Data Protection Day (also known as Data Privacy Day), now in its 17th year, falls on Saturday 28th January. It is a good time to reflect on the fast-changing regulatory landscape, and on what developments we might expect to see in the coming months.
Regulators and businesses face fascinating challenges in the coming year. Record fines are being levied against some of the biggest names in tech. We are witnessing a rapid expansion in the capabilities of AI, the release of ChatGPT and DALL-E being just two examples. Regulatory and legislative changes will continue at pace. There are also competing interests and values that need to be navigated by lawmakers, regulators and businesses. One such tension is between privacy and online safety. Obligations to implement appropriate age verification tools are detailed in the UK Online Safety Bill, and debates over anonymity versus verified identity in Web 3.0 technologies are ongoing.
Before we turn to forthcoming regulatory changes, it is important to take a step back and acknowledge some of the challenges that are inherent in certain privacy-related areas. As in other areas of life, there’s a balance between safety and efficiency. For example, low speed limits are known to increase road safety, but speed limits are not universally set to the lowest speeds; as a society we’ve found an acceptable trade-off.
Fairness and data minimization
An example of this is ensuring that algorithms are free from bias. Here there is a conflict between fair performance and privacy’s requirement to minimize data collection and storage. Collecting some additional data is often the only way to check that certain classes of individuals are not discriminated against by an algorithm's performance. This is a challenge we at Onfido have worked hard to balance, working with the UK Information Commissioner’s Office and publishing a white paper on our approach and results.
Privacy and protection
A similar tension can be seen in the forthcoming UK Online Safety Bill. Designed to keep vulnerable internet users safe by restricting access to harmful content, the bill raises a number of privacy vs security vs safety dilemmas. For example, incentivising services to not use end-to-end encryption in order to monitor for illegal and harmful content may increase safety, but could also jeopardize users’ privacy and security. Likewise, services that host user-generated content or allow users to interact with each other will need to consider whether children are likely to access their sites, and take steps to protect them from legal but harmful material and prevent access to pornographic content. Any such protective or preventative measures will need to carefully balance the data protection obligation to minimize data collection with the requirement to provide effective age verification checks on such sites.
These are fascinating times in the world of privacy and data protection, but one thing is for sure — trade offs must be well informed, reasonable, proportionate and balanced.
Privacy regulation in the UK
Following withdrawal from the EU, the UK has the opportunity to develop a custom data protection regime designed for British businesses, while maintaining a high standard of data protection rights and preserving data flows with international partners (including the EU).
With the EU set to review its own GDPR (General Data Protection Regulation) in 2024, the UK is in a unique position to become a global leader on data governance and set a progressive new standard for data protection — GDPR 2.0.
This is manifested in the Data Protection and Digital Information Bill (DPDI), which is currently going through the legislative process. This will mean making changes to our data protection regime, but also upholding the key principles of the GDPR which the UK was instrumental in creating as part of the EU, for example ensuring that individuals can access their data when required and have reliable avenues to seek redress.
At Onfido we take privacy extremely seriously, and adopt a privacy-first mindset in all that we do. We also recognise the scope to improve GDPR — and with the rest of the industry we are working to help the UK government strike a sensible balance between the changes needed to enable data-driven innovation (such as artificial intelligence, biometrics, and digital identity) while preserving crucial data protection rights.
Getting this right will help the UK unlock the full value of data across the economy, provide regulatory comfort that supports bold investment decisions, and help deliver on the government’s desire for growth in the digital economy.
Privacy legislation in the US
With the 117th Congress unable to get data privacy legislation over the finish line before the end of 2022, we can expect continued activity in state capitals around the country, which will result in an increasing patchwork of privacy laws. Since 2018, 133 comprehensive privacy bills have been considered across 43 states, including 10 bills filed so far in 2023. With sessions just kicking off, we can expect this number to grow. Only time will tell which states will join California, Colorado, Connecticut, Utah, and Virginia, and how many of these bills will become law.
House Energy and Commerce Chair Cathy McMorris Rodgers has said data privacy legislation is a top priority for her committee in the new Congress and President Biden has called for federal data protections. In 2022, we saw bipartisan movement on key issues — preemption of state laws and private right of action — that must be agreed in order for meaningful federal data privacy legislation to become law. With new Members of Congress, new leadership at key Committees, and a new Majority in the House, we will see how discussions evolve and whether a deal can be made.