J. Trevor Hughes: “Privacy is like social rights emerging from the Industrial revolution”

Trevor Hughes is the president and CEO of the IAPP: International Association of Privacy Professionals. He was in Luxembourg to promote IAPP initiatives. We met him to discuss the privacy challenges of tomorrow.

The IAPP is a not for profit organization of 55,000 members. Its purpose is to federate and support privacy professionals around the world (120 countries). The IAPP is NOT a lobby organization and stays politically neutral, underlined Mr. Hughes.

“The IAPP writes and distributes numerous newsletters, including our Daily Dashboard which has over 50,000 subscribers. We have a research and editorial team publishing new content daily. We create resources to help the privacy community be more successful at their jobs. We organize large events around the world and networking opportunities like we did today in Luxembourg for our KnowledgeNet chapter. Significantly we run a training and certification program for data protection professionals globally”.

The IAPP members are diverse in terms of profile. Only 40% of them are lawyers. Many IT and cybersecurity professionals have also joined the association, as well are marketing or HR professionals. “The common point that brings them to us is data protection.”, explains Mr. Hughes.

“That’s the reason why we like to say that privacy and data protection is a hybrid profession because it involves many different disciplines: law, technology and process management. These domains are critically important in privacy”, he adds.

Privacy is also a political and diplomatic hot topic. But the IAPP is not a lobbying organization. “We try to cover all the debates about privacy in the world and build relationships with different organizations, policy makers, regulators, advocacy organizations and the civil society. What we don’t do is choose a side. We want to show our members the full width and dimension of the debate”, he explains.

The awareness and the interest of the citizens for privacy is increasing. GDPR and the California Consumer Privacy Act have played an important role. Some big players are using privacy arguments to promote their product. “It’s a new dimension in our field. Privacy is moving from a legal and compliance issue to a much broader societal issue. Citizens are demanding more privacy”, said Trevor Hughes.

But there is a paradox somehow between those concerns and many behaviors or new consumer trends… How can you explain that?

“First we have to remember that the current revolution is not the first. Technology has always disrupted privacy. Think about photography, the telephone or computers. Now we have facial recognition, genetic testing and the internet of things, all of which will disrupt privacy.

The action of people can be inconsistent with the desire of privacy. We want technology to serve us, but we expect technologies to protect our privacy. There may be a lack of transparency about how the data is collected and used. We can compare it with electricity supply: people know that a switch makes the light turn on and off. They don’t want to know everything about wire standards and security regulation. It’s the same with privacy. People want to benefit from digital services, and to know that their privacy is protected while they are using them. It creates an obligation for regulator, legislator and government to ensure a reliable privacy protection system working behind the wall.”

But sometimes we have to make compromise between our comfort and our privacy? Are we enough aware of that?

“We will need trust in a digital economy. In parallel, if we look back to the first industrial revolution in the 19th century when factories and machinery began to emerge… At the start, we had no real control of these new tools and processes. We needed those controls. That’s why engineers started to standardize. But also, things like workplace laws, child labor laws, public education… All of these emerged because of the industrial revolution. So, I think it will be the same with the digital revolution, even if it takes time. The challenge is to build a trust framework that will allow us to rely on the digital economy, knowing it works with the human interest and not against it.”

These last years, Cloud computing has been an irresistible evolution. Some new American laws are causing fear in Europe. How to deal with the different regulations in a globalized digital world?

“We need to look at cloud computing broadly because the complexity of it will increase. There is a general move away from localized processing to cloud-based processing. In this context, we immediately raise the question of how data is secured, how it is stored and what jurisdiction applies. Because cloud often means that data has to cross borders. I think we have to look at cloud process as a directional indicator for the future… And what that suggests is the complexity of risk will only increase for all organizations in the digital economy. We have already seen efforts to have localization of data in Russia and Brazil. We have also seen efforts around back-doors to encryption solutions in India and other countries… I don’t have very good answers for those problems. What I can tell you, is that the environment will become more complex. Organizations have to understand and assume the risk they take while transferring data to the cloud.”

Which policy and regulation framework will emerge of this competition? Trevor Hughes has no crystal ball to predict it, but “GDPR has an influence outside of Europe and has become a model for many countries across the world. Even in the United States”.