On April 10, students of Professor Urs Gasser’s Spring 2018 Comparative Digital Privacy seminar hosted a symposium on the subject of “Emerging Technologies: Privacy by Design.” Experts from government, private practice, industry, and academia gave their thoughts on all things privacy-related, from the difficulty of defining privacy to a comparison of the regulatory regimes in the United States and the European Union. The recent revelations about Cambridge Analytica’s appropriation of Facebook data and Mark Zuckerberg’s congressional testimony only hours before the symposium provided a topical context for much of the discussion.
Sara Cable, assistant attorney general with the Consumer Protection Division of the Massachusetts Attorney General’s Office, delivered the opening remarks. Cable began by identifying the two broad categories of privacy-related violations that her office prosecutes: unfair trade practices under state consumer protection laws, and data breaches under state data security regulations and breach notification requirements.
Cable enumerated the factors considered in deciding whether to allocate resources to prosecute any particular data breach, including the magnitude of the breach, the vulnerability of the affected population, and the size and culpability of the breached entity. Cable then discussed the difficulty of crafting a one-size-fits-all privacy law that can anticipate future technological developments and how that limits legislative action to being reactive. She elaborated her office’s role in setting clear guardrails for what companies could and could not do: Data and algorithms may be used to disrupt traditional business models, but not, for example, to skirt anti-discrimination laws that have been on the books for decades.
The symposium continued with a panel featuring three privacy experts with different backgrounds: Dipayan Ghosh, a former privacy and public policy advisor at Facebook and technology policy advisor in the Obama Administration, Mark Szpak ’84, a leading member of Ropes & Gray’s data breach and privacy group, and James Waldo, chief technology officer and Gordon McKay Professor of the Practice of Computer Science at the School of Engineering and Applied Sciences at Harvard.
Panelists began by grappling with the problem of defining privacy and then discussed the merits of designing regulation based on data usage instead of data collection to avoid hampering technological innovation. The panel concluded with a discussion on the regulatory regimes in the E.U. and the U.S. and whether different approaches like alternative business models and encouraging self-regulation might better incentivize companies to protect consumer privacy.