Data Protection and Privacy

– Perspectives from
Facebook, Google, Apple
Full house at the Beyond the GDPR: A Global Approach to Privacy and
Data Leadership discussion between Stephen Deadman, DPO Facebook
and Simon Chesterman, Dean, Faculty of Law, National University of
Singapore. Photo Credit: IAPP Twitter.
The digital era of the modern world means that there is a lot more data being collected, processed and stored by organisations.

Where data relates to personal sensitive information, the loss or misuse can be devastating, as we can see from the July’s Sing Health
data breach that led to the leak of 1.5 million patients' personal data, outpatient prescription information of 160,000 people, including
Prime Minister Lee Hsien Loong and a few ministers.

At the IAPP Asia Forum 2018 held on 23rd – 24th July, Mr Tan Kiat How (Commissioner of PDPC) highlighted in his speech:

”Progressive policies are key enablers of data-driven innovations. Stringent data protection laws may earn a country the reputation of
consumer empowerment, but this may be at the expense of business friendliness and may stifle innovation. Too laisse faire an attitude
is not conducive either. Consumer adoption of emerging technology may be slow, if silence from the data protection authority results in
low public trust and confidence.

Singapore believes that there is a viable middle ground. Our assessment is that AI as a technology is still developing but more
importantly, businesses have only just begun to explore how AI can be used to enhance their products and services.

We need to give both technology and businesses the room to explore and grow. However, consumer concerns must be acknowledged
and addressed.

The PDPC is not ignorant about these issues nor can we ignore consumer concerns.”

Data protection principles devised to reflect these concerns include the US Privacy Shield, UK Data Protection Act, and EU General Data
Protection Regulations (GDPR) which came into effect on 25th May 2018.

GDPR famously grabbed headlines with heavy fines for non-compliance (up to €20 million, or 4% of the worldwide annual revenue of
the prior financial year, whichever is higher).

At the IAPP Asia Forum, we gathered some perspectives from Facebook, Google, Apple in the role of privacy in continuous innovations.

The Cambridge Analytica Crisis

Just weeks ahead of the new European Data Protection law (GDPR) came into effect on 25th May 2018, Cambridge Analytica filed
applications to commence insolvency proceedings, following wide spread media reports that it harvested personal data about Facebook
users as far back as in 2014.

Since the crisis, the priority, Facebook said, is making its privacy settings more accessible and providing clearer explanations about how
data tools are used.

Beyond the GDPR: A Global Approach to Privacy and Data

Leadership.

How Facebook approached the challenge of providing a

consistently high level of privacy protection across the world
from its new DPO, Stephen Deadman, and why innovation needs
to play a central role in supporting regulation to ensure that
efforts to derive economic, social and individual value from data
are successful and pursed in a responsible and sustainable
manner

(Left) Stephen Deadman, DPO Facebook. Stephen Deadman,

who is currently the company’s global deputy chief privacy
officer, will step in as Facebook’s data protection officer starting
on Friday. He’ll also be DPO for Facebook-owned Instagram and
WhatsApp.

(Right) Simon Chesterman, Dean, Faculty of Law, National

University of Singapore

Facebook CEO Mark Zuckerberg has since apologized and agreed to testify before Congress about the controversy.

“We’ve heard loud and clear that privacy settings and other important tools are too hard to find and that we must do more to keep
people informed. So in addition to Mark Zuckerberg’s announcements last week — cracking down on abuse of the Facebook platform,
strengthening our policies, and making it easier for people to revoke apps’ ability to use your data — we’re taking additional steps in the
 coming weeks to put people more in control of their privacy,” ,” Facebook vice president and chief privacy officer, Erin Egan, and vice
president and deputy general counsel, Ashlie Beringer, said in a statement.

What changes have been made?

Stephen Deadman (Facebook’s global deputy chief privacy officer, stepped in as Facebook’s data protection officer (DPO) in May. He is
also the DPO for Facebook-owned Instagram and WhatsApp), set out some of these changes at the IAPP conference.

These included privacy shortcuts menu “where you can control your data in just a few taps”; new menus for users to more easily access
and delete their data; and features to allow users to securely manage information and posts shared on the platform, downloading this
data or deleting it from the site altogether.

Facebook added it is also reworking its terms of service and data policy to “better spell out what data we collect and how we use it.”

“These updates are about transparency,” Facebook had said in a statement, “not about gaining new rights to collect, use, or share data.”

Facebook had also suspended hundreds of apps in the first stage of its review into apps that had access to large quantities of user data.

Winning trust is core to success, Stephen Deadman emphasized. Concerns about businesses use of data and trustworthiness will stifle
people’s ability to want to use the services.

