, the benefits of increased efficiency and quality are substantial. It is noteworthy that the system has also influenced compliance improvement among companies that were not directly addressed, highlighting its positive impact on the industry as a whole.

Nicole Stephensen

The analysis explores different perspectives on privacy-enhancing technology and data protection. One argument presented is that privacy-enhancing technology should not replace good decision-making. It is emphasised that governments and organizations have a positive duty to ensure that their information practices accord with relevant privacy and data protection laws and community expectations. This suggests that while privacy-enhancing technology can be beneficial, it should not be solely relied upon to make ethical and responsible decisions regarding data privacy.

Another argument highlighted is the struggle faced by organizations in identifying and mitigating risks, particularly when dealing with large volumes of data or complex vendor relationships. Data leakage is mentioned as a common occurrence that often happens without the organization’s awareness, and it qualifies as a personal data breach. This indicates that organizations may face challenges in effectively managing and protecting data, especially in situations involving extensive data sets or intricate vendor arrangements.

However, the analysis also acknowledges the utility of privacy-enhancing technologies in controlling data leakage. Specifically, the example of Q-Privacy is provided as a tool that allows organizations to audit for data leakage and enforce rules about data usage. This suggests that privacy-enhancing technologies, particularly those focused on data accountability, can play a valuable role in preventing and controlling data leakage incidents.

Furthermore, the importance of prioritizing purpose specification and collection minimization in data protection practices is highlighted. The argument put forward states that these are the building blocks for a culture that limits the use and disclosure of personal data as much as possible. This implies that organizations should be cautious in collecting only necessary data and clearly defining the purposes for which it will be used. By doing so, they can actively contribute to a privacy-conscious environment.

Lastly, the analysis identifies several barriers to the implementation of privacy-enhancing technologies. These include the privacy maturity of the technology suppliers, their geographical location, and the budget of the organization. Additionally, it is noted that decision makers in the privacy domain tend to be more in the legal space and have a less technical focus, which could also be a barrier for adoption. This suggests that a multifaceted approach is necessary to address these barriers and promote the effective adoption and integration of privacy-enhancing technologies.

In conclusion, the analysis provides an overview of various perspectives on privacy-enhancing technology and data protection. It emphasizes the importance of good decision-making, compliance with privacy laws and community expectations, risk identification and mitigation, data accountability tools, purpose specification, and collection minimization in ensuring effective data protection practices. Moreover, the analysis sheds light on the challenges and barriers associated with the implementation of privacy-enhancing technologies, highlighting the need for a comprehensive approach to overcome these obstacles.

Christian Reimsbach-Kounatze

In the realm of technology and privacy, it has been established that these two areas can provide scalable solutions to effectively address problems. Maximilian Schrems, a prominent figure in this field, emphasizes the advantages of implementing efficient systems that can eliminate trivial work and enhance the overall quality of work. By using proven templates and carefully selecting cases to work on, these systems greatly improve efficiency and productivity.

Privacy tools, in particular, are seen as indispensable in supporting the work of agencies involved in data protection. These tools enable agencies to effectively navigate the complex landscape of privacy management. However, barriers hinder the widespread adoption of privacy-enhancing technologies. Factors such as low budgets, a lack of technical focus in decision-making teams, and the prioritization of larger organizations impede the adoption and implementation of these technologies. Addressing these issues is crucial to fully benefitting from the advantages offered by privacy-enhancing technologies.

Automation is widely regarded as a crucial component in privacy management. It allows for scaling efforts and addressing the challenges posed by the ever-increasing scale of privacy concerns. However, human involvement should not be replaced entirely. Speakers agree that a balance must be struck between automation and human decision-making. While automation can streamline processes, human oversight and decision-making play an integral role in ensuring ethical and responsible practices. Striking this balance is key to realizing the full potential of automation in privacy management.

In conclusion, the speakers at the event highlighted the significant role that technology, privacy tools, and human involvement play in addressing problems and supporting the work of agencies in the realm of privacy and data protection. Scalable solutions, efficient systems, and the adoption of privacy-enhancing technologies are essential in tackling the challenges at hand. While automation is critical, it should not replace the human touch. By acknowledging these factors and working towards effective implementation, privacy can be ensured in an increasingly digital world.
