Our government affairs and legal counsel teams at Least Authority traveled to Washington DC in early April to attend the Global Privacy Summit 2023 hosted by the International Association of Privacy Professionals (IAPP). As Least Authority builds privacy-enhancing technology, we found it paramount to join, meet, and network with other privacy-minded experts and companies at such an event. With over five thousand privacy professionals from all over the globe attending, the 2.5-day IAPP Summit was a great opportunity to connect and learn about the latest developments in privacy and data protection.
The Challenging Landscape of Data Protection Between the EU and US
Although it is commonly known that the European Union pioneers the space of privacy, data protection, and digital rights, in particular by codifying the right to the protection of personal data as a Fundamental Right and with the General Data Protection Regulation (GDPR), it was encouraging to see privacy advancements in the United States, where US legal firms and consulting companies paid heed to the patchwork of state-based privacy legislation (recently, various US states such as Montana and Tennessee have adopted data privacy laws). Currently, the United States does not have an overarching data privacy law, although such an initiative was introduced in 2022 with the Americans for Data Privacy & Protection Bill H.R. 8152 by Representative Frank Pallone Jr.
Given the existing discrepancies between US and EU data protection laws, one of the current challenges discussed at the IAPP Summit was the development of a valid framework for transatlantic data transfers (the adequacy decision for the EU-US Data Privacy Framework). Max Schrems, known for triggering the decision of the European Court of Justice that invalidated the Safe Harbor Agreement and the EU-US Privacy Shield, participated in a keynote panel discussion on the EU General Data Protection Regulation, where he expressed his concerns with the new framework.
The Potential Misuses of Data with Emerging Tech Trends
The challenges that persist in our evolving data landscape were widely debated, especially as they pertain to topics such as artificial intelligence (AI) and differential privacy. In his keynote, Alvaro Bedoya (Commissioner at the US Federal Trade Commission) vividly described his personal experience with DALL-E, an AI system that creates images and art. To avoid opacity and to maximize transparency and accountability, he emphasized the need to involve external researchers, civil society, and government in analyzing and stress testing AI models, and to think quickly about how these new dynamics map onto consumer protection law. Later, the author and historian Dan Bouk addressed in his keynote the use and misuse of census data in 1940 to “quantify” U.S. citizens, which resulted in the protest of thousands of Americans answering “0” to the questionnaire on income.
With the increasing use of generative artificial intelligence (GenAI) and other emerging technical tools, the need arises to use data that is considered “non-personal” under GDPR. Viable options in the privacy protection toolkit are homomorphic encryption, differential privacy, and multiparty computation (MPC), all of which were discussed in the talk entitled “What do you mean by anonymization.” These options are part of a larger group of advanced cryptography tools that can protect privacy, including zero knowledge encryption, which we utilize in our products at Least Authority. However, one roadblock to implementing these privacy-preserving technologies at scale within the EU and the US is the inconsistent and unclear terminology used in designing these products. The question of whether encrypted data is personal data under GDPR is also still debated. As the privacy space progresses, more dialogue between technologists, regulators, and lawyers is needed.
Reflections on Least Authority’s Business Practices & Product Development
Throughout the conference, two things became apparent: (i) there is a stark difference between companies that center human and privacy-conscious design and those that do not, and (ii) Least Authority’s commitment to human and privacy-conscious design is rare in the privacy space. On the conference show floor, it seemed as if the main objective was to sell governance, risk, and compliance (GRC) software. Engaging on the conference floor with the companies that sold GRC software turned into the Least Authority team explaining why we refuse to collect unnecessary personally identifiable information (PII) or to use cookies other than those that are strictly technically necessary, which was often met with incredulity that we had embedded human and privacy-conscious design into our business model.
As the conference progressed, we began to see how companies can pass as privacy-focused under the guise of privacy theater, a term derived from socio-economic discourse that refers to the idea that companies can achieve a feeling of improved privacy while doing little or nothing to actually improve privacy. The idea of privacy theater intersects with the field of transparency in algorithmic systems. As long as consumers are not privy to the workings of algorithms, how can we expect consumers to know which products truly protect their privacy? As such, we would like to see more conversations about how the recent advancements in the AI field are or can be more privacy-conscious, along with transparency efforts to help avoid privacy theater for AI.
At Least Authority, our commitment to privacy is central to our beliefs. Recently, our product team released PrivateStorage, an end-to-end encrypted data storage service, where only you have the ability to decrypt and read your stored data. In an attempt to solve some of the issues with privacy-preserving payments, Least Authority created Zero Knowledge Access Passes (ZKAPs). ZKAPs are used in PrivateStorage to disconnect the payment and service data. To learn more about PrivateStorage and to get started, click here. You can read more about ZKAPs in our whitepaper found here.
Watch for follow-up blogs on this subject or other privacy-focused events Least Authority attends.