With the advent of laws like the EU’s GDPR and California’s CCPA, which are sure to be portents of things to come (i.e., more and better data privacy legislation), companies with a global presence are starting to think about whether they should implement different user data privacy protection regimes for each region or whether it would be easier to globally comply with the strictest of the existing laws.
Microsoft, for example, chose the latter course of action. In May 2018, the company announced that it would extend the rights that are at the heart of GDPR to all of its consumer customers worldwide. More recently, it decided to honor California’s digital privacy law throughout the U.S.
For companies like Microsoft, which offer services to enterprise clients, the decision is a no-brainer: they get a leg up on competitors as organizations look for solutions that have compliance with the most progressive data privacy laws baked in by default.
Data collection balancing act: Privacy and trust
More and more companies are using privacy as a selling point by offering products that are privacy-friendly, says Cassandra Moons, Data Privacy Officer at TomTom, the Dutch multinational company developing location and navigation technology for both the consumer and business market.
Apple has, for example, made every effort to stand out from the competition in all arenas by incorporating privacy-preserving features from the get-go in many of their products.
Take Apple Maps, for example: in summer 2018, the company detailed its efforts to rebuild and improve the web mapping service and explained how, even though it collects navigation data from iPhone users, it manages not to intrude on users’ privacy.
Apple Maps also still uses data collected by third parties like TomTom but, as Moons notes, anonymizing location data is the foundation of TomTom’s relationship with its customers.
“It’s crucial that we retain our customers’ trust. For example, we need them to know that we only use their data to deliver meaningful improvements, not to sell them ads or direct them past a sponsor restaurant. That’s why we anonymize all data by disconnecting the link with the customer and their GPS traces,” she told Help Net Security.
“TomTom internally performs Privacy Impact Assessments (PIA), a framework for deciding what data we truly need to gather and how to prioritize user privacy (privacy-by-design). The PIA also governs our data-sharing relationships with third parties, ensuring we’re not just compliant with GDPR but that we’re being truly transparent with (and protective of) our users by vetting third-parties.”
What’s the right amount of data collection?
The “right” amount of data depends on the sensitivity of the data, the volume and what you want to use the data for.
“GDPR recognizes the principle of data minimization, which means one should only collect personal data ‘adequate, relevant and limited to what is necessary in relation to the purposes for which the personal data are processed’. In the end, though, it’s on the individuals who had their data collected to determine the ‘right’ amount. If a company is able to explain to individuals why its data collection is in line with this principle, it’s fair to assume you have collected the ‘right’ amount of data,” she pointed out.
But the issue of privacy should never be addressed in the Terms and Conditions, she feels, because no one ever reads those.
“Privacy should always be a standalone communication. It should be completely clear what a user is signing up to. A user should be well-informed about which data is being collected, should have control over which data can be used and be aware of the purposes for which a company uses their data,” she opined.
True ethical data management can be a business practice for a company that relies on user data in order to run and improve its products, she says. “When a company has embedded ethical values such as preventing user discrimination and putting the user first when it comes to privacy, ethics and big data collection will align and move together in the same direction.”
How will the collection of data for driver apps evolve?
As apps move from phones to cars and power the connected driving experience, driving apps will rely much more on the community to keep them updated, she says.
“To be successful, driving apps need to be trustworthy and reliable, they must protect user data, and they should be completely transparent about how this information is being used. Moving the traditional data gathering and use model from mobile apps to driving apps simply won’t work,” she added.
“In order to maintain reliability, app developers need to work with the community to be sensitive about their legitimate concerns, and show that they are using their data securely and wisely to bring services that add real value to drivers everywhere. The collection of data always needs to comply with relevant privacy laws, including appropriate user control standards, no matter the type and volume of personal data.”