His goals are laudable. He wants to give consumers more rights to control and protect their information. Yet his comments do not fully consider an often-invisible group in the world of data regulations. These are small- and medium-sized enterprises (SMEs), such as startups. Without armies of lawyers to hire, they struggle to follow complicated laws. Some even shut down. States that stifle SMEs lose out on innovation, jobs, and inclusive growth.
I urge lawmakers to not forget about this group. Data leaders should learn from conversations happening around the world, not just the E.U.
Look at the Asian Pacific Economic Cooperation (“APEC”), for instance. Its Business Advisory Council’s Data Expert Roundtable, at which I participated a few weekends ago, evinced a stark concern for SMEs. As one discussant asked, “How do we help not just the big banks, but also the fintechs?”
There, I listened to how SMEs were struggling — just like the companies I work with through Immuta, where I help scale compliant, ethical data analytics. (“Ethical” is a mouthful. Ethical companies, I believe, look out for their customers’ best interests even when they’re not looking — by weaving data protection principles into the very fabric of their infrastructure and business strategies).
Three takeaways stood out. While I draw these lessons from the roundtable, they can apply to any effort to impose new data regulations:
- Amplify existing efforts to make compliant, ethical data governance cheaper;
- Promote a data sharing standard; and
- Embrace privacy-enhancing technologies.
Amplify efforts to make ethical data governance cheaper
Right now, companies with the largest compliance teams — not SMEs — are set up to win, as I discuss in TechCrunch. Citigroup, for instance, reportedly hired 30,000 lawyers, auditors and compliance officers in 2014.
New technologies help companies navigate rules embedded in text. Technology easing regulatory compliance is “regtech,” while those helping with contracts and litigation is “legaltech.” These embed best practices into their design, no longer relying on static word processing tools. For instance, Turbo-tax-like forms or drop-down menus help SMEs make good corporate policy or contract decisions. Natural language processing highlights risky provisions quickly.
APEC has an amazing opportunity to amplify leaders in its own backyard. Singapore, for instance, announced a nationwide “Legal Tech Vision Roadmap.” Even the country’s Chief Justice has called for lawyers to further embrace technology. Due to such efforts, experts have named Singapore and Hong Kong leaders in the space.
Forums, ecosystem investments, techsprints, sandboxes, and pilots to share and test best practices are a few ways APEC can amplify existing efforts. This is regulatory innovation that both boosts its smallest players and protects its citizens.
Promote the adoption of a data sharing standard
SMEs, as participants highlighted, struggle with ambiguity. They desire specifics, often because they lack the lawyers to guide them. Yet, being too specific risk policies becoming irrelevant or misused.
Instead, APEC can lead by working with industry professionals to develop standards. This policy model is called “co-production” or “co-regulation.”
In highly-technical fields with big money at play, such models may be necessary. For instance, the Environmental Protection Agency (“EPA”) used this model in the late 1970s. The EPA could not meet stringent testing requirements for toxic substances. Congress’ failure to define “unreasonable” toxic risk, furthermore, paralyzed the EPA. To protect consumers, the EPA had to rely, perhaps dangerously, on corporate voluntarism.
The state, instead, can lead. Learning from the U.S. Core Data for Interoperability (“USCDI”) for healthcare data, APEC can invest in discussions about a “Core Data” standard. It may identify data to share, key metadata, and protective measures, such as deadlines for data breaches. These standards evolve as technologies and new risks do. To promote adoption, APEC might provide a limited safe harbor for SMEs who comply. Healthcare data experts advocate the same for the USCDI.
These are broad sketches on a very complex topic. But with APEC’s leadership, SMEs can start getting the guidance they’re looking for — and safely serve their customers better.
Vet privacy enhancing technologies (“PETs”)
As participants discussed, best practices for protecting data should not be binary choices — encrypt your data or not at all. In fact, privacy practices like these hurt SMEs the most, who lack data. To keep up, SMEs want to share, collect, or use lots of data. But binary tools tempt SMEs to remove protections. And SMEs that leak unprotected sensitive biometric data may go bankrupt soon after.
Instead, SMEs can also gain more data by using PETs like differential privacy. Differential privacy limits users’ access to summaries of data, such as averages. It then injects noise into those summaries to create provable guarantees of privacy. Ethical SMEs can use differential privacy to pool and share data safely, helping them overcome data scarcity. Yet, they can also prevent scenarios where malicious parties reverse-engineer sensitive data. For these reasons, it’s a staple of Apple’s toolkit.
APEC can consider incentivizing PETs, perhaps as part of its standards. If all a company’s data was differentially private by default, stolen data would hurt consumers less. Noisy data summaries are difficult, if not impossible, to link to specific individuals.
Once APEC vets these tools, innovators will spend more to put such PETs into practice. And as the use of PETs becomes more common, more SMEs will understand how to use them — and, ultimately, escape Catch-22’s that harm innovation and privacy alike.
An opportunity for data leaders to lead the pack
APEC can ensure SMEs thrive, and not become stifled, in the emerging data ecosystem.
So amplify existing efforts. Promote data standards. Vet PETs.
APEC has an exciting opportunity to distinguish itself in a rapidly changing landscape.
It must protect its citizens and boost its smallest, often-forgotten, players — who help their economies thrive.
To stay ahead of this rapidly changing data landscape, take a look at our white paper “GDPR Is Just The Beginning: 7 Principles To Stay Ahead of the Curve,” in which I compare regulations not just from the EU, but also from California, China, and India to sketch trending data protection principles.
Dan Wu is a Privacy Counsel & Legal Engineer at Immuta, a leader in Data Management for Data Science. He holds a J.D. from Harvard University and is a Ph.D. candidate for Social Policy and Sociology at The Harvard Kennedy School.