And it is important to get the basics right, in designing and implementing infrastructure and tools to demonstrate compliance.

Closing General Session - Keynote Panel: Incentivising Accountability & Certifications as Enablers for Global Data Flows. Whether in Asia or around the world, ‘accountability’ is on the lips of every regulator.
These global organisations will tell you what it means to them and how it works in practice.

Moderator: Bojana Bellamy CIPP/E, President, Centre for Information Policy Leadership, Hunton Andrews Kurth

Keith Enright, CIPP/G, CIPP/US, Legal Director, Privacy, Google

David Alfred, CIPP/A, CIPT FIP, Chief Counsel, Personal Data Protection Commission, Singapore
Huey Tan, APAC Senior Privacy Counsel, Apple
Hilary Wandall, CIPP/E, CIPP/US, CIM, FIP, General Counsel, Chief Data Governance Officer, TrustArc

Photo Credit: TrustArc Twitter

Privacy and Artificial Intelligence

Last year, Google announced that it will stop scanning the emails of Gmail users to personalize advertising.

“Consumer Gmail content will not be used or scanned for any ads personalization after this change. This decision brings Gmail ads in line
with how we personalize ads for other Google products,” Diane Greene, CEO Google Cloud, wrote in a blog post.

While this decision indicated that Google addressed the privacy intrusion concern, another question arose this year: is the using of
personal data, including key words in emails for training artificial intelligence a breach of privacy?

In response, Google clarified in a July blog (Suzanne Frey, Director, Security, Trust & Privacy, Google Cloud) that: “The practice of
automatic processing has caused some to speculate mistakenly that Google ‘reads’ your emails. To be absolutely clear: no one at Google
reads your Gmail, except in very specific cases where you ask us to and give consent, or where we need to for security purposes, such as
investigating a bug or abuse.”

Google’s Privacy Policy further explains:

“We use different technologies to process your information for these purposes. We use automated systems that analyze your
content to provide you with things like customized search results, personalized ads, or other features tailored to how you use
our services. And we analyze your content to help us detect abuse such as spam, malware, and illegal content. We also use
algorithms to recognize patterns in data. For example, Google Translate helps people communicate across languages by
detecting common language patterns in phrases you ask it to translate.”

Inevitably, as artificial intelligence (AI) advances, privacy concerns become increasingly important - and the announcement by Google
allegedly leaving the Project Maven AI program reflected these concerns.

From Compliance to Accountability

Google’s CEO Sundar Pichai announced in a June

blog, seven objectives for its AI research and
applications that “we will not pursue”.

Amongst these objectives is an explicit reference

to “Incorporate privacy design principles – “We
will incorporate our privacy principles in the
development and use of our AI technologies. We
will give opportunity for notice and consent,
encourage architectures with privacy safeguards,
and provide appropriate transparency and control
over the use of data”.

Increasingly seen as a practical way of moving

beyond compliance to designing and Delegates at the IAPP Asia Forum 2018
implementing the core privacy principles in the Photo credit: IAPP Asia / RSA APJ 2018

organisation is the concept of accountability,

At the IAPP conference, Keith Enright (CIPP/G, CIPP/US, Legal Director, Privacy, Google) said that Privacy is “a value conversation”.
Accountability means that the organization must be able to confidently demonstrate it is operating consistently with its values and
provides transparency on what these values are.

First Trillion Dollar Public Company

The San Bernardino case raised the question of whether technology companies should be compelled to build software to break into its
own devices (or programs or infrastructure). And Apple defended its philosophy: that no one, not even Apple, should be able to look
inside your phone.

Apple’s Privacy page states that ““Apple products are designed to do amazing things. And designed to protect your privacy”, and
“privacy is a fundamental human right”:

“And so much of your personal information — information you have a right to keep private — lives on your Apple devices.
Your heart rate after a run. Which news stories you read first. Where you bought your last coffee. What websites you visit.
Who you call, email, or message.

Every Apple product is designed from the ground up to protect that information. And to empower you to choose what you
share and with whom.

We’ve proved time and again that great experiences don’t have to come at the expense of your privacy and security. Instead,
they can support them.”

Huey Tan (APAC Senior Privacy Counsel, Apple) emphasized that Privacy is an enabler and moving beyond regulatory compliance to
accountability – commitment to think about personal data the organization has to deal with, building the controls into the programs
which stand up to scrutiny is “another feather in your bowl”. Or in other words, a competitive advantage.

This mindset is clearly winning support from many, as Apple became the world’s first trillion-dollar public company on Thursday, 2nd
August 2018, 42 years after it was founded.