When the International Association of Privacy Professionals recently released Visions of Privacy, a future-looking anthology of contributions from privacy thought-leaders around the world, we got to thinking about our own response to the big questions:
- How far has privacy come in the past 20 years?
- Where do we see privacy and data protection in 10 years’ time?
- What will privacy mean to—and for—organizations and individuals in the year 2030?
Here are our thoughts …
Privacy risks and responsibilities were ill-defined for much of the past 20 years
The sun rose on a new millennium and few people were focused on privacy unless they’d made a career out of it. Back then, and in the years since, privacy was largely seen as something companies had to do on their customers’ behalf. The companies bore the cost, and the consumers received a benefit. As a result, companies either did the bare minimum or didn’t know what they were doing and did little-to-nothing—and consumers generally thought they had more privacy than they really did. When consumers did finally see the issue, most quickly became overwhelmed by the enormity of it and apathetic or inert to trying to fix it—all the while feeding their personal information to the Internet with increasing alacrity, in exchange for products and services.
In the meantime, analytics and cloud services grew and quickly made possible what we now know to be creepy tracking by big tech companies. Gradually more people woke to the notion that what we were doing online was being watched and traded and our Internet free will was fast disappearing, if not already long gone.
Privacy regulations didn’t solve the problem. In the US, for example, privacy was seen not as a right but as a factor to be balanced with other considerations—and we’re still trying to get that balance right.
So here we stand only nine months into a new decade and smashed by a global pandemic and its varied consequences, many of which—contact tracing, remote working, and online learning—raise hard questions about privacy and our right to protect our personal information. Most of the world’s four billion internet users lack the privacy control they require and deserve—and a massive majority are rightly concerned about how best to protect their personal information online. There’s a shared sense of lack of control, and a great deal of fear. More than half of Americans are too afraid to buy online for fear of data abuse.
From this somewhat precarious vantage point, where do we think privacy and data protection will be in 2030?
The privacy landscape will change, but how much?
We agree with other pundits who say data privacy will be a defining issue of this decade and we’ll all live in an increasingly privacy sensitive world. But, while there’s plenty of scope and impetus for change, we question the speed of that change: What might change gradually and what might change rapidly? Therefore, we have a largely optimistic vision of privacy out to 2030 but with some sobering caveats. Among other things, 2020 has shown us just how difficult it is to accurately predict the future, and none us has perfect vision of what lies ahead. Plus, change isn’t always as quick as we hope. So, while we’ve outlined our vision of the ideal privacy state in 2030, some of it may not come to pass in this decade.
Our ideal privacy future is bright
Privacy will be driven by business benefit and mutual obligation, not compliance obligation.
Companies that currently misuse consumer data will self-regulate better. They will finally realize that collecting and processing less data and being an honest steward of data they do collect makes good business sense. More businesses will see it’s no longer enough to think only about breach prevention. It’ll be clear that users want products and applications that have privacy at their core and delivering them boosts the bottom line.
Businesses will understand that consumers want their product and their privacy and giving it to them is as simple as building privacy by design and embracing the enabling technologies. At Anonyome Labs, we’re already making it possible for businesses to engage, onboard and continually interact with their customers without collecting, managing, or risking their customers’ personal data.
Consumer rights will be balanced with business viability.
Data ethics will be a differentiator. We’re not there yet because all consumers aren’t sufficiently aware of the issues and therefore few large companies are motivated to change their practices. Over time we will see a trend towards privacy preserving analytics, and greater use of technologies such as homomorphic encryptionand differential privacy. Consumers will feel like they’ve regained their Internet free will.
Most consumers will be proactively protecting their personal data.
Using privacy preserving tools will become as easy as using the privacy invading ones. There will still be challenges to overcome the inertia of complacency, but they will be fewer. Consumers will proactively protect their personal data, either in lieu of better regulatory protections and company behavioral changes or alongside them. Consumers will use tools like our MySudo app, which is the only app on the market that gives users private phone, text, email, browser, and virtual cards all in one app, packaged into secure digital identities called Sudos that make it possible to discretely manage and secure communications online and off.
Opt out won’t mean miss out.
At Anonyome Labs, we’ve never subscribed to the notion that being private means opting out of online services or hiding from the world. People should be empowered to determine what, where and with whom they share their personal information. We believe by 2030 “opt out” won’t mean “miss out” and big tech will have abandoned the mantra that if you are not charged for the product, you are the product.
