Jules Polonetsky, Future of Privacy Forum

Self-Driving Cars, Personalized Medicine and the Internet of Things: Technologies that Will Bridge the Transatlantic Privacy Divide?

Germany and the United States are leading examples of two very different approaches to articulating data protection safeguards, particularly when it comes to the private sector.

German laws state that companies may not collect personal information unless they have identified a legal basis for the collection. Once collected, German law permits personal data to be used only for the specified purposes and requires that data not be kept any longer than necessary. In contrast, US law allows companies to collect many types of personal information from consumers, as long as they are not acting deceptively or unfairly.

In practice, the picture is much more complicated. Many leading US companies are actually strictly regulated on a national level, if they are collecting data deemed sensitive or used for certain protected purposes. The banking, credit, insurance, health, education, housing, telecom and children’s sectors, among others, are subject to detailed federal regulations that limit how data can be used and ban discriminatory practices. State regulations such as data breach laws, requirements to provide privacy policies and restrictions on providing social media passwords to employers create an additional layer of regulation. A well-staffed Federal Trade Commission, and more than 50 politically ambitious Attorneys General, leverage this patchwork of laws to bring enforcement actions; this framework has resulted in actions against every major tech company and hundreds of other firms in recent years. Add in the class action bar, which routinely succeeds in extracting million-dollar settlements on behalf of consumers, and it is no surprise that companies increasingly take privacy protection seriously.

In fact, a study conducted by two leading University of Berkeley academics found that although Germany and the US have different legislative approaches to privacy, actual outcomes, i.e. protections provided to individuals, are comparable.

But critics on both sides continue to debate, with the most difficult challenges for the private sector often flaring up over marketing uses of data. The German position forbids collecting data without a legal basis, and marketing is rarely considered to be a noble cause. Data protection for the individual is a constitutionally protected human right. The US position has been that data use for innovation should be encouraged, unless there is concern that a particular use will cause real harm. Although each position can be flexible, the different approaches often lead to debate and conflict between companies and regulators.

As new technologies are developed that can tangibly improve health care, transportation and education, the issues that divide the two countries will likely become more complicated and less easily contrasted. Over the last two decades, new technologies have advanced and are leveraging machine learning and access to massive amounts of data in order to find medical breakthroughs and to create valuable efficiencies. Connected cars rely on data about passengers and the environment to drive more safely. Personalized medicine requires research that captures a lifetime of data across populations to hone the treatments that can save individual lives. The internet of things enables the development of a manufacturing chain that reports detailed information about product performance and results.

In each of these areas, researchers and leading companies in Germany and the US are determined to collect and use the data needed to develop the next generations of breakthroughs that can improve society. German and US carmakers want their vehicles to be the safest and best performing. Health researchers depend on access to research data to find the cures to diseases and better treatments. And the manufacturing sectors in each country are being transformed as the internet of things becomes essential to being competitive in the new economy.

Many new uses of data will use de-identified information or will involve personal data collected with consent; these circumstances help minimize data protection challenges. But in many cases, obtaining consent will not be feasible and beneficial research will require retention of extensive data sets. Data collected from German citizens will be protected by the new European General Data Protection Regulation, which goes into effect in 2018. Important research, product development and personalization will be feasible under the new regulation, but the analysis that legitimizes such activity is complex and nuanced. In many cases, new uses of data will pose risks for data controllers and processors until local data regulators weigh in or until a consensus develops between the 29 national EU data regulators. These regulators are often under-resourced and some don’t have the bandwidth to personally engage with the vast number of new data innovations already underway.

US companies have an easier path forward, but will need to deal with an uncertain political environment and an active media that has made misuse of data a reporting priority. Civil rights organizations have made discriminatory data uses an important focus and intend to continue to be active when they identify data uses they believe are harmful.

If we want a society that can continue to develop safer cars, better healthcare and more efficient manufacturing, leaders on both sides of the Atlantic will need to seriously grapple with both the benefits and risks of data use. Leaders will need to be open to advances in data use, while ensuring the companies and researchers have processes in place to protect individuals’ rights. It may be that each tradition will be influenced by the legal intersections needed for cross-border flows, the collaborations of researchers at universities across institutions, compliance norms, and the business operations of global companies. Indeed, such an outcome may be the ideal formula for a world that seeks to avoid the pitfalls of an Orwellian future while advancing the uses of data that will improve society.