In fact, the regulatory environment will support these changes.
Consumers will demand to have their data collected but forgotten and we’ll see legislated, widely available ways to make this possible. We’re already seeing evolution in this space, and it could be easily accelerated with legislation. By 2030, we will see a simplification of the current patchwork of privacy regulations. A US national privacy law will provide a common set of requirements for US businesses, rather than state-by-state laws that are mostly similar yet subtlety different.
Privacy will be a ubiquitous and nuanced career option backed by solid education.
On the jobs front, privacy careers will be more plentiful and nuanced than they are today. We’ll see specializations by geography/jurisdiction, as well as privacy roles grounded in fundamental skills such as law, compliance and audit, user interaction design, data analytics and systems engineering. Privacy education will be multidisciplinary, just as many cyber security courses are now.
Decentralized identity will be widely adopted for privacy.
Decentralized identity technologies are a holistic solution to privacy and they will be widely embraced. Decentralized identity will reduce the need for centralized databases to the absolute minimum and thus give consumers complete control and ownership over their personal data, make businesses less vulnerable to data misuse, and limit cyberattacks, fraud and other financial crimes. The compliance burden will lessen within an open, trustworthy, interoperable, and standards-based identity management ecosystem, and new business alliances based on secure communication and information exchange (e.g. in medical or education) will emerge.
People will migrate geographically to a better ‘privacy climate’.
Just as people move for jobs, lifestyle, or weather, by 2030 we may see people moving for privacy. The EU is generally at the leading edge of personal data protection, so people may see migration to the EU or other privacy-first jurisdictions as attractive options. Another possibility is that people will move their choice of application and data providers to EU-based systems.
We won’t be arguing about cross border data transfers between modern economies.
The regulatory challenges around ensuring protection for EU to US data transfers will get simpler. This may be due in part to changes in government policy, helped significantly by privacy preserving technology. We will not end up with highly localized data kingdoms.
Corporate social responsibility for data processing will be codified into systems design.
By 2030, customers’ collective feedback has an immediate effect on a business’ use of personal data. Data protection is explicitly part of system design and elements like data retention and uses of customer data are well controlled. Those controls can be tightened or loosened more easily based on changes in regulation, punishments by regulators for failing to do the right thing, or feedback from customers on how they think their data is being treated.
Of course, the reality doesn’t always match the vision, and that’s true for privacy too.
Given life is unpredictable and change can be slower than hoped, we’re compelled to pour warm water on some of these bright ideas.
Despite the nine-year runway to change, by 2030 we could easily still have companies claiming data is anonymized, but that not being entirely accurate. It’s an imperfect solution, and techniques to link the data puzzle back together are improving all the time and may stay ahead of the wave.
Further, even if by the end of this decade business generally has made solid strides towards data minimization and be deriving significant benefit from responding to customer calls for greater data control, some very powerful companies (Google, Facebook) may still be being dragged kicking and screaming to the privacy table since their primary revenue source is based on invasive advertising. Big ships can take a long time to turn.
On the regulatory front, it is possible, given privacy professionals and regulators are often seen to be debating over details instead of enacting real change, that we’ll be no better off with the regulatory environment in 10 years. Big tech will relish this outcome. Let’s hope the pursuit of a perfect privacy law does not prevent the creation of something better than we have today.
The tussle and confusion over cross border data transfers between modern economies may well continue too, which would be disappointing and not in the best interests of privacy globally.
Perhaps most uncertain of all is the answer to the COVID-19 question. Privacy lost during actions such as informal or poorly implemented contact tracing will be difficult to claw back, and some governments may only reluctantly relinquish the data collection powers the pandemic has afforded them.
A lot can change in 10 years, but then little can change too. On balance though, at Anonyome Labs we’re bullish about the future of privacy over the coming decade. Where will we be in 2030? We believe in a much brighter place, where companies, consumers, and regulators are all singing from the one song sheet. That’s our vision of privacy. Let’s see where the future takes us.
See Anonyome Labs’ market-leading privacy solutions in action:
Sudo Platform – The complete privacy toolkit for enterprise. Rapidly integrate privacy into
new and existing applications and collect customers, not their personal data.
MySudo – The world’s only all-in-one privacy solution. Talk, text, email, browse and pay with privacy all in one app.